Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Sign JMOD Windows exe/dll's using exploded/assemble method #822

Merged
merged 14 commits into from
Sep 30, 2023
Merged

Sign JMOD Windows exe/dll's using exploded/assemble method #822

Changes from all commits
Commits
Show all changes
14 commits
Select commit Hold shift + click to select a range
5cbbee8
Enable JMOD signing for Windows
andrew-m-leonard Sep 28, 2023
7ff6880
Enable JMOD signing for Windows
andrew-m-leonard Sep 28, 2023
592006d
Enable JMOD signing for Windows
andrew-m-leonard Sep 28, 2023
b3804fb
Enable JMOD signing for Windows
andrew-m-leonard Sep 28, 2023
a06a4b7
Enable JMOD signing for Windows
andrew-m-leonard Sep 28, 2023
65aa3dc
Enable JMOD signing for Windows
andrew-m-leonard Sep 28, 2023
3a29b69
Enable JMOD signing for Windows
andrew-m-leonard Sep 28, 2023
f6b37c6
Enable JMOD signing for Windows
andrew-m-leonard Sep 28, 2023
3273b7c
Enable JMOD signing for Windows
andrew-m-leonard Sep 28, 2023
777102c
Enable JMOD signing for Windows
andrew-m-leonard Sep 28, 2023
4e13e0e
Enable JMOD signing for Windows
andrew-m-leonard Sep 28, 2023
eb7db0c
Enable JMOD signing for Windows
andrew-m-leonard Sep 29, 2023
89a2055
Enable JMOD signing for Windows
andrew-m-leonard Sep 29, 2023
93ef4ff
Enable JMOD signing for Windows
andrew-m-leonard Sep 29, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
70 changes: 37 additions & 33 deletions pipelines/build/common/openjdk_build_pipeline.groovy
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1482,84 +1482,88 @@ class Build {
context.println '[CHECKOUT] Checking out to adoptium/temurin-build...'
repoHandler.checkoutAdoptBuild(context)
printGitRepoInfo()
if (buildConfig.TARGET_OS == 'mac' && buildConfig.JAVA_TO_BUILD != 'jdk8u') {
def macSignBuildArgs
if ((buildConfig.TARGET_OS == 'mac' || buildConfig.TARGET_OS == 'windows') && buildConfig.JAVA_TO_BUILD != 'jdk8u') {
context.println "Processing exploded build, sign JMODS, and assemble build, for platform ${buildConfig.TARGET_OS} version ${buildConfig.JAVA_TO_BUILD}"
def signBuildArgs
if (env.BUILD_ARGS != null && !env.BUILD_ARGS.isEmpty()) {
macSignBuildArgs = env.BUILD_ARGS + ' --make-exploded-image'
signBuildArgs = env.BUILD_ARGS + ' --make-exploded-image'
} else {
macSignBuildArgs = '--make-exploded-image'
signBuildArgs = '--make-exploded-image'
}
context.withEnv(['BUILD_ARGS=' + macSignBuildArgs]) {
context.withEnv(['BUILD_ARGS=' + signBuildArgs]) {
context.println 'Building an exploded image for signing'
context.sh(script: "./${ADOPT_DEFAULTS_JSON['scriptDirectories']['buildfarm']}")
}
def macos_base_path_arch = 'x86_64'
if (buildConfig.ARCHITECTURE == 'aarch64') {
macos_base_path_arch = 'aarch64'
}
def macos_base_path = "workspace/build/src/build/macosx-${macos_base_path_arch}-server-release"
if (buildConfig.JAVA_TO_BUILD == 'jdk11u') {
macos_base_path = "workspace/build/src/build/macosx-${macos_base_path_arch}-normal-server-release"
}
def base_path = context.sh(script: "ls -d workspace/build/src/build/* | tr -d '\\n'", returnStdout:true)
context.println "base build path for jmod signing = ${base_path}"
context.stash name: 'jmods',
includes: "${macos_base_path}/hotspot/variant-server/**/*," +
"${macos_base_path}/support/modules_cmds/**/*," +
"${macos_base_path}/support/modules_libs/**/*," +
includes: "${base_path}/hotspot/variant-server/**/*," +
"${base_path}/support/modules_cmds/**/*," +
"${base_path}/support/modules_libs/**/*," +
// JDK 16 + jpackage needs to be signed as well
"${macos_base_path}/jdk/modules/jdk.jpackage/jdk/jpackage/internal/resources/jpackageapplauncher"
"${base_path}/jdk/modules/jdk.jpackage/jdk/jpackage/internal/resources/jpackageapplauncher"

context.node('eclipse-codesign') {
context.sh "rm -rf ${macos_base_path}/* || true"
context.sh "rm -rf ${base_path}/* || true"

repoHandler.checkoutAdoptBuild(context)
printGitRepoInfo()

// Copy pre assembled binary ready for JMODs to be codesigned
context.unstash 'jmods'
context.withEnv(["macos_base_path=${macos_base_path}"]) {
def target_os = "${buildConfig.TARGET_OS}"
context.withEnv(['base_os='+target_os, 'base_path='+base_path]) {
// groovylint-disable
context.sh '''
#!/bin/bash
set -eu
echo "Signing JMOD files"
TMP_DIR="${macos_base_path}/"
ENTITLEMENTS="$WORKSPACE/entitlements.plist"
FILES=$(find "${TMP_DIR}" -perm +111 -type f -o -name '*.dylib' -type f || find "${TMP_DIR}" -perm /111 -type f -o -name '*.dylib' -type f)
echo "Signing JMOD files under build path ${base_path} for base_os ${base_os}"
TMP_DIR="${base_path}/"
if [ "${base_os}" == "mac" ]; then
ENTITLEMENTS="$WORKSPACE/entitlements.plist"
FILES=$(find "${TMP_DIR}" -perm +111 -type f -o -name '*.dylib' -type f || find "${TMP_DIR}" -perm /111 -type f -o -name '*.dylib' -type f)
else
FILES=$(find "${TMP_DIR}" -type f -name '*.exe' -o -name '*.dll')
fi
for f in $FILES
do
echo "Signing $f using Eclipse Foundation codesign service"
dir=$(dirname "$f")
file=$(basename "$f")
mv "$f" "${dir}/unsigned_${file}"
curl -o "$f" -F file="@${dir}/unsigned_${file}" -F entitlements="@$ENTITLEMENTS" https://cbi.eclipse.org/macos/codesign/sign
if [ "${base_os}" == "mac" ]; then
curl --fail --silent --show-error -o "$f" -F file="@${dir}/unsigned_${file}" -F entitlements="@$ENTITLEMENTS" https://cbi.eclipse.org/macos/codesign/sign
else
curl --fail --silent --show-error -o "$f" -F file="@${dir}/unsigned_${file}" https://cbi.eclipse.org/authenticode/sign
fi
chmod --reference="${dir}/unsigned_${file}" "$f"
rm -rf "${dir}/unsigned_${file}"
done
'''
// groovylint-enable
}
context.stash name: 'signed_jmods', includes: "${macos_base_path}/**/*"
context.stash name: 'signed_jmods', includes: "${base_path}/**/*"
}

// Remove jmod directories to be replaced with the stash saved above
context.sh "rm -rf ${macos_base_path}/hotspot/variant-server || true"
context.sh "rm -rf ${macos_base_path}/support/modules_cmds || true"
context.sh "rm -rf ${macos_base_path}/support/modules_libs || true"
context.sh "rm -rf ${base_path}/hotspot/variant-server || true"
context.sh "rm -rf ${base_path}/support/modules_cmds || true"
context.sh "rm -rf ${base_path}/support/modules_libs || true"
// JDK 16 + jpackage needs to be signed as well
if (buildConfig.JAVA_TO_BUILD != 'jdk11u') {
context.sh "rm -rf ${macos_base_path}/jdk/modules/jdk.jpackage/jdk/jpackage/internal/resources/jpackageapplauncher || true"
context.sh "rm -rf ${base_path}/jdk/modules/jdk.jpackage/jdk/jpackage/internal/resources/jpackageapplauncher || true"
}

// Restore signed JMODs
context.unstash 'signed_jmods'

def macAssembleBuildArgs
def assembleBuildArgs
if (env.BUILD_ARGS != null && !env.BUILD_ARGS.isEmpty()) {
macAssembleBuildArgs = env.BUILD_ARGS + ' --assemble-exploded-image'
assembleBuildArgs = env.BUILD_ARGS + ' --assemble-exploded-image'
} else {
macAssembleBuildArgs = '--assemble-exploded-image'
assembleBuildArgs = '--assemble-exploded-image'
}
context.withEnv(['BUILD_ARGS=' + macAssembleBuildArgs]) {
context.withEnv(['BUILD_ARGS=' + assembleBuildArgs]) {
context.println 'Assembling the exploded image'
context.sh(script: "./${ADOPT_DEFAULTS_JSON['scriptDirectories']['buildfarm']}")
}
Expand Down