fix: clean-up after signature

ppkarwasz · ppkarwasz · commit 286e0218ba79 · 2026-04-21T16:01:00.000+02:00
diff --git a/src/main/java/org/apache/commons/release/plugin/mojos/BuildAttestationMojo.java b/src/main/java/org/apache/commons/release/plugin/mojos/BuildAttestationMojo.java
@@ -501,8 +501,14 @@ private void signAndWriteStatement(final Statement statement, final Path outputP
             throw new MojoExecutionException("Failed to serialize attestation statement", e);
         }
         final AbstractGpgSigner signer = getSigner();
-        final Path paeFile = DsseUtils.writePaeFile(statementBytes, outputPath);
-        final byte[] sigBytes = DsseUtils.signFile(signer, paeFile);
+        final byte[] sigBytes;
+        try {
+            final Path paeFile = DsseUtils.writePaeFile(statementBytes, outputPath);
+            sigBytes = DsseUtils.signFile(signer, paeFile);
+            Files.deleteIfExists(paeFile);
+        } catch (final IOException e) {
+            throw new MojoExecutionException("Failed to sign attestation statement", e);
+        }
 
         final Signature sig = new Signature()
                 .setKeyid(DsseUtils.getKeyId(sigBytes))
