From eab15ddce3e44fda330fb11acfeb3242cbd4463d Mon Sep 17 00:00:00 2001 From: Scott Fryer Date: Wed, 5 Jul 2023 09:33:23 +0100 Subject: [PATCH 1/7] Add check for codesigning process. --- .../common/openjdk_build_pipeline.groovy | 47 ++++++++++++++----- 1 file changed, 35 insertions(+), 12 deletions(-) diff --git a/pipelines/build/common/openjdk_build_pipeline.groovy b/pipelines/build/common/openjdk_build_pipeline.groovy index 8d8c9e737..af1115cf8 100644 --- a/pipelines/build/common/openjdk_build_pipeline.groovy +++ b/pipelines/build/common/openjdk_build_pipeline.groovy @@ -301,7 +301,7 @@ class Build { // Use BUILD_REF override if specified vendorTestBranches = buildConfig.BUILD_REF ?: vendorTestBranches - + try { context.println 'Running smoke test' context.stage('smoke test') { @@ -332,10 +332,10 @@ class Build { context.string(name: 'VENDOR_TEST_REPOS', value: vendorTestRepos), context.string(name: 'VENDOR_TEST_BRANCHES', value: vendorTestBranches), context.string(name: 'TIME_LIMIT', value: '1') - ] + ] currentBuild.result = testJob.getResult() return testJob.getResult() - + } } catch (Exception e) { context.println "Failed to execute test: ${e.message}" @@ -351,7 +351,7 @@ class Build { def jdkBranch = getJDKBranch() def jdkRepo = getJDKRepo() def openj9Branch = (buildConfig.SCM_REF && buildConfig.VARIANT == 'openj9') ? buildConfig.SCM_REF : 'master' - + List testList = buildConfig.TEST_LIST List dynamicList = buildConfig.DYNAMIC_LIST List numMachines = buildConfig.NUM_MACHINES @@ -463,7 +463,7 @@ class Build { wait: true currentBuild.result = testJob.getResult() context.node('worker') { - //Copy Taps files from downstream test jobs if files available. + //Copy Taps files from downstream test jobs if files available. context.sh 'rm -f workspace/target/AQAvitTaps/*.tap' try { context.timeout(time: 2, unit: 'HOURS') { 
@@ -543,7 +543,7 @@ class Build { } } - targets.each { targetMode, targetTests -> + targets.each { targetMode, targetTests -> try { context.println "Remote trigger: ${targetTests}" remoteTargets["${targetTests}"] = { @@ -1478,7 +1478,8 @@ class Build { context.unstash 'jmods' context.withEnv(["macos_base_path=${macos_base_path}"]) { // groovylint-disable - context.sh ''' + try { + context.sh ''' #!/bin/bash set -eu echo "Signing JMOD files" @@ -1492,10 +1493,32 @@ class Build { file=$(basename "$f") mv "$f" "${dir}/unsigned_${file}" curl -o "$f" -F file="@${dir}/unsigned_${file}" -F entitlements="@$ENTITLEMENTS" https://cbi.eclipse.org/macos/codesign/sign - chmod --reference="${dir}/unsigned_${file}" "$f" - rm -rf "${dir}/unsigned_${file}" + TESTMACSIGN=`grep -i "Apple Certification Authority" "$f"|wc -l` + if [ $TESTMACSIGN -gt 0 ] + then + echo "Code Signed" + else + echo "Code Not Signed - Have 2nd Attempt" + sleep 2 + curl -o "$f" -F file="@${dir}/unsigned_${file}" -F entitlements="@$ENTITLEMENTS" https://cbi.eclipse.org/macos/codesign/sign + TESTMACSIGN2=`grep -i "Apple Certification Authority" "$f"|wc -l` + if [ $TESTMACSIGN2 -gt 0 ] + then + echo "$f Signed OK On 2nd Attempt" + chmod --reference="${dir}/unsigned_${file}" "$f" + rm -rf "${dir}/unsigned_${file}" + else + echo "$f Failed Signing On 2nd Attempt" + exit 1 + fi + fi done ''' + } catch (e) { + context.println("Failed to Perform Signing") + currentBuild.result = 'FAILURE' + } + // groovylint-enable } context.stash name: 'signed_jmods', includes: "${macos_base_path}/**/*" @@ -1670,7 +1693,7 @@ class Build { } } - /* + /* this function should only be used in pr-tester */ def updateGithubCommitStatus(STATE, MESSAGE) { 
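Review bot: The `catch (e)` added around the signing `context.sh` (PATCH 1/7, hunks at -1478 and -1492) logs and sets `currentBuild.result = 'FAILURE'` but does not rethrow, so execution falls through to `context.stash name: 'signed_jmods'` directly below it. After a signing failure that stash can hold unsigned or half-replaced files, including leftover `unsigned_*` copies, under a name that says they are signed. Whether later stages check `currentBuild.result` before using the stash is not visible in this hunk. I would end the catch with `throw e` so the stage stops before the stash. The enclosing method starts and ends outside the hunk.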
@@ -1722,7 +1745,7 @@ class Build { context.println "Executing tests: ${buildConfig.TEST_LIST}" context.println "Build num: ${env.BUILD_NUMBER}" context.println "File name: ${filename}" - + def enableReproducibleCompare = Boolean.valueOf(buildConfig.ENABLE_REPRODUCIBLE_COMPARE) def enableTests = Boolean.valueOf(buildConfig.ENABLE_TESTS) def enableInstallers = Boolean.valueOf(buildConfig.ENABLE_INSTALLERS) @@ -1925,7 +1948,7 @@ class Build { platform = 'x86-64_' + buildConfig.TARGET_OS } else { platform = buildConfig.ARCHITECTURE + '_' + buildConfig.TARGET_OS - } + } if ( !(platform == 'riscv64_linux' || platform =='aarch64_windows') ) { if ( !(buildConfig.JAVA_TO_BUILD == 'jdk8u' && platform == 's390x_linux') ) { context.echo "Remote trigger Eclipse Temurin AQA_Test_Pipeline job with ${platform} ${buildConfig.JAVA_TO_BUILD}" From cf904894f641911e6f35eb356218f581b6bbc866 Mon Sep 17 00:00:00 2001 From: Scott Fryer Date: Wed, 5 Jul 2023 10:21:13 +0100 Subject: [PATCH 2/7] Add looping signing attempts --- .../common/openjdk_build_pipeline.groovy | 39 ++++++++++++------- 1 file changed, 25 insertions(+), 14 deletions(-) diff --git a/pipelines/build/common/openjdk_build_pipeline.groovy b/pipelines/build/common/openjdk_build_pipeline.groovy index af1115cf8..32c630657 100644 --- a/pipelines/build/common/openjdk_build_pipeline.groovy +++ b/pipelines/build/common/openjdk_build_pipeline.groovy 
@@ -1497,21 +1497,32 @@ class Build { if [ $TESTMACSIGN -gt 0 ] then echo "Code Signed" + chmod --reference="${dir}/unsigned_${file}" "$f" + rm -rf "${dir}/unsigned_${file}" else - echo "Code Not Signed - Have 2nd Attempt" - sleep 2 - curl -o "$f" -F file="@${dir}/unsigned_${file}" -F entitlements="@$ENTITLEMENTS" https://cbi.eclipse.org/macos/codesign/sign - TESTMACSIGN2=`grep -i "Apple Certification Authority" "$f"|wc -l` - if [ $TESTMACSIGN2 -gt 0 ] - then - echo "$f Signed OK On 2nd Attempt" - chmod --reference="${dir}/unsigned_${file}" "$f" - rm -rf "${dir}/unsigned_${file}" - else - echo "$f Failed Signing On 2nd Attempt" - exit 1 - fi - fi + max_iterations=20 + iteration=1 + while [ $iteration -le $max_iterations ] + do + echo "Code Not Signed - Have Another Try" + sleep 1 + curl -o "$f" -F file="@${dir}/unsigned_${file}" -F entitlements="@$ENTITLEMENTS" https://cbi.eclipse.org/macos/codesign/sign + TESTMACSIGN2=`grep -i "Apple Certification Authority" "$FILE"|wc -l` + if [ $TESTMACSIGN2 -gt 0 ] + then + echo "$f Signed OK On Attempt $iteration" + break + else + echo "$f Failed Signing On Attempt $iteration" + iteration=$((iteration+1)) + fi + if [ $iteration -eq $max_iterations ] + then + echo "Reached Max Attempts" + exit 1 + fi + done + fi done ''' } catch (e) { From ecbf38cf57aac1f6fc604c5fbd7f1df64ad09dae Mon Sep 17 00:00:00 2001 From: Scott Fryer Date: Wed, 5 Jul 2023 11:09:18 +0100 Subject: [PATCH 3/7] Fix extra space --- pipelines/build/common/openjdk_build_pipeline.groovy | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/pipelines/build/common/openjdk_build_pipeline.groovy b/pipelines/build/common/openjdk_build_pipeline.groovy index 32c630657..6c4add2f1 100644 --- a/pipelines/build/common/openjdk_build_pipeline.groovy +++ b/pipelines/build/common/openjdk_build_pipeline.groovy 
@@ -1507,22 +1507,24 @@ class Build { echo "Code Not Signed - Have Another Try" sleep 1 curl -o "$f" -F file="@${dir}/unsigned_${file}" -F entitlements="@$ENTITLEMENTS" https://cbi.eclipse.org/macos/codesign/sign - TESTMACSIGN2=`grep -i "Apple Certification Authority" "$FILE"|wc -l` + TESTMACSIGN2=`grep -i "Apple Certification Authority" "$f"|wc -l` if [ $TESTMACSIGN2 -gt 0 ] then echo "$f Signed OK On Attempt $iteration" + chmod --reference="${dir}/unsigned_${file}" "$f" + rm -rf "${dir}/unsigned_${file}" break else echo "$f Failed Signing On Attempt $iteration" iteration=$((iteration+1)) fi - if [ $iteration -eq $max_iterations ] + if [ $iteration -eq $max_iterations ] then echo "Reached Max Attempts" exit 1 fi done - fi + fi done ''' } catch (e) { From 2cad75346a2a46a688468bafa1c910f1f50bf267 Mon Sep 17 00:00:00 2001 From: Scott Fryer Date: Thu, 6 Jul 2023 08:22:37 +0100 Subject: [PATCH 4/7] Review fixes Convert grep string to constant, and echo max iterations --- pipelines/build/common/openjdk_build_pipeline.groovy | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/pipelines/build/common/openjdk_build_pipeline.groovy b/pipelines/build/common/openjdk_build_pipeline.groovy index 6c4add2f1..2dc019eb3 100644 --- a/pipelines/build/common/openjdk_build_pipeline.groovy +++ b/pipelines/build/common/openjdk_build_pipeline.groovy @@ -1484,6 +1484,7 @@ class Build { set -eu echo "Signing JMOD files" TMP_DIR="${macos_base_path}/" + MACSIGNSTRING="Apple Certification Authority" ENTITLEMENTS="$WORKSPACE/entitlements.plist" FILES=$(find "${TMP_DIR}" -perm +111 -type f -o -name '*.dylib' -type f || find "${TMP_DIR}" -perm /111 -type f -o -name '*.dylib' -type f) for f in $FILES 
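Review bot: The `MACSIGNSTRING` check (PATCH 4/7, hunk at -1484, used in the hunks that follow) only shows that the downloaded bytes contain the text "Apple Certification Authority". It does not validate the signature, the signing identity, or that the returned file corresponds to the one uploaded, so any response body containing that string is accepted as signed. If the signing node has the macOS tooling, `codesign --verify --strict "$f"` is the real check. The use of `chmod --reference` suggests GNU userland, so the tooling may not be there; in that case add a comment next to the constant, such as `# heuristic only: substring match, not signature verification`, and verify downstream on a macOS agent. The script body starts outside this hunk.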
@@ -1493,7 +1494,7 @@ class Build { file=$(basename "$f") mv "$f" "${dir}/unsigned_${file}" curl -o "$f" -F file="@${dir}/unsigned_${file}" -F entitlements="@$ENTITLEMENTS" https://cbi.eclipse.org/macos/codesign/sign - TESTMACSIGN=`grep -i "Apple Certification Authority" "$f"|wc -l` + TESTMACSIGN=`grep -i "$MACSIGNSTRING" "$f"|wc -l` if [ $TESTMACSIGN -gt 0 ] then echo "Code Signed" @@ -1520,7 +1521,7 @@ class Build { fi if [ $iteration -eq $max_iterations ] then - echo "Reached Max Attempts" + echo "Reached Max Attempts = $max_iterations" exit 1 fi done From 56bf9476449233bb0862087984a619b0abc1f4d0 Mon Sep 17 00:00:00 2001 From: Scott Fryer Date: Thu, 6 Jul 2023 08:27:51 +0100 Subject: [PATCH 5/7] Add fail switch to curl Add fail switch to curl --- pipelines/build/common/openjdk_build_pipeline.groovy | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pipelines/build/common/openjdk_build_pipeline.groovy b/pipelines/build/common/openjdk_build_pipeline.groovy index 2dc019eb3..b223be712 100644 --- a/pipelines/build/common/openjdk_build_pipeline.groovy +++ b/pipelines/build/common/openjdk_build_pipeline.groovy @@ -1493,7 +1493,7 @@ class Build { dir=$(dirname "$f") file=$(basename "$f") mv "$f" "${dir}/unsigned_${file}" - curl -o "$f" -F file="@${dir}/unsigned_${file}" -F entitlements="@$ENTITLEMENTS" https://cbi.eclipse.org/macos/codesign/sign + curl --fail -o "$f" -F file="@${dir}/unsigned_${file}" -F entitlements="@$ENTITLEMENTS" https://cbi.eclipse.org/macos/codesign/sign TESTMACSIGN=`grep -i "$MACSIGNSTRING" "$f"|wc -l` if [ $TESTMACSIGN -gt 0 ] then 
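Review bot: Adding `--fail` to curl (PATCH 5/7, hunk at -1493, and again in the retry-loop hunk at -1507) interacts with the `set -eu` at the top of this script. An HTTP error now makes curl exit non-zero, and `set -e` aborts the whole script on that line, so the retry loop never runs for exactly the failures it was added to handle. The abort also leaves `"$f"` missing or truncated and the `unsigned_` copy in place. Guard the call so a failed transfer is treated as "not signed" and flows into the retry path, e.g. `if ! curl --fail -o "$f" ... ; then echo "curl failed for $f"; fi`. The script body starts outside the hunk.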
@@ -1507,7 +1507,7 @@ class Build { do echo "Code Not Signed - Have Another Try" sleep 1 - curl -o "$f" -F file="@${dir}/unsigned_${file}" -F entitlements="@$ENTITLEMENTS" https://cbi.eclipse.org/macos/codesign/sign + curl --fail -o "$f" -F file="@${dir}/unsigned_${file}" -F entitlements="@$ENTITLEMENTS" https://cbi.eclipse.org/macos/codesign/sign TESTMACSIGN2=`grep -i "Apple Certification Authority" "$f"|wc -l` if [ $TESTMACSIGN2 -gt 0 ] then From 75ee4c5123ce730f9bd0995b2e8c37513e7a9532 Mon Sep 17 00:00:00 2001 From: Scott Fryer Date: Thu, 6 Jul 2023 09:12:09 +0100 Subject: [PATCH 6/7] Use constant for signing string. --- pipelines/build/common/openjdk_build_pipeline.groovy | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pipelines/build/common/openjdk_build_pipeline.groovy b/pipelines/build/common/openjdk_build_pipeline.groovy index b223be712..2ecfd0c92 100644 --- a/pipelines/build/common/openjdk_build_pipeline.groovy +++ b/pipelines/build/common/openjdk_build_pipeline.groovy @@ -1508,7 +1508,7 @@ class Build { echo "Code Not Signed - Have Another Try" sleep 1 curl --fail -o "$f" -F file="@${dir}/unsigned_${file}" -F entitlements="@$ENTITLEMENTS" https://cbi.eclipse.org/macos/codesign/sign - TESTMACSIGN2=`grep -i "Apple Certification Authority" "$f"|wc -l` + TESTMACSIGN2=`grep -i "$MACSIGNSTRING" "$f"|wc -l` if [ $TESTMACSIGN2 -gt 0 ] then echo "$f Signed OK On Attempt $iteration" From cc3417e15531bff8882169d1305211fc288d2c90 Mon Sep 17 00:00:00 2001 From: Scott Fryer Date: Wed, 12 Jul 2023 12:27:18 +0100 Subject: [PATCH 7/7] Bug fix in library signing check. --- .../common/openjdk_build_pipeline.groovy | 78 ++++++++++--------- 1 file changed, 43 insertions(+), 35 deletions(-) diff --git a/pipelines/build/common/openjdk_build_pipeline.groovy b/pipelines/build/common/openjdk_build_pipeline.groovy index 2ecfd0c92..284e51136 100644 --- a/pipelines/build/common/openjdk_build_pipeline.groovy +++ b/pipelines/build/common/openjdk_build_pipeline.groovy 
@@ -1489,43 +1489,51 @@ class Build { FILES=$(find "${TMP_DIR}" -perm +111 -type f -o -name '*.dylib' -type f || find "${TMP_DIR}" -perm /111 -type f -o -name '*.dylib' -type f) for f in $FILES do - echo "Signing $f using Eclipse Foundation codesign service" - dir=$(dirname "$f") - file=$(basename "$f") - mv "$f" "${dir}/unsigned_${file}" - curl --fail -o "$f" -F file="@${dir}/unsigned_${file}" -F entitlements="@$ENTITLEMENTS" https://cbi.eclipse.org/macos/codesign/sign - TESTMACSIGN=`grep -i "$MACSIGNSTRING" "$f"|wc -l` - if [ $TESTMACSIGN -gt 0 ] + echo "Signing $f using Eclipse Foundation codesign service" + dir=$(dirname "$f") + file=$(basename "$f") + mv "$f" "${dir}/unsigned_${file}" + curl --fail --silent --show-error -o "$f" -F file="@${dir}/unsigned_${file}" -F entitlements="@$ENTITLEMENTS" https://cbi.eclipse.org/macos/codesign/sign + echo File = $f + TESTMACSIGN=`grep -i "$MACSIGNSTRING" "$f"|wc -l` + echo "Sign Result = $TESTMACSIGN" + if [[ $TESTMACSIGN -gt 0 ]] + then + echo "Code Signed For File $f" + chmod --reference="${dir}/unsigned_${file}" "$f" + rm -rf "${dir}/unsigned_${file}" + else + max_iterations=20 + iteration=1 + success=false + errcount=0 + echo "Code Not Signed For File $f" + while [[ $iteration -le $max_iterations ]] && [ $success = false ]; do + echo $iteration Of $max_iterations + sleep 1 + curl --fail -o "$f" -F file="@${dir}/unsigned_${file}" -F entitlements="@$ENTITLEMENTS" https://cbi.eclipse.org/macos/codesign/sign + TESTMACSIGN2=`grep -i "$MACSIGNSTRING" "$f"|wc -l` + echo TESTMACSIGN2 = $TESTMACSIGN2 + if [[ $TESTMACSIGN2 -gt 0 ]] + then + echo "$f Signed OK On Attempt $iteration" + chmod --reference="${dir}/unsigned_${file}" "$f" + rm -rf "${dir}/unsigned_${file}" + success=true + else + echo "$f Failed Signing On Attempt $iteration" + success=false + iteration=$((iteration+1)) + errcount=$((errcount+1)) + fi + done + if [[ $errcount -gt 0 ]] then - echo "Code Signed" - chmod --reference="${dir}/unsigned_${file}" "$f" - rm 
-rf "${dir}/unsigned_${file}" - else - max_iterations=20 - iteration=1 - while [ $iteration -le $max_iterations ] - do - echo "Code Not Signed - Have Another Try" - sleep 1 - curl --fail -o "$f" -F file="@${dir}/unsigned_${file}" -F entitlements="@$ENTITLEMENTS" https://cbi.eclipse.org/macos/codesign/sign - TESTMACSIGN2=`grep -i "$MACSIGNSTRING" "$f"|wc -l` - if [ $TESTMACSIGN2 -gt 0 ] - then - echo "$f Signed OK On Attempt $iteration" - chmod --reference="${dir}/unsigned_${file}" "$f" - rm -rf "${dir}/unsigned_${file}" - break - else - echo "$f Failed Signing On Attempt $iteration" - iteration=$((iteration+1)) - fi - if [ $iteration -eq $max_iterations ] - then - echo "Reached Max Attempts = $max_iterations" - exit 1 - fi - done + echo "Errors Encountered During Signing" + echo "Error Count = $errcount" + exit 1 fi + fi done ''' } catch (e) {
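Review bot: The final `if [[ $errcount -gt 0 ]]` guard (PATCH 7/7, hunk at -1489) exits 1 whenever any retry failed, even if a later retry succeeded and set `success=true`. The build therefore passes only when the first retry works, and the remaining iterations cannot rescue it. Test the outcome instead of the failure count: `if [ "$success" = false ]; then echo "Signing failed after $max_iterations attempts"; exit 1; fi`. Separately, the retry curl lacks the `--silent --show-error` given to the first call. The new `[[ ... ]]` tests also need bash, and the `#!/bin/bash` line appears to come after the newline that follows `'''`, so it may not be honoured as a shebang; worth confirming which shell Jenkins runs here.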