From 9d02d2c40525f66e55e7b875ecf2e08cb95d74df Mon Sep 17 00:00:00 2001
From: Andrew Leonard <31470007+andrew-m-leonard@users.noreply.github.com>
Date: Wed, 8 Jan 2025 14:38:15 +0000
Subject: [PATCH] Update jdk8u sign.sh Eclipse signing to not sign apims
 Microsoft files (#4112)

Signed-off-by: Andrew Leonard <anleonar@redhat.com>
---
 sign.sh | 59 +++++++++++++++++++++++++++++++--------------------------
 1 file changed, 32 insertions(+), 27 deletions(-)

diff --git a/sign.sh b/sign.sh
index 618f86dfc..076d9d819 100755
--- a/sign.sh
+++ b/sign.sh
@@ -78,38 +78,43 @@ signRelease()
           echo "Signing ${f}"
           if [ "$SIGN_TOOL" = "eclipse" ]; then
            if [ "${VERSION}" = "8" ]; then
-            echo "Signing $f using Eclipse Foundation codesign service"
             dir=$(dirname "$f")
             file=$(basename "$f")
-            mv "$f" "${dir}/unsigned_${file}"
-            if ! curl --fail --silent --show-error -o "$f" -F file="@${dir}/unsigned_${file}" https://cbi.eclipse.org/authenticode/sign; then
-              echo "curl command failed, sign of $f failed"
+            # Check if file is a Microsoft supplied file that is already signed
+            if [[ "$file" =~ api-ms-win.* ]] || [[ "$file" =~ API-MS-Win.* ]] || [[ "$file" =~ msvcp.* ]] || [[ "$file" =~ ucrtbase.* ]] || [[ "$file" =~ vcruntime.* ]]; then
+              echo "Skipping Microsoft file $file"
+            else
+              echo "Signing $f using Eclipse Foundation codesign service"
+              mv "$f" "${dir}/unsigned_${file}"
+              if ! curl --fail --silent --show-error -o "$f" -F file="@${dir}/unsigned_${file}" https://cbi.eclipse.org/authenticode/sign; then
+                echo "curl command failed, sign of $f failed"
 
-              # Retry up to 20 times
-              max_iterations=20
-              iteration=1
-              success=false 
-              echo "Code Not Signed For File $f"
-              while [ $iteration -le $max_iterations ] && [ $success = false ]; do
-                echo $iteration Of $max_iterations
-                sleep 1
-                if ! curl --fail --silent --show-error -o "$f" -F file="@${dir}/unsigned_${file}" https://cbi.eclipse.org/authenticode/sign; then
-                  echo "curl command failed, $f Failed Signing On Attempt $iteration"
-                  success=false
-                  iteration=$((iteration+1))
-                  if [ $iteration -gt $max_iterations ]
-                  then
-                    echo "Errors Encountered During Signing"
-                    exit 1
+                # Retry up to 20 times
+                max_iterations=20
+                iteration=1
+                success=false 
+                echo "Code Not Signed For File $f"
+                while [ $iteration -le $max_iterations ] && [ $success = false ]; do
+                  echo $iteration Of $max_iterations
+                  sleep 1
+                  if ! curl --fail --silent --show-error -o "$f" -F file="@${dir}/unsigned_${file}" https://cbi.eclipse.org/authenticode/sign; then
+                    echo "curl command failed, $f Failed Signing On Attempt $iteration"
+                    success=false
+                    iteration=$((iteration+1))
+                    if [ $iteration -gt $max_iterations ]
+                    then
+                      echo "Errors Encountered During Signing"
+                      exit 1
+                    fi
+                  else
+                    echo "$f Signed OK On Attempt $iteration"
+                    success=true
                   fi
-                else
-                  echo "$f Signed OK On Attempt $iteration"
-                  success=true
-                fi
-              done
+                done
+              fi
+              chmod --reference="${dir}/unsigned_${file}" "$f"
+              rm -rf "${dir}/unsigned_${file}"
             fi
-            chmod --reference="${dir}/unsigned_${file}" "$f"
-            rm -rf "${dir}/unsigned_${file}"
            else
             echo "Eclipse signing for JDK version ${VERSION} does not externally sign Windows executables post-build"
            fi
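Review bot: The skip test added in the `VERSION = 8` branch uses unanchored regexes, so `[[ "$file" =~ msvcp.* ]]` matches any file whose name merely contains `msvcp` (likewise `ucrtbase`, `vcruntime` and `api-ms-win`), and that file is then never sent for signing. Anchoring the match to the start of the name would narrow it to the intended redistributables, e.g. `if [[ "$file" =~ ^(api-ms-win|API-MS-Win|msvcp|ucrtbase|vcruntime) ]]; then`. The new comment says these files are "already signed", but the branch decides by file name alone and nothing visible in the hunk checks that a valid signature is actually present. If a verification step exists elsewhere in the script, a comment pointing to it would help, such as `# Skipped by name only; existing signature is checked in <verification step>`. signRelease begins and ends outside this hunk, so whether such a check exists cannot be confirmed from here.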