From 4b16a3e74b569087f4507111821ef780c5a686da Mon Sep 17 00:00:00 2001 From: Andrew Leonard Date: Thu, 5 Dec 2024 11:31:15 +0000 Subject: [PATCH 01/15] Update verify_signing.groovy to check Windows exes only have one signature Signed-off-by: Andrew Leonard --- pipelines/build/common/verify_signing.groovy | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/pipelines/build/common/verify_signing.groovy b/pipelines/build/common/verify_signing.groovy index 25e7bebbc..b485ee1be 100644 --- a/pipelines/build/common/verify_signing.groovy +++ b/pipelines/build/common/verify_signing.groovy @@ -185,8 +185,15 @@ void verifyExecutables(String unpack_dir) { unsigned="$unsigned $f" cc_unsigned=$((cc_unsigned+1)) else - echo "Signed correctly: ${f}" - cc_signed=$((cc_signed+1)) + num_sigs=$("${signtool}" verify /all /pa ${f} | grep -E '^[0-9][[:space:]]+sha256' | wc -l) + if [[ "$num_sigs" -ne 1 ]]; then + echo "Error: ${f} has ${num_sigs} Signatures, it must only have one." + unsigned="$unsigned $f" + cc_unsigned=$((cc_unsigned+1)) + else + echo "Signed correctly: ${f}" + cc_signed=$((cc_signed+1)) + fi fi done From fe5b0b974b7350bccfafbcd14f977c0fa1327a6e Mon Sep 17 00:00:00 2001 From: Andrew Leonard Date: Thu, 5 Dec 2024 12:55:01 +0000 Subject: [PATCH 02/15] Update verify_signing.groovy to check Windows exes only have one signature Signed-off-by: Andrew Leonard --- pipelines/build/common/verify_signing.groovy | 22 ++++++++++++++------ 1 file changed, 16 insertions(+), 6 deletions(-) diff --git a/pipelines/build/common/verify_signing.groovy b/pipelines/build/common/verify_signing.groovy index b485ee1be..3c251f644 100644 --- a/pipelines/build/common/verify_signing.groovy +++ b/pipelines/build/common/verify_signing.groovy @@ -22,6 +22,7 @@ Parameters: - TARGET_OS : "mac" or "windows" - TARGET_ARCH : "aarch64 or "x64" or "x86-32" - NODE_LABEL : Jenkins label for where to run + - CERT_ISSUED_TO : Issued to org name to verify Windows Signatures */ @@ -112,7 +113,7 @@ void unpackArchives(String unpack_dir, String[] archives) { } // Verify executables for Signatures -void verifyExecutables(String unpack_dir) { +void verifyExecutables(String unpack_dir, String issueToOrg) { if (params.TARGET_OS == "mac") { // On Mac find all dylib's and "executable" binaries // Ignore "legal" text folder to reduce the number of non-extension files it finds... @@ -185,12 +186,21 @@ void verifyExecutables(String unpack_dir) { unsigned="$unsigned $f" cc_unsigned=$((cc_unsigned+1)) else - num_sigs=$("${signtool}" verify /all /pa ${f} | grep -E '^[0-9][[:space:]]+sha256' | wc -l) - if [[ "$num_sigs" -ne 1 ]]; then - echo "Error: ${f} has ${num_sigs} Signatures, it must only have one." + num_microsoft_sigs=$("${signtool}" verify /v /all /pa ${f} | grep "Issued to:" | grep "Microsoft" | wc -l) + num_org_sigs=$("${signtool}" verify /v /all /pa ${f} | grep "Issued to:" | grep "${issueToOrg}" | wc -l) + if [[ "$num_microsoft_sigs" -ne 0 ]] && [[ "$num_org_sigs" -ne 0 ]]; then + echo "Error: ${f} should not be signed by ${issueToOrg} as it is already signed by Microsoft." unsigned="$unsigned $f" cc_unsigned=$((cc_unsigned+1)) - else + elif [[ "$num_microsoft_sigs" -eq 0 ]] && [[ "$num_org_sigs" -gt 1 ]]; then + echo "Error: ${f} is signed by ${issueToOrg} ${num_org_sigs} times, it must only be signed once." + unsigned="$unsigned $f" + cc_unsigned=$((cc_unsigned+1)) + elif [[ "$num_microsoft_sigs" -eq 0 ]] && [[ "$num_org_sigs" -eq 0 ]]; then + echo "Error: ${f} is NOT signed by ${issueToOrg}." + unsigned="$unsigned $f" + cc_unsigned=$((cc_unsigned+1)) + elif echo "Signed correctly: ${f}" cc_signed=$((cc_signed+1)) fi @@ -362,7 +372,7 @@ if (params.TARGET_OS != "mac" && params.TARGET_OS != "windows") { unpackArchives(unpack_dir, archives) // Verify all executables for Signatures - verifyExecutables(unpack_dir) + verifyExecutables(unpack_dir, "${params.CERT_ISSUED_TO}") // Verify installers (if built) are Signed and Notarized(mac only) verifyInstallers() From 052adf5323f42018e11f5dcf84908ab58d53bb1f Mon Sep 17 00:00:00 2001 From: Andrew Leonard Date: Thu, 5 Dec 2024 13:17:19 +0000 Subject: [PATCH 03/15] Update verify_signing.groovy to check Windows exes only have one signature Signed-off-by: Andrew Leonard --- pipelines/build/common/verify_signing.groovy | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pipelines/build/common/verify_signing.groovy b/pipelines/build/common/verify_signing.groovy index 3c251f644..6ec91064b 100644 --- a/pipelines/build/common/verify_signing.groovy +++ b/pipelines/build/common/verify_signing.groovy @@ -200,7 +200,7 @@ void verifyExecutables(String unpack_dir, String issueToOrg) { echo "Error: ${f} is NOT signed by ${issueToOrg}." unsigned="$unsigned $f" cc_unsigned=$((cc_unsigned+1)) - elif + else echo "Signed correctly: ${f}" cc_signed=$((cc_signed+1)) fi From 6dfeb146960587a28c1d999456626d6611c9ce04 Mon Sep 17 00:00:00 2001 From: Andrew Leonard Date: Thu, 5 Dec 2024 13:44:37 +0000 Subject: [PATCH 04/15] Update verify_signing.groovy to check Windows exes only have one signature Signed-off-by: Andrew Leonard --- pipelines/build/common/verify_signing.groovy | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pipelines/build/common/verify_signing.groovy b/pipelines/build/common/verify_signing.groovy index 6ec91064b..f28bd4264 100644 --- a/pipelines/build/common/verify_signing.groovy +++ b/pipelines/build/common/verify_signing.groovy @@ -168,7 +168,7 @@ void verifyExecutables(String unpack_dir, String issueToOrg) { // Find all exe/dll's that must be Signed - withEnv(['unpack_dir='+unpack_dir, 'signtool='+signtool]) { + withEnv(['unpack_dir='+unpack_dir, 'signtool='+signtool, 'issueToOrg='+issueToOrg]) { // groovylint-disable sh ''' #!/bin/bash From 7c4447047f7f6f3adcda2aa3c81e1bbac35cea01 Mon Sep 17 00:00:00 2001 From: Andrew Leonard Date: Thu, 5 Dec 2024 15:02:12 +0000 Subject: [PATCH 05/15] Prevent jdk11+ from running external sign.sh as already signed during build Signed-off-by: Andrew Leonard --- pipelines/build/common/openjdk_build_pipeline.groovy | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/pipelines/build/common/openjdk_build_pipeline.groovy b/pipelines/build/common/openjdk_build_pipeline.groovy index 04010a1e6..e547e71dd 100644 --- a/pipelines/build/common/openjdk_build_pipeline.groovy +++ b/pipelines/build/common/openjdk_build_pipeline.groovy @@ -748,11 +748,12 @@ class Build { /* Run the Sign downstream job. We run this job on windows and jdk8 hotspot & jdk13 mac builds. The job code signs and notarizes the binaries so they can run on these operating systems without encountering issues. + tarball signing only required for jdk8u, as jdk11+ is signed dynamically during the build. */ def sign(VersionInfo versionInfo) { // Sign and archive jobs if needed if ( - buildConfig.TARGET_OS == 'windows' || (buildConfig.TARGET_OS == 'mac') + (buildConfig.TARGET_OS == 'windows' || (buildConfig.TARGET_OS == 'mac') && buildConfig.JAVA_TO_BUILD == 'jdk8u') ) { context.stage('sign zip/tgz') { def filter = '' From ccc2ce7deb8b665436f8bd655d93d1ae2f5c7227 Mon Sep 17 00:00:00 2001 From: Andrew Leonard Date: Thu, 5 Dec 2024 15:56:01 +0000 Subject: [PATCH 06/15] Prevent jdk11+ from running external sign.sh as already signed during build Signed-off-by: Andrew Leonard --- pipelines/build/common/openjdk_build_pipeline.groovy | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pipelines/build/common/openjdk_build_pipeline.groovy b/pipelines/build/common/openjdk_build_pipeline.groovy index e547e71dd..479bc61a9 100644 --- a/pipelines/build/common/openjdk_build_pipeline.groovy +++ b/pipelines/build/common/openjdk_build_pipeline.groovy @@ -748,7 +748,7 @@ class Build { /* Run the Sign downstream job. We run this job on windows and jdk8 hotspot & jdk13 mac builds. The job code signs and notarizes the binaries so they can run on these operating systems without encountering issues. - tarball signing only required for jdk8u, as jdk11+ is signed dynamically during the build. + Tarball signing only required for jdk8u, as jdk11+ is signed dynamically during the build. */ def sign(VersionInfo versionInfo) { // Sign and archive jobs if needed From 7aeeedd998cc3f1616fe3112db0f4a0bcdbb9e3e Mon Sep 17 00:00:00 2001 From: Andrew Leonard Date: Fri, 6 Dec 2024 12:57:10 +0000 Subject: [PATCH 07/15] Prevent jdk11+ from running external sign.sh as already signed during build Signed-off-by: Andrew Leonard --- pipelines/build/common/openjdk_build_pipeline.groovy | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pipelines/build/common/openjdk_build_pipeline.groovy b/pipelines/build/common/openjdk_build_pipeline.groovy index 479bc61a9..ae394b022 100644 --- a/pipelines/build/common/openjdk_build_pipeline.groovy +++ b/pipelines/build/common/openjdk_build_pipeline.groovy @@ -753,7 +753,7 @@ class Build { def sign(VersionInfo versionInfo) { // Sign and archive jobs if needed if ( - (buildConfig.TARGET_OS == 'windows' || (buildConfig.TARGET_OS == 'mac') && buildConfig.JAVA_TO_BUILD == 'jdk8u') + (buildConfig.TARGET_OS == 'windows' || buildConfig.TARGET_OS == 'mac') && buildConfig.JAVA_TO_BUILD == 'jdk8u') ) { context.stage('sign zip/tgz') { def filter = '' From 9a76577e321b0fad356a754e6680431aae3edf62 Mon Sep 17 00:00:00 2001 From: Andrew Leonard Date: Fri, 6 Dec 2024 14:11:02 +0000 Subject: [PATCH 08/15] Prevent jdk11+ from running external sign.sh as already signed during build Signed-off-by: Andrew Leonard --- pipelines/build/common/openjdk_build_pipeline.groovy | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/pipelines/build/common/openjdk_build_pipeline.groovy b/pipelines/build/common/openjdk_build_pipeline.groovy index ae394b022..d554fc7a6 100644 --- a/pipelines/build/common/openjdk_build_pipeline.groovy +++ b/pipelines/build/common/openjdk_build_pipeline.groovy @@ -1571,7 +1571,10 @@ class Build { success=true fi else - if ! curl --fail --silent --show-error -o "$f" -F file="@${dir}/unsigned_${file}" https://cbi.eclipse.org/authenticode/sign; then + if [ "$file" =~ api-ms-win.* ] || [ "$file" =~ msvcp.* ] || [ "$file" =~ ucrtbase.* ] || [ "$file" =~ vcruntime.* ]; then + echo "Skipping Microsoft file $file" + success=true + elif ! curl --fail --silent --show-error -o "$f" -F file="@${dir}/unsigned_${file}" https://cbi.eclipse.org/authenticode/sign; then echo "curl command failed, sign of $f failed" else success=true From 2832f7e969e1f430173b4f4581a31cd57045c556 Mon Sep 17 00:00:00 2001 From: Andrew Leonard Date: Fri, 6 Dec 2024 14:23:59 +0000 Subject: [PATCH 09/15] Prevent jdk11+ from running external sign.sh as already signed during build Signed-off-by: Andrew Leonard --- pipelines/build/common/openjdk_build_pipeline.groovy | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/pipelines/build/common/openjdk_build_pipeline.groovy b/pipelines/build/common/openjdk_build_pipeline.groovy index d554fc7a6..37d46523c 100644 --- a/pipelines/build/common/openjdk_build_pipeline.groovy +++ b/pipelines/build/common/openjdk_build_pipeline.groovy @@ -753,7 +753,8 @@ class Build { def sign(VersionInfo versionInfo) { // Sign and archive jobs if needed if ( - (buildConfig.TARGET_OS == 'windows' || buildConfig.TARGET_OS == 'mac') && buildConfig.JAVA_TO_BUILD == 'jdk8u') + (buildConfig.TARGET_OS == 'windows' || buildConfig.TARGET_OS == 'mac') && + buildConfig.JAVA_TO_BUILD == 'jdk8u' ) { context.stage('sign zip/tgz') { def filter = '' From d7757392deb980334ddaac8b33140cd95114a270 Mon Sep 17 00:00:00 2001 From: Andrew Leonard Date: Fri, 6 Dec 2024 15:46:35 +0000 Subject: [PATCH 10/15] Prevent jdk11+ from running external sign.sh as already signed during build Signed-off-by: Andrew Leonard --- pipelines/build/common/openjdk_build_pipeline.groovy | 2 +- tt.sh | 6 ++++++ 2 files changed, 7 insertions(+), 1 deletion(-) create mode 100644 tt.sh diff --git a/pipelines/build/common/openjdk_build_pipeline.groovy b/pipelines/build/common/openjdk_build_pipeline.groovy index 37d46523c..275d2e627 100644 --- a/pipelines/build/common/openjdk_build_pipeline.groovy +++ b/pipelines/build/common/openjdk_build_pipeline.groovy @@ -1572,7 +1572,7 @@ class Build { success=true fi else - if [ "$file" =~ api-ms-win.* ] || [ "$file" =~ msvcp.* ] || [ "$file" =~ ucrtbase.* ] || [ "$file" =~ vcruntime.* ]; then + if [[ "$file" =~ api-ms-win.* ]] || [[ "$file" =~ msvcp.* ]] || [[ "$file" =~ ucrtbase.* ]] || [[ "$file" =~ vcruntime.* ]]; then echo "Skipping Microsoft file $file" success=true elif ! curl --fail --silent --show-error -o "$f" -F file="@${dir}/unsigned_${file}" https://cbi.eclipse.org/authenticode/sign; then diff --git a/tt.sh b/tt.sh new file mode 100644 index 000000000..d2f26996f --- /dev/null +++ b/tt.sh @@ -0,0 +1,6 @@ + +file="api-ms-winsdfsdfsf.dll" +if [[ "$file" =~ api-ms-win.* ]] || [[ "$file" =~ msvcp.* ]] || [[ "$file" =~ ucrtbase.* ]] || [[ "$file" =~ vcruntime.* ]]; then + echo "Skipping Microsoft file $file" +fi + From 79eb4189c7ef717626e40dc1ab3992fadda39ddf Mon Sep 17 00:00:00 2001 From: Andrew Leonard Date: Fri, 6 Dec 2024 16:42:07 +0000 Subject: [PATCH 11/15] Prevent jdk11+ from running external sign.sh as already signed during build Signed-off-by: Andrew Leonard --- tt.sh | 6 ------ 1 file changed, 6 deletions(-) delete mode 100644 tt.sh diff --git a/tt.sh b/tt.sh deleted file mode 100644 index d2f26996f..000000000 --- a/tt.sh +++ /dev/null @@ -1,6 +0,0 @@ - -file="api-ms-winsdfsdfsf.dll" -if [[ "$file" =~ api-ms-win.* ]] || [[ "$file" =~ msvcp.* ]] || [[ "$file" =~ ucrtbase.* ]] || [[ "$file" =~ vcruntime.* ]]; then - echo "Skipping Microsoft file $file" -fi - From b42ffe1bbd6a28f943d458316a1e61ab7a636147 Mon Sep 17 00:00:00 2001 From: Andrew Leonard Date: Fri, 6 Dec 2024 19:12:51 +0000 Subject: [PATCH 12/15] Prevent jdk11+ from running external sign.sh as already signed during build Signed-off-by: Andrew Leonard --- .../common/openjdk_build_pipeline.groovy | 93 ++++++++++--------- 1 file changed, 50 insertions(+), 43 deletions(-) diff --git a/pipelines/build/common/openjdk_build_pipeline.groovy b/pipelines/build/common/openjdk_build_pipeline.groovy index 275d2e627..d4cb58dce 100644 --- a/pipelines/build/common/openjdk_build_pipeline.groovy +++ b/pipelines/build/common/openjdk_build_pipeline.groovy @@ -1563,57 +1563,64 @@ class Build { echo "Signing $f using Eclipse Foundation codesign service" dir=$(dirname "$f") file=$(basename "$f") - mv "$f" "${dir}/unsigned_${file}" - success=false - if [ "${base_os}" == "mac" ]; then - if ! curl --fail --silent --show-error -o "$f" -F file="@${dir}/unsigned_${file}" -F entitlements="@$ENTITLEMENTS" https://cbi.eclipse.org/macos/codesign/sign; then - echo "curl command failed, sign of $f failed" - else - success=true - fi - else + ms_file_skipped=false + if [ "${base_os}" == "windows" ]; then + # Check if file is a Microsoft supplied file that is already signed if [[ "$file" =~ api-ms-win.* ]] || [[ "$file" =~ msvcp.* ]] || [[ "$file" =~ ucrtbase.* ]] || [[ "$file" =~ vcruntime.* ]]; then echo "Skipping Microsoft file $file" - success=true - elif ! curl --fail --silent --show-error -o "$f" -F file="@${dir}/unsigned_${file}" https://cbi.eclipse.org/authenticode/sign; then - echo "curl command failed, sign of $f failed" - else - success=true + ms_file_skipped=true fi fi - if [ $success == false ]; then - # Retry up to 20 times - max_iterations=20 - iteration=1 - echo "Code Not Signed For File $f" - while [ $iteration -le $max_iterations ] && [ $success = false ]; do - echo $iteration Of $max_iterations - sleep 1 - if [ "${base_os}" == "mac" ]; then - if curl --fail --silent --show-error -o "$f" -F file="@${dir}/unsigned_${file}" -F entitlements="@$ENTITLEMENTS" https://cbi.eclipse.org/macos/codesign/sign; then - success=true - fi + if [ $ms_file_skipped == false ]; then + mv "$f" "${dir}/unsigned_${file}" + success=false + if [ "${base_os}" == "mac" ]; then + if ! curl --fail --silent --show-error -o "$f" -F file="@${dir}/unsigned_${file}" -F entitlements="@$ENTITLEMENTS" https://cbi.eclipse.org/macos/codesign/sign; then + echo "curl command failed, sign of $f failed" else - if curl --fail --silent --show-error -o "$f" -F file="@${dir}/unsigned_${file}" https://cbi.eclipse.org/authenticode/sign; then - success=true - fi + success=true fi - - if [ $success = false ]; then - echo "curl command failed, $f Failed Signing On Attempt $iteration" - iteration=$((iteration+1)) - if [ $iteration -gt $max_iterations ] - then - echo "Errors Encountered During Signing" - exit 1 - fi + else + if ! curl --fail --silent --show-error -o "$f" -F file="@${dir}/unsigned_${file}" https://cbi.eclipse.org/authenticode/sign; then + echo "curl command failed, sign of $f failed" else - echo "$f Signed OK On Attempt $iteration" + success=true fi - done - fi - chmod --reference="${dir}/unsigned_${file}" "$f" - rm -rf "${dir}/unsigned_${file}" + fi + if [ $success == false ]; then + # Retry up to 20 times + max_iterations=20 + iteration=1 + echo "Code Not Signed For File $f" + while [ $iteration -le $max_iterations ] && [ $success = false ]; do + echo $iteration Of $max_iterations + sleep 1 + if [ "${base_os}" == "mac" ]; then + if curl --fail --silent --show-error -o "$f" -F file="@${dir}/unsigned_${file}" -F entitlements="@$ENTITLEMENTS" https://cbi.eclipse.org/macos/codesign/sign; then + success=true + fi + else + if curl --fail --silent --show-error -o "$f" -F file="@${dir}/unsigned_${file}" https://cbi.eclipse.org/authenticode/sign; then + success=true + fi + fi + + if [ $success = false ]; then + echo "curl command failed, $f Failed Signing On Attempt $iteration" + iteration=$((iteration+1)) + if [ $iteration -gt $max_iterations ] + then + echo "Errors Encountered During Signing" + exit 1 + fi + else + echo "$f Signed OK On Attempt $iteration" + fi + done + fi + chmod --reference="${dir}/unsigned_${file}" "$f" + rm -rf "${dir}/unsigned_${file}" + fi # ms_file_skipped == false done ''' // groovylint-enable From 03537b1d605d44e15c30354e4ec8c902c3094642 Mon Sep 17 00:00:00 2001 From: Andrew Leonard Date: Fri, 6 Dec 2024 20:52:07 +0000 Subject: [PATCH 13/15] Prevent jdk11+ from running external sign.sh as already signed during build Signed-off-by: Andrew Leonard --- pipelines/build/common/openjdk_build_pipeline.groovy | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pipelines/build/common/openjdk_build_pipeline.groovy b/pipelines/build/common/openjdk_build_pipeline.groovy index d4cb58dce..148b9f48f 100644 --- a/pipelines/build/common/openjdk_build_pipeline.groovy +++ b/pipelines/build/common/openjdk_build_pipeline.groovy @@ -1560,7 +1560,6 @@ class Build { fi for f in $FILES do - echo "Signing $f using Eclipse Foundation codesign service" dir=$(dirname "$f") file=$(basename "$f") ms_file_skipped=false @@ -1572,6 +1571,7 @@ class Build { fi fi if [ $ms_file_skipped == false ]; then + echo "Signing $f using Eclipse Foundation codesign service" mv "$f" "${dir}/unsigned_${file}" success=false if [ "${base_os}" == "mac" ]; then From 6d2ab9e1501d1e0a7896b28dbe85771a5a73bbf8 Mon Sep 17 00:00:00 2001 From: Andrew Leonard Date: Tue, 10 Dec 2024 10:23:07 +0000 Subject: [PATCH 14/15] Prevent jdk11+ from running external sign.sh as already signed during build Signed-off-by: Andrew Leonard --- pipelines/build/common/openjdk_build_pipeline.groovy | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pipelines/build/common/openjdk_build_pipeline.groovy b/pipelines/build/common/openjdk_build_pipeline.groovy index 148b9f48f..693a1bd31 100644 --- a/pipelines/build/common/openjdk_build_pipeline.groovy +++ b/pipelines/build/common/openjdk_build_pipeline.groovy @@ -1551,6 +1551,8 @@ class Build { #!/bin/bash set -eu echo "Signing JMOD files under build path ${base_path} for base_os ${base_os}" + echo "FINDING libjli.dylib ..." + find "${base_path}" -name "libjli.dylib" TMP_DIR="${base_path}/" if [ "${base_os}" == "mac" ]; then ENTITLEMENTS="$WORKSPACE/entitlements.plist" From 07a44dd1dcadaca315013d307b9d152921fd5c2d Mon Sep 17 00:00:00 2001 From: Andrew Leonard Date: Tue, 10 Dec 2024 16:17:06 +0000 Subject: [PATCH 15/15] Prevent jdk11+ from running external sign.sh as already signed during build Signed-off-by: Andrew Leonard --- pipelines/build/common/openjdk_build_pipeline.groovy | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/pipelines/build/common/openjdk_build_pipeline.groovy b/pipelines/build/common/openjdk_build_pipeline.groovy index 693a1bd31..2b8c60929 100644 --- a/pipelines/build/common/openjdk_build_pipeline.groovy +++ b/pipelines/build/common/openjdk_build_pipeline.groovy @@ -748,13 +748,11 @@ class Build { /* Run the Sign downstream job. We run this job on windows and jdk8 hotspot & jdk13 mac builds. The job code signs and notarizes the binaries so they can run on these operating systems without encountering issues. - Tarball signing only required for jdk8u, as jdk11+ is signed dynamically during the build. */ def sign(VersionInfo versionInfo) { // Sign and archive jobs if needed if ( - (buildConfig.TARGET_OS == 'windows' || buildConfig.TARGET_OS == 'mac') && - buildConfig.JAVA_TO_BUILD == 'jdk8u' + buildConfig.TARGET_OS == 'windows' || (buildConfig.TARGET_OS == 'mac') ) { context.stage('sign zip/tgz') { def filter = '' @@ -1551,8 +1549,6 @@ class Build { #!/bin/bash set -eu echo "Signing JMOD files under build path ${base_path} for base_os ${base_os}" - echo "FINDING libjli.dylib ..." - find "${base_path}" -name "libjli.dylib" TMP_DIR="${base_path}/" if [ "${base_os}" == "mac" ]; then ENTITLEMENTS="$WORKSPACE/entitlements.plist"