Prevent multiple Windows exe/dll signing and verify #1157

Merged
merged 15 commits into from
Dec 11, 2024
4b16a3e
Update verify_signing.groovy to check Windows exes only have one sign…
andrew-m-leonard Dec 5, 2024
fe5b0b9
Update verify_signing.groovy to check Windows exes only have one sign…
andrew-m-leonard Dec 5, 2024
052adf5
Update verify_signing.groovy to check Windows exes only have one sign…
andrew-m-leonard Dec 5, 2024
6dfeb14
Update verify_signing.groovy to check Windows exes only have one sign…
andrew-m-leonard Dec 5, 2024
7c44470
Prevent jdk11+ from running external sign.sh as already signed during…
andrew-m-leonard Dec 5, 2024
ccc2ce7
Prevent jdk11+ from running external sign.sh as already signed during…
andrew-m-leonard Dec 5, 2024
7aeeedd
Prevent jdk11+ from running external sign.sh as already signed during…
andrew-m-leonard Dec 6, 2024
9a76577
Prevent jdk11+ from running external sign.sh as already signed during…
andrew-m-leonard Dec 6, 2024
2832f7e
Prevent jdk11+ from running external sign.sh as already signed during…
andrew-m-leonard Dec 6, 2024
d775739
Prevent jdk11+ from running external sign.sh as already signed during…
andrew-m-leonard Dec 6, 2024
79eb418
Prevent jdk11+ from running external sign.sh as already signed during…
andrew-m-leonard Dec 6, 2024
b42ffe1
Prevent jdk11+ from running external sign.sh as already signed during…
andrew-m-leonard Dec 6, 2024
03537b1
Prevent jdk11+ from running external sign.sh as already signed during…
andrew-m-leonard Dec 6, 2024
6d2ab9e
Prevent jdk11+ from running external sign.sh as already signed during…
andrew-m-leonard Dec 10, 2024
07a44dd
Prevent jdk11+ from running external sign.sh as already signed during…
andrew-m-leonard Dec 10, 2024
96 changes: 53 additions & 43 deletions pipelines/build/common/openjdk_build_pipeline.groovy
Expand Up @@ -1558,57 +1558,67 @@ class Build {
fi
for f in $FILES
do
echo "Signing $f using Eclipse Foundation codesign service"
dir=$(dirname "$f")
file=$(basename "$f")
mv "$f" "${dir}/unsigned_${file}"
success=false
if [ "${base_os}" == "mac" ]; then
if ! curl --fail --silent --show-error -o "$f" -F file="@${dir}/unsigned_${file}" -F entitlements="@$ENTITLEMENTS" https://cbi.eclipse.org/macos/codesign/sign; then
echo "curl command failed, sign of $f failed"
else
success=true
fi
else
if ! curl --fail --silent --show-error -o "$f" -F file="@${dir}/unsigned_${file}" https://cbi.eclipse.org/authenticode/sign; then
echo "curl command failed, sign of $f failed"
else
success=true
ms_file_skipped=false
if [ "${base_os}" == "windows" ]; then
# Check if file is a Microsoft supplied file that is already signed
if [[ "$file" =~ api-ms-win.* ]] || [[ "$file" =~ msvcp.* ]] || [[ "$file" =~ ucrtbase.* ]] || [[ "$file" =~ vcruntime.* ]]; then
echo "Skipping Microsoft file $file"
ms_file_skipped=true
fi
fi
if [ $success == false ]; then
# Retry up to 20 times
max_iterations=20
iteration=1
echo "Code Not Signed For File $f"
while [ $iteration -le $max_iterations ] && [ $success = false ]; do
echo $iteration Of $max_iterations
sleep 1
if [ "${base_os}" == "mac" ]; then
if curl --fail --silent --show-error -o "$f" -F file="@${dir}/unsigned_${file}" -F entitlements="@$ENTITLEMENTS" https://cbi.eclipse.org/macos/codesign/sign; then
success=true
fi
if [ $ms_file_skipped == false ]; then
echo "Signing $f using Eclipse Foundation codesign service"
mv "$f" "${dir}/unsigned_${file}"
success=false
if [ "${base_os}" == "mac" ]; then
if ! curl --fail --silent --show-error -o "$f" -F file="@${dir}/unsigned_${file}" -F entitlements="@$ENTITLEMENTS" https://cbi.eclipse.org/macos/codesign/sign; then
echo "curl command failed, sign of $f failed"
else
if curl --fail --silent --show-error -o "$f" -F file="@${dir}/unsigned_${file}" https://cbi.eclipse.org/authenticode/sign; then
success=true
fi
success=true
fi

if [ $success = false ]; then
echo "curl command failed, $f Failed Signing On Attempt $iteration"
iteration=$((iteration+1))
if [ $iteration -gt $max_iterations ]
then
echo "Errors Encountered During Signing"
exit 1
fi
else
if ! curl --fail --silent --show-error -o "$f" -F file="@${dir}/unsigned_${file}" https://cbi.eclipse.org/authenticode/sign; then
echo "curl command failed, sign of $f failed"
else
echo "$f Signed OK On Attempt $iteration"
success=true
fi
done
fi
chmod --reference="${dir}/unsigned_${file}" "$f"
rm -rf "${dir}/unsigned_${file}"
fi
if [ $success == false ]; then
# Retry up to 20 times
max_iterations=20
iteration=1
echo "Code Not Signed For File $f"
while [ $iteration -le $max_iterations ] && [ $success = false ]; do
echo $iteration Of $max_iterations
sleep 1
if [ "${base_os}" == "mac" ]; then
if curl --fail --silent --show-error -o "$f" -F file="@${dir}/unsigned_${file}" -F entitlements="@$ENTITLEMENTS" https://cbi.eclipse.org/macos/codesign/sign; then
success=true
fi
else
if curl --fail --silent --show-error -o "$f" -F file="@${dir}/unsigned_${file}" https://cbi.eclipse.org/authenticode/sign; then
success=true
fi
fi

if [ $success = false ]; then
echo "curl command failed, $f Failed Signing On Attempt $iteration"
iteration=$((iteration+1))
if [ $iteration -gt $max_iterations ]
then
echo "Errors Encountered During Signing"
exit 1
fi
else
echo "$f Signed OK On Attempt $iteration"
fi
done
fi
chmod --reference="${dir}/unsigned_${file}" "$f"
rm -rf "${dir}/unsigned_${file}"
fi # ms_file_skipped == false
done
'''
// groovylint-enable
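Review bot: The Microsoft-file skip at `if [[ "$file" =~ api-ms-win.* ]] || [[ "$file" =~ msvcp.* ]] || ...` uses unanchored patterns, so any basename that merely contains `msvcp`, `ucrtbase` or `vcruntime` somewhere would be left unsigned, not only the runtime DLLs the comment describes; anchoring them, `if [[ "$file" =~ ^(api-ms-win|msvcp|ucrtbase|vcruntime) ]]; then`, limits the exception to the intended prefixes. The skip is decided by filename alone, so this step never checks that the file actually carries a Microsoft signature; presumably the verify_signing.groovy stage is what enforces that, and a comment stating it, `# Name-based skip only; verify_signing.groovy confirms a Microsoft signature is present`, would make the trust boundary explicit. The `sh '''` script this loop belongs to begins above the hunk.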
27 changes: 22 additions & 5 deletions pipelines/build/common/verify_signing.groovy
Expand Up @@ -22,6 +22,7 @@ Parameters:
- TARGET_OS : "mac" or "windows"
- TARGET_ARCH : "aarch64 or "x64" or "x86-32"
- NODE_LABEL : Jenkins label for where to run
- CERT_ISSUED_TO : Issued to org name to verify Windows Signatures

*/

Expand Down Expand Up @@ -112,7 +113,7 @@ void unpackArchives(String unpack_dir, String[] archives) {
}

// Verify executables for Signatures
void verifyExecutables(String unpack_dir) {
void verifyExecutables(String unpack_dir, String issueToOrg) {
if (params.TARGET_OS == "mac") {
// On Mac find all dylib's and "executable" binaries
// Ignore "legal" text folder to reduce the number of non-extension files it finds...
Expand Down Expand Up @@ -167,7 +168,7 @@ void verifyExecutables(String unpack_dir) {

// Find all exe/dll's that must be Signed

withEnv(['unpack_dir='+unpack_dir, 'signtool='+signtool]) {
withEnv(['unpack_dir='+unpack_dir, 'signtool='+signtool, 'issueToOrg='+issueToOrg]) {
// groovylint-disable
sh '''
#!/bin/bash
Expand All @@ -185,8 +186,24 @@ void verifyExecutables(String unpack_dir) {
unsigned="$unsigned $f"
cc_unsigned=$((cc_unsigned+1))
else
echo "Signed correctly: ${f}"
cc_signed=$((cc_signed+1))
num_microsoft_sigs=$("${signtool}" verify /v /all /pa ${f} | grep "Issued to:" | grep "Microsoft" | wc -l)
num_org_sigs=$("${signtool}" verify /v /all /pa ${f} | grep "Issued to:" | grep "${issueToOrg}" | wc -l)
if [[ "$num_microsoft_sigs" -ne 0 ]] && [[ "$num_org_sigs" -ne 0 ]]; then
echo "Error: ${f} should not be signed by ${issueToOrg} as it is already signed by Microsoft."
unsigned="$unsigned $f"
cc_unsigned=$((cc_unsigned+1))
elif [[ "$num_microsoft_sigs" -eq 0 ]] && [[ "$num_org_sigs" -gt 1 ]]; then
echo "Error: ${f} is signed by ${issueToOrg} ${num_org_sigs} times, it must only be signed once."
unsigned="$unsigned $f"
cc_unsigned=$((cc_unsigned+1))
elif [[ "$num_microsoft_sigs" -eq 0 ]] && [[ "$num_org_sigs" -eq 0 ]]; then
echo "Error: ${f} is NOT signed by ${issueToOrg}."
unsigned="$unsigned $f"
cc_unsigned=$((cc_unsigned+1))
else
echo "Signed correctly: ${f}"
cc_signed=$((cc_signed+1))
fi
fi
done

Expand Down Expand Up @@ -355,7 +372,7 @@ if (params.TARGET_OS != "mac" && params.TARGET_OS != "windows") {
unpackArchives(unpack_dir, archives)

// Verify all executables for Signatures
verifyExecutables(unpack_dir)
verifyExecutables(unpack_dir, "${params.CERT_ISSUED_TO}")

// Verify installers (if built) are Signed and Notarized(mac only)
verifyInstallers()
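Review bot: In the hunk at `@@ -185,8 +186,24 @@`, `grep "${issueToOrg}"` treats the org name as an unanchored regular expression, so a name containing `.` or `(` is interpreted rather than matched literally, and an empty CERT_ISSUED_TO, which nothing validates before `verifyExecutables(unpack_dir, "${params.CERT_ISSUED_TO}")`, makes it count every `Issued to:` line and silently weakens the check; `grep -F -- "${issueToOrg}"` together with a guard such as `: "${issueToOrg:?CERT_ISSUED_TO must be set}"` at the start of the script would close both gaps. `${f}` is unquoted in both `"${signtool}" verify /v /all /pa ${f}` calls, inconsistent with the quoted `"${signtool}"` beside it, and signtool is run twice per file; capturing `"${signtool}" verify /v /all /pa "${f}" | grep "Issued to:"` once into a variable and counting from it would fix both. The `grep "Microsoft"` count has the same substring looseness, accepting any subject line containing that word; whether that is acceptable presumably rests on the chain validation done by the `signtool verify` call above this hunk, which is outside the shown lines.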