From bd9369797d0cf9f7d3147874d5c08f034dba19ef Mon Sep 17 00:00:00 2001 From: Haroon Khel Date: Mon, 16 Dec 2024 11:54:10 +0000 Subject: [PATCH 01/12] Kick off temurin sign jsf using groovy script --- .../build/common/sign_temurin_jsf.groovy | 87 +++++++++++++++++++ 1 file changed, 87 insertions(+) create mode 100644 pipelines/build/common/sign_temurin_jsf.groovy diff --git a/pipelines/build/common/sign_temurin_jsf.groovy b/pipelines/build/common/sign_temurin_jsf.groovy new file mode 100644 index 000000000..1a0b10252 --- /dev/null +++ b/pipelines/build/common/sign_temurin_jsf.groovy 
@@ -0,0 +1,87 @@
+/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ https://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+/*
+ Signs and verifies SBOMs using the Eclipse signing PEM key
+ https://ci.adoptium.net/job/build-scripts/job/release/job/sign_temurin_jsf/
+
+ Parameters:
+ UPSTREAM_JOB_NAME Upstream job name from which to copy unsigned SBOMs
+ UPSTREAM_JOB_NUMBER Job number of UPSTREAM_JOB_NAME to copy artifacts from
+ UPSTREAM_DIR Directory of UPSTREAM_JOB_NAME to copy artifacts from
+*/
+
+def NODE_LABEL = "jsfsign"
+
+stage('Signing SBOM') {
+ // Build SBOM Libraries
+ println "Kicking off build_sign_sbom_libraries to build SBOM libraries"
+ def buildSBOMLibrariesJob = context.build job: 'build_sign_sbom_libraries',
+ propagate: true
+
+ node(NODE_LABEL) {
+
+ try {
+ // Clean workspace
+ println "Cleaning workspace"
+ cleanWs notFailBuild: true, disableDeferredWipeout: true, deleteDirs: true
+
+ println "Copying SBOMs from ${UPSTREAM_JOB_NUMBER} build number ${UPSTREAM_JOB_NUMBER}"
+ context.copyArtifacts(
+ projectName: "${UPSTREAM_JOB_NAME}",
+ selector: context.specific("${UPSTREAM_JOB_NUMBER}"),
+ filter: 'workspace/target/*sbom*.json',
+ fingerprintArtifacts: true,
+ target: 'artifacts',
+ flatten: true
+ )
+
+ println "Copying JARs from build_sign_sbom_libraries build number ${buildSBOMLibrariesJob.getNumber()}"
+ context.copyArtifacts(
+ projectName: "build_sign_sbom_libraries",
+ selector: context.specific("${buildSBOMLibrariesJob.getNumber()}"),
+ filter: 'cyclonedx-lib/build/jar/*.jar',
+ fingerprintArtifacts: 
true,
+ target: 'artifacts',
+ flatten: true
+ )
+
+ def publicKey = "ef-attestation-public"
+ def privateKey = "ef-attestation-private"
+
+ withCredentials([file(credentialsId: privateKey, variable: 'PRIVATE_KEY'), file(credentialsId: publicKey, variable: 'PUBLIC_KEY')]) {
+ // Sign SBOMS
+ sh '''
+ cd artifacts
+ for ARTIFACT in $(find . \( -name *sbom*.json \) | grep -v metadata.json); do
+ echo "Signing ${ARTIFACT}"
+ java -cp "cyclonedx-lib/build/jar/*" temurin.sbom.TemurinSignSBOM --verbose --signSBOM --jsonFile "${ARTIFACT}" --privateKeyFile "$PRIVATE_KEY"
+
+ echo "Verifying Signature on ${ARTIFACT}"
+ java -cp "cyclonedx-lib/build/jar/*" temurin.sbom.TemurinSignSBOM --verbose --verifySignature --jsonFile "${ARTIFACT}" --publicKeyFile "$PUBLIC_KEY"
+ done
+ '''
+ }
+ context.timeout(time: 1, unit: 'HOURS') {
+ archiveArtifacts artifacts: 'artifacts/*sbom*.json'
+ }
+ }
+ catch (FlowInterruptedException e) {
+ throw new Exception("[ERROR] Archive artifact timeout 1 HOURS for sign_temurin_jsf has been reached. Exiting...")
+ }
+ finally {
+ cleanWs notFailBuild: true, disableDeferredWipeout: true, deleteDirs: true
+ }
+ }
+}
\ No newline at end of file
From 6bdf791a632c246966d4790562479dae430e51d0 Mon Sep 17 00:00:00 2001
From: Haroon Khel
Date: Mon, 16 Dec 2024 11:58:03 +0000
Subject: [PATCH 02/12] remove backslash
---
 pipelines/build/common/sign_temurin_jsf.groovy | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pipelines/build/common/sign_temurin_jsf.groovy b/pipelines/build/common/sign_temurin_jsf.groovy
index 1a0b10252..036142b89 100644
--- a/pipelines/build/common/sign_temurin_jsf.groovy
+++ b/pipelines/build/common/sign_temurin_jsf.groovy
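Review bot: `projectName: "${UPSTREAM_JOB_NAME}"` in the first `copyArtifacts` call is taken straight from a build parameter, so anyone allowed to start this job can name any job whose artifacts it may read and have those files signed with `ef-attestation-private`; an allowlist check before the copy, e.g. `if (!(UPSTREAM_JOB_NAME in ALLOWED_UPSTREAM_JOBS)) { error "Refusing to sign artifacts from ${UPSTREAM_JOB_NAME}" }`, would close that. The jar that receives `$PRIVATE_KEY` is whatever `build_sign_sbom_libraries` has just produced, and nothing here records what was built — if that job tracks a branch head rather than a pinned ref, logging `sha256sum cyclonedx-lib/build/jar/*.jar` before signing would at least make the code that touched the key auditable. The `catch (FlowInterruptedException e)` block rethrows without the cause and labels every interrupt, including a manual abort, as an archive timeout; `throw new Exception("...", e)` keeps the original, and the message should not assume the timeout. `UPSTREAM_DIR` is listed in the header comment but never read; drop it or use it.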
@@ -64,7 +64,7 @@ stage('Signing SBOM') { // Sign SBOMS sh ''' cd artifacts - for ARTIFACT in $(find . \( -name *sbom*.json \) | grep -v metadata.json); do + for ARTIFACT in $(find . ( -name *sbom*.json ) | grep -v metadata.json); do echo "Signing ${ARTIFACT}" java -cp "cyclonedx-lib/build/jar/*" temurin.sbom.TemurinSignSBOM --verbose --signSBOM --jsonFile "${ARTIFACT}" --privateKeyFile "$PRIVATE_KEY" From 251d6e12e8c9be86ea4303fa8663c829e2743b9e Mon Sep 17 00:00:00 2001 From: Haroon Khel Date: Mon, 16 Dec 2024 11:59:39 +0000 Subject: [PATCH 03/12] import package --- pipelines/build/common/sign_temurin_jsf.groovy | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pipelines/build/common/sign_temurin_jsf.groovy b/pipelines/build/common/sign_temurin_jsf.groovy index 036142b89..487c540f5 100644 --- a/pipelines/build/common/sign_temurin_jsf.groovy +++ b/pipelines/build/common/sign_temurin_jsf.groovy @@ -22,6 +22,8 @@ limitations under the License. UPSTREAM_DIR Directory of UPSTREAM_JOB_NAME to copy artifacts from */ +import org.jenkinsci.plugins.workflow.steps.FlowInterruptedException + def NODE_LABEL = "jsfsign" stage('Signing SBOM') { From 359b72ed4099200f6d9267d58ae42422f0276050 Mon Sep 17 00:00:00 2001 From: Haroon Khel Date: Mon, 16 Dec 2024 12:05:41 +0000 Subject: [PATCH 04/12] Double quotes to single --- pipelines/build/common/sign_temurin_jsf.groovy | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pipelines/build/common/sign_temurin_jsf.groovy b/pipelines/build/common/sign_temurin_jsf.groovy index 487c540f5..dc87309a6 100644 --- a/pipelines/build/common/sign_temurin_jsf.groovy +++ b/pipelines/build/common/sign_temurin_jsf.groovy @@ -24,7 +24,7 @@ limitations under the License. import org.jenkinsci.plugins.workflow.steps.FlowInterruptedException -def NODE_LABEL = "jsfsign" +def NODE_LABEL = 'jsfsign' stage('Signing SBOM') { // Build SBOM Libraries From b8617cb43a3a98a49faff994d174aac39864560e Mon Sep 17 00:00:00 2001 
From: Haroon Khel Date: Mon, 16 Dec 2024 12:43:17 +0000 Subject: [PATCH 05/12] Move SBOM library job into try block --- pipelines/build/common/sign_temurin_jsf.groovy | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/pipelines/build/common/sign_temurin_jsf.groovy b/pipelines/build/common/sign_temurin_jsf.groovy index dc87309a6..d059b88f2 100644 --- a/pipelines/build/common/sign_temurin_jsf.groovy +++ b/pipelines/build/common/sign_temurin_jsf.groovy @@ -24,17 +24,17 @@ limitations under the License. import org.jenkinsci.plugins.workflow.steps.FlowInterruptedException -def NODE_LABEL = 'jsfsign' - stage('Signing SBOM') { - // Build SBOM Libraries - println "Kicking off build_sign_sbom_libraries to build SBOM libraries" - def buildSBOMLibrariesJob = context.build job: 'build_sign_sbom_libraries', - propagate: true - node(NODE_LABEL) { + node('jsfsign') { try { + + // Build SBOM Libraries + println "Kicking off build_sign_sbom_libraries to build SBOM libraries" + def buildSBOMLibrariesJob = context.build job: 'build_sign_sbom_libraries', + propagate: true + // Clean workspace println "Cleaning workspace" cleanWs notFailBuild: true, disableDeferredWipeout: true, deleteDirs: true From 0df843e96348a184c2639aebe4835f3623eb4d19 Mon Sep 17 00:00:00 2001 From: Haroon Khel Date: Mon, 16 Dec 2024 12:51:05 +0000 Subject: [PATCH 06/12] Remove context --- pipelines/build/common/sign_temurin_jsf.groovy | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/pipelines/build/common/sign_temurin_jsf.groovy b/pipelines/build/common/sign_temurin_jsf.groovy index d059b88f2..6c8450736 100644 --- a/pipelines/build/common/sign_temurin_jsf.groovy +++ b/pipelines/build/common/sign_temurin_jsf.groovy 
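Review bot: Moving `build job: 'build_sign_sbom_libraries'` inside `node('jsfsign')` holds the restricted signing executor for the whole library build, which previously ran before the node was taken; if the move is only so the failure path covers it, a cheaper option is to keep the call above `node` and wrap it in its own `try`. The stage's `catch` (outside this hunk) still reports any `FlowInterruptedException` as an archive timeout, and that message now also covers an aborted library build. The enclosing `try` ends beyond this hunk.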
@@ -29,10 +29,9 @@ stage('Signing SBOM') { node('jsfsign') { try { - // Build SBOM Libraries println "Kicking off build_sign_sbom_libraries to build SBOM libraries" - def buildSBOMLibrariesJob = context.build job: 'build_sign_sbom_libraries', + def buildSBOMLibrariesJob = build job: 'build_sign_sbom_libraries', propagate: true // Clean workspace @@ -40,9 +39,9 @@ stage('Signing SBOM') { cleanWs notFailBuild: true, disableDeferredWipeout: true, deleteDirs: true println "Copying SBOMs from ${UPSTREAM_JOB_NUMBER} build number ${UPSTREAM_JOB_NUMBER}" - context.copyArtifacts( + copyArtifacts( projectName: "${UPSTREAM_JOB_NAME}", - selector: context.specific("${UPSTREAM_JOB_NUMBER}"), + selector: specific("${UPSTREAM_JOB_NUMBER}"), filter: 'workspace/target/*sbom*.json', fingerprintArtifacts: true, target: 'artifacts', @@ -50,9 +49,9 @@ stage('Signing SBOM') { ) println "Copying JARs from build_sign_sbom_libraries build number ${buildSBOMLibrariesJob.getNumber()}" - context.copyArtifacts( + copyArtifacts( projectName: "build_sign_sbom_libraries", - selector: context.specific("${buildSBOMLibrariesJob.getNumber()}"), + selector: specific("${buildSBOMLibrariesJob.getNumber()}"), filter: 'cyclonedx-lib/build/jar/*.jar', fingerprintArtifacts: true, target: 'artifacts', @@ -75,7 +74,7 @@ stage('Signing SBOM') { done ''' } - context.timeout(time: 1, unit: 'HOURS') { + timeout(time: 1, unit: 'HOURS') { archiveArtifacts artifacts: 'artifacts/*sbom*.json' } } From 51e614477ba1d7a36767967071cf4829412e6ea0 Mon Sep 17 00:00:00 2001 From: Haroon Khel Date: Mon, 16 Dec 2024 13:04:33 +0000 Subject: [PATCH 07/12] Remove brackets --- pipelines/build/common/sign_temurin_jsf.groovy | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pipelines/build/common/sign_temurin_jsf.groovy b/pipelines/build/common/sign_temurin_jsf.groovy index 6c8450736..cb70594d2 100644 --- a/pipelines/build/common/sign_temurin_jsf.groovy +++ b/pipelines/build/common/sign_temurin_jsf.groovy 
@@ -38,7 +38,7 @@ stage('Signing SBOM') { println "Cleaning workspace" cleanWs notFailBuild: true, disableDeferredWipeout: true, deleteDirs: true - println "Copying SBOMs from ${UPSTREAM_JOB_NUMBER} build number ${UPSTREAM_JOB_NUMBER}" + println "Copying SBOMs from ${UPSTREAM_JOB_NAME} build number ${UPSTREAM_JOB_NUMBER}" copyArtifacts( projectName: "${UPSTREAM_JOB_NAME}", selector: specific("${UPSTREAM_JOB_NUMBER}"), @@ -65,7 +65,7 @@ stage('Signing SBOM') { // Sign SBOMS sh ''' cd artifacts - for ARTIFACT in $(find . ( -name *sbom*.json ) | grep -v metadata.json); do + for ARTIFACT in $(find . -name *sbom*.json | grep -v metadata.json); do echo "Signing ${ARTIFACT}" java -cp "cyclonedx-lib/build/jar/*" temurin.sbom.TemurinSignSBOM --verbose --signSBOM --jsonFile "${ARTIFACT}" --privateKeyFile "$PRIVATE_KEY" From 8d561b3717c9a280960df99e1d817401da5b47f2 Mon Sep 17 00:00:00 2001 From: Haroon Khel Date: Mon, 16 Dec 2024 13:09:00 +0000 Subject: [PATCH 08/12] Add double quotes to find expression --- pipelines/build/common/sign_temurin_jsf.groovy | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pipelines/build/common/sign_temurin_jsf.groovy b/pipelines/build/common/sign_temurin_jsf.groovy index cb70594d2..9cd903d59 100644 --- a/pipelines/build/common/sign_temurin_jsf.groovy +++ b/pipelines/build/common/sign_temurin_jsf.groovy @@ -65,7 +65,7 @@ stage('Signing SBOM') { // Sign SBOMS sh ''' cd artifacts - for ARTIFACT in $(find . -name *sbom*.json | grep -v metadata.json); do + for ARTIFACT in $(find . -name "*sbom*.json" | grep -v metadata.json); do echo "Signing ${ARTIFACT}" java -cp "cyclonedx-lib/build/jar/*" temurin.sbom.TemurinSignSBOM --verbose --signSBOM --jsonFile "${ARTIFACT}" --privateKeyFile "$PRIVATE_KEY" From 381ee19c9c9ee96448a713db5903a2f588278843 Mon Sep 17 00:00:00 2001 
From: Haroon Khel Date: Mon, 16 Dec 2024 13:11:12 +0000 Subject: [PATCH 09/12] Add set -eu to sh script --- pipelines/build/common/sign_temurin_jsf.groovy | 3 +++ 1 file changed, 3 insertions(+) diff --git a/pipelines/build/common/sign_temurin_jsf.groovy b/pipelines/build/common/sign_temurin_jsf.groovy index 9cd903d59..ba7c9c0ef 100644 --- a/pipelines/build/common/sign_temurin_jsf.groovy +++ b/pipelines/build/common/sign_temurin_jsf.groovy @@ -64,6 +64,9 @@ stage('Signing SBOM') { withCredentials([file(credentialsId: privateKey, variable: 'PRIVATE_KEY'), file(credentialsId: publicKey, variable: 'PUBLIC_KEY')]) { // Sign SBOMS sh ''' + #!/bin/bash + set -eu + cd artifacts for ARTIFACT in $(find . -name "*sbom*.json" | grep -v metadata.json); do echo "Signing ${ARTIFACT}" From bf51640e9d2cd397e5daf5569e0f8f5a50f8df6d Mon Sep 17 00:00:00 2001 From: Haroon Khel Date: Mon, 16 Dec 2024 13:14:03 +0000 Subject: [PATCH 10/12] Fix Java classpath --- pipelines/build/common/sign_temurin_jsf.groovy | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/pipelines/build/common/sign_temurin_jsf.groovy b/pipelines/build/common/sign_temurin_jsf.groovy index ba7c9c0ef..5066d359f 100644 --- a/pipelines/build/common/sign_temurin_jsf.groovy +++ b/pipelines/build/common/sign_temurin_jsf.groovy 
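Review bot: The `#!/bin/bash` line is preceded by the newline and indentation that follow `sh '''`, so it is most likely not at the start of the script text and is treated as a plain comment — Jenkins then runs the block with its default shell and `-xe` flags rather than bash (worth confirming on the jsfsign agent). If bash is actually required, write `sh '''#!/bin/bash` with the shebang on the opening line; if not, drop it and keep `set -eu`. Either way `-e` is in effect, so a non-zero exit from either `java` call aborts the loop before `archiveArtifacts` runs, which is the right outcome provided `TemurinSignSBOM` exits non-zero when verification fails — that behaviour is not visible here.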
@@ -66,14 +66,15 @@ stage('Signing SBOM') { sh ''' #!/bin/bash set -eu - + ls -la cd artifacts + ls -la for ARTIFACT in $(find . -name "*sbom*.json" | grep -v metadata.json); do echo "Signing ${ARTIFACT}" - java -cp "cyclonedx-lib/build/jar/*" temurin.sbom.TemurinSignSBOM --verbose --signSBOM --jsonFile "${ARTIFACT}" --privateKeyFile "$PRIVATE_KEY" + java -cp "cyclonedx-lib/build/jar/*.jar" temurin.sbom.TemurinSignSBOM --verbose --signSBOM --jsonFile "${ARTIFACT}" --privateKeyFile "$PRIVATE_KEY" echo "Verifying Signature on ${ARTIFACT}" - java -cp "cyclonedx-lib/build/jar/*" temurin.sbom.TemurinSignSBOM --verbose --verifySignature --jsonFile "${ARTIFACT}" --publicKeyFile "$PUBLIC_KEY" + java -cp "cyclonedx-lib/build/jar/*.jar" temurin.sbom.TemurinSignSBOM --verbose --verifySignature --jsonFile "${ARTIFACT}" --publicKeyFile "$PUBLIC_KEY" done ''' } From 93684ed438a7c3ad52624c5aeff49db391d7edcf Mon Sep 17 00:00:00 2001 From: Haroon Khel Date: Mon, 16 Dec 2024 13:16:13 +0000 Subject: [PATCH 11/12] Fix Java class path --- pipelines/build/common/sign_temurin_jsf.groovy | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/pipelines/build/common/sign_temurin_jsf.groovy b/pipelines/build/common/sign_temurin_jsf.groovy index 5066d359f..1f0c8d67f 100644 --- a/pipelines/build/common/sign_temurin_jsf.groovy +++ b/pipelines/build/common/sign_temurin_jsf.groovy 
@@ -71,15 +71,16 @@ stage('Signing SBOM') { ls -la for ARTIFACT in $(find . -name "*sbom*.json" | grep -v metadata.json); do echo "Signing ${ARTIFACT}" - java -cp "cyclonedx-lib/build/jar/*.jar" temurin.sbom.TemurinSignSBOM --verbose --signSBOM --jsonFile "${ARTIFACT}" --privateKeyFile "$PRIVATE_KEY" + java -cp "./*.jar" temurin.sbom.TemurinSignSBOM --verbose --signSBOM --jsonFile "${ARTIFACT}" --privateKeyFile "$PRIVATE_KEY" echo "Verifying Signature on ${ARTIFACT}" - java -cp "cyclonedx-lib/build/jar/*.jar" temurin.sbom.TemurinSignSBOM --verbose --verifySignature --jsonFile "${ARTIFACT}" --publicKeyFile "$PUBLIC_KEY" + java -cp "./*.jar" temurin.sbom.TemurinSignSBOM --verbose --verifySignature --jsonFile "${ARTIFACT}" --publicKeyFile "$PUBLIC_KEY" done ''' } timeout(time: 1, unit: 'HOURS') { - archiveArtifacts artifacts: 'artifacts/*sbom*.json' + archiveArtifacts artifacts: 'artifacts/*sbom*.json', + excludes: '*metadata*' } } catch (FlowInterruptedException e) { From 8c73ae8201bcbbac8d4582957b1f68ed70e7be4d Mon Sep 17 00:00:00 2001 From: Haroon Khel Date: Mon, 16 Dec 2024 13:19:06 +0000 Subject: [PATCH 12/12] java classpath --- pipelines/build/common/sign_temurin_jsf.groovy | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/pipelines/build/common/sign_temurin_jsf.groovy b/pipelines/build/common/sign_temurin_jsf.groovy index 1f0c8d67f..98ec2ff47 100644 --- a/pipelines/build/common/sign_temurin_jsf.groovy +++ b/pipelines/build/common/sign_temurin_jsf.groovy @@ -54,7 +54,7 @@ stage('Signing SBOM') { selector: specific("${buildSBOMLibrariesJob.getNumber()}"), filter: 'cyclonedx-lib/build/jar/*.jar', fingerprintArtifacts: true, - target: 'artifacts', + target: 'artifacts/cyclonedx-lib/build/jar', flatten: true ) 
@@ -71,16 +71,15 @@ stage('Signing SBOM') { ls -la for ARTIFACT in $(find . -name "*sbom*.json" | grep -v metadata.json); do echo "Signing ${ARTIFACT}" - java -cp "./*.jar" temurin.sbom.TemurinSignSBOM --verbose --signSBOM --jsonFile "${ARTIFACT}" --privateKeyFile "$PRIVATE_KEY" + java -cp "cyclonedx-lib/build/jar/*" temurin.sbom.TemurinSignSBOM --verbose --signSBOM --jsonFile "${ARTIFACT}" --privateKeyFile "$PRIVATE_KEY" echo "Verifying Signature on ${ARTIFACT}" - java -cp "./*.jar" temurin.sbom.TemurinSignSBOM --verbose --verifySignature --jsonFile "${ARTIFACT}" --publicKeyFile "$PUBLIC_KEY" + java -cp "cyclonedx-lib/build/jar/*" temurin.sbom.TemurinSignSBOM --verbose --verifySignature --jsonFile "${ARTIFACT}" --publicKeyFile "$PUBLIC_KEY" done ''' } timeout(time: 1, unit: 'HOURS') { - archiveArtifacts artifacts: 'artifacts/*sbom*.json', - excludes: '*metadata*' + archiveArtifacts artifacts: 'artifacts/*sbom*.json' } } catch (FlowInterruptedException e) {
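Review bot: `for ARTIFACT in $(find . -name "*sbom*.json" | grep -v metadata.json)` splits on whitespace and filters by substring; a null-delimited loop is safer, `find . -name '*sbom*.json' ! -name '*metadata.json' -print0 | while IFS= read -r -d '' ARTIFACT; do` with the matching `done`. Restoring `archiveArtifacts artifacts: 'artifacts/*sbom*.json'` without the `excludes` from the previous commit means any `*metadata.json` file that was skipped for signing is archived next to the signed files; if the metadata is meant to ship unsigned, say so in a comment, otherwise reinstate `excludes: '*metadata*'`. Whether such a file is present depends on what the upstream filter `workspace/target/*sbom*.json` matches, which is not visible here. The two `ls -la` lines read as leftover debugging. The `catch` block this hunk ends on continues outside it.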