From 9ff239d33c31eaf6aad4651fc7a3880203b2fb7c Mon Sep 17 00:00:00 2001
From: Andrew Leonard <31470007+andrew-m-leonard@users.noreply.github.com>
Date: Sat, 30 Sep 2023 03:54:10 +0100
Subject: [PATCH] Sign JMOD Windows exe/dll's using exploded/assemble method (#822)
* Enable JMOD signing for Windows
Signed-off-by: Andrew Leonard
* Enable JMOD signing for Windows
Signed-off-by: Andrew Leonard
* Enable JMOD signing for Windows
Signed-off-by: Andrew Leonard
* Enable JMOD signing for Windows
Signed-off-by: Andrew Leonard
* Enable JMOD signing for Windows
Signed-off-by: Andrew Leonard
* Enable JMOD signing for Windows
Signed-off-by: Andrew Leonard
* Enable JMOD signing for Windows
Signed-off-by: Andrew Leonard
* Enable JMOD signing for Windows
Signed-off-by: Andrew Leonard
* Enable JMOD signing for Windows
Signed-off-by: Andrew Leonard
* Enable JMOD signing for Windows
Signed-off-by: Andrew Leonard
* Enable JMOD signing for Windows
Signed-off-by: Andrew Leonard
* Enable JMOD signing for Windows
Signed-off-by: Andrew Leonard
* Enable JMOD signing for Windows
Signed-off-by: Andrew Leonard
* Enable JMOD signing for Windows
Signed-off-by: Andrew Leonard
---------
Signed-off-by: Andrew Leonard
---
.../common/openjdk_build_pipeline.groovy | 70 ++++++++++---------
1 file changed, 37 insertions(+), 33 deletions(-)
diff --git a/pipelines/build/common/openjdk_build_pipeline.groovy b/pipelines/build/common/openjdk_build_pipeline.groovy
index d23618a03..c0eb0c74f 100644
--- a/pipelines/build/common/openjdk_build_pipeline.groovy
+++ b/pipelines/build/common/openjdk_build_pipeline.groovy
@@ -1482,84 +1482,88 @@ class Build { context.println '[CHECKOUT] Checking out to adoptium/temurin-build...' repoHandler.checkoutAdoptBuild(context) printGitRepoInfo() - if (buildConfig.TARGET_OS == 'mac' && buildConfig.JAVA_TO_BUILD != 'jdk8u') { - def macSignBuildArgs + if ((buildConfig.TARGET_OS == 'mac' || buildConfig.TARGET_OS == 'windows') && buildConfig.JAVA_TO_BUILD != 'jdk8u') { + context.println "Processing exploded build, sign JMODS, and assemble build, for platform ${buildConfig.TARGET_OS} version ${buildConfig.JAVA_TO_BUILD}" + def signBuildArgs if (env.BUILD_ARGS != null && !env.BUILD_ARGS.isEmpty()) { - macSignBuildArgs = env.BUILD_ARGS + ' --make-exploded-image' + signBuildArgs = env.BUILD_ARGS + ' --make-exploded-image' } else { - macSignBuildArgs = '--make-exploded-image' + signBuildArgs = '--make-exploded-image' } - context.withEnv(['BUILD_ARGS=' + macSignBuildArgs]) { + context.withEnv(['BUILD_ARGS=' + signBuildArgs]) { context.println 'Building an exploded image for signing' context.sh(script: "./${ADOPT_DEFAULTS_JSON['scriptDirectories']['buildfarm']}") } - def macos_base_path_arch = 'x86_64' - if (buildConfig.ARCHITECTURE == 'aarch64') { - macos_base_path_arch = 'aarch64' - } - def macos_base_path = "workspace/build/src/build/macosx-${macos_base_path_arch}-server-release" - if (buildConfig.JAVA_TO_BUILD == 'jdk11u') { - macos_base_path = "workspace/build/src/build/macosx-${macos_base_path_arch}-normal-server-release" - } + def base_path = context.sh(script: "ls -d workspace/build/src/build/* | tr -d '\\n'", returnStdout:true) + context.println "base build path for jmod signing = ${base_path}" context.stash name: 'jmods', - includes: "${macos_base_path}/hotspot/variant-server/**/*," + - "${macos_base_path}/support/modules_cmds/**/*," + - "${macos_base_path}/support/modules_libs/**/*," + + includes: "${base_path}/hotspot/variant-server/**/*," + + "${base_path}/support/modules_cmds/**/*," + + "${base_path}/support/modules_libs/**/*," + // JDK 16 
+ jpackage needs to be signed as well - "${macos_base_path}/jdk/modules/jdk.jpackage/jdk/jpackage/internal/resources/jpackageapplauncher" + "${base_path}/jdk/modules/jdk.jpackage/jdk/jpackage/internal/resources/jpackageapplauncher" context.node('eclipse-codesign') { - context.sh "rm -rf ${macos_base_path}/* || true" + context.sh "rm -rf ${base_path}/* || true" repoHandler.checkoutAdoptBuild(context) printGitRepoInfo() // Copy pre assembled binary ready for JMODs to be codesigned context.unstash 'jmods' - context.withEnv(["macos_base_path=${macos_base_path}"]) { + def target_os = "${buildConfig.TARGET_OS}" + context.withEnv(['base_os='+target_os, 'base_path='+base_path]) { // groovylint-disable context.sh ''' #!/bin/bash set -eu - echo "Signing JMOD files" - TMP_DIR="${macos_base_path}/" - ENTITLEMENTS="$WORKSPACE/entitlements.plist" - FILES=$(find "${TMP_DIR}" -perm +111 -type f -o -name '*.dylib' -type f || find "${TMP_DIR}" -perm /111 -type f -o -name '*.dylib' -type f) + echo "Signing JMOD files under build path ${base_path} for base_os ${base_os}" + TMP_DIR="${base_path}/" + if [ "${base_os}" == "mac" ]; then + ENTITLEMENTS="$WORKSPACE/entitlements.plist" + FILES=$(find "${TMP_DIR}" -perm +111 -type f -o -name '*.dylib' -type f || find "${TMP_DIR}" -perm /111 -type f -o -name '*.dylib' -type f) + else + FILES=$(find "${TMP_DIR}" -type f -name '*.exe' -o -name '*.dll') + fi for f in $FILES do echo "Signing $f using Eclipse Foundation codesign service" dir=$(dirname "$f") file=$(basename "$f") mv "$f" "${dir}/unsigned_${file}" - curl -o "$f" -F file="@${dir}/unsigned_${file}" -F entitlements="@$ENTITLEMENTS" https://cbi.eclipse.org/macos/codesign/sign + if [ "${base_os}" == "mac" ]; then + curl --fail --silent --show-error -o "$f" -F file="@${dir}/unsigned_${file}" -F entitlements="@$ENTITLEMENTS" https://cbi.eclipse.org/macos/codesign/sign + else + curl --fail --silent --show-error -o "$f" -F file="@${dir}/unsigned_${file}" 
https://cbi.eclipse.org/authenticode/sign + fi chmod --reference="${dir}/unsigned_${file}" "$f" rm -rf "${dir}/unsigned_${file}" done ''' // groovylint-enable } - context.stash name: 'signed_jmods', includes: "${macos_base_path}/**/*" + context.stash name: 'signed_jmods', includes: "${base_path}/**/*" } // Remove jmod directories to be replaced with the stash saved above - context.sh "rm -rf ${macos_base_path}/hotspot/variant-server || true" - context.sh "rm -rf ${macos_base_path}/support/modules_cmds || true" - context.sh "rm -rf ${macos_base_path}/support/modules_libs || true" + context.sh "rm -rf ${base_path}/hotspot/variant-server || true" + context.sh "rm -rf ${base_path}/support/modules_cmds || true" + context.sh "rm -rf ${base_path}/support/modules_libs || true" // JDK 16 + jpackage needs to be signed as well if (buildConfig.JAVA_TO_BUILD != 'jdk11u') { - context.sh "rm -rf ${macos_base_path}/jdk/modules/jdk.jpackage/jdk/jpackage/internal/resources/jpackageapplauncher || true" + context.sh "rm -rf ${base_path}/jdk/modules/jdk.jpackage/jdk/jpackage/internal/resources/jpackageapplauncher || true" } // Restore signed JMODs context.unstash 'signed_jmods' - def macAssembleBuildArgs + def assembleBuildArgs if (env.BUILD_ARGS != null && !env.BUILD_ARGS.isEmpty()) { - macAssembleBuildArgs = env.BUILD_ARGS + ' --assemble-exploded-image' + assembleBuildArgs = env.BUILD_ARGS + ' --assemble-exploded-image' } else { - macAssembleBuildArgs = '--assemble-exploded-image' + assembleBuildArgs = '--assemble-exploded-image' } - context.withEnv(['BUILD_ARGS=' + macAssembleBuildArgs]) { + context.withEnv(['BUILD_ARGS=' + assembleBuildArgs]) { context.println 'Assembling the exploded image' context.sh(script: "./${ADOPT_DEFAULTS_JSON['scriptDirectories']['buildfarm']}") }
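Review bot: The signing script in this hunk can exit 0 without signing anything: when `find` matches nothing, `for f in $FILES` never iterates and the untouched tree is then stashed as `signed_jmods`. A guard after the `FILES=` assignments would make this fail closed, e.g. `[ -n "$FILES" ] || { echo "no files to sign under ${TMP_DIR}" >&2; exit 1; }`. The new `[ "${base_os}" == "mac" ]` tests make the empty case more likely, since `==` inside `[` is a bash extension and, if the step is not actually run by bash (the `#!/bin/bash` line appears to sit after the opening `'''` rather than at the very start of the script), the test can error and fall into the `else` branch; `=` is portable. In the Windows branch `-type f` binds only to `*.exe`, so `find "${TMP_DIR}" -type f \( -name '*.exe' -o -name '*.dll' \)` matches the intent. The enclosing method begins and ends outside this hunk.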