Mac codesign signing using eclipse-codesign does not check for success

[andrew-m-leonard]

The Signing of Mac binaries by the eclipse-codesign service does not check each individual signing is successful

ci-jenkins-pipelines/pipelines/build/common/openjdk_build_pipeline.groovy

Line 1426 in e63be5b

curl -o "$f" -F file="@${dir}/unsigned_${file}" -F entitlements="@$ENTITLEMENTS" https://cbi.eclipse.org/macos/codesign/sign

[steelhead31]

Think I have a potential fix for this, by examining each signed binary for the string "Apple Certification Authority" , built and unsigned binaries don't contain it...

[sophia-guo]

is this also an issue with https://github.com/adoptium/temurin-build/blob/master/sign.sh#L134

https://github.com/adoptium/temurin-build/blob/master/sign.sh#L86 ?

[steelhead31]

is this also an issue with https://github.com/adoptium/temurin-build/blob/master/sign.sh#L134

https://github.com/adoptium/temurin-build/blob/master/sign.sh#L86 ?

@sophia-guo I dont think we have seen the same error in the above two jobs ( but I think the underlying cause is volume related, in submitting a large number of requests in a short time ), however both of those curl requests use the --fail switch , so would likely fail "properly", and not carry on regardless. I will have a further look at those 2 scripts, and see if they could use the "retry" resilience. I've also added the --fail switch to the mac signing PR :)

[steelhead31]

Closed as Mac signing PR is now merged.

[adamfarley]

Heya @steelhead31 - Can I ask if the unannounced failures seen here (or more accurately the apparent failure to sign them here, sans any report of failure) are being worked somewhere?

[steelhead31]

Hi @adamfarley  this fix has been implemented into the sign.sh script, but needs reflecting into the pipeline script, it doesn't guarantee success, but will loop numerous times in order to try again. The failure detailed here appears to be a genuine fault with the notarisation service, and I'd expect it to have failed. The job on mac platforms has complete successfully since the linked build (e.g https://ci.adoptium.net/job/build-scripts/job/release/job/sign_installer/9315/ & https://ci.adoptium.net/job/build-scripts/job/release/job/sign_installer/9309/ , so its just a case of improving the pipeline script to match sign.sh ... this is on my to do list, so I've re-opened this, and will try and get to it as soon as Im able!

[adamfarley]

Thanks Scott!

[steelhead31]

Not related to Mac, but this shows a good example of the code signing service encountering an issue whilst doing the code signing..

https://ci.adoptium.net/job/build-scripts/job/release/job/sign_build/26029/console

Signing ./bin/jfr.exe
Signing ./bin/jfr.exe using Eclipse Foundation codesign service
Signing ./bin/jhat.exe
Signing ./bin/jhat.exe using Eclipse Foundation codesign service curl: (22) The requested URL returned error: 502 Build step 'Execute shell' marked build as failure