Prevent jdk11+ from running external sign.sh as already signed during…

[andrew-m-leonard]

Fixes #3997 and #4057

Eclipse Temurin jdk-11+ Windows & Mac signing is performed internally during the jmod build, if sign_build is called after the build, we end up with "duplicate" Signatures, and for jdk-24+ the JDK runtime is modified causing a runtime failure due to the new jlink runtime verification.

This PR ensure for Eclipse Temurin signing, only jdk8u signs everything, and for jdk-11+ ONLY Contents/MacOS/libjli.dylib is signed, which is the bundle executable entry point which has to be signed post-bundle build.

[merks]

I'm looking forward to this being fixed in 24+27...

Given two reviewers are required to merge this fix, assigning an additional reviewer would be a good thing. 😬

[andrew-m-leonard]

I'm looking forward to this being fixed in 24+27...

Given two reviewers are required to merge this fix, assigning an additional reviewer would be a good thing. 😬

@merks hi, i'm hoping to get this merged today. I then need to do some separate work to build jdk24 which has now branched from mainstream jdk(head(25)) upstream, hopeful I can get that done in the next day too.

[andrew-m-leonard]

sign_build tests jobs:

• jdk 24 mac x64 : https://ci.adoptium.net/job/build-scripts/job/release/job/sign_build/29626/console - SUCCESS
• jdk 25 win x64 : https://ci.adoptium.net/job/build-scripts/job/release/job/sign_build/29630/console - SUCCESS
• jdk 24 mac aarch64 : https://ci.adoptium.net/job/build-scripts/job/release/job/sign_build/29625/console - SUCCESS
• jdk 8 mac x64 : https://ci.adoptium.net/job/build-scripts/job/release/job/sign_build/29628/console - SUCCESS
• jdk 8 win x64 : https://ci.adoptium.net/job/build-scripts/job/release/job/sign_build/29629/console - SUCCESS

[jerboaa]

Looks OK to me. Thanks for tracking this libjli.dylib issue down in the MacOS folder!