From 089f565e9e4d75065303207fc103a0278bf0d5a1 Mon Sep 17 00:00:00 2001 From: Andrew Leonard Date: Wed, 22 Nov 2023 10:24:32 +0000 Subject: [PATCH 01/92] Signing verifier job Signed-off-by: Andrew Leonard --- pipelines/build/common/verify_signing.groovy | 171 +++++++++++++++++++ 1 file changed, 171 insertions(+) create mode 100644 pipelines/build/common/verify_signing.groovy diff --git a/pipelines/build/common/verify_signing.groovy b/pipelines/build/common/verify_signing.groovy new file mode 100644 index 000000000..2f72d8585 --- /dev/null +++ b/pipelines/build/common/verify_signing.groovy 
@@ -0,0 +1,171 @@ +/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + https://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +/* + +Description: Verifies the upstream job artifacts are signed and notarized as expected. + +Parameters: + - UPSTREAM_JOB_NAME : Upstream job name containing artifacts + - UPSTREAM_JOB_NUMBER : Upstream job number containing artifacts + - TARGET_OS : "mac" or "windows" + - MAC_VERIFY_LABEL : Jenkins label for where to run "mac" + - WINDOWS_VERIFY_LABEL : Jenkins label for where to run "windows" + +*/ + + +Boolean verify = false +String verifyNode +switch(params.TARGET_OS) { + 'mac': + verifyNode = params.MAC_VERIFY_LABEL + verify = true + break + 'windows': + verifyNode = params.WINDOWS_VERIFY_LABEL + verify = true + break + default: + println "No signing verification for: ${params.TARGET_OS}" +} + +if (verify) { + println "Verifying signing for platform ${params.TARGET_OS}, ${job params.UPSTREAM_JOB_NAME} #${params.UPSTREAM_JOB_NUMBER}" + + // Switch to appropriate node + node(verifyNode) { + timestamps { + // Clean workspace to ensure no old artifacts + context.cleanWs notFailBuild: true, disableDeferredWipeout: true, deleteDirs: true + + def jdkFilter + def jreFilter + if (params.TARGET_OS == "mac") { + jdkFilter = "workspace/target/*-jdk*.tar.gz" + jreFilter = "workspace/target/*-jre*.tar.gz" + } else { // Windows + jdkFilter = "workspace/target/*-jdk*.zip" + jreFilter = "workspace/target/*-jre*.zip" + } + + println "[INFO] Retrieving ${jdkFilter} artifacts from ${job 
params.UPSTREAM_JOB_NAME}/${params.UPSTREAM_JOB_NUMBER}" + copyArtifacts( + projectName: "${job params.UPSTREAM_JOB_NAME}", + selector: specific("${params.UPSTREAM_JOB_NUMBER}"), + filter: "${jdkFilter}", + fingerprintArtifacts: true, + flatten: true + ) + println "[INFO] Retrieving ${jreFilter} artifacts from ${job params.UPSTREAM_JOB_NAME}/${params.UPSTREAM_JOB_NUMBER}" + copyArtifacts( + projectName: "${job params.UPSTREAM_JOB_NAME}", + selector: specific("${params.UPSTREAM_JOB_NUMBER}"), + filter: "${jreFilter}", + fingerprintArtifacts: true, + flatten: true + + // For Mac we need to also verify pkg files are "Notarized" + if (params.TARGET_OS == "mac") { + println "[INFO] Retrieving workspace/target/*.pkg artifacts from ${job params.UPSTREAM_JOB_NAME}/${params.UPSTREAM_JOB_NUMBER}" + copyArtifacts( + projectName: "${job params.UPSTREAM_JOB_NAME}", + selector: specific("${params.UPSTREAM_JOB_NUMBER}"), + filter: "workspace/target/*.pkg", + fingerprintArtifacts: true, + flatten: true + } + + // Unpack archives + if (params.TARGET_OS == "mac") { + context.sh("mkdir jdk && tar -C jdk *-jdk*.tar.gz") + context.sh("mkdir jre && tar -C jre *-jre*.tar.gz") + } else { // Windows + context.sh("mkdir jdk && unzip *-jdk*.tar.gz -d jdk") + context.sh("mkdir jre && unzip *-jre*.tar.gz -d jre") + } + + // Copy JDK so it can be used for unpacking + context.sh("cp -r jdk jdk_cp") + + def jdk_bin = "${WORKSPACE}/jdk_cp/bin" + if (params.TARGET_OS == "mac") { + jdk_bin = "${WORKSPACE}/jdk_cp/Contents/Home/bin" + } + + withEnv(['PATH+JAVA=${jdk_bin}']) { + def folders = ["jdk", "jre"] + folders.each { folder -> + // Expand JMODs + context.println "Expanding JMODS under ${folder}" + def jmods = findFiles(glob: "${folder}/**/*.jmod") + jmods.each { jmod -> + def expand_dir = "expanded_" + context.sh(script:"basename ${jmod}", returnStdout:true) + context.sh("mkdir ${expand_dir} && jmod extract --dir ${expand_dir} ${jmod}") + } + + // Expand "modules" compress image containing jmods 
+ context.println "Expanding 'modules' compressed image file under ${folder}" + def modules = findFiles(glob: "${folder}/**/modules") + modules.each { module -> + def expand_dir = "expanded_" + context.sh(script:"basename ${module}", returnStdout:true) + context.sh("mkdir ${expand_dir} && jimage extract --dir ${expand_dir} ${module}") + } + } + } + + if (params.TARGET_OS == "mac") { + // On Mac find all dylib's and binaries marked as "executable", + // also add "jpackageapplauncher" specific case which is not marked as "executable" + // as it is within the jdk.jpackage resources used by jpackage util to generate user app launchers + def bins = context.sh(script:"find . -perm +111 -type f -not -name '.*' -o -name '*.dylib' || find . -perm /111 -type f -not -name '.*' -o -name '*.dylib'", returnStdout:true) + bins.each { bin -> + def rc = context.sh(script:"codesign --verify --verbose ${bin}", returnStatus:true) + if (rc != 0) { + println "Error: dylib not signed: ${bin}" + currentBuild.result = 'FAILURE' + } else { + println "Signed correctly: ${bin}" + } + } + + // Find all pkg's that need to be Notarized + def pkgs = findFiles(glob: "*.pkg") + pkgs.each { pkg -> + def rc = context.sh(script:"spctl -a -vvv -t install ${pkg}", returnStatus:true) + if (rc != 0) { + println "Error: pkg not Notarized: ${pkg}" + currentBuild.result = 'FAILURE' + } else { + println "Notarized correctly: ${pkg}" + } + } + } else { // Windows + // Find all exe/dll's that must be Signed + def bins = findFiles(glob: "**/*.exe") + bins.addAll(findFiles(glob: "**/*.dll")) + bins.each { bin -> + def rc = context.sh(script:"signtool verify /v ${bin}", returnStatus:true) + if (rc != 0) { + println "Error: binary not signed: ${bin}" + currentBuild.result = 'FAILURE' + } else { + println "Signed correctly: ${bin}" + } + } + } + } + } +} + From 8607168f6266a2f3ba92dc6fe7905cb341dc2a37 Mon Sep 17 00:00:00 2001 
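Review bot: Every path that `findFiles` or the `find` pipe yields from the unpacked upstream archives is interpolated unquoted into a shell command (`codesign --verify --verbose ${bin}`, `spctl -a -vvv -t install ${pkg}`, `signtool verify /v ${bin}`, `basename ${jmod}`, `jmod extract --dir ${expand_dir} ${jmod}`), so a file name containing a space or shell metacharacters either breaks the command or is interpreted by the shell. The archive contents are exactly the input this job exists to distrust until verified, so hand each path to the shell through the environment and quote it there, e.g. `withEnv(["BIN=${bin}"]) { rc = sh(script: 'codesign --verify --verbose "$BIN"', returnStatus: true) }`, and do the same for the `spctl`, `signtool`, `basename` and extract calls. The same pattern is repeated in the later `context.sh` → `sh` rename, so fixing it here covers all of them.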
From: Andrew Leonard Date: Wed, 22 Nov 2023 10:35:05 +0000 Subject: [PATCH 02/92] Signing verifier job Signed-off-by: Andrew Leonard --- pipelines/build/common/verify_signing.groovy | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pipelines/build/common/verify_signing.groovy b/pipelines/build/common/verify_signing.groovy index 2f72d8585..653a0ce7c 100644 --- a/pipelines/build/common/verify_signing.groovy +++ b/pipelines/build/common/verify_signing.groovy @@ -29,11 +29,11 @@ Parameters: Boolean verify = false String verifyNode switch(params.TARGET_OS) { - 'mac': + case 'mac': verifyNode = params.MAC_VERIFY_LABEL verify = true break - 'windows': + case 'windows': verifyNode = params.WINDOWS_VERIFY_LABEL verify = true break From 85b0edab3a04b53133a336b5e362ba265c8cd82d Mon Sep 17 00:00:00 2001 From: Andrew Leonard Date: Wed, 22 Nov 2023 10:36:22 +0000 Subject: [PATCH 03/92] Signing verifier job Signed-off-by: Andrew Leonard --- pipelines/build/common/verify_signing.groovy | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pipelines/build/common/verify_signing.groovy b/pipelines/build/common/verify_signing.groovy index 653a0ce7c..fec379b60 100644 --- a/pipelines/build/common/verify_signing.groovy +++ b/pipelines/build/common/verify_signing.groovy @@ -75,6 +75,7 @@ if (verify) { filter: "${jreFilter}", fingerprintArtifacts: true, flatten: true + ) // For Mac we need to also verify pkg files are "Notarized" if (params.TARGET_OS == "mac") { @@ -85,6 +86,7 @@ if (verify) { filter: "workspace/target/*.pkg", fingerprintArtifacts: true, flatten: true + ) } // Unpack archives From cfac82254ffdc4139fe712a75105b3f0a773d8b6 Mon Sep 17 00:00:00 2001 From: Andrew Leonard Date: Wed, 22 Nov 2023 10:42:21 +0000 Subject: [PATCH 04/92] Signing verifier job Signed-off-by: Andrew Leonard --- pipelines/build/common/verify_signing.groovy | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) 
diff --git a/pipelines/build/common/verify_signing.groovy b/pipelines/build/common/verify_signing.groovy index fec379b60..af8af1052 100644 --- a/pipelines/build/common/verify_signing.groovy +++ b/pipelines/build/common/verify_signing.groovy @@ -46,7 +46,8 @@ if (verify) { // Switch to appropriate node node(verifyNode) { - timestamps { + stage("verify_signing") { + timestamps { // Clean workspace to ensure no old artifacts context.cleanWs notFailBuild: true, disableDeferredWipeout: true, deleteDirs: true @@ -167,6 +168,7 @@ if (verify) { } } } + } } } } From dff906fd37aebfa4ef3ab8e899e872b2087602fa Mon Sep 17 00:00:00 2001 From: Andrew Leonard Date: Wed, 22 Nov 2023 10:49:25 +0000 Subject: [PATCH 05/92] Signing verifier job Signed-off-by: Andrew Leonard --- pipelines/build/common/verify_signing.groovy | 32 ++++++++++---------- 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/pipelines/build/common/verify_signing.groovy b/pipelines/build/common/verify_signing.groovy index af8af1052..082b35d3b 100644 --- a/pipelines/build/common/verify_signing.groovy +++ b/pipelines/build/common/verify_signing.groovy @@ -49,7 +49,7 @@ if (verify) { stage("verify_signing") { timestamps { // Clean workspace to ensure no old artifacts - context.cleanWs notFailBuild: true, disableDeferredWipeout: true, deleteDirs: true + cleanWs notFailBuild: true, disableDeferredWipeout: true, deleteDirs: true def jdkFilter def jreFilter 
@@ -92,15 +92,15 @@ if (verify) { // Unpack archives if (params.TARGET_OS == "mac") { - context.sh("mkdir jdk && tar -C jdk *-jdk*.tar.gz") - context.sh("mkdir jre && tar -C jre *-jre*.tar.gz") + sh("mkdir jdk && tar -C jdk *-jdk*.tar.gz") + sh("mkdir jre && tar -C jre *-jre*.tar.gz") } else { // Windows - context.sh("mkdir jdk && unzip *-jdk*.tar.gz -d jdk") - context.sh("mkdir jre && unzip *-jre*.tar.gz -d jre") + sh("mkdir jdk && unzip *-jdk*.tar.gz -d jdk") + sh("mkdir jre && unzip *-jre*.tar.gz -d jre") } // Copy JDK so it can be used for unpacking - context.sh("cp -r jdk jdk_cp") + sh("cp -r jdk jdk_cp") def jdk_bin = "${WORKSPACE}/jdk_cp/bin" if (params.TARGET_OS == "mac") { @@ -111,19 +111,19 @@ if (verify) { def folders = ["jdk", "jre"] folders.each { folder -> // Expand JMODs - context.println "Expanding JMODS under ${folder}" + println "Expanding JMODS under ${folder}" def jmods = findFiles(glob: "${folder}/**/*.jmod") jmods.each { jmod -> - def expand_dir = "expanded_" + context.sh(script:"basename ${jmod}", returnStdout:true) - context.sh("mkdir ${expand_dir} && jmod extract --dir ${expand_dir} ${jmod}") + def expand_dir = "expanded_" + sh(script:"basename ${jmod}", returnStdout:true) + sh("mkdir ${expand_dir} && jmod extract --dir ${expand_dir} ${jmod}") } // Expand "modules" compress image containing jmods - context.println "Expanding 'modules' compressed image file under ${folder}" + println "Expanding 'modules' compressed image file under ${folder}" def modules = findFiles(glob: "${folder}/**/modules") modules.each { module -> - def expand_dir = "expanded_" + context.sh(script:"basename ${module}", returnStdout:true) - context.sh("mkdir ${expand_dir} && jimage extract --dir ${expand_dir} ${module}") + def expand_dir = "expanded_" + sh(script:"basename ${module}", returnStdout:true) + sh("mkdir ${expand_dir} && jimage extract --dir ${expand_dir} ${module}") } } } 
@@ -132,9 +132,9 @@ if (verify) { // On Mac find all dylib's and binaries marked as "executable", // also add "jpackageapplauncher" specific case which is not marked as "executable" // as it is within the jdk.jpackage resources used by jpackage util to generate user app launchers - def bins = context.sh(script:"find . -perm +111 -type f -not -name '.*' -o -name '*.dylib' || find . -perm /111 -type f -not -name '.*' -o -name '*.dylib'", returnStdout:true) + def bins = sh(script:"find . -perm +111 -type f -not -name '.*' -o -name '*.dylib' || find . -perm /111 -type f -not -name '.*' -o -name '*.dylib'", returnStdout:true) bins.each { bin -> - def rc = context.sh(script:"codesign --verify --verbose ${bin}", returnStatus:true) + def rc = sh(script:"codesign --verify --verbose ${bin}", returnStatus:true) if (rc != 0) { println "Error: dylib not signed: ${bin}" currentBuild.result = 'FAILURE' @@ -146,7 +146,7 @@ if (verify) { // Find all pkg's that need to be Notarized def pkgs = findFiles(glob: "*.pkg") pkgs.each { pkg -> - def rc = context.sh(script:"spctl -a -vvv -t install ${pkg}", returnStatus:true) + def rc = sh(script:"spctl -a -vvv -t install ${pkg}", returnStatus:true) if (rc != 0) { println "Error: pkg not Notarized: ${pkg}" currentBuild.result = 'FAILURE' @@ -159,7 +159,7 @@ if (verify) { def bins = findFiles(glob: "**/*.exe") bins.addAll(findFiles(glob: "**/*.dll")) bins.each { bin -> - def rc = context.sh(script:"signtool verify /v ${bin}", returnStatus:true) + def rc = sh(script:"signtool verify /v ${bin}", returnStatus:true) if (rc != 0) { println "Error: binary not signed: ${bin}" currentBuild.result = 'FAILURE' From 364239d7c7b6f3e93fa99cccd6232cb14ea57007 Mon Sep 17 00:00:00 2001 From: Andrew Leonard Date: Wed, 22 Nov 2023 11:02:34 +0000 Subject: [PATCH 06/92] Signing verifier job Signed-off-by: Andrew Leonard --- pipelines/build/common/verify_signing.groovy | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
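Review bot: `codesign --verify --verbose ${bin}` in the hunk at -132 and `signtool verify /v ${bin}` in the hunk at -159 only establish that a signature is present and internally consistent; `codesign --verify` accepts an ad-hoc signature, and neither command checks that the signer is the expected identity, so a binary re-signed by anyone would still print `Signed correctly`. Pin the expected signer with a requirement, e.g. `codesign --verify --verbose -R='anchor apple generic and certificate leaf[subject.OU] = "<TEAM_ID placeholder>"' ${bin}`, and on Windows use `signtool verify /pa /v ${bin}` so the Authenticode policy is applied instead of the default driver policy, then compare the signer printed in its output with the expected certificate. The `spctl -a -vvv -t install` check in the hunk at -146 does assess Gatekeeper/notarization and is the strongest of the three as written.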
diff --git a/pipelines/build/common/verify_signing.groovy b/pipelines/build/common/verify_signing.groovy index 082b35d3b..6eb4f4084 100644 --- a/pipelines/build/common/verify_signing.groovy +++ b/pipelines/build/common/verify_signing.groovy @@ -26,8 +26,8 @@ Parameters: */ -Boolean verify = false -String verifyNode +def verify = false +def verifyNode switch(params.TARGET_OS) { case 'mac': verifyNode = params.MAC_VERIFY_LABEL From b77f9bf04b625aa0c5efffc9039173c552c63300 Mon Sep 17 00:00:00 2001 From: Andrew Leonard Date: Wed, 22 Nov 2023 11:17:55 +0000 Subject: [PATCH 07/92] Signing verifier job Signed-off-by: Andrew Leonard --- pipelines/build/common/verify_signing.groovy | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pipelines/build/common/verify_signing.groovy b/pipelines/build/common/verify_signing.groovy index 6eb4f4084..ddaa851ec 100644 --- a/pipelines/build/common/verify_signing.groovy +++ b/pipelines/build/common/verify_signing.groovy @@ -45,8 +45,8 @@ if (verify) { println "Verifying signing for platform ${params.TARGET_OS}, ${job params.UPSTREAM_JOB_NAME} #${params.UPSTREAM_JOB_NUMBER}" // Switch to appropriate node - node(verifyNode) { - stage("verify_signing") { + stage("verify_signing") { + node(verifyNode) { timestamps { // Clean workspace to ensure no old artifacts cleanWs notFailBuild: true, disableDeferredWipeout: true, deleteDirs: true From ae272739e962b00245fbd14c72aa3eb4008106fc Mon Sep 17 00:00:00 2001 From: Andrew Leonard Date: Wed, 22 Nov 2023 11:21:19 +0000 Subject: [PATCH 08/92] Signing verifier job Signed-off-by: Andrew Leonard --- pipelines/build/common/verify_signing.groovy | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/pipelines/build/common/verify_signing.groovy b/pipelines/build/common/verify_signing.groovy index ddaa851ec..e69d8e3ee 100644 --- a/pipelines/build/common/verify_signing.groovy +++ b/pipelines/build/common/verify_signing.groovy 
@@ -42,7 +42,7 @@ switch(params.TARGET_OS) { } if (verify) { - println "Verifying signing for platform ${params.TARGET_OS}, ${job params.UPSTREAM_JOB_NAME} #${params.UPSTREAM_JOB_NUMBER}" + println "Verifying signing for platform ${params.TARGET_OS}, ${params.UPSTREAM_JOB_NAME} #${params.UPSTREAM_JOB_NUMBER}" // Switch to appropriate node stage("verify_signing") { @@ -61,17 +61,17 @@ if (verify) { jreFilter = "workspace/target/*-jre*.zip" } - println "[INFO] Retrieving ${jdkFilter} artifacts from ${job params.UPSTREAM_JOB_NAME}/${params.UPSTREAM_JOB_NUMBER}" + println "[INFO] Retrieving ${jdkFilter} artifacts from ${params.UPSTREAM_JOB_NAME}/${params.UPSTREAM_JOB_NUMBER}" copyArtifacts( - projectName: "${job params.UPSTREAM_JOB_NAME}", + projectName: "${params.UPSTREAM_JOB_NAME}", selector: specific("${params.UPSTREAM_JOB_NUMBER}"), filter: "${jdkFilter}", fingerprintArtifacts: true, flatten: true ) - println "[INFO] Retrieving ${jreFilter} artifacts from ${job params.UPSTREAM_JOB_NAME}/${params.UPSTREAM_JOB_NUMBER}" + println "[INFO] Retrieving ${jreFilter} artifacts from ${params.UPSTREAM_JOB_NAME}/${params.UPSTREAM_JOB_NUMBER}" copyArtifacts( - projectName: "${job params.UPSTREAM_JOB_NAME}", + projectName: "${params.UPSTREAM_JOB_NAME}", selector: specific("${params.UPSTREAM_JOB_NUMBER}"), filter: "${jreFilter}", fingerprintArtifacts: true, @@ -80,9 +80,9 @@ if (verify) { // For Mac we need to also verify pkg files are "Notarized" if (params.TARGET_OS == "mac") { - println "[INFO] Retrieving workspace/target/*.pkg artifacts from ${job params.UPSTREAM_JOB_NAME}/${params.UPSTREAM_JOB_NUMBER}" + println "[INFO] Retrieving workspace/target/*.pkg artifacts from ${params.UPSTREAM_JOB_NAME}/${params.UPSTREAM_JOB_NUMBER}" copyArtifacts( - projectName: "${job params.UPSTREAM_JOB_NAME}", + projectName: "${params.UPSTREAM_JOB_NAME}", selector: specific("${params.UPSTREAM_JOB_NUMBER}"), filter: "workspace/target/*.pkg", fingerprintArtifacts: true, 
From b785ea3b66a31d5ea8ac89dc1f211509a4c9b61c Mon Sep 17 00:00:00 2001 From: Andrew Leonard Date: Wed, 22 Nov 2023 13:33:33 +0000 Subject: [PATCH 09/92] Signing verifier job Signed-off-by: Andrew Leonard --- pipelines/build/common/verify_signing.groovy | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/pipelines/build/common/verify_signing.groovy b/pipelines/build/common/verify_signing.groovy index e69d8e3ee..63632e9d0 100644 --- a/pipelines/build/common/verify_signing.groovy +++ b/pipelines/build/common/verify_signing.groovy @@ -78,7 +78,7 @@ if (verify) { flatten: true ) - // For Mac we need to also verify pkg files are "Notarized" + // For Mac we need to also verify pkg files are "Notarized" if installers have been created if (params.TARGET_OS == "mac") { println "[INFO] Retrieving workspace/target/*.pkg artifacts from ${params.UPSTREAM_JOB_NAME}/${params.UPSTREAM_JOB_NUMBER}" copyArtifacts( @@ -86,7 +86,8 @@ if (verify) { selector: specific("${params.UPSTREAM_JOB_NUMBER}"), filter: "workspace/target/*.pkg", fingerprintArtifacts: true, - flatten: true + flatten: true, + optional: true ) } From 3355152d18aea3f954ddad20efb507d4e18cedff Mon Sep 17 00:00:00 2001 From: Andrew Leonard Date: Wed, 22 Nov 2023 13:37:40 +0000 Subject: [PATCH 10/92] Signing verifier job Signed-off-by: Andrew Leonard --- pipelines/build/common/verify_signing.groovy | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/pipelines/build/common/verify_signing.groovy b/pipelines/build/common/verify_signing.groovy index 63632e9d0..0ad4899f1 100644 --- a/pipelines/build/common/verify_signing.groovy +++ b/pipelines/build/common/verify_signing.groovy 
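Review bot: With `optional: true` on the pkg `copyArtifacts`, a run whose upstream build failed to publish any installer now passes this stage silently, because the later `findFiles(glob: "*.pkg")` loop has nothing to iterate and `currentBuild.result` is never set. If the caller knows whether installers were expected, pass that in as a parameter and fail when none arrive; at minimum make the absence visible next to that loop, e.g. `if (pkgs.size() == 0) { println "[WARN] No pkg installers found; notarization not verified" }`. The `if (params.TARGET_OS == "mac")` block that the pkg loop sits in is outside this hunk.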
@@ -61,7 +61,7 @@ if (verify) { jreFilter = "workspace/target/*-jre*.zip" } - println "[INFO] Retrieving ${jdkFilter} artifacts from ${params.UPSTREAM_JOB_NAME}/${params.UPSTREAM_JOB_NUMBER}" + println "[INFO] Retrieving ${jdkFilter} artifacts from ${params.UPSTREAM_JOB_NAME} #${params.UPSTREAM_JOB_NUMBER}" copyArtifacts( projectName: "${params.UPSTREAM_JOB_NAME}", selector: specific("${params.UPSTREAM_JOB_NUMBER}"), @@ -69,7 +69,7 @@ if (verify) { fingerprintArtifacts: true, flatten: true ) - println "[INFO] Retrieving ${jreFilter} artifacts from ${params.UPSTREAM_JOB_NAME}/${params.UPSTREAM_JOB_NUMBER}" + println "[INFO] Retrieving ${jreFilter} artifacts from ${params.UPSTREAM_JOB_NAME} #${params.UPSTREAM_JOB_NUMBER}" copyArtifacts( projectName: "${params.UPSTREAM_JOB_NAME}", selector: specific("${params.UPSTREAM_JOB_NUMBER}"), @@ -80,7 +80,7 @@ if (verify) { // For Mac we need to also verify pkg files are "Notarized" if installers have been created if (params.TARGET_OS == "mac") { - println "[INFO] Retrieving workspace/target/*.pkg artifacts from ${params.UPSTREAM_JOB_NAME}/${params.UPSTREAM_JOB_NUMBER}" + println "[INFO] Retrieving workspace/target/*.pkg artifacts from ${params.UPSTREAM_JOB_NAME} #${params.UPSTREAM_JOB_NUMBER}" copyArtifacts( projectName: "${params.UPSTREAM_JOB_NAME}", selector: specific("${params.UPSTREAM_JOB_NUMBER}"), @@ -93,8 +93,8 @@ if (verify) { // Unpack archives if (params.TARGET_OS == "mac") { - sh("mkdir jdk && tar -C jdk *-jdk*.tar.gz") - sh("mkdir jre && tar -C jre *-jre*.tar.gz") + sh("mkdir jdk && tar -C jdk -xf *-jdk*.tar.gz") + sh("mkdir jre && tar -C jre -xf *-jre*.tar.gz") } else { // Windows sh("mkdir jdk && unzip *-jdk*.tar.gz -d jdk") sh("mkdir jre && unzip *-jre*.tar.gz -d jre") From df270aa5a519f5f4d326c9a04973fbc09c7b67be Mon Sep 17 00:00:00 2001 From: Andrew Leonard Date: Wed, 22 Nov 2023 13:44:29 +0000 Subject: [PATCH 11/92] Signing verifier job 
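Review bot: The Windows branch of the unpack step still runs `unzip *-jdk*.tar.gz -d jdk` and `unzip *-jre*.tar.gz -d jre`, but the Windows artifact filters set earlier in this script are `workspace/target/*-jdk*.zip` and `*-jre*.zip`, so on a Windows agent the glob matches nothing, `unzip` exits non-zero and the stage aborts before any signature is checked. Change the two lines to `sh("mkdir jdk && unzip *-jdk*.zip -d jdk")` and `sh("mkdir jre && unzip *-jre*.zip -d jre")`. The enclosing `if/else` continues past the end of this hunk.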
Signed-off-by: Andrew Leonard --- pipelines/build/common/verify_signing.groovy | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/pipelines/build/common/verify_signing.groovy b/pipelines/build/common/verify_signing.groovy index 0ad4899f1..310dca0b1 100644 --- a/pipelines/build/common/verify_signing.groovy +++ b/pipelines/build/common/verify_signing.groovy @@ -116,7 +116,8 @@ if (verify) { def jmods = findFiles(glob: "${folder}/**/*.jmod") jmods.each { jmod -> def expand_dir = "expanded_" + sh(script:"basename ${jmod}", returnStdout:true) - sh("mkdir ${expand_dir} && jmod extract --dir ${expand_dir} ${jmod}") + sh("mkdir ${expand_dir}") + sh("jmod extract --dir ${expand_dir} ${jmod}") } // Expand "modules" compress image containing jmods @@ -124,7 +125,8 @@ if (verify) { def modules = findFiles(glob: "${folder}/**/modules") modules.each { module -> def expand_dir = "expanded_" + sh(script:"basename ${module}", returnStdout:true) - sh("mkdir ${expand_dir} && jimage extract --dir ${expand_dir} ${module}") + sh("mkdir ${expand_dir}") + sh("jimage extract --dir ${expand_dir} ${module}") } } } From 558417775e0c6e3f09164f94fe24168a0295bd33 Mon Sep 17 00:00:00 2001 From: Andrew Leonard Date: Wed, 22 Nov 2023 16:05:00 +0000 Subject: [PATCH 12/92] Signing verifier job Signed-off-by: Andrew Leonard --- pipelines/build/common/verify_signing.groovy | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/pipelines/build/common/verify_signing.groovy b/pipelines/build/common/verify_signing.groovy index 310dca0b1..599322b71 100644 --- a/pipelines/build/common/verify_signing.groovy +++ b/pipelines/build/common/verify_signing.groovy @@ -47,7 +47,7 @@ if (verify) { // Switch to appropriate node stage("verify_signing") { node(verifyNode) { - timestamps { + try { // Clean workspace to ensure no old artifacts cleanWs notFailBuild: true, disableDeferredWipeout: true, deleteDirs: true 
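Review bot: Replacing `timestamps {` with `try {` in the hunk at -47 drops the timestamps wrapper instead of nesting the `try` inside it, so the verification stage's console log loses its time prefixes. Keep both, `timestamps { try { ... } finally { cleanWs ... } }`, since the timing of each `codesign`/`signtool` invocation is what an investigator wants when a signing failure has to be reconstructed. The `try` body and its matching `finally` run well past the end of this hunk.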
@@ -101,7 +101,7 @@ if (verify) { } // Copy JDK so it can be used for unpacking - sh("cp -r jdk jdk_cp") + sh("cp -r jdk/*/* jdk_cp") def jdk_bin = "${WORKSPACE}/jdk_cp/bin" if (params.TARGET_OS == "mac") { @@ -171,6 +171,10 @@ if (verify) { } } } + + } finally { + // Clean workspace afterwards + cleanWs notFailBuild: true, disableDeferredWipeout: true, deleteDirs: true } } } From ee442cb86a27f53b0c4625d7da4dca92c9d5b26f Mon Sep 17 00:00:00 2001 From: Andrew Leonard Date: Wed, 22 Nov 2023 16:14:58 +0000 Subject: [PATCH 13/92] Signing verifier job Signed-off-by: Andrew Leonard --- pipelines/build/common/verify_signing.groovy | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/pipelines/build/common/verify_signing.groovy b/pipelines/build/common/verify_signing.groovy index 599322b71..65a9c6b85 100644 --- a/pipelines/build/common/verify_signing.groovy +++ b/pipelines/build/common/verify_signing.groovy @@ -107,7 +107,8 @@ if (verify) { if (params.TARGET_OS == "mac") { jdk_bin = "${WORKSPACE}/jdk_cp/Contents/Home/bin" } - +println "jdk_bin=${jdk_bin}" +sh("ls -l jdk_cp/Contents/Home/bin") withEnv(['PATH+JAVA=${jdk_bin}']) { def folders = ["jdk", "jre"] folders.each { folder -> From e88d623ba1b502429c213e4a8d96d19ad4e4f331 Mon Sep 17 00:00:00 2001 From: Andrew Leonard Date: Wed, 22 Nov 2023 16:18:21 +0000 Subject: [PATCH 14/92] Signing verifier job Signed-off-by: Andrew Leonard --- pipelines/build/common/verify_signing.groovy | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pipelines/build/common/verify_signing.groovy b/pipelines/build/common/verify_signing.groovy index 65a9c6b85..2579067c9 100644 --- a/pipelines/build/common/verify_signing.groovy +++ b/pipelines/build/common/verify_signing.groovy @@ -101,7 +101,7 @@ if (verify) { } // Copy JDK so it can be used for unpacking - sh("cp -r jdk/*/* jdk_cp") + sh("mkdir jdk_cp && cp -r jdk/*/* jdk_cp") def jdk_bin = "${WORKSPACE}/jdk_cp/bin" if (params.TARGET_OS == "mac") { 
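Review bot: The two debug lines added before `withEnv`, `println "jdk_bin=${jdk_bin}"` and `sh("ls -l jdk_cp/Contents/Home/bin")`, hard-code the macOS bundle layout while this script also runs with `TARGET_OS == "windows"`, where `jdk_cp/Contents/Home/bin` does not exist and the non-zero `ls` exit aborts the stage before any signature check. If the listing is wanted, use the path already computed for both platforms, `sh("ls -l ${jdk_bin}")`, and indent it with the surrounding block; otherwise drop both lines before merging. The `node`/`try` block these lines sit in starts and ends outside this hunk.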
From 431e73d8f6cc22b2a8b3f25ff6b661fb82304676 Mon Sep 17 00:00:00 2001 From: Andrew Leonard Date: Wed, 22 Nov 2023 16:21:05 +0000 Subject: [PATCH 15/92] Signing verifier job Signed-off-by: Andrew Leonard --- pipelines/build/common/verify_signing.groovy | 1 + 1 file changed, 1 insertion(+) diff --git a/pipelines/build/common/verify_signing.groovy b/pipelines/build/common/verify_signing.groovy index 2579067c9..cfb959a88 100644 --- a/pipelines/build/common/verify_signing.groovy +++ b/pipelines/build/common/verify_signing.groovy @@ -110,6 +110,7 @@ if (verify) { println "jdk_bin=${jdk_bin}" sh("ls -l jdk_cp/Contents/Home/bin") withEnv(['PATH+JAVA=${jdk_bin}']) { +sh("echo $PATH") def folders = ["jdk", "jre"] folders.each { folder -> // Expand JMODs From 4c38281f02ce98e0bc1133c05d25bffc8d12d8f8 Mon Sep 17 00:00:00 2001 From: Andrew Leonard Date: Wed, 22 Nov 2023 16:25:48 +0000 Subject: [PATCH 16/92] Signing verifier job Signed-off-by: Andrew Leonard --- pipelines/build/common/verify_signing.groovy | 42 +++++++++----------- 1 file changed, 19 insertions(+), 23 deletions(-) diff --git a/pipelines/build/common/verify_signing.groovy b/pipelines/build/common/verify_signing.groovy index cfb959a88..c8f1e8df0 100644 --- a/pipelines/build/common/verify_signing.groovy +++ b/pipelines/build/common/verify_signing.groovy 
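Review bot: `sh("echo $PATH")` is a Groovy double-quoted string, so `$PATH` is resolved by Groovy as a script variable rather than by the shell, and no such variable is bound in this script; the line above it has the opposite problem, since `withEnv(['PATH+JAVA=${jdk_bin}'])` is single-quoted and `${jdk_bin}` is never interpolated, so the literal text `${jdk_bin}` is what gets prepended to PATH. That would explain why the following commits cannot find `jmod` and fall back to invoking `${jdk_bin}/jmod` directly. Swap the quoting: `withEnv(["PATH+JAVA=${jdk_bin}"]) {` and `sh('echo $PATH')`. The `withEnv` closure runs past the end of this hunk.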
@@ -107,29 +107,25 @@ if (verify) { if (params.TARGET_OS == "mac") { jdk_bin = "${WORKSPACE}/jdk_cp/Contents/Home/bin" } -println "jdk_bin=${jdk_bin}" -sh("ls -l jdk_cp/Contents/Home/bin") - withEnv(['PATH+JAVA=${jdk_bin}']) { -sh("echo $PATH") - def folders = ["jdk", "jre"] - folders.each { folder -> - // Expand JMODs - println "Expanding JMODS under ${folder}" - def jmods = findFiles(glob: "${folder}/**/*.jmod") - jmods.each { jmod -> - def expand_dir = "expanded_" + sh(script:"basename ${jmod}", returnStdout:true) - sh("mkdir ${expand_dir}") - sh("jmod extract --dir ${expand_dir} ${jmod}") - } - - // Expand "modules" compress image containing jmods - println "Expanding 'modules' compressed image file under ${folder}" - def modules = findFiles(glob: "${folder}/**/modules") - modules.each { module -> - def expand_dir = "expanded_" + sh(script:"basename ${module}", returnStdout:true) - sh("mkdir ${expand_dir}") - sh("jimage extract --dir ${expand_dir} ${module}") - } + + def folders = ["jdk", "jre"] + folders.each { folder -> + // Expand JMODs + println "Expanding JMODS under ${folder}" + def jmods = findFiles(glob: "${folder}/**/*.jmod") + jmods.each { jmod -> + def expand_dir = "expanded_" + sh(script:"basename ${jmod}", returnStdout:true) + sh("mkdir ${expand_dir}") + sh("${jdk_bin}/jmod extract --dir ${expand_dir} ${jmod}") + } + + // Expand "modules" compress image containing jmods + println "Expanding 'modules' compressed image file under ${folder}" + def modules = findFiles(glob: "${folder}/**/modules") + modules.each { module -> + def expand_dir = "expanded_" + sh(script:"basename ${module}", returnStdout:true) + sh("mkdir ${expand_dir}") + sh("${jdk_bin}/jimage extract --dir ${expand_dir} ${module}") } } From 2588dd4dce606b2854659aab1a23c21f13d2d066 Mon Sep 17 00:00:00 2001 From: Andrew Leonard Date: Wed, 22 Nov 2023 16:44:04 +0000 Subject: [PATCH 17/92] Signing verifier job 
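Review bot: `sh("${jdk_bin}/jmod extract ...")` and `sh("${jdk_bin}/jimage extract ...")` execute binaries taken from the very JDK archive whose signatures this job is about to check (`jdk_bin` points into the `jdk_cp` copy of the unpacked artifact), so unverified code from the upstream build runs on the verification agent before `codesign`/`signtool` has looked at it. Prefer a JDK already provisioned and trusted on the verification node for the extraction, or at least run the signature loop over the unpacked `jdk`/`jre` trees first and only then expand the jmods and `modules` image, so nothing from the artifact is executed until its own signature has passed. The `folders.each` closure and the enclosing `try` continue past the end of this hunk.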
Signed-off-by: Andrew Leonard --- pipelines/build/common/verify_signing.groovy | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pipelines/build/common/verify_signing.groovy b/pipelines/build/common/verify_signing.groovy index c8f1e8df0..f2a5e7e35 100644 --- a/pipelines/build/common/verify_signing.groovy +++ b/pipelines/build/common/verify_signing.groovy @@ -116,7 +116,7 @@ if (verify) { jmods.each { jmod -> def expand_dir = "expanded_" + sh(script:"basename ${jmod}", returnStdout:true) sh("mkdir ${expand_dir}") - sh("${jdk_bin}/jmod extract --dir ${expand_dir} ${jmod}") + sh("echo ${jdk_bin}/jmod extract --dir ${expand_dir} ${jmod}") } // Expand "modules" compress image containing jmods From a243ea49de60d6bcfcb3dc77b87855c2cd76d822 Mon Sep 17 00:00:00 2001 From: Andrew Leonard Date: Wed, 22 Nov 2023 16:50:03 +0000 Subject: [PATCH 18/92] Signing verifier job Signed-off-by: Andrew Leonard --- pipelines/build/common/verify_signing.groovy | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pipelines/build/common/verify_signing.groovy b/pipelines/build/common/verify_signing.groovy index f2a5e7e35..ec636f4b7 100644 --- a/pipelines/build/common/verify_signing.groovy +++ b/pipelines/build/common/verify_signing.groovy @@ -114,9 +114,9 @@ if (verify) { println "Expanding JMODS under ${folder}" def jmods = findFiles(glob: "${folder}/**/*.jmod") jmods.each { jmod -> - def expand_dir = "expanded_" + sh(script:"basename ${jmod}", returnStdout:true) + def expand_dir = "expanded_" + sh(script:"basename ${jmod} | tr -d '\r'", returnStdout:true) sh("mkdir ${expand_dir}") - sh("echo ${jdk_bin}/jmod extract --dir ${expand_dir} ${jmod}") + sh("${jdk_bin}/jmod extract --dir ${expand_dir} ${jmod}") } // Expand "modules" compress image containing jmods From 2de20dc5db0c285ab414de178197018c9b566731 Mon Sep 17 00:00:00 2001 From: Andrew Leonard Date: Wed, 22 Nov 2023 16:55:39 +0000 Subject: [PATCH 19/92] Signing verifier job 
Signed-off-by: Andrew Leonard --- pipelines/build/common/verify_signing.groovy | 1 + 1 file changed, 1 insertion(+) diff --git a/pipelines/build/common/verify_signing.groovy b/pipelines/build/common/verify_signing.groovy index ec636f4b7..04222fbaa 100644 --- a/pipelines/build/common/verify_signing.groovy +++ b/pipelines/build/common/verify_signing.groovy @@ -115,6 +115,7 @@ if (verify) { def jmods = findFiles(glob: "${folder}/**/*.jmod") jmods.each { jmod -> def expand_dir = "expanded_" + sh(script:"basename ${jmod} | tr -d '\r'", returnStdout:true) + expand_dir = expand_dir.trim() sh("mkdir ${expand_dir}") sh("${jdk_bin}/jmod extract --dir ${expand_dir} ${jmod}") } From a955b0a54cfea87b4270f650b4e2482930f7c659 Mon Sep 17 00:00:00 2001 From: Andrew Leonard Date: Wed, 22 Nov 2023 17:08:54 +0000 Subject: [PATCH 20/92] Signing verifier job Signed-off-by: Andrew Leonard --- pipelines/build/common/verify_signing.groovy | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/pipelines/build/common/verify_signing.groovy b/pipelines/build/common/verify_signing.groovy index 04222fbaa..0d748e043 100644 --- a/pipelines/build/common/verify_signing.groovy +++ b/pipelines/build/common/verify_signing.groovy @@ -114,7 +114,7 @@ if (verify) { println "Expanding JMODS under ${folder}" def jmods = findFiles(glob: "${folder}/**/*.jmod") jmods.each { jmod -> - def expand_dir = "expanded_" + sh(script:"basename ${jmod} | tr -d '\r'", returnStdout:true) + def expand_dir = "expanded_" + sh(script:"basename ${jmod}", returnStdout:true) expand_dir = expand_dir.trim() sh("mkdir ${expand_dir}") sh("${jdk_bin}/jmod extract --dir ${expand_dir} ${jmod}") @@ -125,6 +125,7 @@ if (verify) { def modules = findFiles(glob: "${folder}/**/modules") modules.each { module -> def expand_dir = "expanded_" + sh(script:"basename ${module}", returnStdout:true) + expand_dir = expand_dir.trim() sh("mkdir ${expand_dir}") sh("${jdk_bin}/jimage extract --dir ${expand_dir} ${module}") } 
@@ -135,6 +136,7 @@ if (verify) { // also add "jpackageapplauncher" specific case which is not marked as "executable" // as it is within the jdk.jpackage resources used by jpackage util to generate user app launchers def bins = sh(script:"find . -perm +111 -type f -not -name '.*' -o -name '*.dylib' || find . -perm /111 -type f -not -name '.*' -o -name '*.dylib'", returnStdout:true) + bins.addAll(findFiles(glob: "./**/jpackageapplauncher")) bins.each { bin -> def rc = sh(script:"codesign --verify --verbose ${bin}", returnStatus:true) if (rc != 0) { From c4d9723b6172d4180c1e071952d9dba0dfaf9831 Mon Sep 17 00:00:00 2001 From: Andrew Leonard Date: Wed, 22 Nov 2023 17:16:45 +0000 Subject: [PATCH 21/92] Signing verifier job Signed-off-by: Andrew Leonard --- pipelines/build/common/verify_signing.groovy | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pipelines/build/common/verify_signing.groovy b/pipelines/build/common/verify_signing.groovy index 0d748e043..f0a9b1f94 100644 --- a/pipelines/build/common/verify_signing.groovy +++ b/pipelines/build/common/verify_signing.groovy @@ -115,7 +115,7 @@ if (verify) { def jmods = findFiles(glob: "${folder}/**/*.jmod") jmods.each { jmod -> def expand_dir = "expanded_" + sh(script:"basename ${jmod}", returnStdout:true) - expand_dir = expand_dir.trim() + expand_dir = "${folder}/${expand_dir}".trim() sh("mkdir ${expand_dir}") sh("${jdk_bin}/jmod extract --dir ${expand_dir} ${jmod}") } @@ -125,7 +125,7 @@ if (verify) { def modules = findFiles(glob: "${folder}/**/modules") modules.each { module -> def expand_dir = "expanded_" + sh(script:"basename ${module}", returnStdout:true) - expand_dir = expand_dir.trim() + expand_dir = "${folder}/${expand_dir}".trim() sh("mkdir ${expand_dir}") sh("${jdk_bin}/jimage extract --dir ${expand_dir} ${module}") } From 20d13950a4280dcdb9a2abb9fc6165ee366b5772 Mon Sep 17 00:00:00 2001 From: Andrew Leonard Date: Wed, 22 Nov 2023 17:25:05 +0000 Subject: [PATCH 22/92] Signing verifier job 
Signed-off-by: Andrew Leonard --- pipelines/build/common/verify_signing.groovy | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pipelines/build/common/verify_signing.groovy b/pipelines/build/common/verify_signing.groovy index f0a9b1f94..bc7791bf9 100644 --- a/pipelines/build/common/verify_signing.groovy +++ b/pipelines/build/common/verify_signing.groovy @@ -135,7 +135,7 @@ if (verify) { // On Mac find all dylib's and binaries marked as "executable", // also add "jpackageapplauncher" specific case which is not marked as "executable" // as it is within the jdk.jpackage resources used by jpackage util to generate user app launchers - def bins = sh(script:"find . -perm +111 -type f -not -name '.*' -o -name '*.dylib' || find . -perm /111 -type f -not -name '.*' -o -name '*.dylib'", returnStdout:true) + def bins = sh(script:"find . -perm +111 -type f -not -name '.*' -o -name '*.dylib' || find . -perm /111 -type f -not -name '.*' -o -name '*.dylib'", returnStdout:true).split("\\r?\\n|\\r") bins.addAll(findFiles(glob: "./**/jpackageapplauncher")) bins.each { bin -> def rc = sh(script:"codesign --verify --verbose ${bin}", returnStatus:true) From 4555bbcc5bc426a5fdbc56acfc26e8ba695238cb Mon Sep 17 00:00:00 2001 From: Andrew Leonard Date: Wed, 22 Nov 2023 17:34:11 +0000 Subject: [PATCH 23/92] Signing verifier job Signed-off-by: Andrew Leonard --- pipelines/build/common/verify_signing.groovy | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/pipelines/build/common/verify_signing.groovy b/pipelines/build/common/verify_signing.groovy index bc7791bf9..3ca70a5be 100644 --- a/pipelines/build/common/verify_signing.groovy +++ b/pipelines/build/common/verify_signing.groovy 
@@ -135,8 +135,7 @@ if (verify) { // On Mac find all dylib's and binaries marked as "executable", // also add "jpackageapplauncher" specific case which is not marked as "executable" // as it is within the jdk.jpackage resources used by jpackage util to generate user app launchers - def bins = sh(script:"find . -perm +111 -type f -not -name '.*' -o -name '*.dylib' || find . -perm /111 -type f -not -name '.*' -o -name '*.dylib'", returnStdout:true).split("\\r?\\n|\\r") - bins.addAll(findFiles(glob: "./**/jpackageapplauncher")) + def bins = sh(script:"find . -perm +111 -type f -not -name '.*' -o -name '*.dylib' -o -name 'jpackageapplauncher' || find . -perm /111 -type f -not -name '.*' -o -name '*.dylib' -o -name 'jpackageapplauncher'", returnStdout:true).split("\\r?\\n|\\r") bins.each { bin -> def rc = sh(script:"codesign --verify --verbose ${bin}", returnStatus:true) if (rc != 0) { From 9196e15a37086b69d6d12b2fd6957029bee9f1a4 Mon Sep 17 00:00:00 2001 From: Andrew Leonard Date: Thu, 23 Nov 2023 09:35:43 +0000 Subject: [PATCH 24/92] Signing verifier job Signed-off-by: Andrew Leonard --- pipelines/build/common/verify_signing.groovy | 72 +++++++++++--------- 1 file changed, 41 insertions(+), 31 deletions(-) diff --git a/pipelines/build/common/verify_signing.groovy b/pipelines/build/common/verify_signing.groovy index 3ca70a5be..ce18889af 100644 --- a/pipelines/build/common/verify_signing.groovy +++ b/pipelines/build/common/verify_signing.groovy 
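Review bot: The `-o` alternatives in the new `find` expression are not grouped, so `-type f` and `-not -name '.*'` bind only to the `-perm +111` branch, while the `*.dylib` and `jpackageapplauncher` branches match entries of any type, including directories and dot-files. Group the name tests instead: `find . -type f -not -name '.*' \( -perm +111 -o -name '*.dylib' -o -name 'jpackageapplauncher' \)` (backslashes doubled inside the Groovy string), and the same for the `-perm /111` fallback. `find .` also walks the whole workspace, so the `jdk_cp` copy this job makes is verified a second time; rooting the search at the unpacked directories avoids the duplicate work. The enclosing branch starts and ends outside the hunk.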
@@ -92,50 +92,58 @@ if (verify) { } // Unpack archives - if (params.TARGET_OS == "mac") { - sh("mkdir jdk && tar -C jdk -xf *-jdk*.tar.gz") - sh("mkdir jre && tar -C jre -xf *-jre*.tar.gz") - } else { // Windows - sh("mkdir jdk && unzip *-jdk*.tar.gz -d jdk") - sh("mkdir jre && unzip *-jre*.tar.gz -d jre") + def unpack_dir = "unpacked" + def archives = ["jdk", "jre"] + + archives.each { archive -> + def dir = "${unpack_dir}/${archive}" + if (params.TARGET_OS == "mac") { + sh("mkdir -p ${dir} && tar -C ${dir} -xf *-${archive}*.tar.gz") + } else { // Windows + sh("mkdir -p ${dir} && unzip *-${archive}*.tar.gz -d ${dir}") + } } - // Copy JDK so it can be used for unpacking - sh("mkdir jdk_cp && cp -r jdk/*/* jdk_cp") + // Copy JDK so it can be used for unpacking using jmod/jimage + sh("mkdir jdk_cp && cp -r ${unpack_dir}/jdk/*/* jdk_cp") def jdk_bin = "${WORKSPACE}/jdk_cp/bin" if (params.TARGET_OS == "mac") { jdk_bin = "${WORKSPACE}/jdk_cp/Contents/Home/bin" } - def folders = ["jdk", "jre"] - folders.each { folder -> + // Expand the JMODs and modules image to test binaries within + archives.each { archive -> + def dir = "${unpack_dir}/${archive}" // Expand JMODs - println "Expanding JMODS under ${folder}" - def jmods = findFiles(glob: "${folder}/**/*.jmod") + println "Expanding JMODS under ${dir}" + def jmods = findFiles(glob: "${dir}/**/*.jmod") jmods.each { jmod -> def expand_dir = "expanded_" + sh(script:"basename ${jmod}", returnStdout:true) - expand_dir = "${folder}/${expand_dir}".trim() + expand_dir = "${dir}/${expand_dir}".trim() sh("mkdir ${expand_dir}") sh("${jdk_bin}/jmod extract --dir ${expand_dir} ${jmod}") } // Expand "modules" compress image containing jmods - println "Expanding 'modules' compressed image file under ${folder}" - def modules = findFiles(glob: "${folder}/**/modules") + println "Expanding 'modules' compressed image file under ${dir}" + def modules = findFiles(glob: "${dir}/**/modules") modules.each { module -> def expand_dir = "expanded_" + 
sh(script:"basename ${module}", returnStdout:true) - expand_dir = "${folder}/${expand_dir}".trim() + expand_dir = "${dir}/${expand_dir}".trim() sh("mkdir ${expand_dir}") sh("${jdk_bin}/jimage extract --dir ${expand_dir} ${module}") } } + // Verify all executables for Signatures if (params.TARGET_OS == "mac") { // On Mac find all dylib's and binaries marked as "executable", // also add "jpackageapplauncher" specific case which is not marked as "executable" // as it is within the jdk.jpackage resources used by jpackage util to generate user app launchers - def bins = sh(script:"find . -perm +111 -type f -not -name '.*' -o -name '*.dylib' -o -name 'jpackageapplauncher' || find . -perm /111 -type f -not -name '.*' -o -name '*.dylib' -o -name 'jpackageapplauncher'", returnStdout:true).split("\\r?\\n|\\r") + def bins = sh(script:"find ${unpack_dir} -perm +111 -type f -not -name '.*' -o -name '*.dylib' -o -name 'jpackageapplauncher' || + find ${unpack_dir} -perm /111 -type f -not -name '.*' -o -name '*.dylib' -o -name 'jpackageapplauncher'", + returnStdout:true).split("\\r?\\n|\\r") bins.each { bin -> def rc = sh(script:"codesign --verify --verbose ${bin}", returnStatus:true) if (rc != 0) { @@ -145,22 +153,10 @@ if (verify) { println "Signed correctly: ${bin}" } } - - // Find all pkg's that need to be Notarized - def pkgs = findFiles(glob: "*.pkg") - pkgs.each { pkg -> - def rc = sh(script:"spctl -a -vvv -t install ${pkg}", returnStatus:true) - if (rc != 0) { - println "Error: pkg not Notarized: ${pkg}" - currentBuild.result = 'FAILURE' - } else { - println "Notarized correctly: ${pkg}" - } - } } else { // Windows // Find all exe/dll's that must be Signed - def bins = findFiles(glob: "**/*.exe") - bins.addAll(findFiles(glob: "**/*.dll")) + def bins = sh(script:"find ${unpack_dir} -type f -name '*.exe' -o -name '*.dll'" + returnStdout:true).split("\\r?\\n|\\r") bins.each { bin -> def rc = sh(script:"signtool verify /v ${bin}", returnStatus:true) if (rc != 0) { 
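Review bot: The `jmod extract` / `jimage extract` steps execute binaries taken from the artifact under test — `jdk_bin` points into `jdk_cp`, a copy of the just-unpacked, not-yet-verified JDK — so unverified code runs on the verification node before any signature has been checked, and a tampered archive gets code execution here rather than a FAILURE. Prefer a trusted JDK already present on the node (for example a bootstrap JDK passed in as a job parameter) for the extraction tools, or at least run the `codesign`/`signtool` pass over the unpacked tree before invoking anything from it. Note also that the Windows branch passes `*-${archive}*.tar.gz` to `unzip`, whereas the Windows artifacts retrieved above are `.zip` files. The enclosing `node`/`try` block starts and ends outside the hunk.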
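Review bot: The new Windows `sh(...)` call has no comma between the script string and `returnStdout:true`, so the statement will not parse as a named-argument call. Once that is fixed, `-type f -name '*.exe' -o -name '*.dll'` still lets `-type f` bind only to the `*.exe` branch; group the name tests as `find ${unpack_dir} -type f \( -name '*.exe' -o -name '*.dll' \)` (backslashes doubled inside the Groovy string). The enclosing `else` branch continues outside the hunk.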
@@ -172,6 +168,20 @@ if (verify) { } } + // For Mac also verify installer (if built) is Notarized + if (params.TARGET_OS == "mac") { + // Find all pkg's that need to be Notarized + def pkgs = findFiles(glob: "*.pkg") + pkgs.each { pkg -> + def rc = sh(script:"spctl -a -vvv -t install ${pkg}", returnStatus:true) + if (rc != 0) { + println "Error: pkg not Notarized: ${pkg}" + currentBuild.result = 'FAILURE' + } else { + println "Notarized correctly: ${pkg}" + } + } + } } finally { // Clean workspace afterwards cleanWs notFailBuild: true, disableDeferredWipeout: true, deleteDirs: true From 4e1c969c05dbbee5472f6a7904b54d49b42dba05 Mon Sep 17 00:00:00 2001 From: Andrew Leonard Date: Thu, 23 Nov 2023 09:39:08 +0000 Subject: [PATCH 25/92] Signing verifier job Signed-off-by: Andrew Leonard --- pipelines/build/common/verify_signing.groovy | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/pipelines/build/common/verify_signing.groovy b/pipelines/build/common/verify_signing.groovy index ce18889af..853b69241 100644 --- a/pipelines/build/common/verify_signing.groovy +++ b/pipelines/build/common/verify_signing.groovy 
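Review bot: When no `*.pkg` is present, `findFiles` returns nothing and the notarization stage ends with no output at all, so a build whose installer was never produced or never copied looks identical in the log to one that passed. Add an explicit message for the empty case, e.g. `if (pkgs.size() == 0) { println "No pkg installer found, notarization check skipped" }`. `spctl -a -t install` reports Gatekeeper acceptance; if the intent is also to confirm the package's own signature, `pkgutil --check-signature ${pkg}` is the matching check for a flat package. The `try`/`finally` enclosing this hunk starts outside it.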
@@ -141,8 +141,8 @@ if (verify) { // On Mac find all dylib's and binaries marked as "executable", // also add "jpackageapplauncher" specific case which is not marked as "executable" // as it is within the jdk.jpackage resources used by jpackage util to generate user app launchers - def bins = sh(script:"find ${unpack_dir} -perm +111 -type f -not -name '.*' -o -name '*.dylib' -o -name 'jpackageapplauncher' || - find ${unpack_dir} -perm /111 -type f -not -name '.*' -o -name '*.dylib' -o -name 'jpackageapplauncher'", + def bins = sh(script:"find ${unpack_dir} -perm +111 -type f -not -name '.*' -o -name '*.dylib' -o -name 'jpackageapplauncher' || \ + find ${unpack_dir} -perm /111 -type f -not -name '.*' -o -name '*.dylib' -o -name 'jpackageapplauncher'", \ returnStdout:true).split("\\r?\\n|\\r") bins.each { bin -> def rc = sh(script:"codesign --verify --verbose ${bin}", returnStatus:true) @@ -155,7 +155,7 @@ if (verify) { } } else { // Windows // Find all exe/dll's that must be Signed - def bins = sh(script:"find ${unpack_dir} -type f -name '*.exe' -o -name '*.dll'" + def bins = sh(script:"find ${unpack_dir} -type f -name '*.exe' -o -name '*.dll'" \ returnStdout:true).split("\\r?\\n|\\r") bins.each { bin -> def rc = sh(script:"signtool verify /v ${bin}", returnStatus:true) From 66bca2111a7179b6bdded80e7244ff3efba8d7aa Mon Sep 17 00:00:00 2001 From: Andrew Leonard Date: Thu, 23 Nov 2023 09:42:57 +0000 Subject: [PATCH 26/92] Signing verifier job Signed-off-by: Andrew Leonard --- pipelines/build/common/verify_signing.groovy | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pipelines/build/common/verify_signing.groovy b/pipelines/build/common/verify_signing.groovy index 853b69241..c359acc3c 100644 --- a/pipelines/build/common/verify_signing.groovy +++ b/pipelines/build/common/verify_signing.groovy 
@@ -155,7 +155,7 @@ if (verify) { } } else { // Windows // Find all exe/dll's that must be Signed - def bins = sh(script:"find ${unpack_dir} -type f -name '*.exe' -o -name '*.dll'" \ + def bins = sh(script:"find ${unpack_dir} -type f -name '*.exe' -o -name '*.dll'", \ returnStdout:true).split("\\r?\\n|\\r") bins.each { bin -> def rc = sh(script:"signtool verify /v ${bin}", returnStatus:true) From 3aadbfd56ee70ec831e27ec096a94dfb85921685 Mon Sep 17 00:00:00 2001 From: Andrew Leonard Date: Thu, 23 Nov 2023 09:53:59 +0000 Subject: [PATCH 27/92] Signing verifier job Signed-off-by: Andrew Leonard --- pipelines/build/common/verify_signing.groovy | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/pipelines/build/common/verify_signing.groovy b/pipelines/build/common/verify_signing.groovy index c359acc3c..389866e1b 100644 --- a/pipelines/build/common/verify_signing.groovy +++ b/pipelines/build/common/verify_signing.groovy @@ -51,6 +51,7 @@ if (verify) { // Clean workspace to ensure no old artifacts cleanWs notFailBuild: true, disableDeferredWipeout: true, deleteDirs: true + // Find upstream job archives to be verified for Signatures def jdkFilter def jreFilter if (params.TARGET_OS == "mac") { @@ -100,7 +101,7 @@ if (verify) { if (params.TARGET_OS == "mac") { sh("mkdir -p ${dir} && tar -C ${dir} -xf *-${archive}*.tar.gz") } else { // Windows - sh("mkdir -p ${dir} && unzip *-${archive}*.tar.gz -d ${dir}") + sh("mkdir -p ${dir} && unzip *-${archive}*.zip -d ${dir}") } } From ea6ae8cc3f174d8dafdea20ed6e1ce0879f3be33 Mon Sep 17 00:00:00 2001 From: Andrew Leonard Date: Thu, 23 Nov 2023 09:57:10 +0000 Subject: [PATCH 28/92] Signing verifier job Signed-off-by: Andrew Leonard --- pipelines/build/common/verify_signing.groovy | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pipelines/build/common/verify_signing.groovy b/pipelines/build/common/verify_signing.groovy index 389866e1b..0217b5b7a 100644 --- a/pipelines/build/common/verify_signing.groovy 
+++ b/pipelines/build/common/verify_signing.groovy @@ -108,9 +108,9 @@ if (verify) { // Copy JDK so it can be used for unpacking using jmod/jimage sh("mkdir jdk_cp && cp -r ${unpack_dir}/jdk/*/* jdk_cp") - def jdk_bin = "${WORKSPACE}/jdk_cp/bin" + def jdk_bin = "jdk_cp/bin" if (params.TARGET_OS == "mac") { - jdk_bin = "${WORKSPACE}/jdk_cp/Contents/Home/bin" + jdk_bin = "jdk_cp/Contents/Home/bin" } // Expand the JMODs and modules image to test binaries within From e0d0d27c6f89e39a0abcd07678e3e8d7d55a9fa4 Mon Sep 17 00:00:00 2001 From: Andrew Leonard Date: Thu, 23 Nov 2023 10:07:52 +0000 Subject: [PATCH 29/92] Signing verifier job Signed-off-by: Andrew Leonard --- pipelines/build/common/verify_signing.groovy | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/pipelines/build/common/verify_signing.groovy b/pipelines/build/common/verify_signing.groovy index 0217b5b7a..e68852e82 100644 --- a/pipelines/build/common/verify_signing.groovy +++ b/pipelines/build/common/verify_signing.groovy @@ -118,7 +118,8 @@ if (verify) { def dir = "${unpack_dir}/${archive}" // Expand JMODs println "Expanding JMODS under ${dir}" - def jmods = findFiles(glob: "${dir}/**/*.jmod") + def jmods = sh(script:"find ${dir} -type f -name '*.jmod'", \ + returnStdout:true).split("\\r?\\n|\\r") jmods.each { jmod -> def expand_dir = "expanded_" + sh(script:"basename ${jmod}", returnStdout:true) expand_dir = "${dir}/${expand_dir}".trim() @@ -128,7 +129,8 @@ if (verify) { // Expand "modules" compress image containing jmods println "Expanding 'modules' compressed image file under ${dir}" - def modules = findFiles(glob: "${dir}/**/modules") + def modules = sh(script:"find ${dir} -type f -name 'modules'", \ + returnStdout:true).split("\\r?\\n|\\r") modules.each { module -> def expand_dir = "expanded_" + sh(script:"basename ${module}", returnStdout:true) expand_dir = "${dir}/${expand_dir}".trim() 
@@ -172,7 +174,8 @@ if (verify) { // For Mac also verify installer (if built) is Notarized if (params.TARGET_OS == "mac") { // Find all pkg's that need to be Notarized - def pkgs = findFiles(glob: "*.pkg") + def pkgs = sh(script:"find . -type f -name '*.pkg'", \ + returnStdout:true).split("\\r?\\n|\\r") pkgs.each { pkg -> def rc = sh(script:"spctl -a -vvv -t install ${pkg}", returnStatus:true) if (rc != 0) { From f7e7077a26dd3c7839ee91a6d17d73f83addc6b2 Mon Sep 17 00:00:00 2001 From: Andrew Leonard Date: Thu, 23 Nov 2023 10:16:29 +0000 Subject: [PATCH 30/92] Signing verifier job Signed-off-by: Andrew Leonard --- pipelines/build/common/verify_signing.groovy | 68 +++++++++++--------- 1 file changed, 39 insertions(+), 29 deletions(-) diff --git a/pipelines/build/common/verify_signing.groovy b/pipelines/build/common/verify_signing.groovy index e68852e82..3b4b09d18 100644 --- a/pipelines/build/common/verify_signing.groovy +++ b/pipelines/build/common/verify_signing.groovy @@ -121,10 +121,12 @@ if (verify) { def jmods = sh(script:"find ${dir} -type f -name '*.jmod'", \ returnStdout:true).split("\\r?\\n|\\r") jmods.each { jmod -> - def expand_dir = "expanded_" + sh(script:"basename ${jmod}", returnStdout:true) - expand_dir = "${dir}/${expand_dir}".trim() - sh("mkdir ${expand_dir}") - sh("${jdk_bin}/jmod extract --dir ${expand_dir} ${jmod}") + if (jmod.trim() != "") { + def expand_dir = "expanded_" + sh(script:"basename ${jmod}", returnStdout:true) + expand_dir = "${dir}/${expand_dir}".trim() + sh("mkdir ${expand_dir}") + sh("${jdk_bin}/jmod extract --dir ${expand_dir} ${jmod}") + } } // Expand "modules" compress image containing jmods 
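Review bot: The `if (jmod.trim() != "")` guard added around the loop body exists only because `split("\\r?\\n|\\r")` yields a trailing empty element (and a single empty element when `find` prints nothing); splitting with `tokenize` drops empty tokens and makes the guard unnecessary: `def jmods = sh(script:"find ${dir} -type f -name '*.jmod'", returnStdout:true).tokenize("\r\n")`. The same change would remove the copied guard from the `modules`, `bins` and `pkgs` loops in the following hunks. The enclosing `archives.each` closure starts outside the hunk.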
@@ -132,10 +134,12 @@ if (verify) { def modules = sh(script:"find ${dir} -type f -name 'modules'", \ returnStdout:true).split("\\r?\\n|\\r") modules.each { module -> - def expand_dir = "expanded_" + sh(script:"basename ${module}", returnStdout:true) - expand_dir = "${dir}/${expand_dir}".trim() - sh("mkdir ${expand_dir}") - sh("${jdk_bin}/jimage extract --dir ${expand_dir} ${module}") + if (module.trim() != "") { + def expand_dir = "expanded_" + sh(script:"basename ${module}", returnStdout:true) + expand_dir = "${dir}/${expand_dir}".trim() + sh("mkdir ${expand_dir}") + sh("${jdk_bin}/jimage extract --dir ${expand_dir} ${module}") + } } } 
@@ -148,26 +152,30 @@ if (verify) { find ${unpack_dir} -perm /111 -type f -not -name '.*' -o -name '*.dylib' -o -name 'jpackageapplauncher'", \ returnStdout:true).split("\\r?\\n|\\r") bins.each { bin -> - def rc = sh(script:"codesign --verify --verbose ${bin}", returnStatus:true) - if (rc != 0) { - println "Error: dylib not signed: ${bin}" - currentBuild.result = 'FAILURE' - } else { - println "Signed correctly: ${bin}" - } + if (bin.trim() != "") { + def rc = sh(script:"codesign --verify --verbose ${bin}", returnStatus:true) + if (rc != 0) { + println "Error: dylib not signed: ${bin}" + currentBuild.result = 'FAILURE' + } else { + println "Signed correctly: ${bin}" + } + } } } else { // Windows // Find all exe/dll's that must be Signed def bins = sh(script:"find ${unpack_dir} -type f -name '*.exe' -o -name '*.dll'", \ returnStdout:true).split("\\r?\\n|\\r") bins.each { bin -> - def rc = sh(script:"signtool verify /v ${bin}", returnStatus:true) - if (rc != 0) { - println "Error: binary not signed: ${bin}" - currentBuild.result = 'FAILURE' - } else { - println "Signed correctly: ${bin}" - } + if (bin.trim() != "") { + def rc = sh(script:"signtool verify /v ${bin}", returnStatus:true) + if (rc != 0) { + println "Error: binary not signed: ${bin}" + currentBuild.result = 'FAILURE' + } else { + println "Signed correctly: ${bin}" + } + } } } 
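Review bot: `codesign --verify` only confirms that a signature is present and its seal intact; it accepts any signer, including an ad-hoc signature, so a binary re-signed by a third party still prints "Signed correctly". For a release gate, pin the expected identity with a designated requirement, e.g. `codesign --verify --strict --verbose=2 -R='anchor apple generic and certificate leaf[subject.OU] = "<TEAM_ID>"' "${bin}"` using the project's Developer ID team identifier, or parse `codesign -dvv` output for the expected Authority. Quoting `"${bin}"` in the command also protects against paths containing spaces. The `if`/`else` over `TARGET_OS` enclosing this hunk starts before and ends after it.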
@@ -177,13 +185,15 @@ if (verify) { def pkgs = sh(script:"find . -type f -name '*.pkg'", \ returnStdout:true).split("\\r?\\n|\\r") pkgs.each { pkg -> - def rc = sh(script:"spctl -a -vvv -t install ${pkg}", returnStatus:true) - if (rc != 0) { - println "Error: pkg not Notarized: ${pkg}" - currentBuild.result = 'FAILURE' - } else { - println "Notarized correctly: ${pkg}" - } + if (pkg.trim() != "") { + def rc = sh(script:"spctl -a -vvv -t install ${pkg}", returnStatus:true) + if (rc != 0) { + println "Error: pkg not Notarized: ${pkg}" + currentBuild.result = 'FAILURE' + } else { + println "Notarized correctly: ${pkg}" + } + } } } } finally { From cfb8658771c59930d4b01fea52b1181f43549ea5 Mon Sep 17 00:00:00 2001 From: Andrew Leonard Date: Thu, 23 Nov 2023 11:10:21 +0000 Subject: [PATCH 31/92] Signing verifier job Signed-off-by: Andrew Leonard --- pipelines/build/common/verify_signing.groovy | 54 +++++++++++++------- 1 file changed, 36 insertions(+), 18 deletions(-) diff --git a/pipelines/build/common/verify_signing.groovy b/pipelines/build/common/verify_signing.groovy index 3b4b09d18..770159ff1 100644 --- a/pipelines/build/common/verify_signing.groovy +++ b/pipelines/build/common/verify_signing.groovy 
@@ -20,33 +20,49 @@ Parameters: - UPSTREAM_JOB_NAME : Upstream job name containing artifacts - UPSTREAM_JOB_NUMBER : Upstream job number containing artifacts - TARGET_OS : "mac" or "windows" - - MAC_VERIFY_LABEL : Jenkins label for where to run "mac" - - WINDOWS_VERIFY_LABEL : Jenkins label for where to run "windows" + - TARGET_ARCH : "aarch64 or "x64" or "x86-32" + - NODE_LABEL : Jenkins label for where to run */ +// For Windows find the Windows Kit "signtool.exe", which should reside +// under the default c:\Program Files (x86)\Windows Kit directory +String find_signtool() { + def arch + switch (params.TARGET_ARCH) { + case "aarch64": arch = "arm64"; break + case "x64": arch = "x64"; break + case "x86-32": arch = "x86-32"; break + default: + println "ERROR: Unknown architecture: ${params.TARGET_ARCH}" + exit 1 + } + + def windowsKitPath = "/cygdrive/c/progra~2/wi3cf2~1/*/bin/*/${arch}" + + def files = sh(script:"find ${windowsKitPath} -type f -name 'signtool.exe'", \ + returnStdout:true).split("\\r?\\n|\\r") -def verify = false -def verifyNode -switch(params.TARGET_OS) { - case 'mac': - verifyNode = params.MAC_VERIFY_LABEL - verify = true - break - case 'windows': - verifyNode = params.WINDOWS_VERIFY_LABEL - verify = true - break - default: - println "No signing verification for: ${params.TARGET_OS}" + // Return the first one we find + if (files.size == 0 || files[0].trim() == "") { + println "ERROR: Unable to find signtool.exe in ${windowsKitPath}" + exit 2 + } else { + return files[0].trim() + } } -if (verify) { +// +// Main code +// +if (params.TARGET_OS != "mac" && params.TARGET_OS != "windows") + println "No signing verification for platform: ${params.TARGET_OS}" +} else { println "Verifying signing for platform ${params.TARGET_OS}, ${params.UPSTREAM_JOB_NAME} #${params.UPSTREAM_JOB_NUMBER}" // Switch to appropriate node stage("verify_signing") { - node(verifyNode) { + node(params.NODE_LABEL) { try { // Clean workspace to ensure no old artifacts cleanWs 
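Review bot: `exit 1` and `exit 2` are not pipeline steps — in a Jenkins scripted pipeline they resolve to a missing method, so the error branches in `find_signtool` fail with an unrelated exception rather than the message printed just above them; use `error("Unknown architecture: ${params.TARGET_ARCH}")`, which aborts with that message. The `x86-32` case maps to a directory literally named `x86-32`, whereas the Windows Kits `bin/<version>/` layout I know uses `x86`, `x64`, `arm64` and `arm`, so the 32-bit lookup would presumably never match — worth confirming on a 32-bit node. Returning `files[0]` also picks whichever kit version `find` lists first, so the signtool used is not deterministic across nodes; sort the list or pin a version. The `node` block opened at the end of this hunk continues outside it.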
notFailBuild: true, disableDeferredWipeout: true, deleteDirs: true @@ -163,12 +179,14 @@ if (verify) { } } } else { // Windows + def signtool = find_signtool() + // Find all exe/dll's that must be Signed def bins = sh(script:"find ${unpack_dir} -type f -name '*.exe' -o -name '*.dll'", \ returnStdout:true).split("\\r?\\n|\\r") bins.each { bin -> if (bin.trim() != "") { - def rc = sh(script:"signtool verify /v ${bin}", returnStatus:true) + def rc = sh(script:"${signtool} verify /v ${bin}", returnStatus:true) if (rc != 0) { println "Error: binary not signed: ${bin}" currentBuild.result = 'FAILURE' From 5165f3f10b29b4332c95bb4d1ea01f7b4791bce0 Mon Sep 17 00:00:00 2001 From: Andrew Leonard Date: Thu, 23 Nov 2023 11:13:34 +0000 Subject: [PATCH 32/92] Signing verifier job Signed-off-by: Andrew Leonard --- pipelines/build/common/verify_signing.groovy | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pipelines/build/common/verify_signing.groovy b/pipelines/build/common/verify_signing.groovy index 770159ff1..9f9fa8556 100644 --- a/pipelines/build/common/verify_signing.groovy +++ b/pipelines/build/common/verify_signing.groovy @@ -55,7 +55,7 @@ String find_signtool() { // // Main code // -if (params.TARGET_OS != "mac" && params.TARGET_OS != "windows") +if (params.TARGET_OS != "mac" && params.TARGET_OS != "windows") { println "No signing verification for platform: ${params.TARGET_OS}" } else { println "Verifying signing for platform ${params.TARGET_OS}, ${params.UPSTREAM_JOB_NAME} #${params.UPSTREAM_JOB_NUMBER}" From e528f64f3fde4593e762b0e1e916d5f8b60d538b Mon Sep 17 00:00:00 2001 From: Andrew Leonard Date: Thu, 23 Nov 2023 11:18:22 +0000 Subject: [PATCH 33/92] Signing verifier job Signed-off-by: Andrew Leonard --- pipelines/build/common/verify_signing.groovy | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pipelines/build/common/verify_signing.groovy b/pipelines/build/common/verify_signing.groovy index 9f9fa8556..f97cc2c18 100644 
--- a/pipelines/build/common/verify_signing.groovy +++ b/pipelines/build/common/verify_signing.groovy @@ -44,7 +44,7 @@ String find_signtool() { returnStdout:true).split("\\r?\\n|\\r") // Return the first one we find - if (files.size == 0 || files[0].trim() == "") { + if (files.size() == 0 || files[0].trim() == "") { println "ERROR: Unable to find signtool.exe in ${windowsKitPath}" exit 2 } else { From eeb40363429fd45029182132fe6803a42cba2d18 Mon Sep 17 00:00:00 2001 From: Andrew Leonard Date: Thu, 23 Nov 2023 11:28:52 +0000 Subject: [PATCH 34/92] Signing verifier job Signed-off-by: Andrew Leonard --- pipelines/build/common/verify_signing.groovy | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pipelines/build/common/verify_signing.groovy b/pipelines/build/common/verify_signing.groovy index f97cc2c18..5a13666f3 100644 --- a/pipelines/build/common/verify_signing.groovy +++ b/pipelines/build/common/verify_signing.groovy @@ -186,7 +186,7 @@ if (params.TARGET_OS != "mac" && params.TARGET_OS != "windows") { returnStdout:true).split("\\r?\\n|\\r") bins.each { bin -> if (bin.trim() != "") { - def rc = sh(script:"${signtool} verify /v ${bin}", returnStatus:true) + def rc = sh(script:"${signtool} verify /pa /v ${bin}", returnStatus:true) if (rc != 0) { println "Error: binary not signed: ${bin}" currentBuild.result = 'FAILURE' From 94592b7091f9ec8bf2c8025819e8e8071ffa7625 Mon Sep 17 00:00:00 2001 From: Andrew Leonard Date: Thu, 23 Nov 2023 14:34:28 +0000 Subject: [PATCH 35/92] Signing verifier job Signed-off-by: Andrew Leonard --- .../common/openjdk_build_pipeline.groovy | 40 +++++++++++++++++++ 1 file changed, 40 insertions(+) diff --git a/pipelines/build/common/openjdk_build_pipeline.groovy b/pipelines/build/common/openjdk_build_pipeline.groovy index eac57ac68..22414f240 100644 --- a/pipelines/build/common/openjdk_build_pipeline.groovy +++ b/pipelines/build/common/openjdk_build_pipeline.groovy 
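Review bot: `/pa` is the right policy for application binaries (without it signtool applies the kernel-mode driver policy and ordinary Authenticode signatures fail), but it still accepts any certificate chaining to a trusted root, so the check passes for a binary signed by anyone holding a code-signing certificate. To make this a release gate, confirm the signer as well — capture the `/v` output with `returnStdout:true` and fail unless the "Issued to" line names the expected publisher, or constrain the chain with signtool's `/r` root-subject option. The enclosing loop and `else` branch start outside the hunk.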
@@ -905,6 +905,37 @@ class Build { flatten: true) } + // For Windows and Mac verify that all necessary executables are Signed and Notarized(mac) + private void verifySigning() { + if (buildConfig.TARGET_OS == "windows" || buildConfig.TARGET_OS == "mac") { + context.println "RUNNING sign_verification for ${buildConfig.TARGET_OS}/${buildConfig.ARCHITECTURE} ..." + + // Determine suitable node to run on + def verifyNode + if (buildConfig.TARGET_OS == "windows") { + verifyNode = "ci.role.test&&sw.os.windows" + } else { + verifyNode = "ci.role.test&&(sw.os.osx||sw.os.mac)" + } + if (buildConfig.ARCHITECTURE == "aarch64") { + verifyNode = verifyNode + "&&hw.arch.aarch64" + } else { + verifyNode = verifyNode + "&&hw.arch.x86" + } + + // Execute sign verification job + def signVerifyJob = context.build job: 'build-scripts/release/sign_verification', + propagate: true, + parameters: [ + context.string(name: 'UPSTREAM_JOB_NUMBER', value: "${env.BUILD_NUMBER}"), + context.string(name: 'UPSTREAM_JOB_NAME', value: "${env.JOB_NAME}"), + context.string(name: 'TARGET_OS', value: "${buildConfig.TARGET_OS}"), + context.string(name: 'TARGET_ARCH', value: "${buildConfig.ARCHITECTURE}"), + context.string(name: 'NODE_LABEL', value: "${verifyNode}") + ] + } + } + private void gpgSign() { context.stage('GPG sign') { context.println "RUNNING sign_temurin_gpg for ${buildConfig.TARGET_OS}/${buildConfig.ARCHITECTURE} ..." @@ -2052,6 +2083,15 @@ class Build { } } + // Verify Windows and Mac Signing for Temurin + if (buildConfig.VARIANT == 'temurin') { + try { + verifySigning() + } catch (Exception e) { + context.println(e.message) + } + } + // Compare reproducible build if needed if (enableReproducibleCompare) { compareReproducibleBuild(nonDockerNodeName) From afc4c2990defebd915bd5d812d1137957a46a486 Mon Sep 17 00:00:00 2001 From: Andrew Leonard Date: Fri, 24 Nov 2023 11:16:01 +0000 Subject: [PATCH 36/92] Signing verifier job 
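Review bot: The `catch (Exception e) { context.println(e.message) }` around `verifySigning()` turns the signing gate into an advisory message: with `propagate: true` the `build` step presumably throws when the verifier marks itself FAILURE, and this catch swallows exactly that, so a Temurin build with unsigned binaries still completes successfully. Either let the exception propagate, or record it — `context.println(e.message); currentBuild.result = 'FAILURE'` (via `context.` if that is how `currentBuild` is reached in this class) — and reserve the swallow for genuinely non-fatal problems. The enclosing method starts and ends outside the hunk.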
Signed-off-by: Andrew Leonard --- .../common/openjdk_build_pipeline.groovy | 51 ++++++++++--------- 1 file changed, 28 insertions(+), 23 deletions(-) diff --git a/pipelines/build/common/openjdk_build_pipeline.groovy b/pipelines/build/common/openjdk_build_pipeline.groovy index 22414f240..f7bc5260d 100644 --- a/pipelines/build/common/openjdk_build_pipeline.groovy +++ b/pipelines/build/common/openjdk_build_pipeline.groovy 
@@ -908,31 +908,36 @@ class Build { // For Windows and Mac verify that all necessary executables are Signed and Notarized(mac) private void verifySigning() { if (buildConfig.TARGET_OS == "windows" || buildConfig.TARGET_OS == "mac") { - context.println "RUNNING sign_verification for ${buildConfig.TARGET_OS}/${buildConfig.ARCHITECTURE} ..." + try { + context.println "RUNNING sign_verification for ${buildConfig.TARGET_OS}/${buildConfig.ARCHITECTURE} ..." - // Determine suitable node to run on - def verifyNode - if (buildConfig.TARGET_OS == "windows") { - verifyNode = "ci.role.test&&sw.os.windows" - } else { - verifyNode = "ci.role.test&&(sw.os.osx||sw.os.mac)" - } - if (buildConfig.ARCHITECTURE == "aarch64") { - verifyNode = verifyNode + "&&hw.arch.aarch64" - } else { - verifyNode = verifyNode + "&&hw.arch.x86" - } + // Determine suitable node to run on + def verifyNode + if (buildConfig.TARGET_OS == "windows") { + verifyNode = "ci.role.test&&sw.os.windows" + } else { + verifyNode = "ci.role.test&&(sw.os.osx||sw.os.mac)" + } + if (buildConfig.ARCHITECTURE == "aarch64") { + verifyNode = verifyNode + "&&hw.arch.aarch64" + } else { + verifyNode = verifyNode + "&&hw.arch.x86" + } - // Execute sign verification job - def signVerifyJob = context.build job: 'build-scripts/release/sign_verification', - propagate: true, - parameters: [ - context.string(name: 'UPSTREAM_JOB_NUMBER', value: "${env.BUILD_NUMBER}"), - context.string(name: 'UPSTREAM_JOB_NAME', value: "${env.JOB_NAME}"), - context.string(name: 'TARGET_OS', value: "${buildConfig.TARGET_OS}"), - context.string(name: 'TARGET_ARCH', value: "${buildConfig.ARCHITECTURE}"), - context.string(name: 'NODE_LABEL', value: "${verifyNode}") - ] + // Execute sign verification job + def signVerifyJob = context.build job: 'build-scripts/release/sign_verification', + propagate: true, + parameters: [ + context.string(name: 'UPSTREAM_JOB_NUMBER', value: "${env.BUILD_NUMBER}"), + context.string(name: 'UPSTREAM_JOB_NAME', value: 
"${env.JOB_NAME}"), + context.string(name: 'TARGET_OS', value: "${buildConfig.TARGET_OS}"), + context.string(name: 'TARGET_ARCH', value: "${buildConfig.ARCHITECTURE}"), + context.string(name: 'NODE_LABEL', value: "${verifyNode}") + ] + } catch (e) { + context.println("Failed to sign_verification for ${buildConfig.TARGET_OS}/${buildConfig.ARCHITECTURE} ${e}") + currentBuild.result = 'FAILURE' + } } } From fbf88a785bdc81e423e44b00f3826de4b8028e5f Mon Sep 17 00:00:00 2001 From: Andrew Leonard Date: Fri, 24 Nov 2023 14:03:04 +0000 Subject: [PATCH 37/92] Signing verifier job Signed-off-by: Andrew Leonard --- pipelines/build/common/verify_signing.groovy | 40 ++++++++++---------- 1 file changed, 20 insertions(+), 20 deletions(-) diff --git a/pipelines/build/common/verify_signing.groovy b/pipelines/build/common/verify_signing.groovy index 5a13666f3..ea07e6701 100644 --- a/pipelines/build/common/verify_signing.groovy +++ b/pipelines/build/common/verify_signing.groovy @@ -38,9 +38,9 @@ String find_signtool() { exit 1 } - def windowsKitPath = "/cygdrive/c/progra~2/wi3cf2~1/*/bin/*/${arch}" + def windowsKitPath = "/cygdrive/c/progra~2/wi3cf2~1" - def files = sh(script:"find ${windowsKitPath} -type f -name 'signtool.exe'", \ + def files = sh(script:"find ${windowsKitPath} -type f -path */${arch}/signtool.exe", \ returnStdout:true).split("\\r?\\n|\\r") // Return the first one we find 
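Review bot: The new untyped `catch (e)` also catches `FlowInterruptedException`, so a user abort or timeout during the verification job is reported as a signing FAILURE instead of an abort; rethrow when `e instanceof org.jenkinsci.plugins.workflow.steps.FlowInterruptedException` before marking the result. `currentBuild.result = 'FAILURE'` is written bare here while every other pipeline object in this method is reached through `context.` — confirm it resolves inside `class Build`, otherwise the assignment itself throws and is masked. The caller's own `catch (Exception e) { context.println(e.message) }` from the earlier commit still wraps `verifySigning()`, so the build outcome is only as strict as that outer handler.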
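Review bot: The `-path */${arch}/signtool.exe` argument is unquoted, so the shell glob-expands `*/x64/signtool.exe` against the current workspace before `find` runs; it only works today because nothing in the workspace matches and `sh` then passes the literal pattern through. Quote it: `find ${windowsKitPath} -type f -path "*/${arch}/signtool.exe"`. The result is still the first kit in directory order, so the signtool version used remains non-deterministic across nodes. `find_signtool` starts outside the hunk.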
@@ -70,12 +70,15 @@ if (params.TARGET_OS != "mac" && params.TARGET_OS != "windows") { // Find upstream job archives to be verified for Signatures def jdkFilter def jreFilter + def installerFilter if (params.TARGET_OS == "mac") { jdkFilter = "workspace/target/*-jdk*.tar.gz" jreFilter = "workspace/target/*-jre*.tar.gz" + installerFilter = "workspace/target/*.pkg" } else { // Windows jdkFilter = "workspace/target/*-jdk*.zip" jreFilter = "workspace/target/*-jre*.zip" + installerFilter = "workspace/target/*.msi" } println "[INFO] Retrieving ${jdkFilter} artifacts from ${params.UPSTREAM_JOB_NAME} #${params.UPSTREAM_JOB_NUMBER}" @@ -95,18 +98,15 @@ if (params.TARGET_OS != "mac" && params.TARGET_OS != "windows") { flatten: true ) - // For Mac we need to also verify pkg files are "Notarized" if installers have been created - if (params.TARGET_OS == "mac") { - println "[INFO] Retrieving workspace/target/*.pkg artifacts from ${params.UPSTREAM_JOB_NAME} #${params.UPSTREAM_JOB_NUMBER}" - copyArtifacts( - projectName: "${params.UPSTREAM_JOB_NAME}", - selector: specific("${params.UPSTREAM_JOB_NUMBER}"), - filter: "workspace/target/*.pkg", - fingerprintArtifacts: true, - flatten: true, - optional: true - ) - } + println "[INFO] Retrieving ${installerFilter} artifacts from ${params.UPSTREAM_JOB_NAME} #${params.UPSTREAM_JOB_NUMBER}" + copyArtifacts( + projectName: "${params.UPSTREAM_JOB_NAME}", + selector: specific("${params.UPSTREAM_JOB_NUMBER}"), + filter: "${installerFilter}", + fingerprintArtifacts: true, + flatten: true, + optional: true + ) // Unpack archives def unpack_dir = "unpacked" 
@@ -159,13 +159,13 @@ if (params.TARGET_OS != "mac" && params.TARGET_OS != "windows") { } } - // Verify all executables for Signatures + // Verify all executables and installers for Signatures if (params.TARGET_OS == "mac") { - // On Mac find all dylib's and binaries marked as "executable", + // On Mac find all dylib's and binaries marked as "executable" and .pkg's, // also add "jpackageapplauncher" specific case which is not marked as "executable" // as it is within the jdk.jpackage resources used by jpackage util to generate user app launchers - def bins = sh(script:"find ${unpack_dir} -perm +111 -type f -not -name '.*' -o -name '*.dylib' -o -name 'jpackageapplauncher' || \ - find ${unpack_dir} -perm /111 -type f -not -name '.*' -o -name '*.dylib' -o -name 'jpackageapplauncher'", \ + def bins = sh(script:"find . -perm +111 -type f -not -name '.*' -o -name '*.dylib' -o -name 'jpackageapplauncher' -o -name '*.pkg' || \ + find . -perm /111 -type f -not -name '.*' -o -name '*.dylib' -o -name 'jpackageapplauncher' -o -name '*.pkg'", \ returnStdout:true).split("\\r?\\n|\\r") bins.each { bin -> if (bin.trim() != "") { @@ -181,8 +181,8 @@ if (params.TARGET_OS != "mac" && params.TARGET_OS != "windows") { } else { // Windows def signtool = find_signtool() - // Find all exe/dll's that must be Signed - def bins = sh(script:"find ${unpack_dir} -type f -name '*.exe' -o -name '*.dll'", \ + // Find all exe/dll's and msi's that must be Signed + def bins = sh(script:"find ${unpack_dir} -type f -name '*.exe' -o -name '*.dll' -o -name '*.msi'", \ returnStdout:true).split("\\r?\\n|\\r") bins.each { bin -> if (bin.trim() != "") { From b165a2d0c1b83682a810b308daebcb9a45007383 Mon Sep 17 00:00:00 2001 From: Andrew Leonard Date: Mon, 27 Nov 2023 11:21:19 +0000 Subject: [PATCH 38/92] Signing verifier job Signed-off-by: Andrew Leonard --- pipelines/build/common/verify_signing.groovy | 243 +++++++++++-------- 1 file changed, 141 insertions(+), 102 deletions(-) 
diff --git a/pipelines/build/common/verify_signing.groovy b/pipelines/build/common/verify_signing.groovy index ea07e6701..53c7f7680 100644 --- a/pipelines/build/common/verify_signing.groovy +++ b/pipelines/build/common/verify_signing.groovy @@ -38,7 +38,7 @@ String find_signtool() { exit 1 } - def windowsKitPath = "/cygdrive/c/progra~2/wi3cf2~1" + def windowsKitPath = "/cygdrive/c/'Program Files (x86)'/'Windows Kits'" def files = sh(script:"find ${windowsKitPath} -type f -path */${arch}/signtool.exe", \ returnStdout:true).split("\\r?\\n|\\r") 
@@ -52,6 +52,141 @@ String find_signtool() { } } +// Unpack the archives so the signartures can be checked +void unpackArchives(String unpack_dir, String[] archives) { + archives.each { archive -> + def dir = "${unpack_dir}/${archive}" + if (params.TARGET_OS == "mac") { + sh("mkdir -p ${dir} && tar -C ${dir} -xf *-${archive}*.tar.gz") + } else { // Windows + sh("mkdir -p ${dir} && unzip *-${archive}*.zip -d ${dir}") + } + } + + // Copy JDK so it can be used for unpacking using jmod/jimage + sh("mkdir jdk_cp && cp -r ${unpack_dir}/jdk/*/* jdk_cp") + + def jdk_bin = "jdk_cp/bin" + if (params.TARGET_OS == "mac") { + jdk_bin = "jdk_cp/Contents/Home/bin" + } + + // Expand the JMODs and modules image to test binaries within + archives.each { archive -> + def dir = "${unpack_dir}/${archive}" + // Expand JMODs + println "Expanding JMODS under ${dir}" + def jmods = sh(script:"find ${dir} -type f -name '*.jmod'", \ + returnStdout:true).split("\\r?\\n|\\r") + jmods.each { jmod -> + if (jmod.trim() != "") { + def expand_dir = "expanded_" + sh(script:"basename ${jmod}", returnStdout:true) + expand_dir = "${dir}/${expand_dir}".trim() + sh("mkdir ${expand_dir}") + sh("${jdk_bin}/jmod extract --dir ${expand_dir} ${jmod}") + } + } + + // Expand "modules" compress image containing jmods + println "Expanding 'modules' compressed image file under ${dir}" + def modules = sh(script:"find ${dir} -type f -name 'modules'", \ + returnStdout:true).split("\\r?\\n|\\r") + modules.each { module -> + if (module.trim() != "") { + def expand_dir = "expanded_" + sh(script:"basename ${module}", returnStdout:true) + expand_dir = "${dir}/${expand_dir}".trim() + sh("mkdir ${expand_dir}") + sh("${jdk_bin}/jimage extract --dir ${expand_dir} ${module}") + } + } + } +} + +// Verify executables for Signatures +void verifyExecutables(String unpack_dir) { + if (params.TARGET_OS == "mac") { + // On Mac find all dylib's and binaries marked as "executable", + // also add "jpackageapplauncher" specific case which 
is not marked as "executable" + // as it is within the jdk.jpackage resources used by jpackage util to generate user app launchers + def bins = sh(script:"find ${unpack_dir} -perm +111 -type f -not -name '.*' -o -name '*.dylib' -o -name 'jpackageapplauncher' || \ + find ${unpack_dir} -perm /111 -type f -not -name '.*' -o -name '*.dylib' -o -name 'jpackageapplauncher'", \ + returnStdout:true).split("\\r?\\n|\\r") + bins.each { bin -> + if (bin.trim() != "") { + def rc = sh(script:"codesign --verify --verbose ${bin}", returnStatus:true) + if (rc != 0) { + println "Error: executable not Signed: ${bin}" + currentBuild.result = 'FAILURE' + } else { + println "Signed correctly: ${bin}" + } + } + } + } else { // Windows + def signtool = find_signtool() + + // Find all exe/dll's that must be Signed + def bins = sh(script:"find ${unpack_dir} -type f -name '*.exe' -o -name '*.dll'", \ + returnStdout:true).split("\\r?\\n|\\r") + bins.each { bin -> + if (bin.trim() != "") { + def rc = sh(script:"${signtool} verify /pa /v ${bin}", returnStatus:true) + if (rc != 0) { + println "Error: executable not Signed: ${bin}" + currentBuild.result = 'FAILURE' + } else { + println "Signed correctly: ${bin}" + } + } + } + } +} + +// Verify installers for Signatures and Notarization(mac only) +void verifyInstallers() { + if (params.TARGET_OS == "mac") { + // Find all pkg's that need to be Signed and Notarized + def pkgs = sh(script:"find . 
-type f -name '*.pkg'", \ + returnStdout:true).split("\\r?\\n|\\r") + pkgs.each { pkg -> + if (pkg.trim() != "") { + def rc = sh(script:"pkgutil --check-signature ${pkg}", returnStatus:true) + if (rc != 0) { + println "Error: pkg not Signed: ${pkg}" + currentBuild.result = 'FAILURE' + } else { + println "Signed correctly: ${pkg}" + } + + rc = sh(script:"spctl -a -vvv -t install ${pkg}", returnStatus:true) + if (rc != 0) { + println "Error: pkg not Notarized: ${pkg}" + currentBuild.result = 'FAILURE' + } else { + println "Notarized correctly: ${pkg}" + } + } + } + } else { // Windows + // Find all msi's that need to be Signed + def signtool = find_signtool() + + def msis = sh(script:"find . -type f -name '*.msi'", \ + returnStdout:true).split("\\r?\\n|\\r") + msis.each { msi -> + if (msi.trim() != "") { + def rc = sh(script:"${signtool} verify /pa /v ${msi}", returnStatus:true) + if (rc != 0) { + println "Error: installer not Signed: ${msi}" + currentBuild.result = 'FAILURE' + } else { + println "Signed correctly: ${msi}" + } + } + } + } +} + // // Main code // 
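Review bot: `codesign --verify --verbose ${bin}`, `pkgutil --check-signature ${pkg}` and `${signtool} verify /pa /v ${bin}` in the new `verifyExecutables` and `verifyInstallers` confirm that a signature chains to a trusted root, not that it was made with this project's own certificate, so an artifact re-signed with any other Developer ID or Authenticode certificate would still print "Signed correctly". On mac the expected identity can be pinned on the same call, e.g. `codesign --verify --verbose -R="anchor apple generic and certificate leaf[subject.OU] = \"<EXPECTED_TEAM_ID>\"" ${bin}` (placeholder for the team identifier the release is signed with); on Windows the signer shown in the `/v` output would need to be compared with the expected subject, since `/pa` alone accepts any valid chain. Separately, `${bin}`, `${pkg}` and `${msi}` are interpolated unquoted into each `sh` script, so a path containing a space splits into two arguments and is reported as "not Signed" rather than as a tooling error; wrap them as `"${bin}"` inside the script strings. `rc` is reused for the notarization check, which is fine, but a short comment such as `// spctl -t install assesses the pkg against Gatekeeper, which fails for un-notarized packages` would explain why `spctl` stands in for a notarization check.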
@@ -111,109 +246,13 @@ if (params.TARGET_OS != "mac" && params.TARGET_OS != "windows") { // Unpack archives def unpack_dir = "unpacked" def archives = ["jdk", "jre"] + unpackArchives(unpack_dir, archives) - archives.each { archive -> - def dir = "${unpack_dir}/${archive}" - if (params.TARGET_OS == "mac") { - sh("mkdir -p ${dir} && tar -C ${dir} -xf *-${archive}*.tar.gz") - } else { // Windows - sh("mkdir -p ${dir} && unzip *-${archive}*.zip -d ${dir}") - } - } - - // Copy JDK so it can be used for unpacking using jmod/jimage - sh("mkdir jdk_cp && cp -r ${unpack_dir}/jdk/*/* jdk_cp") - - def jdk_bin = "jdk_cp/bin" - if (params.TARGET_OS == "mac") { - jdk_bin = "jdk_cp/Contents/Home/bin" - } - - // Expand the JMODs and modules image to test binaries within - archives.each { archive -> - def dir = "${unpack_dir}/${archive}" - // Expand JMODs - println "Expanding JMODS under ${dir}" - def jmods = sh(script:"find ${dir} -type f -name '*.jmod'", \ - returnStdout:true).split("\\r?\\n|\\r") - jmods.each { jmod -> - if (jmod.trim() != "") { - def expand_dir = "expanded_" + sh(script:"basename ${jmod}", returnStdout:true) - expand_dir = "${dir}/${expand_dir}".trim() - sh("mkdir ${expand_dir}") - sh("${jdk_bin}/jmod extract --dir ${expand_dir} ${jmod}") - } - } - - // Expand "modules" compress image containing jmods - println "Expanding 'modules' compressed image file under ${dir}" - def modules = sh(script:"find ${dir} -type f -name 'modules'", \ - returnStdout:true).split("\\r?\\n|\\r") - modules.each { module -> - if (module.trim() != "") { - def expand_dir = "expanded_" + sh(script:"basename ${module}", returnStdout:true) - expand_dir = "${dir}/${expand_dir}".trim() - sh("mkdir ${expand_dir}") - sh("${jdk_bin}/jimage extract --dir ${expand_dir} ${module}") - } - } - } - - // Verify all executables and installers for Signatures - if (params.TARGET_OS == "mac") { - // On Mac find all dylib's and binaries marked as "executable" and .pkg's, - // also add "jpackageapplauncher" 
specific case which is not marked as "executable" - // as it is within the jdk.jpackage resources used by jpackage util to generate user app launchers - def bins = sh(script:"find . -perm +111 -type f -not -name '.*' -o -name '*.dylib' -o -name 'jpackageapplauncher' -o -name '*.pkg' || \ - find . -perm /111 -type f -not -name '.*' -o -name '*.dylib' -o -name 'jpackageapplauncher' -o -name '*.pkg'", \ - returnStdout:true).split("\\r?\\n|\\r") - bins.each { bin -> - if (bin.trim() != "") { - def rc = sh(script:"codesign --verify --verbose ${bin}", returnStatus:true) - if (rc != 0) { - println "Error: dylib not signed: ${bin}" - currentBuild.result = 'FAILURE' - } else { - println "Signed correctly: ${bin}" - } - } - } - } else { // Windows - def signtool = find_signtool() - - // Find all exe/dll's and msi's that must be Signed - def bins = sh(script:"find ${unpack_dir} -type f -name '*.exe' -o -name '*.dll' -o -name '*.msi'", \ - returnStdout:true).split("\\r?\\n|\\r") - bins.each { bin -> - if (bin.trim() != "") { - def rc = sh(script:"${signtool} verify /pa /v ${bin}", returnStatus:true) - if (rc != 0) { - println "Error: binary not signed: ${bin}" - currentBuild.result = 'FAILURE' - } else { - println "Signed correctly: ${bin}" - } - } - } - } + // Verify all executables for Signatures + verifyExecutables(unpack_dir) - // For Mac also verify installer (if built) is Notarized - if (params.TARGET_OS == "mac") { - // Find all pkg's that need to be Notarized - def pkgs = sh(script:"find . 
-type f -name '*.pkg'", \ - returnStdout:true).split("\\r?\\n|\\r") - pkgs.each { pkg -> - if (pkg.trim() != "") { - def rc = sh(script:"spctl -a -vvv -t install ${pkg}", returnStatus:true) - if (rc != 0) { - println "Error: pkg not Notarized: ${pkg}" - currentBuild.result = 'FAILURE' - } else { - println "Notarized correctly: ${pkg}" - } - } - } - } + // Verify installers (if built) are Signed and Notarized(mac only) + verifyInstallers() } finally { // Clean workspace afterwards cleanWs notFailBuild: true, disableDeferredWipeout: true, deleteDirs: true From d3eba8e43810bda1f640c6cba333be68a01f736e Mon Sep 17 00:00:00 2001 From: Andrew Leonard Date: Mon, 27 Nov 2023 14:58:40 +0000 Subject: [PATCH 39/92] Signing verifier job Signed-off-by: Andrew Leonard --- pipelines/build/common/verify_signing.groovy | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/pipelines/build/common/verify_signing.groovy b/pipelines/build/common/verify_signing.groovy index 53c7f7680..5b29aaf25 100644 --- a/pipelines/build/common/verify_signing.groovy +++ b/pipelines/build/common/verify_signing.groovy @@ -53,7 +53,7 @@ String find_signtool() { } // Unpack the archives so the signartures can be checked -void unpackArchives(String unpack_dir, String[] archives) { +def unpackArchives(String unpack_dir, String[] archives) { archives.each { archive -> def dir = "${unpack_dir}/${archive}" if (params.TARGET_OS == "mac") { @@ -103,7 +103,7 @@ void unpackArchives(String unpack_dir, String[] archives) { } // Verify executables for Signatures -void verifyExecutables(String unpack_dir) { +def verifyExecutables(String unpack_dir) { if (params.TARGET_OS == "mac") { // On Mac find all dylib's and binaries marked as "executable", // also add "jpackageapplauncher" specific case which is not marked as "executable" 
@@ -143,7 +143,7 @@ void verifyExecutables(String unpack_dir) { } // Verify installers for Signatures and Notarization(mac only) -void verifyInstallers() { +def verifyInstallers() { if (params.TARGET_OS == "mac") { // Find all pkg's that need to be Signed and Notarized def pkgs = sh(script:"find . -type f -name '*.pkg'", \ From 0a43dd8e41200d5f4c32599a7ee7bf402f252c24 Mon Sep 17 00:00:00 2001 From: Andrew Leonard Date: Mon, 27 Nov 2023 15:21:01 +0000 Subject: [PATCH 40/92] Signing verifier job Signed-off-by: Andrew Leonard --- pipelines/build/common/verify_signing.groovy | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pipelines/build/common/verify_signing.groovy b/pipelines/build/common/verify_signing.groovy index 5b29aaf25..06669e00b 100644 --- a/pipelines/build/common/verify_signing.groovy +++ b/pipelines/build/common/verify_signing.groovy @@ -196,7 +196,7 @@ if (params.TARGET_OS != "mac" && params.TARGET_OS != "windows") { println "Verifying signing for platform ${params.TARGET_OS}, ${params.UPSTREAM_JOB_NAME} #${params.UPSTREAM_JOB_NUMBER}" // Switch to appropriate node - stage("verify_signing") { + stage("verify signatures") { node(params.NODE_LABEL) { try { // Clean workspace to ensure no old artifacts From faf927492a5246503b7ce1e6edcc438e800f388c Mon Sep 17 00:00:00 2001 From: Andrew Leonard Date: Mon, 27 Nov 2023 15:52:51 +0000 Subject: [PATCH 41/92] Signing verifier job Signed-off-by: Andrew Leonard --- pipelines/build/common/verify_signing.groovy | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pipelines/build/common/verify_signing.groovy b/pipelines/build/common/verify_signing.groovy index 06669e00b..f3a74795e 100644 --- a/pipelines/build/common/verify_signing.groovy +++ b/pipelines/build/common/verify_signing.groovy 
@@ -53,7 +53,7 @@ String find_signtool() { } // Unpack the archives so the signartures can be checked -def unpackArchives(String unpack_dir, String[] archives) { +private void unpackArchives(String unpack_dir, String[] archives) { archives.each { archive -> def dir = "${unpack_dir}/${archive}" if (params.TARGET_OS == "mac") { From b38add9ea1d93327845e8fc5808949984aad2008 Mon Sep 17 00:00:00 2001 From: Andrew Leonard Date: Mon, 27 Nov 2023 15:57:56 +0000 Subject: [PATCH 42/92] Signing verifier job Signed-off-by: Andrew Leonard --- pipelines/build/common/verify_signing.groovy | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/pipelines/build/common/verify_signing.groovy b/pipelines/build/common/verify_signing.groovy index f3a74795e..967be9dbf 100644 --- a/pipelines/build/common/verify_signing.groovy +++ b/pipelines/build/common/verify_signing.groovy @@ -53,7 +53,7 @@ String find_signtool() { } // Unpack the archives so the signartures can be checked -private void unpackArchives(String unpack_dir, String[] archives) { +void unpackArchives(String unpack_dir, String[] archives) { archives.each { archive -> def dir = "${unpack_dir}/${archive}" if (params.TARGET_OS == "mac") { @@ -244,8 +244,8 @@ if (params.TARGET_OS != "mac" && params.TARGET_OS != "windows") { ) // Unpack archives - def unpack_dir = "unpacked" - def archives = ["jdk", "jre"] + String unpack_dir = "unpacked" + String[] archives = ["jdk", "jre"] unpackArchives(unpack_dir, archives) // Verify all executables for Signatures From e8dfcf40866f860bc0642f19aad3d62af55360fc Mon Sep 17 00:00:00 2001 From: Andrew Leonard Date: Mon, 27 Nov 2023 16:08:56 +0000 Subject: [PATCH 43/92] Signing verifier job Signed-off-by: Andrew Leonard --- pipelines/build/common/verify_signing.groovy | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/pipelines/build/common/verify_signing.groovy b/pipelines/build/common/verify_signing.groovy index 967be9dbf..b257bdaf8 100644 
--- a/pipelines/build/common/verify_signing.groovy +++ b/pipelines/build/common/verify_signing.groovy @@ -48,7 +48,9 @@ String find_signtool() { println "ERROR: Unable to find signtool.exe in ${windowsKitPath}" exit 2 } else { - return files[0].trim() + def signtool = files[0].trim() + println "Found signtool: ${signtool}" + return signtool } } From f9c838b208287fcdc83e0a248aea042c6e80ea8d Mon Sep 17 00:00:00 2001 From: Andrew Leonard Date: Mon, 27 Nov 2023 16:47:22 +0000 Subject: [PATCH 44/92] Signing verifier job Signed-off-by: Andrew Leonard --- pipelines/build/common/verify_signing.groovy | 23 +++++++++++--------- 1 file changed, 13 insertions(+), 10 deletions(-) diff --git a/pipelines/build/common/verify_signing.groovy b/pipelines/build/common/verify_signing.groovy index b257bdaf8..d82bd9eac 100644 --- a/pipelines/build/common/verify_signing.groovy +++ b/pipelines/build/common/verify_signing.groovy 
@@ -108,19 +108,22 @@ void unpackArchives(String unpack_dir, String[] archives) { def verifyExecutables(String unpack_dir) { if (params.TARGET_OS == "mac") { // On Mac find all dylib's and binaries marked as "executable", - // also add "jpackageapplauncher" specific case which is not marked as "executable" - // as it is within the jdk.jpackage resources used by jpackage util to generate user app launchers - def bins = sh(script:"find ${unpack_dir} -perm +111 -type f -not -name '.*' -o -name '*.dylib' -o -name 'jpackageapplauncher' || \ - find ${unpack_dir} -perm /111 -type f -not -name '.*' -o -name '*.dylib' -o -name 'jpackageapplauncher'", \ + //def bins = sh(script:"find ${unpack_dir} -perm +111 -type f -not -name '.*' -o -name '*.dylib' -o -name 'jpackageapplauncher' || \ + //# find ${unpack_dir} -perm /111 -type f -not -name '.*' -o -name '*.dylib' -o -name 'jpackageapplauncher'", \ + //# returnStdout:true).split("\\r?\\n|\\r") + def bins = sh(script:"find ${unpack_dir}", \ returnStdout:true).split("\\r?\\n|\\r") bins.each { bin -> if (bin.trim() != "") { - def rc = sh(script:"codesign --verify --verbose ${bin}", returnStatus:true) - if (rc != 0) { - println "Error: executable not Signed: ${bin}" - currentBuild.result = 'FAILURE' - } else { - println "Signed correctly: ${bin}" + // Is file a Mac 64 bit executable or dylib ? + if file ${bin} | grep "Mach-O 64-bit executable\|Mach-O 64-bit dynamically linked shared library" >/dev/null; then + def rc = sh(script:"codesign --verify --verbose ${bin}", returnStatus:true) + if (rc != 0) { + println "Error: executable not Signed: ${bin}" + currentBuild.result = 'FAILURE' + } else { + println "Signed correctly: ${bin}" + } } } } From 1f7a20e4ba4d6e9dac29c02949d7d476de24bba1 Mon Sep 17 00:00:00 2001 From: Andrew Leonard Date: Mon, 27 Nov 2023 20:33:26 +0000 Subject: [PATCH 45/92] Signing verifier job 
Signed-off-by: Andrew Leonard --- pipelines/build/common/verify_signing.groovy | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/pipelines/build/common/verify_signing.groovy b/pipelines/build/common/verify_signing.groovy index d82bd9eac..9e6298061 100644 --- a/pipelines/build/common/verify_signing.groovy +++ b/pipelines/build/common/verify_signing.groovy @@ -116,8 +116,9 @@ def verifyExecutables(String unpack_dir) { bins.each { bin -> if (bin.trim() != "") { // Is file a Mac 64 bit executable or dylib ? - if file ${bin} | grep "Mach-O 64-bit executable\|Mach-O 64-bit dynamically linked shared library" >/dev/null; then - def rc = sh(script:"codesign --verify --verbose ${bin}", returnStatus:true) + def rc = sh(script:"file ${bin} | grep \"Mach-O 64-bit executable\|Mach-O 64-bit dynamically linked shared library\" >/dev/null", returnStatus:true) + if (rc == 0) { + rc = sh(script:"codesign --verify --verbose ${bin}", returnStatus:true) if (rc != 0) { println "Error: executable not Signed: ${bin}" currentBuild.result = 'FAILURE' From 8650152dbae5f89024be14bac52d80786073acaa Mon Sep 17 00:00:00 2001 From: Andrew Leonard Date: Mon, 27 Nov 2023 20:34:25 +0000 Subject: [PATCH 46/92] Signing verifier job Signed-off-by: Andrew Leonard --- pipelines/build/common/verify_signing.groovy | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pipelines/build/common/verify_signing.groovy b/pipelines/build/common/verify_signing.groovy index 9e6298061..dbb03a063 100644 --- a/pipelines/build/common/verify_signing.groovy +++ b/pipelines/build/common/verify_signing.groovy 
@@ -116,7 +116,7 @@ def verifyExecutables(String unpack_dir) { bins.each { bin -> if (bin.trim() != "") { // Is file a Mac 64 bit executable or dylib ? - def rc = sh(script:"file ${bin} | grep \"Mach-O 64-bit executable\|Mach-O 64-bit dynamically linked shared library\" >/dev/null", returnStatus:true) + def rc = sh(script:"file ${bin} | grep \"Mach-O 64-bit executable\\|Mach-O 64-bit dynamically linked shared library\" >/dev/null", returnStatus:true) if (rc == 0) { rc = sh(script:"codesign --verify --verbose ${bin}", returnStatus:true) if (rc != 0) { From 8dc607934c2a25c8103dcb47a24b736abc8ebad4 Mon Sep 17 00:00:00 2001 From: Andrew Leonard Date: Mon, 27 Nov 2023 20:42:40 +0000 Subject: [PATCH 47/92] Signing verifier job Signed-off-by: Andrew Leonard --- pipelines/build/common/verify_signing.groovy | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pipelines/build/common/verify_signing.groovy b/pipelines/build/common/verify_signing.groovy index dbb03a063..0b6fc23e7 100644 --- a/pipelines/build/common/verify_signing.groovy +++ b/pipelines/build/common/verify_signing.groovy @@ -111,7 +111,7 @@ def verifyExecutables(String unpack_dir) { //def bins = sh(script:"find ${unpack_dir} -perm +111 -type f -not -name '.*' -o -name '*.dylib' -o -name 'jpackageapplauncher' || \ //# find ${unpack_dir} -perm /111 -type f -not -name '.*' -o -name '*.dylib' -o -name 'jpackageapplauncher'", \ //# returnStdout:true).split("\\r?\\n|\\r") - def bins = sh(script:"find ${unpack_dir}", \ + def bins = sh(script:"find ${unpack_dir} -type f -not -name '.*' -o -name '*.dylib'", \ returnStdout:true).split("\\r?\\n|\\r") bins.each { bin -> if (bin.trim() != "") { From 7afd732014cd0a80d7d65e23b32eadeef51aa46c Mon Sep 17 00:00:00 2001 From: Andrew Leonard Date: Mon, 27 Nov 2023 20:49:31 +0000 Subject: [PATCH 48/92] Signing verifier job Signed-off-by: Andrew Leonard --- pipelines/build/common/verify_signing.groovy | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/pipelines/build/common/verify_signing.groovy b/pipelines/build/common/verify_signing.groovy index 0b6fc23e7..ed8fd0e7e 100644 --- a/pipelines/build/common/verify_signing.groovy +++ b/pipelines/build/common/verify_signing.groovy @@ -111,7 +111,7 @@ def verifyExecutables(String unpack_dir) { //def bins = sh(script:"find ${unpack_dir} -perm +111 -type f -not -name '.*' -o -name '*.dylib' -o -name 'jpackageapplauncher' || \ //# find ${unpack_dir} -perm /111 -type f -not -name '.*' -o -name '*.dylib' -o -name 'jpackageapplauncher'", \ //# returnStdout:true).split("\\r?\\n|\\r") - def bins = sh(script:"find ${unpack_dir} -type f -not -name '.*' -o -name '*.dylib'", \ + def bins = sh(script:"find ${unpack_dir} -type f -not -name \".*\" -o -name \"*.dylib\"", \ returnStdout:true).split("\\r?\\n|\\r") bins.each { bin -> if (bin.trim() != "") { From 195ec0821b62ae7cfde871b9f552e0baff34afe0 Mon Sep 17 00:00:00 2001 From: Andrew Leonard Date: Mon, 27 Nov 2023 20:56:24 +0000 Subject: [PATCH 49/92] Signing verifier job Signed-off-by: Andrew Leonard --- pipelines/build/common/verify_signing.groovy | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pipelines/build/common/verify_signing.groovy b/pipelines/build/common/verify_signing.groovy index ed8fd0e7e..f50a4cb27 100644 --- a/pipelines/build/common/verify_signing.groovy +++ b/pipelines/build/common/verify_signing.groovy 
@@ -111,7 +111,7 @@ def verifyExecutables(String unpack_dir) { //def bins = sh(script:"find ${unpack_dir} -perm +111 -type f -not -name '.*' -o -name '*.dylib' -o -name 'jpackageapplauncher' || \ //# find ${unpack_dir} -perm /111 -type f -not -name '.*' -o -name '*.dylib' -o -name 'jpackageapplauncher'", \ //# returnStdout:true).split("\\r?\\n|\\r") - def bins = sh(script:"find ${unpack_dir} -type f -not -name \".*\" -o -name \"*.dylib\"", \ + def bins = sh(script:"find ${unpack_dir} -type f -not -name '*.*' -o -type f -name '*.dylib'", \ returnStdout:true).split("\\r?\\n|\\r") bins.each { bin -> if (bin.trim() != "") { From 6d3efb5a18997f205dd10bdcfd11706473373ee5 Mon Sep 17 00:00:00 2001 From: Andrew Leonard Date: Tue, 28 Nov 2023 09:21:51 +0000 Subject: [PATCH 50/92] Signing verifier job Signed-off-by: Andrew Leonard --- pipelines/build/common/verify_signing.groovy | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/pipelines/build/common/verify_signing.groovy b/pipelines/build/common/verify_signing.groovy index f50a4cb27..e9ac23c0b 100644 --- a/pipelines/build/common/verify_signing.groovy +++ b/pipelines/build/common/verify_signing.groovy @@ -107,10 +107,7 @@ void unpackArchives(String unpack_dir, String[] archives) { // Verify executables for Signatures def verifyExecutables(String unpack_dir) { if (params.TARGET_OS == "mac") { - // On Mac find all dylib's and binaries marked as "executable", - //def bins = sh(script:"find ${unpack_dir} -perm +111 -type f -not -name '.*' -o -name '*.dylib' -o -name 'jpackageapplauncher' || \ - //# find ${unpack_dir} -perm /111 -type f -not -name '.*' -o -name '*.dylib' -o -name 'jpackageapplauncher'", \ - //# returnStdout:true).split("\\r?\\n|\\r") + // On Mac find all dylib's and "executable" binaries def bins = sh(script:"find ${unpack_dir} -type f -not -name '*.*' -o -type f -name '*.dylib'", \ returnStdout:true).split("\\r?\\n|\\r") bins.each { bin -> 
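Review bot: The new filter `-not -name '*.*' -o -type f -name '*.dylib'` treats "has no dot in its name" as the definition of an executable, so any Mach-O file whose name contains a dot but does not end in `.dylib` (a `.so` or `.jnilib`, if one were present) is never handed to `codesign` and a missing signature on it would go unreported. The `file ${bin} | grep Mach-O` gate further down in `verifyExecutables` (outside this hunk) already decides which files get signature-checked, so the name filter can be dropped and the listing reduced to `def bins = sh(script:"find ${unpack_dir} -type f", \` with the Mach-O test doing the selection. The `-o` also needs `-type f` repeated, as the hunk now does, because `-o` binds more loosely than the implicit `-a`.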
@@ -123,7 +120,14 @@ def verifyExecutables(String unpack_dir) { println "Error: executable not Signed: ${bin}" currentBuild.result = 'FAILURE' } else { - println "Signed correctly: ${bin}" + // Verify it is not "adhoc" signed + rc = sh(script:"codesign --display --verbose ${bin} 2>&1 | grep Signature=adhoc", returnStatus:true) + if (rc != 0) { + println "Signed correctly: ${bin}" + } else { + println "Error: executable is 'adhoc' Signed: ${bin}" + currentBuild.result = 'FAILURE' + } } } } From 0f851e0d5531a19efd5d2ec7e6a67bfab5afbe32 Mon Sep 17 00:00:00 2001 From: Andrew Leonard Date: Tue, 28 Nov 2023 09:45:06 +0000 Subject: [PATCH 51/92] Signing verifier job Signed-off-by: Andrew Leonard --- pipelines/build/common/verify_signing.groovy | 32 +++++++++++++++++--- 1 file changed, 28 insertions(+), 4 deletions(-) diff --git a/pipelines/build/common/verify_signing.groovy b/pipelines/build/common/verify_signing.groovy index e9ac23c0b..91cb5bdc2 100644 --- a/pipelines/build/common/verify_signing.groovy +++ b/pipelines/build/common/verify_signing.groovy @@ -105,7 +105,9 @@ void unpackArchives(String unpack_dir, String[] archives) { } // Verify executables for Signatures -def verifyExecutables(String unpack_dir) { +List verifyExecutables(String unpack_dir) { + List unsigned = [] + if (params.TARGET_OS == "mac") { // On Mac find all dylib's and "executable" binaries def bins = sh(script:"find ${unpack_dir} -type f -not -name '*.*' -o -type f -name '*.dylib'", \ @@ -119,6 +121,7 @@ def verifyExecutables(String unpack_dir) { if (rc != 0) { println "Error: executable not Signed: ${bin}" currentBuild.result = 'FAILURE' + unsigned.add(bin) } else { // Verify it is not "adhoc" signed rc = sh(script:"codesign --display --verbose ${bin} 2>&1 | grep Signature=adhoc", returnStatus:true) @@ -127,6 +130,7 @@ def verifyExecutables(String unpack_dir) { } else { println "Error: executable is 'adhoc' Signed: ${bin}" currentBuild.result = 'FAILURE' + unsigned.add(bin) } } } 
@@ -144,16 +148,21 @@ def verifyExecutables(String unpack_dir) { if (rc != 0) { println "Error: executable not Signed: ${bin}" currentBuild.result = 'FAILURE' + unsigned.add(bin) } else { println "Signed correctly: ${bin}" } } } } + + return unsigned } // Verify installers for Signatures and Notarization(mac only) -def verifyInstallers() { +List verifyInstallers() { + List unsigned = [] + if (params.TARGET_OS == "mac") { // Find all pkg's that need to be Signed and Notarized def pkgs = sh(script:"find . -type f -name '*.pkg'", \ @@ -164,6 +173,7 @@ def verifyInstallers() { if (rc != 0) { println "Error: pkg not Signed: ${pkg}" currentBuild.result = 'FAILURE' + unsigned.add(pkg) } else { println "Signed correctly: ${pkg}" } @@ -172,6 +182,7 @@ def verifyInstallers() { if (rc != 0) { println "Error: pkg not Notarized: ${pkg}" currentBuild.result = 'FAILURE' + unsigned.add(pkg) } else { println "Notarized correctly: ${pkg}" } @@ -189,12 +200,15 @@ def verifyInstallers() { if (rc != 0) { println "Error: installer not Signed: ${msi}" currentBuild.result = 'FAILURE' + unsigned.add(pkg) } else { println "Signed correctly: ${msi}" } } } } + + return unsigned } // @@ -259,10 +273,20 @@ if (params.TARGET_OS != "mac" && params.TARGET_OS != "windows") { unpackArchives(unpack_dir, archives) // Verify all executables for Signatures - verifyExecutables(unpack_dir) + def unsigned = verifyExecutables(unpack_dir) // Verify installers (if built) are Signed and Notarized(mac only) - verifyInstallers() + unsigned.addAll(verifyInstallers()) + + def num = unsigned.size() + if (num > 0) { + println "[ERROR] The following ${num} files are unsigned, 'adhoc' signed or not Notarized(Mac only):" + unsigned.each { file -> + println " ${file}" + } + } else { + println "[INFO] Success, all executables are signed" + } } finally { // Clean workspace afterwards cleanWs notFailBuild: true, disableDeferredWipeout: true, deleteDirs: true 
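Review bot: In the Windows branch of `verifyInstallers` (the `@@ -189,12 +200,15 @@` hunk) the added line `unsigned.add(pkg)` references `pkg`, which is only the closure parameter of the mac branch; the loop variable here is `msi`, so an unsigned installer would most likely raise a missing-property error inside the loop instead of being recorded, and the line should read `unsigned.add(msi)`. In the mac branch a `.pkg` that is both unsigned and not notarized is added twice, so the count printed by the summary in the `@@ -259,10 +273,20 @@` hunk can overstate the number of files; guarding the second add with `if (!unsigned.contains(pkg))`, or collecting into a `Set`, keeps the report accurate.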
From 74979f5113c40427a534cde23bfd6204e7863bd3 Mon Sep 17 00:00:00 2001 From: Andrew Leonard Date: Tue, 28 Nov 2023 15:44:16 +0000 Subject: [PATCH 52/92] Signing verifier job Signed-off-by: Andrew Leonard --- pipelines/build/common/verify_signing.groovy | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pipelines/build/common/verify_signing.groovy b/pipelines/build/common/verify_signing.groovy index 91cb5bdc2..b76566602 100644 --- a/pipelines/build/common/verify_signing.groovy +++ b/pipelines/build/common/verify_signing.groovy @@ -38,7 +38,7 @@ String find_signtool() { exit 1 } - def windowsKitPath = "/cygdrive/c/'Program Files (x86)'/'Windows Kits'" + def windowsKitPath = "/cygdrive/c/progra~2/wi3cf2~1" def files = sh(script:"find ${windowsKitPath} -type f -path */${arch}/signtool.exe", \ returnStdout:true).split("\\r?\\n|\\r") From d3aaaf756ca33e42bf6088af674119cb3fa9050a Mon Sep 17 00:00:00 2001 From: Andrew Leonard Date: Tue, 28 Nov 2023 15:54:31 +0000 Subject: [PATCH 53/92] Signing verifier job Signed-off-by: Andrew Leonard --- pipelines/build/common/verify_signing.groovy | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pipelines/build/common/verify_signing.groovy b/pipelines/build/common/verify_signing.groovy index b76566602..91370990b 100644 --- a/pipelines/build/common/verify_signing.groovy +++ b/pipelines/build/common/verify_signing.groovy @@ -38,7 +38,7 @@ String find_signtool() { exit 1 } - def windowsKitPath = "/cygdrive/c/progra~2/wi3cf2~1" + def windowsKitPath = "/cygdrive/c/'Program Files (x86)'/'Windows Kits'" def files = sh(script:"find ${windowsKitPath} -type f -path */${arch}/signtool.exe", \ returnStdout:true).split("\\r?\\n|\\r") 
@@ -48,7 +48,7 @@ String find_signtool() { println "ERROR: Unable to find signtool.exe in ${windowsKitPath}" exit 2 } else { - def signtool = files[0].trim() + def signtool = files[0].trim().replaceAll("(","\\(").replaceAll(" ","\\ ") println "Found signtool: ${signtool}" return signtool } From 53b093927727bea004c2cfc9ab4c390400ca06fa Mon Sep 17 00:00:00 2001 From: Andrew Leonard Date: Tue, 28 Nov 2023 15:56:40 +0000 Subject: [PATCH 54/92] Signing verifier job Signed-off-by: Andrew Leonard --- pipelines/build/common/verify_signing.groovy | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pipelines/build/common/verify_signing.groovy b/pipelines/build/common/verify_signing.groovy index 91370990b..40e6c61da 100644 --- a/pipelines/build/common/verify_signing.groovy +++ b/pipelines/build/common/verify_signing.groovy @@ -38,7 +38,7 @@ String find_signtool() { exit 1 } - def windowsKitPath = "/cygdrive/c/'Program Files (x86)'/'Windows Kits'" + def windowsKitPath = "/cygdrive/c/Program Files\ \(x86\)/Windows\ Kits" def files = sh(script:"find ${windowsKitPath} -type f -path */${arch}/signtool.exe", \ returnStdout:true).split("\\r?\\n|\\r") From 66d40286f6d58e929256dbbff1e396cdd3b9b8f0 Mon Sep 17 00:00:00 2001 From: Andrew Leonard Date: Tue, 28 Nov 2023 15:57:40 +0000 Subject: [PATCH 55/92] Signing verifier job Signed-off-by: Andrew Leonard --- pipelines/build/common/verify_signing.groovy | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pipelines/build/common/verify_signing.groovy b/pipelines/build/common/verify_signing.groovy index 40e6c61da..51df0e92e 100644 --- a/pipelines/build/common/verify_signing.groovy +++ b/pipelines/build/common/verify_signing.groovy 
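Review bot: `replaceAll("(","\\(")` on the new signtool line passes `(` as a regular expression, which is unbalanced and throws PatternSyntaxException the first time find_signtool() runs, and the replacement `"\\ "` is the two-character string `\ ` in which the backslash only escapes the space, so no space escaping happens either. Patches 56–59 later in this series get the regex and replacement quoting right, but the approach stays fragile: the escaped string is only correct when interpolated into an `sh(script:"...")` string that the shell re-parses, and breaks if the path is ever passed another way. Returning the raw path and quoting it at the point of use, `sh(script:"\"${signtool}\" verify /pa /v \"${bin}\"", returnStatus:true)`, avoids the escaping entirely. The `windowsKitPath` line in the following `@@ -38` hunk has the mirror-image problem: `\ ` and `\(` are not recognised escape sequences in a Groovy double-quoted string literal and should fail compilation.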
@@ -38,7 +38,7 @@ String find_signtool() { exit 1 } - def windowsKitPath = "/cygdrive/c/Program Files\ \(x86\)/Windows\ Kits" + def windowsKitPath = "/cygdrive/c/'Program Files \(x86\)'/'Windows Kits'" def files = sh(script:"find ${windowsKitPath} -type f -path */${arch}/signtool.exe", \ returnStdout:true).split("\\r?\\n|\\r") From 27c9d088c15c953cc53e0a518a612ce72ebb0ce9 Mon Sep 17 00:00:00 2001 From: Andrew Leonard Date: Tue, 28 Nov 2023 15:59:07 +0000 Subject: [PATCH 56/92] Signing verifier job Signed-off-by: Andrew Leonard --- pipelines/build/common/verify_signing.groovy | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pipelines/build/common/verify_signing.groovy b/pipelines/build/common/verify_signing.groovy index 51df0e92e..ac20a5c8d 100644 --- a/pipelines/build/common/verify_signing.groovy +++ b/pipelines/build/common/verify_signing.groovy @@ -38,7 +38,7 @@ String find_signtool() { exit 1 } - def windowsKitPath = "/cygdrive/c/'Program Files \(x86\)'/'Windows Kits'" + def windowsKitPath = "/cygdrive/c/'Program Files (x86)'/'Windows Kits'" def files = sh(script:"find ${windowsKitPath} -type f -path */${arch}/signtool.exe", \ returnStdout:true).split("\\r?\\n|\\r") @@ -48,7 +48,7 @@ String find_signtool() { println "ERROR: Unable to find signtool.exe in ${windowsKitPath}" exit 2 } else { - def signtool = files[0].trim().replaceAll("(","\\(").replaceAll(" ","\\ ") + def signtool = files[0].trim().replaceAll("\(","\\\(").replaceAll(" ","\\ ") println "Found signtool: ${signtool}" return signtool } From c0e14ce326c6d66556256d1a7ca96d9a397a66f8 Mon Sep 17 00:00:00 2001 From: Andrew Leonard Date: Tue, 28 Nov 2023 16:00:08 +0000 Subject: [PATCH 57/92] Signing verifier job Signed-off-by: Andrew Leonard --- pipelines/build/common/verify_signing.groovy | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pipelines/build/common/verify_signing.groovy b/pipelines/build/common/verify_signing.groovy index ac20a5c8d..415520bcf 100644 
--- a/pipelines/build/common/verify_signing.groovy +++ b/pipelines/build/common/verify_signing.groovy @@ -48,7 +48,7 @@ String find_signtool() { println "ERROR: Unable to find signtool.exe in ${windowsKitPath}" exit 2 } else { - def signtool = files[0].trim().replaceAll("\(","\\\(").replaceAll(" ","\\ ") + def signtool = files[0].trim().replaceAll("\\(","\\\\(").replaceAll(" ","\\ ") println "Found signtool: ${signtool}" return signtool } From 35e4b4dbf5a6ca6869aa89b1156255ffce30679a Mon Sep 17 00:00:00 2001 From: Andrew Leonard Date: Tue, 28 Nov 2023 16:01:35 +0000 Subject: [PATCH 58/92] Signing verifier job Signed-off-by: Andrew Leonard --- pipelines/build/common/verify_signing.groovy | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pipelines/build/common/verify_signing.groovy b/pipelines/build/common/verify_signing.groovy index 415520bcf..0ce23b087 100644 --- a/pipelines/build/common/verify_signing.groovy +++ b/pipelines/build/common/verify_signing.groovy @@ -48,7 +48,7 @@ String find_signtool() { println "ERROR: Unable to find signtool.exe in ${windowsKitPath}" exit 2 } else { - def signtool = files[0].trim().replaceAll("\\(","\\\\(").replaceAll(" ","\\ ") + def signtool = files[0].trim().replaceAll("\\(","\\\\(").replaceAll("\\)","\\\\)").replaceAll(" ","\\ ") println "Found signtool: ${signtool}" return signtool } From a190efce0ff1bfe8fa4b52837560774c9ee15676 Mon Sep 17 00:00:00 2001 From: Andrew Leonard Date: Tue, 28 Nov 2023 16:06:05 +0000 Subject: [PATCH 59/92] Signing verifier job Signed-off-by: Andrew Leonard --- pipelines/build/common/verify_signing.groovy | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pipelines/build/common/verify_signing.groovy b/pipelines/build/common/verify_signing.groovy index 0ce23b087..c8a1f7405 100644 --- a/pipelines/build/common/verify_signing.groovy +++ b/pipelines/build/common/verify_signing.groovy 
@@ -48,7 +48,7 @@ String find_signtool() { println "ERROR: Unable to find signtool.exe in ${windowsKitPath}" exit 2 } else { - def signtool = files[0].trim().replaceAll("\\(","\\\\(").replaceAll("\\)","\\\\)").replaceAll(" ","\\ ") + def signtool = files[0].trim().replaceAll("\\(","\\\\(").replaceAll("\\)","\\\\)").replaceAll("\\ ","\\\\ ") println "Found signtool: ${signtool}" return signtool } From 4a62e1d36f1bf15d92dc5bfae49d9ac66f337eb3 Mon Sep 17 00:00:00 2001 From: Andrew Leonard Date: Tue, 28 Nov 2023 16:16:50 +0000 Subject: [PATCH 60/92] Signing verifier job Signed-off-by: Andrew Leonard --- pipelines/build/common/verify_signing.groovy | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pipelines/build/common/verify_signing.groovy b/pipelines/build/common/verify_signing.groovy index c8a1f7405..482622770 100644 --- a/pipelines/build/common/verify_signing.groovy +++ b/pipelines/build/common/verify_signing.groovy @@ -32,7 +32,7 @@ String find_signtool() { switch (params.TARGET_ARCH) { case "aarch64": arch = "arm64"; break case "x64": arch = "x64"; break - case "x86-32": arch = "x86-32"; break + case "x86-32": arch = "x86"; break default: println "ERROR: Unknown architecture: ${params.TARGET_ARCH}" exit 1 From 17d30f0eefe342ff428eea54e805034d857ba94b Mon Sep 17 00:00:00 2001 From: Andrew Leonard Date: Wed, 29 Nov 2023 09:22:52 +0000 Subject: [PATCH 61/92] Signing verifier job Signed-off-by: Andrew Leonard --- pipelines/build/common/openjdk_build_pipeline.groovy | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pipelines/build/common/openjdk_build_pipeline.groovy b/pipelines/build/common/openjdk_build_pipeline.groovy index f7bc5260d..a66b60bc0 100644 --- a/pipelines/build/common/openjdk_build_pipeline.groovy +++ b/pipelines/build/common/openjdk_build_pipeline.groovy 
@@ -925,7 +925,7 @@ class Build { } // Execute sign verification job - def signVerifyJob = context.build job: 'build-scripts/release/sign_verification', + context.build job: 'build-scripts/release/sign_verification', propagate: true, parameters: [ context.string(name: 'UPSTREAM_JOB_NUMBER', value: "${env.BUILD_NUMBER}"), From 6b6fa1ea8404b7a25311b86721de6c079ebbebe7 Mon Sep 17 00:00:00 2001 From: Andrew Leonard Date: Wed, 29 Nov 2023 09:56:50 +0000 Subject: [PATCH 62/92] Signing verifier job Signed-off-by: Andrew Leonard --- pipelines/build/common/verify_signing.groovy | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/pipelines/build/common/verify_signing.groovy b/pipelines/build/common/verify_signing.groovy index 482622770..911b1d691 100644 --- a/pipelines/build/common/verify_signing.groovy +++ b/pipelines/build/common/verify_signing.groovy @@ -110,7 +110,8 @@ List verifyExecutables(String unpack_dir) { if (params.TARGET_OS == "mac") { // On Mac find all dylib's and "executable" binaries - def bins = sh(script:"find ${unpack_dir} -type f -not -name '*.*' -o -type f -name '*.dylib'", \ + // Ignore "legal" text folder to reduce the number of non-extension files it finds... + def bins = sh(script:"find ${unpack_dir} -type f -not -name '*.*' -not -path '*/legal/*' -o -type f -name '*.dylib'", \ returnStdout:true).split("\\r?\\n|\\r") bins.each { bin -> if (bin.trim() != "") { From a13702ec4f0af595e04ac140a636d05145ad742f Mon Sep 17 00:00:00 2001 From: Andrew Leonard Date: Wed, 29 Nov 2023 10:41:10 +0000 Subject: [PATCH 63/92] Signing verifier job Signed-off-by: Andrew Leonard --- pipelines/build/common/verify_signing.groovy | 53 +++++++++++--------- 1 file changed, 29 insertions(+), 24 deletions(-) diff --git a/pipelines/build/common/verify_signing.groovy b/pipelines/build/common/verify_signing.groovy index 911b1d691..a76bfbcc3 100644 --- a/pipelines/build/common/verify_signing.groovy +++ b/pipelines/build/common/verify_signing.groovy 
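Review bot: The new `-not -path '*/legal/*'` is a path-based skip rather than a content-based one, so a Mach-O file that ends up under any `legal/` directory is never signature-checked. The `file | grep Mach-O` test further down already discards the license text this is meant to avoid, so the exclusion buys only runtime; if it stays, the comment should say so, e.g. `// Skip legal/ only to save 'file' calls on license text; any Mach-O outside it is still checked`. The exclusion binds only to the extensionless branch before `-o`, which appears to be what is intended. `verifyExecutables` continues outside the hunk.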
@@ -54,7 +54,7 @@ String find_signtool() { } } -// Unpack the archives so the signartures can be checked +// Unpack the archives so the signatures can be checked void unpackArchives(String unpack_dir, String[] archives) { archives.each { archive -> def dir = "${unpack_dir}/${archive}" 
@@ -76,30 +76,35 @@ void unpackArchives(String unpack_dir, String[] archives) { // Expand the JMODs and modules image to test binaries within archives.each { archive -> def dir = "${unpack_dir}/${archive}" - // Expand JMODs - println "Expanding JMODS under ${dir}" - def jmods = sh(script:"find ${dir} -type f -name '*.jmod'", \ - returnStdout:true).split("\\r?\\n|\\r") - jmods.each { jmod -> - if (jmod.trim() != "") { - def expand_dir = "expanded_" + sh(script:"basename ${jmod}", returnStdout:true) - expand_dir = "${dir}/${expand_dir}".trim() - sh("mkdir ${expand_dir}") - sh("${jdk_bin}/jmod extract --dir ${expand_dir} ${jmod}") - } - } - // Expand "modules" compress image containing jmods - println "Expanding 'modules' compressed image file under ${dir}" - def modules = sh(script:"find ${dir} -type f -name 'modules'", \ - returnStdout:true).split("\\r?\\n|\\r") - modules.each { module -> - if (module.trim() != "") { - def expand_dir = "expanded_" + sh(script:"basename ${module}", returnStdout:true) - expand_dir = "${dir}/${expand_dir}".trim() - sh("mkdir ${expand_dir}") - sh("${jdk_bin}/jimage extract --dir ${expand_dir} ${module}") - } + // Expand JMODs + println "Expanding JMODS and 'modules' under ${dir}" + + context.withEnv(['dir='+dir, 'jdk_bin='+jdk_bin]) { + // groovylint-disable + context.sh ''' + #!/bin/bash + set -eu + FILES=$(find "${dir}" -type f -name '*.jmod') + for f in $FILES + do + expand_dir=$(basename ${f}) + expand_dir="${dir}/${expand_dir}" + mkdir "${expand_dir}" + echo "Expanding JMOD ${f}" + "${jdk_bin}/jmod extract --dir ${expand_dir} ${f}" + done + + FILES=$(find "${dir}" -type f -name 'modules') + for f in $FILES + do + expand_dir=$(basename ${f}) + expand_dir="${dir}/${expand_dir}" + mkdir "${expand_dir}" + echo "Expanding compressed image file ${f}" + "${jdk_bin}/jimage extract --dir ${expand_dir} ${f}" + done + ''' } } } From 49a73244a785743adf7fa499d752e1259d3f090c Mon Sep 17 00:00:00 2001 
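Review bot: `"${jdk_bin}/jmod extract --dir ${expand_dir} ${f}"` is one double-quoted word, so bash looks for an executable literally named `.../jmod extract --dir ...` and fails with "command not found" on the first JMOD (same on the jimage line); patch 66 later unquotes these, but the robust form quotes each argument separately: `"${jdk_bin}/jmod" extract --dir "${expand_dir}" "${f}"`. `for f in $FILES` word-splits and glob-expands the `find` output, so any path containing whitespace is mangled; `find "${dir}" -type f -name '*.jmod' -print0 | while IFS= read -r -d '' f` iterates safely and makes the `[[ -n $FILES ]]` guards added in patch 74 unnecessary — the same pattern recurs in patches 67, 70 and 71. The `#!/bin/bash` line sits after a leading newline and indentation inside the `'''` block; unless the sh step strips that before checking for `#!`, the interpreter hint is ignored and the script runs under the default shell with `-xe`, which matters once bash-only `[[ ]]` appears later in the series. The `archives.each` closure this rewrites starts outside the hunk.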
From: Andrew Leonard Date: Wed, 29 Nov 2023 10:42:44 +0000 Subject: [PATCH 64/92] Signing verifier job Signed-off-by: Andrew Leonard --- pipelines/build/common/verify_signing.groovy | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pipelines/build/common/verify_signing.groovy b/pipelines/build/common/verify_signing.groovy index a76bfbcc3..9943c9300 100644 --- a/pipelines/build/common/verify_signing.groovy +++ b/pipelines/build/common/verify_signing.groovy @@ -80,9 +80,9 @@ void unpackArchives(String unpack_dir, String[] archives) { // Expand JMODs println "Expanding JMODS and 'modules' under ${dir}" - context.withEnv(['dir='+dir, 'jdk_bin='+jdk_bin]) { + withEnv(['dir='+dir, 'jdk_bin='+jdk_bin]) { // groovylint-disable - context.sh ''' + sh ''' #!/bin/bash set -eu FILES=$(find "${dir}" -type f -name '*.jmod') From aa7379e2465bf6c67fbdc68c861a73e55a1129ed Mon Sep 17 00:00:00 2001 From: Andrew Leonard Date: Wed, 29 Nov 2023 10:48:19 +0000 Subject: [PATCH 65/92] Signing verifier job Signed-off-by: Andrew Leonard --- pipelines/build/common/verify_signing.groovy | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/pipelines/build/common/verify_signing.groovy b/pipelines/build/common/verify_signing.groovy index 9943c9300..8b8966e2a 100644 --- a/pipelines/build/common/verify_signing.groovy +++ b/pipelines/build/common/verify_signing.groovy @@ -85,11 +85,12 @@ void unpackArchives(String unpack_dir, String[] archives) { sh ''' #!/bin/bash set -eu + pwd FILES=$(find "${dir}" -type f -name '*.jmod') for f in $FILES do expand_dir=$(basename ${f}) - expand_dir="${dir}/${expand_dir}" + expand_dir="${dir}/expanded_${expand_dir}" mkdir "${expand_dir}" echo "Expanding JMOD ${f}" "${jdk_bin}/jmod extract --dir ${expand_dir} ${f}" From aafe20648ee1da00de2ff2b4c74a35a0b47782c3 Mon Sep 17 00:00:00 2001 From: Andrew Leonard Date: Wed, 29 Nov 2023 11:06:40 +0000 Subject: [PATCH 66/92] Signing verifier job 
Signed-off-by: Andrew Leonard --- pipelines/build/common/verify_signing.groovy | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/pipelines/build/common/verify_signing.groovy b/pipelines/build/common/verify_signing.groovy index 8b8966e2a..447c0a748 100644 --- a/pipelines/build/common/verify_signing.groovy +++ b/pipelines/build/common/verify_signing.groovy @@ -85,7 +85,6 @@ void unpackArchives(String unpack_dir, String[] archives) { sh ''' #!/bin/bash set -eu - pwd FILES=$(find "${dir}" -type f -name '*.jmod') for f in $FILES do @@ -93,17 +92,17 @@ void unpackArchives(String unpack_dir, String[] archives) { expand_dir="${dir}/expanded_${expand_dir}" mkdir "${expand_dir}" echo "Expanding JMOD ${f}" - "${jdk_bin}/jmod extract --dir ${expand_dir} ${f}" + ${jdk_bin}/jmod extract --dir ${expand_dir} ${f} done FILES=$(find "${dir}" -type f -name 'modules') for f in $FILES do expand_dir=$(basename ${f}) - expand_dir="${dir}/${expand_dir}" + expand_dir="${dir}/expanded_${expand_dir}" mkdir "${expand_dir}" echo "Expanding compressed image file ${f}" - "${jdk_bin}/jimage extract --dir ${expand_dir} ${f}" + ${jdk_bin}/jimage extract --dir ${expand_dir} ${f} done ''' } From 1f3e18fdf41b67679593e5af5f49c28916abfb09 Mon Sep 17 00:00:00 2001 From: Andrew Leonard Date: Wed, 29 Nov 2023 11:32:00 +0000 Subject: [PATCH 67/92] Signing verifier job Signed-off-by: Andrew Leonard --- pipelines/build/common/verify_signing.groovy | 61 ++++++++++++-------- 1 file changed, 36 insertions(+), 25 deletions(-) diff --git a/pipelines/build/common/verify_signing.groovy b/pipelines/build/common/verify_signing.groovy index 447c0a748..108feeadd 100644 --- a/pipelines/build/common/verify_signing.groovy +++ b/pipelines/build/common/verify_signing.groovy 
@@ -116,31 +116,42 @@ List verifyExecutables(String unpack_dir) { if (params.TARGET_OS == "mac") { // On Mac find all dylib's and "executable" binaries // Ignore "legal" text folder to reduce the number of non-extension files it finds... - def bins = sh(script:"find ${unpack_dir} -type f -not -name '*.*' -not -path '*/legal/*' -o -type f -name '*.dylib'", \ - returnStdout:true).split("\\r?\\n|\\r") - bins.each { bin -> - if (bin.trim() != "") { - // Is file a Mac 64 bit executable or dylib ? - def rc = sh(script:"file ${bin} | grep \"Mach-O 64-bit executable\\|Mach-O 64-bit dynamically linked shared library\" >/dev/null", returnStatus:true) - if (rc == 0) { - rc = sh(script:"codesign --verify --verbose ${bin}", returnStatus:true) - if (rc != 0) { - println "Error: executable not Signed: ${bin}" - currentBuild.result = 'FAILURE' - unsigned.add(bin) - } else { - // Verify it is not "adhoc" signed - rc = sh(script:"codesign --display --verbose ${bin} 2>&1 | grep Signature=adhoc", returnStatus:true) - if (rc != 0) { - println "Signed correctly: ${bin}" - } else { - println "Error: executable is 'adhoc' Signed: ${bin}" - currentBuild.result = 'FAILURE' - unsigned.add(bin) - } - } - } - } + + withEnv(['unpack_dir='+unpack_dir]) { + // groovylint-disable + sh ''' + #!/bin/bash + set -eu + unsigned="" + FILES=$(find "${unpack_dir}" -type f -not -name '*.*' -not -path '*/legal/*' -o -type f -name '*.dylib') + for f in $FILES + do + # Is file a Mac 64 bit executable or dylib ? + if file ${f} | grep "Mach-O 64-bit executable\|Mach-O 64-bit dynamically linked shared library" >/dev/null; then + if ! codesign --verify --verbose ${f}; then + echo "Error: executable not Signed: ${bin}" + unsigned="$unsigned $f" + else + # Verify it is not "adhoc" signed + if ! 
codesign --display --verbose ${f} 2>&1 | grep Signature=adhoc; then + echo "Signed correctly: ${bin}" + else + echo "Error: executable is 'adhoc' Signed: ${f}" + unsigned="$unsigned $f" + fi + fi + fi + done + + if [ "x${unsigned}" != "x" ]; then + echo "FAILURE: The following executables are not signed correctly:" + for f in $unsigned + do + echo " ${f}" + done + exit 1 + fi + ''' } } else { // Windows def signtool = find_signtool() From efbb935f33deae1eddf3c79c751dde209d754325 Mon Sep 17 00:00:00 2001 From: Andrew Leonard Date: Wed, 29 Nov 2023 11:32:43 +0000 Subject: [PATCH 68/92] Signing verifier job Signed-off-by: Andrew Leonard --- pipelines/build/common/verify_signing.groovy | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pipelines/build/common/verify_signing.groovy b/pipelines/build/common/verify_signing.groovy index 108feeadd..3b1dbae80 100644 --- a/pipelines/build/common/verify_signing.groovy +++ b/pipelines/build/common/verify_signing.groovy @@ -127,7 +127,7 @@ List verifyExecutables(String unpack_dir) { for f in $FILES do # Is file a Mac 64 bit executable or dylib ? - if file ${f} | grep "Mach-O 64-bit executable\|Mach-O 64-bit dynamically linked shared library" >/dev/null; then + if file ${f} | grep "Mach-O 64-bit executable\\|Mach-O 64-bit dynamically linked shared library" >/dev/null; then if ! codesign --verify --verbose ${f}; then echo "Error: executable not Signed: ${bin}" unsigned="$unsigned $f" From 0c4bafc7da84be43ee74c748b8f764d89326d7d6 Mon Sep 17 00:00:00 2001 From: Andrew Leonard Date: Wed, 29 Nov 2023 11:34:56 +0000 Subject: [PATCH 69/92] Signing verifier job Signed-off-by: Andrew Leonard --- pipelines/build/common/verify_signing.groovy | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pipelines/build/common/verify_signing.groovy b/pipelines/build/common/verify_signing.groovy index 3b1dbae80..06ef8e0bc 100644 --- a/pipelines/build/common/verify_signing.groovy 
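Review bot: `echo "Error: executable not Signed: ${bin}"` and the `Signed correctly: ${bin}` line reference a variable that does not exist in the shell script; with `set -eu` the first binary that reaches either line aborts the script with an unbound-variable error instead of reaching the summary — patch 69 later corrects both to `${f}`, and patch 68 fixes the `\|` sequence in the grep pattern, which is not a valid escape inside a Groovy `'''` string. Separately, `codesign --verify` only establishes that the signature is valid and the adhoc grep excludes unsigned-identity builds; neither checks that the signer is the expected Developer ID, so a binary validly signed by any other identity passes the gate. Consider a designated requirement, e.g. `codesign --verify --strict -R='anchor apple generic and certificate leaf[subject.OU] = "<EXPECTED_TEAM_ID>"' "${f}"`, with the team identifier supplied as a job parameter. `verifyExecutables` continues outside the hunk.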
+++ b/pipelines/build/common/verify_signing.groovy @@ -129,12 +129,12 @@ List verifyExecutables(String unpack_dir) { # Is file a Mac 64 bit executable or dylib ? if file ${f} | grep "Mach-O 64-bit executable\\|Mach-O 64-bit dynamically linked shared library" >/dev/null; then if ! codesign --verify --verbose ${f}; then - echo "Error: executable not Signed: ${bin}" + echo "Error: executable not Signed: ${f}" unsigned="$unsigned $f" else # Verify it is not "adhoc" signed if ! codesign --display --verbose ${f} 2>&1 | grep Signature=adhoc; then - echo "Signed correctly: ${bin}" + echo "Signed correctly: ${f}" else echo "Error: executable is 'adhoc' Signed: ${f}" unsigned="$unsigned $f" From 5c473aa1ba6ab5a563c255108166b20ebe4e0df6 Mon Sep 17 00:00:00 2001 From: Andrew Leonard Date: Wed, 29 Nov 2023 12:00:25 +0000 Subject: [PATCH 70/92] Signing verifier job Signed-off-by: Andrew Leonard --- pipelines/build/common/verify_signing.groovy | 189 ++++++++++++------- 1 file changed, 119 insertions(+), 70 deletions(-) diff --git a/pipelines/build/common/verify_signing.groovy b/pipelines/build/common/verify_signing.groovy index 06ef8e0bc..f61045171 100644 --- a/pipelines/build/common/verify_signing.groovy +++ b/pipelines/build/common/verify_signing.groovy @@ -110,9 +110,7 @@ void unpackArchives(String unpack_dir, String[] archives) { } // Verify executables for Signatures -List verifyExecutables(String unpack_dir) { - List unsigned = [] - +void verifyExecutables(String unpack_dir) { if (params.TARGET_OS == "mac") { // On Mac find all dylib's and "executable" binaries // Ignore "legal" text folder to reduce the number of non-extension files it finds... @@ -123,6 +121,8 @@ List verifyExecutables(String unpack_dir) { #!/bin/bash set -eu unsigned="" + cc_signed=0 + cc_unsigned=0 FILES=$(find "${unpack_dir}" -type f -not -name '*.*' -not -path '*/legal/*' -o -type f -name '*.dylib') for f in $FILES do 
@@ -131,25 +131,30 @@ List verifyExecutables(String unpack_dir) { if ! codesign --verify --verbose ${f}; then echo "Error: executable not Signed: ${f}" unsigned="$unsigned $f" + cc_unsigned=$((cc_unsigned+1)) else # Verify it is not "adhoc" signed if ! codesign --display --verbose ${f} 2>&1 | grep Signature=adhoc; then echo "Signed correctly: ${f}" + cc_signed=$((cc_signed+1)) else echo "Error: executable is 'adhoc' Signed: ${f}" unsigned="$unsigned $f" + cc_unsigned=$((cc_unsigned+1)) fi fi fi done if [ "x${unsigned}" != "x" ]; then - echo "FAILURE: The following executables are not signed correctly:" + echo "FAILURE: The following ${cc_unsigned} executables are not signed correctly:" for f in $unsigned do echo " ${f}" done exit 1 + else + echo "SUCCESS: ${cc_signed} executables are correctly signed" fi ''' } 
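Review bot: The new `else` branch prints `SUCCESS: ${cc_signed} executables are correctly signed` even when `cc_signed` is 0, i.e. when `find` matched nothing or the `file` grep classified nothing as a Mach-O 64-bit binary, so a broken filter or an empty unpack directory passes the signing gate silently. For executables, zero verified files is itself a failure; add before the summary `if [ "${cc_signed}" -eq 0 ]; then echo "FAILURE: no executables were found to verify"; exit 1; fi`. The Windows branch in the next hunk of this patch has the same gap. `verifyExecutables` continues outside the hunk.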
@@ -157,75 +162,127 @@ List verifyExecutables(String unpack_dir) { def signtool = find_signtool() // Find all exe/dll's that must be Signed - def bins = sh(script:"find ${unpack_dir} -type f -name '*.exe' -o -name '*.dll'", \ - returnStdout:true).split("\\r?\\n|\\r") - bins.each { bin -> - if (bin.trim() != "") { - def rc = sh(script:"${signtool} verify /pa /v ${bin}", returnStatus:true) - if (rc != 0) { - println "Error: executable not Signed: ${bin}" - currentBuild.result = 'FAILURE' - unsigned.add(bin) - } else { - println "Signed correctly: ${bin}" - } - } + + withEnv(['unpack_dir='+unpack_dir]) { + // groovylint-disable + sh ''' + #!/bin/bash + set -eu + unsigned="" + cc_signed=0 + cc_unsigned=0 + FILES=$(find ${unpack_dir} -type f -name '*.exe' -o -name '*.dll') + for f in $FILES + do + if ! ${signtool} verify /pa /v ${f}; then + echo "Error: executable not Signed: ${f}" + unsigned="$unsigned $f" + cc_unsigned=$((cc_unsigned+1)) + else + echo "Signed correctly: ${f}" + cc_signed=$((cc_signed+1)) + fi + done + + if [ "x${unsigned}" != "x" ]; then + echo "FAILURE: The following ${cc_unsigned} executables are not signed correctly:" + for f in $unsigned + do + echo " ${f}" + done + exit 1 + else + echo "SUCCESS: ${cc_signed} executables are correctly signed" + fi + ''' } } - - return unsigned } // Verify installers for Signatures and Notarization(mac only) -List verifyInstallers() { - List unsigned = [] - +void verifyInstallers() { if (params.TARGET_OS == "mac") { // Find all pkg's that need to be Signed and Notarized - def pkgs = sh(script:"find . 
-type f -name '*.pkg'", \ - returnStdout:true).split("\\r?\\n|\\r") - pkgs.each { pkg -> - if (pkg.trim() != "") { - def rc = sh(script:"pkgutil --check-signature ${pkg}", returnStatus:true) - if (rc != 0) { - println "Error: pkg not Signed: ${pkg}" - currentBuild.result = 'FAILURE' - unsigned.add(pkg) - } else { - println "Signed correctly: ${pkg}" - } - rc = sh(script:"spctl -a -vvv -t install ${pkg}", returnStatus:true) - if (rc != 0) { - println "Error: pkg not Notarized: ${pkg}" - currentBuild.result = 'FAILURE' - unsigned.add(pkg) - } else { - println "Notarized correctly: ${pkg}" - } - } + withEnv(['unpack_dir='+unpack_dir]) { + // groovylint-disable + sh ''' + #!/bin/bash + set -eu + unsigned="" + cc_signed=0 + cc_unsigned=0 + FILES=$(find . -type f -name '*.pkg') + for f in $FILES + do + if ! pkgutil --check-signature ${f}; then + echo "Error: pkg not Signed: ${f}" + unsigned="$unsigned $f" + cc_unsigned=$((cc_unsigned+1)) + else + echo "Signed correctly: ${f}" + + if ! spctl -a -vvv -t install ${f}"; then + echo "Error: pkg not Notarized: ${f}" + unsigned="$unsigned $f" + cc_unsigned=$((cc_unsigned+1)) + else + echo "Notarized correctly: ${f}" + cc_signed=$((cc_signed+1)) + fi + fi + done + + if [ "x${unsigned}" != "x" ]; then + echo "FAILURE: The following ${cc_unsigned} installers are not signed and notarized correctly:" + for f in $unsigned + do + echo " ${f}" + done + exit 1 + else + echo "SUCCESS: ${cc_signed} installers are correctly signed and notarized" + fi + ''' } } else { // Windows // Find all msi's that need to be Signed def signtool = find_signtool() - def msis = sh(script:"find . 
-type f -name '*.msi'", \ - returnStdout:true).split("\\r?\\n|\\r") - msis.each { msi -> - if (msi.trim() != "") { - def rc = sh(script:"${signtool} verify /pa /v ${msi}", returnStatus:true) - if (rc != 0) { - println "Error: installer not Signed: ${msi}" - currentBuild.result = 'FAILURE' - unsigned.add(pkg) - } else { - println "Signed correctly: ${msi}" - } - } + withEnv(['unpack_dir='+unpack_dir]) { + // groovylint-disable + sh ''' + #!/bin/bash + set -eu + unsigned="" + cc_signed=0 + cc_unsigned=0 + FILES=$(find . -type f -name '*.msi') + for f in $FILES + do + if ! ${signtool} verify /pa /v ${f}; then + echo "Error: installer not Signed: ${f}" + unsigned="$unsigned $f" + cc_unsigned=$((cc_unsigned+1)) + else + echo "Signed correctly: ${f}" + cc_signed=$((cc_signed+1)) + fi + done + + if [ "x${unsigned}" != "x" ]; then + echo "FAILURE: The following ${cc_unsigned} installers are not signed correctly:" + for f in $unsigned + do + echo " ${f}" + done + exit 1 + else + echo "SUCCESS: ${cc_signed} installers are correctly signed" + fi + ''' } } - - return unsigned } // @@ -290,20 +347,12 @@ if (params.TARGET_OS != "mac" && params.TARGET_OS != "windows") { unpackArchives(unpack_dir, archives) // Verify all executables for Signatures - def unsigned = verifyExecutables(unpack_dir) + verifyExecutables(unpack_dir) // Verify installers (if built) are Signed and Notarized(mac only) - unsigned.addAll(verifyInstallers()) - - def num = unsigned.size() - if (num > 0) { - println "[ERROR] The following ${num} files are unsigned, 'adhoc' signed or not Notarized(Mac only):" - unsigned.each { file -> - println " ${file}" - } - } else { - println "[INFO] Success, all executables are signed" - } + verifyInstallers() + + println "[INFO] Success, all executables are signed" } finally { // Clean workspace afterwards cleanWs notFailBuild: true, disableDeferredWipeout: true, deleteDirs: true From 17e4f96678d86958fa9aa519621321b5b7d5484d Mon Sep 17 00:00:00 2001 
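Review bot: The mac installer script has a stray double quote in `if ! spctl -a -vvv -t install ${f}"; then`, which leaves an unterminated string and makes bash reject the whole script with a syntax error before any pkg is checked; the line should read `if ! spctl -a -vvv -t install "${f}"; then`, and the same typo is carried forward on the new side of patch 71. In the same hunk the Windows executable script uses `${signtool}` while only `unpack_dir` is exported via withEnv, so under `set -u` every Windows run aborts with an unbound variable, and `verifyInstallers()` now references `unpack_dir`, which is not a parameter of that function and will be unresolved unless it is a script binding variable — patches 72 and 71 address those two. Failures are now signalled by `exit 1` from the shell, so the first failing verifier aborts the job before the second runs and the report no longer covers installers when executables fail; the `@@ -290` hunk's `println "[INFO] Success, all executables are signed"` is correct under that model, but the loss of the combined list is a behaviour change worth stating in the commit message.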
From: Andrew Leonard Date: Wed, 29 Nov 2023 12:03:29 +0000 Subject: [PATCH 71/92] Signing verifier job Signed-off-by: Andrew Leonard --- pipelines/build/common/verify_signing.groovy | 130 +++++++++---------- 1 file changed, 63 insertions(+), 67 deletions(-) diff --git a/pipelines/build/common/verify_signing.groovy b/pipelines/build/common/verify_signing.groovy index f61045171..beb329bdc 100644 --- a/pipelines/build/common/verify_signing.groovy +++ b/pipelines/build/common/verify_signing.groovy 
@@ -204,84 +204,80 @@ void verifyInstallers() { if (params.TARGET_OS == "mac") { // Find all pkg's that need to be Signed and Notarized - withEnv(['unpack_dir='+unpack_dir]) { - // groovylint-disable - sh ''' - #!/bin/bash - set -eu - unsigned="" - cc_signed=0 - cc_unsigned=0 - FILES=$(find . -type f -name '*.pkg') - for f in $FILES - do - if ! pkgutil --check-signature ${f}; then - echo "Error: pkg not Signed: ${f}" - unsigned="$unsigned $f" - cc_unsigned=$((cc_unsigned+1)) - else - echo "Signed correctly: ${f}" - - if ! spctl -a -vvv -t install ${f}"; then - echo "Error: pkg not Notarized: ${f}" - unsigned="$unsigned $f" - cc_unsigned=$((cc_unsigned+1)) - else - echo "Notarized correctly: ${f}" - cc_signed=$((cc_signed+1)) - fi - fi - done - - if [ "x${unsigned}" != "x" ]; then - echo "FAILURE: The following ${cc_unsigned} installers are not signed and notarized correctly:" - for f in $unsigned - do - echo " ${f}" - done - exit 1 + // groovylint-disable + sh ''' + #!/bin/bash + set -eu + unsigned="" + cc_signed=0 + cc_unsigned=0 + FILES=$(find . -type f -name '*.pkg') + for f in $FILES + do + if ! pkgutil --check-signature ${f}; then + echo "Error: pkg not Signed: ${f}" + unsigned="$unsigned $f" + cc_unsigned=$((cc_unsigned+1)) else - echo "SUCCESS: ${cc_signed} installers are correctly signed and notarized" - fi - ''' - } - } else { // Windows - // Find all msi's that need to be Signed - def signtool = find_signtool() + echo "Signed correctly: ${f}" - withEnv(['unpack_dir='+unpack_dir]) { - // groovylint-disable - sh ''' - #!/bin/bash - set -eu - unsigned="" - cc_signed=0 - cc_unsigned=0 - FILES=$(find . -type f -name '*.msi') - for f in $FILES - do - if ! ${signtool} verify /pa /v ${f}; then - echo "Error: installer not Signed: ${f}" + if ! 
spctl -a -vvv -t install ${f}"; then + echo "Error: pkg not Notarized: ${f}" unsigned="$unsigned $f" cc_unsigned=$((cc_unsigned+1)) else - echo "Signed correctly: ${f}" + echo "Notarized correctly: ${f}" cc_signed=$((cc_signed+1)) fi + fi + done + + if [ "x${unsigned}" != "x" ]; then + echo "FAILURE: The following ${cc_unsigned} installers are not signed and notarized correctly:" + for f in $unsigned + do + echo " ${f}" done + exit 1 + else + echo "SUCCESS: ${cc_signed} installers are correctly signed and notarized" + fi + ''' + } else { // Windows + // Find all msi's that need to be Signed + def signtool = find_signtool() - if [ "x${unsigned}" != "x" ]; then - echo "FAILURE: The following ${cc_unsigned} installers are not signed correctly:" - for f in $unsigned - do - echo " ${f}" - done - exit 1 + // groovylint-disable + sh ''' + #!/bin/bash + set -eu + unsigned="" + cc_signed=0 + cc_unsigned=0 + FILES=$(find . -type f -name '*.msi') + for f in $FILES + do + if ! ${signtool} verify /pa /v ${f}; then + echo "Error: installer not Signed: ${f}" + unsigned="$unsigned $f" + cc_unsigned=$((cc_unsigned+1)) else - echo "SUCCESS: ${cc_signed} installers are correctly signed" + echo "Signed correctly: ${f}" + cc_signed=$((cc_signed+1)) fi - ''' - } + done + + if [ "x${unsigned}" != "x" ]; then + echo "FAILURE: The following ${cc_unsigned} installers are not signed correctly:" + for f in $unsigned + do + echo " ${f}" + done + exit 1 + else + echo "SUCCESS: ${cc_signed} installers are correctly signed" + fi + ''' } } From 2cad46ba9adec5e45a648bfeac6dfb7a07fc5481 Mon Sep 17 00:00:00 2001 From: Andrew Leonard Date: Wed, 29 Nov 2023 12:07:14 +0000 Subject: [PATCH 72/92] Signing verifier job Signed-off-by: Andrew Leonard --- pipelines/build/common/verify_signing.groovy | 62 ++++++++++---------- 1 file changed, 32 insertions(+), 30 deletions(-) 
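Review bot: Both installer scripts print `SUCCESS: 0 installers are correctly signed…` when `find` returns nothing, which is plausible since installers are optional, but the wording claims a verification that did not happen; branch on `cc_signed` and print `echo "WARNING: no installers found to verify"` in that case so the log distinguishes "none built" from "all passed". `pkgutil --check-signature` appears to accept any valid signature and prints the certificate chain; matching that output against the expected `Developer ID Installer` certificate name (job-supplied, e.g. `<EXPECTED_INSTALLER_CERT>`) would make the gate reject a validly signed package from an unexpected identity. The stray quote on the `spctl` line is still present on this hunk's new side.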
diff --git a/pipelines/build/common/verify_signing.groovy b/pipelines/build/common/verify_signing.groovy index beb329bdc..4ace657c3 100644 --- a/pipelines/build/common/verify_signing.groovy +++ b/pipelines/build/common/verify_signing.groovy @@ -163,7 +163,7 @@ void verifyExecutables(String unpack_dir) { // Find all exe/dll's that must be Signed - withEnv(['unpack_dir='+unpack_dir]) { + withEnv(['unpack_dir='+unpack_dir, 'signtool='+signtool]) { // groovylint-disable sh ''' #!/bin/bash @@ -247,37 +247,39 @@ void verifyInstallers() { // Find all msi's that need to be Signed def signtool = find_signtool() - // groovylint-disable - sh ''' - #!/bin/bash - set -eu - unsigned="" - cc_signed=0 - cc_unsigned=0 - FILES=$(find . -type f -name '*.msi') - for f in $FILES - do - if ! ${signtool} verify /pa /v ${f}; then - echo "Error: installer not Signed: ${f}" - unsigned="$unsigned $f" - cc_unsigned=$((cc_unsigned+1)) - else - echo "Signed correctly: ${f}" - cc_signed=$((cc_signed+1)) - fi - done - - if [ "x${unsigned}" != "x" ]; then - echo "FAILURE: The following ${cc_unsigned} installers are not signed correctly:" - for f in $unsigned + withEnv(['signtool='+signtool]) { + // groovylint-disable + sh ''' + #!/bin/bash + set -eu + unsigned="" + cc_signed=0 + cc_unsigned=0 + FILES=$(find . -type f -name '*.msi') + for f in $FILES do - echo " ${f}" + if ! ${signtool} verify /pa /v ${f}; then + echo "Error: installer not Signed: ${f}" + unsigned="$unsigned $f" + cc_unsigned=$((cc_unsigned+1)) + else + echo "Signed correctly: ${f}" + cc_signed=$((cc_signed+1)) + fi done - exit 1 - else - echo "SUCCESS: ${cc_signed} installers are correctly signed" - fi - ''' + + if [ "x${unsigned}" != "x" ]; then + echo "FAILURE: The following ${cc_unsigned} installers are not signed correctly:" + for f in $unsigned + do + echo " ${f}" + done + exit 1 + else + echo "SUCCESS: ${cc_signed} installers are correctly signed" + fi + ''' + } } } 
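Review bot: Exporting `signtool` through withEnv changes how its value is interpreted: the path returned by find_signtool() carries the backslash escaping added in patches 57–59 for use inside a Groovy-interpolated sh string, but bash parameter expansion does not perform quote removal, so an unquoted `${signtool}` expands the backslashes literally and is then word-split at each escaped space, and the `verify` command cannot resolve (assuming find_signtool still returns that escaped form, which is outside this hunk). Pass the unescaped path and quote at the use site instead, `if ! "${signtool}" verify /pa /v "${f}"; then`, in both the exe and msi scripts. A comment on the withEnv line would also help the next reader, e.g. `// signtool is exported so the '''-quoted script is not Groovy-interpolated`.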
From 5a2a75846f6e9c728945eb655c3cedf5b2333e94 Mon Sep 17 00:00:00 2001 From: Andrew Leonard Date: Wed, 29 Nov 2023 12:10:45 +0000 Subject: [PATCH 73/92] Signing verifier job Signed-off-by: Andrew Leonard --- pipelines/build/common/verify_signing.groovy | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pipelines/build/common/verify_signing.groovy b/pipelines/build/common/verify_signing.groovy index 4ace657c3..23f468dff 100644 --- a/pipelines/build/common/verify_signing.groovy +++ b/pipelines/build/common/verify_signing.groovy @@ -211,7 +211,7 @@ void verifyInstallers() { unsigned="" cc_signed=0 cc_unsigned=0 - FILES=$(find . -type f -name '*.pkg') + FILES="$(find . -type f -name '*.pkg')" for f in $FILES do if ! pkgutil --check-signature ${f}; then From 00fcb1c6f1fb5a5e734faa29379b470ec6ec0782 Mon Sep 17 00:00:00 2001 From: Andrew Leonard Date: Wed, 29 Nov 2023 12:22:10 +0000 Subject: [PATCH 74/92] Signing verifier job Signed-off-by: Andrew Leonard --- pipelines/build/common/verify_signing.groovy | 50 ++++++++++++-------- 1 file changed, 31 insertions(+), 19 deletions(-) diff --git a/pipelines/build/common/verify_signing.groovy b/pipelines/build/common/verify_signing.groovy index 23f468dff..73ec74619 100644 --- a/pipelines/build/common/verify_signing.groovy +++ b/pipelines/build/common/verify_signing.groovy 
@@ -86,24 +86,28 @@ void unpackArchives(String unpack_dir, String[] archives) { #!/bin/bash set -eu FILES=$(find "${dir}" -type f -name '*.jmod') - for f in $FILES - do + if [[ -n $FILES ]]; then + for f in $FILES + do expand_dir=$(basename ${f}) expand_dir="${dir}/expanded_${expand_dir}" mkdir "${expand_dir}" echo "Expanding JMOD ${f}" ${jdk_bin}/jmod extract --dir ${expand_dir} ${f} - done + done + fi FILES=$(find "${dir}" -type f -name 'modules') - for f in $FILES - do + if [[ -n $FILES ]]; then + for f in $FILES + do expand_dir=$(basename ${f}) expand_dir="${dir}/expanded_${expand_dir}" mkdir "${expand_dir}" echo "Expanding compressed image file ${f}" ${jdk_bin}/jimage extract --dir ${expand_dir} ${f} - done + done + fi ''' } } @@ -124,8 +128,9 @@ void verifyExecutables(String unpack_dir) { cc_signed=0 cc_unsigned=0 FILES=$(find "${unpack_dir}" -type f -not -name '*.*' -not -path '*/legal/*' -o -type f -name '*.dylib') - for f in $FILES - do + if [[ -n $FILES ]]; then + for f in $FILES + do # Is file a Mac 64 bit executable or dylib ? if file ${f} | grep "Mach-O 64-bit executable\\|Mach-O 64-bit dynamically linked shared library" >/dev/null; then if ! codesign --verify --verbose ${f}; then @@ -144,7 +149,8 @@ void verifyExecutables(String unpack_dir) { fi fi fi - done + done + fi if [ "x${unsigned}" != "x" ]; then echo "FAILURE: The following ${cc_unsigned} executables are not signed correctly:" @@ -172,8 +178,9 @@ void verifyExecutables(String unpack_dir) { cc_signed=0 cc_unsigned=0 FILES=$(find ${unpack_dir} -type f -name '*.exe' -o -name '*.dll') - for f in $FILES - do + if [[ -n $FILES ]]; then + for f in $FILES + do if ! ${signtool} verify /pa /v ${f}; then echo "Error: executable not Signed: ${f}" unsigned="$unsigned $f" 
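Review bot: The new `if [[ -n $FILES ]]` guards around each loop do not change behaviour: under `set -eu` `FILES` is always assigned, and `for f in $FILES` over an empty string simply runs zero iterations, so the guarded and unguarded forms execute identically. If the guard works around a specific failure seen on a node, a comment naming it, `# guard: <reason>`, would keep the next reader from removing it; otherwise the loops can stay as they were. The same guard is added in the three verifyExecutables hunks of this commit and in the verifyInstallers hunks that follow.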
@@ -182,7 +189,8 @@ void verifyExecutables(String unpack_dir) { echo "Signed correctly: ${f}" cc_signed=$((cc_signed+1)) fi - done + done + fi if [ "x${unsigned}" != "x" ]; then echo "FAILURE: The following ${cc_unsigned} executables are not signed correctly:" @@ -211,9 +219,10 @@ void verifyInstallers() { unsigned="" cc_signed=0 cc_unsigned=0 - FILES="$(find . -type f -name '*.pkg')" - for f in $FILES - do + FILES=$(find . -type f -name '*.pkg') + if [[ -n $FILES ]]; then + for f in $FILES + do if ! pkgutil --check-signature ${f}; then echo "Error: pkg not Signed: ${f}" unsigned="$unsigned $f" @@ -230,7 +239,8 @@ void verifyInstallers() { cc_signed=$((cc_signed+1)) fi fi - done + done + fi if [ "x${unsigned}" != "x" ]; then echo "FAILURE: The following ${cc_unsigned} installers are not signed and notarized correctly:" @@ -256,8 +266,9 @@ void verifyInstallers() { cc_signed=0 cc_unsigned=0 FILES=$(find . -type f -name '*.msi') - for f in $FILES - do + if [[ -n $FILES ]]; then + for f in $FILES + do if ! ${signtool} verify /pa /v ${f}; then echo "Error: installer not Signed: ${f}" unsigned="$unsigned $f" @@ -266,7 +277,8 @@ void verifyInstallers() { echo "Signed correctly: ${f}" cc_signed=$((cc_signed+1)) fi - done + done + fi if [ "x${unsigned}" != "x" ]; then echo "FAILURE: The following ${cc_unsigned} installers are not signed correctly:" From 1a42d9445427ce2883f7358b2c10161c2984e97b Mon Sep 17 00:00:00 2001 From: Andrew Leonard Date: Wed, 29 Nov 2023 12:51:29 +0000 Subject: [PATCH 75/92] Signing verifier job Signed-off-by: Andrew Leonard --- pipelines/build/common/verify_signing.groovy | 24 ++++++++++---------- 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/pipelines/build/common/verify_signing.groovy b/pipelines/build/common/verify_signing.groovy index 73ec74619..a74d09bc7 100644 --- a/pipelines/build/common/verify_signing.groovy +++ b/pipelines/build/common/verify_signing.groovy 
@@ -85,8 +85,8 @@ void unpackArchives(String unpack_dir, String[] archives) { sh ''' #!/bin/bash set -eu - FILES=$(find "${dir}" -type f -name '*.jmod') - if [[ -n $FILES ]]; then + if [[ -n `find "${dir}" -type f -name '*.jmod'` ]]; then + FILES=$(find "${dir}" -type f -name '*.jmod') for f in $FILES do expand_dir=$(basename ${f}) @@ -97,8 +97,8 @@ void unpackArchives(String unpack_dir, String[] archives) { done fi - FILES=$(find "${dir}" -type f -name 'modules') - if [[ -n $FILES ]]; then + if [[ -n `find "${dir}" -type f -name 'modules'` ]]; then + FILES=$(find "${dir}" -type f -name 'modules') for f in $FILES do expand_dir=$(basename ${f}) @@ -127,8 +127,8 @@ void verifyExecutables(String unpack_dir) { unsigned="" cc_signed=0 cc_unsigned=0 - FILES=$(find "${unpack_dir}" -type f -not -name '*.*' -not -path '*/legal/*' -o -type f -name '*.dylib') - if [[ -n $FILES ]]; then + if [[ -n `find "${unpack_dir}" -type f -not -name '*.*' -not -path '*/legal/*' -o -type f -name '*.dylib'` ]]; then + FILES=$(find "${unpack_dir}" -type f -not -name '*.*' -not -path '*/legal/*' -o -type f -name '*.dylib') for f in $FILES do # Is file a Mac 64 bit executable or dylib ? @@ -177,8 +177,8 @@ void verifyExecutables(String unpack_dir) { unsigned="" cc_signed=0 cc_unsigned=0 - FILES=$(find ${unpack_dir} -type f -name '*.exe' -o -name '*.dll') - if [[ -n $FILES ]]; then + if [[ -n `find ${unpack_dir} -type f -name '*.exe' -o -name '*.dll'` ]]; then + FILES=$(find ${unpack_dir} -type f -name '*.exe' -o -name '*.dll') for f in $FILES do if ! ${signtool} verify /pa /v ${f}; then @@ -219,8 +219,8 @@ void verifyInstallers() { unsigned="" cc_signed=0 cc_unsigned=0 - FILES=$(find . -type f -name '*.pkg') - if [[ -n $FILES ]]; then + if [[ -n `find . -type f -name '*.pkg'` ]]; then + FILES=$(find . -type f -name '*.pkg') for f in $FILES do if ! pkgutil --check-signature ${f}; then 
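Review bot: Each emptiness test now runs the `find` a second time inside backticks and then repeats the identical command to fill `FILES`, so the set that is checked for emptiness and the set that is iterated are computed separately and can differ if the tree changes in between, and the duplicated expression has to be kept in sync by hand in every place. Unless the earlier form failed for a reason not visible here, assigning once and testing the variable, `FILES=$(find ...)` followed by `if [[ -n "${FILES}" ]]; then`, is equivalent and shorter, and `$(...)` is the form the rest of these scripts already use. This applies to both unpackArchives hunks, both verifyExecutables hunks and the pkg and msi hunks in verifyInstallers.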
@@ -265,8 +265,8 @@ void verifyInstallers() { unsigned="" cc_signed=0 cc_unsigned=0 - FILES=$(find . -type f -name '*.msi') - if [[ -n $FILES ]]; then + if [[ -n `find . -type f -name '*.msi'` ]]; then + FILES=$(find . -type f -name '*.msi') for f in $FILES do if ! ${signtool} verify /pa /v ${f}; then From 841e6ac5cd154c57e6d598d93b2bc20268a968ac Mon Sep 17 00:00:00 2001 From: Andrew Leonard Date: Wed, 29 Nov 2023 12:59:21 +0000 Subject: [PATCH 76/92] Signing verifier job Signed-off-by: Andrew Leonard --- pipelines/build/common/verify_signing.groovy | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/pipelines/build/common/verify_signing.groovy b/pipelines/build/common/verify_signing.groovy index a74d09bc7..40db43221 100644 --- a/pipelines/build/common/verify_signing.groovy +++ b/pipelines/build/common/verify_signing.groovy @@ -219,7 +219,7 @@ void verifyInstallers() { unsigned="" cc_signed=0 cc_unsigned=0 - if [[ -n `find . -type f -name '*.pkg'` ]]; then + # if [[ -n `find . -type f -name '*.pkg'` ]]; then FILES=$(find . -type f -name '*.pkg') for f in $FILES do @@ -230,7 +230,7 @@ void verifyInstallers() { else echo "Signed correctly: ${f}" - if ! spctl -a -vvv -t install ${f}"; then + if ! spctl -a -vvv -t install ${f}; then echo "Error: pkg not Notarized: ${f}" unsigned="$unsigned $f" cc_unsigned=$((cc_unsigned+1)) @@ -240,7 +240,7 @@ void verifyInstallers() { fi fi done - fi + # fi if [ "x${unsigned}" != "x" ]; then echo "FAILURE: The following ${cc_unsigned} installers are not signed and notarized correctly:" From ca574bdff2a96712f55a8243f4c53c56eed70231 Mon Sep 17 00:00:00 2001 From: Andrew Leonard Date: Wed, 29 Nov 2023 13:00:20 +0000 Subject: [PATCH 77/92] Signing verifier job Signed-off-by: Andrew Leonard --- pipelines/build/common/verify_signing.groovy | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
diff --git a/pipelines/build/common/verify_signing.groovy b/pipelines/build/common/verify_signing.groovy index 40db43221..157c5a09b 100644 --- a/pipelines/build/common/verify_signing.groovy +++ b/pipelines/build/common/verify_signing.groovy @@ -48,7 +48,8 @@ String find_signtool() { println "ERROR: Unable to find signtool.exe in ${windowsKitPath}" exit 2 } else { - def signtool = files[0].trim().replaceAll("\\(","\\\\(").replaceAll("\\)","\\\\)").replaceAll("\\ ","\\\\ ") + def signtool = files[0].trim().replaceAll("\\(","\\\\(").replaceAll("\\)","\\\\)") +//.replaceAll("\\ ","\\\\ ") println "Found signtool: ${signtool}" return signtool } From 4161fe98ee8e824d0022f9866fa490840ab784bb Mon Sep 17 00:00:00 2001 From: Andrew Leonard Date: Wed, 29 Nov 2023 13:36:06 +0000 Subject: [PATCH 78/92] Signing verifier job Signed-off-by: Andrew Leonard --- pipelines/build/common/verify_signing.groovy | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/pipelines/build/common/verify_signing.groovy b/pipelines/build/common/verify_signing.groovy index 157c5a09b..38b86f628 100644 --- a/pipelines/build/common/verify_signing.groovy +++ b/pipelines/build/common/verify_signing.groovy @@ -40,7 +40,7 @@ String find_signtool() { def windowsKitPath = "/cygdrive/c/'Program Files (x86)'/'Windows Kits'" - def files = sh(script:"find ${windowsKitPath} -type f -path */${arch}/signtool.exe", \ + def files = sh(script:"cd ${windowsKitPath} && find . -type f -path */${arch}/signtool.exe", \ returnStdout:true).split("\\r?\\n|\\r") // Return the first one we find @@ -48,7 +48,8 @@ String find_signtool() { println "ERROR: Unable to find signtool.exe in ${windowsKitPath}" exit 2 } else { - def signtool = files[0].trim().replaceAll("\\(","\\\\(").replaceAll("\\)","\\\\)") + def signtool = "${windowsKitPath}/files[0].trim()" +//.replaceAll("\\(","\\\\(").replaceAll("\\)","\\\\)") //.replaceAll("\\ ","\\\\ ") println "Found signtool: ${signtool}" return signtool 
From 6a8c60e0cc319fcb5eb869c9d77922c94798bddb Mon Sep 17 00:00:00 2001 From: Andrew Leonard Date: Wed, 29 Nov 2023 13:39:08 +0000 Subject: [PATCH 79/92] Signing verifier job Signed-off-by: Andrew Leonard --- pipelines/build/common/verify_signing.groovy | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pipelines/build/common/verify_signing.groovy b/pipelines/build/common/verify_signing.groovy index 38b86f628..fb3d95fcc 100644 --- a/pipelines/build/common/verify_signing.groovy +++ b/pipelines/build/common/verify_signing.groovy @@ -48,7 +48,7 @@ String find_signtool() { println "ERROR: Unable to find signtool.exe in ${windowsKitPath}" exit 2 } else { - def signtool = "${windowsKitPath}/files[0].trim()" + def signtool = "${windowsKitPath}/"+files[0].trim() //.replaceAll("\\(","\\\\(").replaceAll("\\)","\\\\)") //.replaceAll("\\ ","\\\\ ") println "Found signtool: ${signtool}" From 6ec6cc5aadf2b0bb2da9bb6d9c36c720257841d2 Mon Sep 17 00:00:00 2001 From: Andrew Leonard Date: Wed, 29 Nov 2023 13:47:06 +0000 Subject: [PATCH 80/92] Signing verifier job Signed-off-by: Andrew Leonard --- pipelines/build/common/verify_signing.groovy | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pipelines/build/common/verify_signing.groovy b/pipelines/build/common/verify_signing.groovy index fb3d95fcc..376935c54 100644 --- a/pipelines/build/common/verify_signing.groovy +++ b/pipelines/build/common/verify_signing.groovy @@ -38,7 +38,7 @@ String find_signtool() { exit 1 } - def windowsKitPath = "/cygdrive/c/'Program Files (x86)'/'Windows Kits'" + def windowsKitPath = "/cygdrive/c/Program\\ Files\\ \\(x86\\)/Windows\\ Kits" def files = sh(script:"cd ${windowsKitPath} && find . -type f -path */${arch}/signtool.exe", \ returnStdout:true).split("\\r?\\n|\\r") From 6b8f4d28c9f2ba98ef0fec9d8fac157e863222a2 Mon Sep 17 00:00:00 2001 From: Andrew Leonard Date: Wed, 29 Nov 2023 13:51:06 +0000 Subject: [PATCH 81/92] Signing verifier job 
Signed-off-by: Andrew Leonard --- pipelines/build/common/verify_signing.groovy | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pipelines/build/common/verify_signing.groovy b/pipelines/build/common/verify_signing.groovy index 376935c54..13374b8e6 100644 --- a/pipelines/build/common/verify_signing.groovy +++ b/pipelines/build/common/verify_signing.groovy @@ -183,7 +183,7 @@ void verifyExecutables(String unpack_dir) { FILES=$(find ${unpack_dir} -type f -name '*.exe' -o -name '*.dll') for f in $FILES do - if ! ${signtool} verify /pa /v ${f}; then + if ! "${signtool}" verify /pa /v ${f}; then echo "Error: executable not Signed: ${f}" unsigned="$unsigned $f" cc_unsigned=$((cc_unsigned+1)) @@ -271,7 +271,7 @@ void verifyInstallers() { FILES=$(find . -type f -name '*.msi') for f in $FILES do - if ! ${signtool} verify /pa /v ${f}; then + if ! "${signtool}" verify /pa /v ${f}; then echo "Error: installer not Signed: ${f}" unsigned="$unsigned $f" cc_unsigned=$((cc_unsigned+1)) From 13fb79c687e9a3b0c2be78ceceed44f793481659 Mon Sep 17 00:00:00 2001 From: Andrew Leonard Date: Wed, 29 Nov 2023 13:56:37 +0000 Subject: [PATCH 82/92] Signing verifier job Signed-off-by: Andrew Leonard --- pipelines/build/common/verify_signing.groovy | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/pipelines/build/common/verify_signing.groovy b/pipelines/build/common/verify_signing.groovy index 13374b8e6..9af2c45d3 100644 --- a/pipelines/build/common/verify_signing.groovy +++ b/pipelines/build/common/verify_signing.groovy @@ -38,7 +38,8 @@ String find_signtool() { exit 1 } - def windowsKitPath = "/cygdrive/c/Program\\ Files\\ \\(x86\\)/Windows\\ Kits" +// def windowsKitPath = "/cygdrive/c/Program\\ Files\\ \\(x86\\)/Windows\\ Kits" + def windowsKitPath = "/cygdrive/c/progra~2/wi3cf2~1" def files = sh(script:"cd ${windowsKitPath} && find . -type f -path */${arch}/signtool.exe", \ returnStdout:true).split("\\r?\\n|\\r") 
@@ -183,7 +184,7 @@ void verifyExecutables(String unpack_dir) { FILES=$(find ${unpack_dir} -type f -name '*.exe' -o -name '*.dll') for f in $FILES do - if ! "${signtool}" verify /pa /v ${f}; then + if ! ${signtool} verify /pa /v ${f}; then echo "Error: executable not Signed: ${f}" unsigned="$unsigned $f" cc_unsigned=$((cc_unsigned+1)) @@ -271,7 +272,7 @@ void verifyInstallers() { FILES=$(find . -type f -name '*.msi') for f in $FILES do - if ! "${signtool}" verify /pa /v ${f}; then + if ! ${signtool} verify /pa /v ${f}; then echo "Error: installer not Signed: ${f}" unsigned="$unsigned $f" cc_unsigned=$((cc_unsigned+1)) From 5607b6f4f2ef432a7d118486093ce607281d247f Mon Sep 17 00:00:00 2001 From: Andrew Leonard Date: Wed, 29 Nov 2023 14:06:51 +0000 Subject: [PATCH 83/92] Signing verifier job Signed-off-by: Andrew Leonard --- pipelines/build/common/verify_signing.groovy | 1 + 1 file changed, 1 insertion(+) diff --git a/pipelines/build/common/verify_signing.groovy b/pipelines/build/common/verify_signing.groovy index 9af2c45d3..df9462701 100644 --- a/pipelines/build/common/verify_signing.groovy +++ b/pipelines/build/common/verify_signing.groovy @@ -169,6 +169,7 @@ void verifyExecutables(String unpack_dir) { } } else { // Windows def signtool = find_signtool() +signtool = "'/cygdrive/c/Program Files (x86)/Windows Kits/./10/bin/10.0.15063.0/x64/signtool.exe'" // Find all exe/dll's that must be Signed From 1f1d74bdbedbac78d6508de60994c572efb8cfa7 Mon Sep 17 00:00:00 2001 From: Andrew Leonard Date: Wed, 29 Nov 2023 14:18:45 +0000 Subject: [PATCH 84/92] Signing verifier job Signed-off-by: Andrew Leonard --- pipelines/build/common/verify_signing.groovy | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pipelines/build/common/verify_signing.groovy b/pipelines/build/common/verify_signing.groovy index df9462701..122e023ec 100644 --- a/pipelines/build/common/verify_signing.groovy +++ b/pipelines/build/common/verify_signing.groovy 
@@ -185,7 +185,7 @@ signtool = "'/cygdrive/c/Program Files (x86)/Windows Kits/./10/bin/10.0.15063.0/ FILES=$(find ${unpack_dir} -type f -name '*.exe' -o -name '*.dll') for f in $FILES do - if ! ${signtool} verify /pa /v ${f}; then + if ! "${signtool}" verify /pa /v ${f}; then echo "Error: executable not Signed: ${f}" unsigned="$unsigned $f" cc_unsigned=$((cc_unsigned+1)) From a4963e8bd62c1d412157ea1a3278c54ed28cc6cd Mon Sep 17 00:00:00 2001 From: Andrew Leonard Date: Wed, 29 Nov 2023 14:21:37 +0000 Subject: [PATCH 85/92] Signing verifier job Signed-off-by: Andrew Leonard --- pipelines/build/common/verify_signing.groovy | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/pipelines/build/common/verify_signing.groovy b/pipelines/build/common/verify_signing.groovy index 122e023ec..215390b96 100644 --- a/pipelines/build/common/verify_signing.groovy +++ b/pipelines/build/common/verify_signing.groovy @@ -38,8 +38,7 @@ String find_signtool() { exit 1 } -// def windowsKitPath = "/cygdrive/c/Program\\ Files\\ \\(x86\\)/Windows\\ Kits" - def windowsKitPath = "/cygdrive/c/progra~2/wi3cf2~1" + def windowsKitPath = "/cygdrive/c/'Program Files (x86)'/'Windows Kits'" def files = sh(script:"cd ${windowsKitPath} && find . -type f -path */${arch}/signtool.exe", \ returnStdout:true).split("\\r?\\n|\\r") From 3ffea58aa895d8d156fff2617504e769dd755187 Mon Sep 17 00:00:00 2001 From: Andrew Leonard Date: Wed, 29 Nov 2023 14:32:21 +0000 Subject: [PATCH 86/92] Signing verifier job Signed-off-by: Andrew Leonard --- pipelines/build/common/verify_signing.groovy | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pipelines/build/common/verify_signing.groovy b/pipelines/build/common/verify_signing.groovy index 215390b96..640613c3b 100644 --- a/pipelines/build/common/verify_signing.groovy +++ b/pipelines/build/common/verify_signing.groovy 
@@ -168,7 +168,7 @@ void verifyExecutables(String unpack_dir) { } } else { // Windows def signtool = find_signtool() -signtool = "'/cygdrive/c/Program Files (x86)/Windows Kits/./10/bin/10.0.15063.0/x64/signtool.exe'" +signtool = "/cygdrive/c/Program Files (x86)/Windows Kits/10/bin/10.0.15063.0/x64/signtool.exe" // Find all exe/dll's that must be Signed From 268018e6fad629bdb7945d1da0021ce0f4be7140 Mon Sep 17 00:00:00 2001 From: Andrew Leonard Date: Wed, 29 Nov 2023 14:35:48 +0000 Subject: [PATCH 87/92] Signing verifier job Signed-off-by: Andrew Leonard --- pipelines/build/common/verify_signing.groovy | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pipelines/build/common/verify_signing.groovy b/pipelines/build/common/verify_signing.groovy index 640613c3b..c77f68487 100644 --- a/pipelines/build/common/verify_signing.groovy +++ b/pipelines/build/common/verify_signing.groovy @@ -40,7 +40,7 @@ String find_signtool() { def windowsKitPath = "/cygdrive/c/'Program Files (x86)'/'Windows Kits'" - def files = sh(script:"cd ${windowsKitPath} && find . -type f -path */${arch}/signtool.exe", \ + def files = sh(script:"find ${windowsKitPath} -type f -path */${arch}/signtool.exe", \ returnStdout:true).split("\\r?\\n|\\r") // Return the first one we find @@ -48,7 +48,7 @@ String find_signtool() { println "ERROR: Unable to find signtool.exe in ${windowsKitPath}" exit 2 } else { - def signtool = "${windowsKitPath}/"+files[0].trim() + def signtool = files[0].trim() //.replaceAll("\\(","\\\\(").replaceAll("\\)","\\\\)") //.replaceAll("\\ ","\\\\ ") println "Found signtool: ${signtool}" From d81a3d8f186ed5331e80b8a0c97f0fad06ca6bdc Mon Sep 17 00:00:00 2001 From: Andrew Leonard Date: Wed, 29 Nov 2023 14:38:36 +0000 Subject: [PATCH 88/92] Signing verifier job Signed-off-by: Andrew Leonard --- pipelines/build/common/verify_signing.groovy | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) 
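Review bot: `files[0].trim()` takes whichever `signtool.exe` `find` happens to list first, and `find` reports entries in directory order rather than sorted order, so the Windows Kit version used for verification can differ between agents or after an SDK install; pipe the output through `sort -V` (or sort the split array in Groovy) and pick the newest deliberately, or at least log all candidates. In the same `sh` call, `-path */${arch}/signtool.exe` is an unquoted glob, so if the working directory contains a matching path the shell expands it before `find` sees it; write it as `-path '*/${arch}/signtool.exe'`, which Groovy still interpolates. The `exit 2` on the context line looks like it is meant to abort the pipeline, but Pipeline Groovy has no `exit` step, so confirm it fails the build the way you expect (the `error` step is the conventional way).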
diff --git a/pipelines/build/common/verify_signing.groovy b/pipelines/build/common/verify_signing.groovy index c77f68487..68ac2d899 100644 --- a/pipelines/build/common/verify_signing.groovy +++ b/pipelines/build/common/verify_signing.groovy @@ -49,8 +49,6 @@ String find_signtool() { exit 2 } else { def signtool = files[0].trim() -//.replaceAll("\\(","\\\\(").replaceAll("\\)","\\\\)") -//.replaceAll("\\ ","\\\\ ") println "Found signtool: ${signtool}" return signtool } @@ -168,7 +166,6 @@ void verifyExecutables(String unpack_dir) { } } else { // Windows def signtool = find_signtool() -signtool = "/cygdrive/c/Program Files (x86)/Windows Kits/10/bin/10.0.15063.0/x64/signtool.exe" // Find all exe/dll's that must be Signed @@ -272,7 +269,7 @@ void verifyInstallers() { FILES=$(find . -type f -name '*.msi') for f in $FILES do - if ! ${signtool} verify /pa /v ${f}; then + if ! "${signtool}" verify /pa /v ${f}; then echo "Error: installer not Signed: ${f}" unsigned="$unsigned $f" cc_unsigned=$((cc_unsigned+1)) From 5d5db0313340ad494529c5e6886887382b6bfaee Mon Sep 17 00:00:00 2001 From: Andrew Leonard Date: Wed, 29 Nov 2023 14:40:30 +0000 Subject: [PATCH 89/92] Signing verifier job Signed-off-by: Andrew Leonard --- pipelines/build/common/verify_signing.groovy | 36 +++++++------------- 1 file changed, 12 insertions(+), 24 deletions(-) diff --git a/pipelines/build/common/verify_signing.groovy b/pipelines/build/common/verify_signing.groovy index 68ac2d899..f820f0dfe 100644 --- a/pipelines/build/common/verify_signing.groovy +++ b/pipelines/build/common/verify_signing.groovy @@ -85,9 +85,8 @@ void unpackArchives(String unpack_dir, String[] archives) { sh ''' #!/bin/bash set -eu - if [[ -n `find "${dir}" -type f -name '*.jmod'` ]]; then - FILES=$(find "${dir}" -type f -name '*.jmod') - for f in $FILES + FILES=$(find "${dir}" -type f -name '*.jmod') + for f in $FILES do expand_dir=$(basename ${f}) expand_dir="${dir}/expanded_${expand_dir}" 
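Review bot: The re-added loops hand every discovered `.jmod` and `modules` file to `${jdk_bin}/jmod extract` and `${jdk_bin}/jimage extract`; `jdk_bin` is assigned outside this hunk, and if it points into the archive that is about to be verified, the job executes binaries from the artifact before their signatures have been checked. Prefer a JDK already installed on the verification node for the extraction, or verify the `bin/` executables first and unpack afterwards, and record the choice in a comment such as `# jdk_bin must be a trusted JDK on the agent, not the artifact under test`. unpackArchives continues outside this hunk.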
@@ -95,11 +94,9 @@ void unpackArchives(String unpack_dir, String[] archives) { echo "Expanding JMOD ${f}" ${jdk_bin}/jmod extract --dir ${expand_dir} ${f} done - fi - if [[ -n `find "${dir}" -type f -name 'modules'` ]]; then - FILES=$(find "${dir}" -type f -name 'modules') - for f in $FILES + FILES=$(find "${dir}" -type f -name 'modules') + for f in $FILES do expand_dir=$(basename ${f}) expand_dir="${dir}/expanded_${expand_dir}" @@ -107,7 +104,6 @@ void unpackArchives(String unpack_dir, String[] archives) { echo "Expanding compressed image file ${f}" ${jdk_bin}/jimage extract --dir ${expand_dir} ${f} done - fi ''' } } @@ -127,9 +123,8 @@ void verifyExecutables(String unpack_dir) { unsigned="" cc_signed=0 cc_unsigned=0 - if [[ -n `find "${unpack_dir}" -type f -not -name '*.*' -not -path '*/legal/*' -o -type f -name '*.dylib'` ]]; then - FILES=$(find "${unpack_dir}" -type f -not -name '*.*' -not -path '*/legal/*' -o -type f -name '*.dylib') - for f in $FILES + FILES=$(find "${unpack_dir}" -type f -not -name '*.*' -not -path '*/legal/*' -o -type f -name '*.dylib') + for f in $FILES do # Is file a Mac 64 bit executable or dylib ? if file ${f} | grep "Mach-O 64-bit executable\\|Mach-O 64-bit dynamically linked shared library" >/dev/null; then @@ -150,7 +145,6 @@ void verifyExecutables(String unpack_dir) { fi fi done - fi if [ "x${unsigned}" != "x" ]; then echo "FAILURE: The following ${cc_unsigned} executables are not signed correctly:" @@ -177,9 +171,8 @@ void verifyExecutables(String unpack_dir) { unsigned="" cc_signed=0 cc_unsigned=0 - if [[ -n `find ${unpack_dir} -type f -name '*.exe' -o -name '*.dll'` ]]; then - FILES=$(find ${unpack_dir} -type f -name '*.exe' -o -name '*.dll') - for f in $FILES + FILES=$(find ${unpack_dir} -type f -name '*.exe' -o -name '*.dll') + for f in $FILES do if ! "${signtool}" verify /pa /v ${f}; then echo "Error: executable not Signed: ${f}" 
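Review bot: In the re-added `FILES=$(find ${unpack_dir} -type f -name '*.exe' -o -name '*.dll')`, `-o` binds more loosely than the implicit `-and`, so the expression is `(-type f -and -name '*.exe') -or -name '*.dll'` and `-type f` never applies to the `.dll` branch; `${unpack_dir}` is also unquoted here although the mac branch in the hunk above quotes it. Group the name tests, `FILES=$(find "${unpack_dir}" -type f \\( -name '*.exe' -o -name '*.dll' \\))` — the doubled backslashes are needed because the script lives in a Groovy `'''` string, as the existing `\\|` in the grep shows. verifyExecutables continues outside this hunk.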
@@ -190,7 +183,6 @@ void verifyExecutables(String unpack_dir) { cc_signed=$((cc_signed+1)) fi done - fi if [ "x${unsigned}" != "x" ]; then echo "FAILURE: The following ${cc_unsigned} executables are not signed correctly:" @@ -219,9 +211,8 @@ void verifyInstallers() { unsigned="" cc_signed=0 cc_unsigned=0 - # if [[ -n `find . -type f -name '*.pkg'` ]]; then - FILES=$(find . -type f -name '*.pkg') - for f in $FILES + FILES=$(find . -type f -name '*.pkg') + for f in $FILES do if ! pkgutil --check-signature ${f}; then echo "Error: pkg not Signed: ${f}" @@ -240,7 +231,6 @@ void verifyInstallers() { fi fi done - # fi if [ "x${unsigned}" != "x" ]; then echo "FAILURE: The following ${cc_unsigned} installers are not signed and notarized correctly:" @@ -265,9 +255,8 @@ void verifyInstallers() { unsigned="" cc_signed=0 cc_unsigned=0 - if [[ -n `find . -type f -name '*.msi'` ]]; then - FILES=$(find . -type f -name '*.msi') - for f in $FILES + FILES=$(find . -type f -name '*.msi') + for f in $FILES do if ! "${signtool}" verify /pa /v ${f}; then echo "Error: installer not Signed: ${f}" @@ -278,7 +267,6 @@ void verifyInstallers() { cc_signed=$((cc_signed+1)) fi done - fi if [ "x${unsigned}" != "x" ]; then echo "FAILURE: The following ${cc_unsigned} installers are not signed correctly:" From c118ab9162e896f685bb788fd7465e02de74e089 Mon Sep 17 00:00:00 2001 From: Andrew Leonard Date: Wed, 29 Nov 2023 14:42:43 +0000 Subject: [PATCH 90/92] Signing verifier job Signed-off-by: Andrew Leonard --- pipelines/build/common/verify_signing.groovy | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/pipelines/build/common/verify_signing.groovy b/pipelines/build/common/verify_signing.groovy index f820f0dfe..cef4c3aee 100644 --- a/pipelines/build/common/verify_signing.groovy +++ b/pipelines/build/common/verify_signing.groovy 
@@ -85,6 +85,8 @@ void unpackArchives(String unpack_dir, String[] archives) { sh ''' #!/bin/bash set -eu + set +x + FILES=$(find "${dir}" -type f -name '*.jmod') for f in $FILES do @@ -120,6 +122,8 @@ void verifyExecutables(String unpack_dir) { sh ''' #!/bin/bash set -eu + set +x + unsigned="" cc_signed=0 cc_unsigned=0 @@ -168,6 +172,8 @@ void verifyExecutables(String unpack_dir) { sh ''' #!/bin/bash set -eu + set +x + unsigned="" cc_signed=0 cc_unsigned=0 @@ -208,6 +214,8 @@ void verifyInstallers() { sh ''' #!/bin/bash set -eu + set +x + unsigned="" cc_signed=0 cc_unsigned=0 @@ -252,6 +260,8 @@ void verifyInstallers() { sh ''' #!/bin/bash set -eu + set +x + unsigned="" cc_signed=0 cc_unsigned=0 From 70cfd26121d6ae1ea569a7bfdfb2ba2171f047c0 Mon Sep 17 00:00:00 2001 From: Andrew Leonard Date: Wed, 29 Nov 2023 14:55:31 +0000 Subject: [PATCH 91/92] Signing verifier job Signed-off-by: Andrew Leonard --- pipelines/build/common/verify_signing.groovy | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/pipelines/build/common/verify_signing.groovy b/pipelines/build/common/verify_signing.groovy index cef4c3aee..66de76cbe 100644 --- a/pipelines/build/common/verify_signing.groovy +++ b/pipelines/build/common/verify_signing.groovy @@ -132,7 +132,7 @@ void verifyExecutables(String unpack_dir) { do # Is file a Mac 64 bit executable or dylib ? if file ${f} | grep "Mach-O 64-bit executable\\|Mach-O 64-bit dynamically linked shared library" >/dev/null; then - if ! codesign --verify --verbose ${f}; then + if ! codesign --verify ${f}; then echo "Error: executable not Signed: ${f}" unsigned="$unsigned $f" cc_unsigned=$((cc_unsigned+1)) 
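Review bot: The added `set +x` is most likely a no-op: each of these scripts begins with `#!/bin/bash`, and in that case the Jenkins `sh` step does not add `-x` itself, which is also why `set -eu` has to be spelled out on the line above. If the intent is to guarantee that the signtool path and file lists never reach the console log, keep it and say so, `set +x  # never trace: keep paths out of the build log`; if it is a leftover from debugging, drop it. The same line is added in the other four hunks of this commit.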
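Review bot: Dropping `--verbose` from `codesign --verify` removes the only place this job records which identity signed each Mach-O file; `codesign --verify` on its own confirms that the signature is internally valid, not that it was made by the expected Temurin certificate, so after this change an artifact signed by any identity passes with no trace of who signed it. Either keep the verbose output for the log or, better, pin the signer with a designated requirement, `codesign --verify -R='<expected designated requirement>' ${f}`, where the requirement names the expected team or leaf certificate. The same applies to the `/v` removal in the two signtool hunks of this commit (`signtool verify /pa` likewise accepts any trusted Authenticode chain) and to `-vvv` on the `spctl -a -t install` call.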
@@ -180,7 +180,7 @@ void verifyExecutables(String unpack_dir) { FILES=$(find ${unpack_dir} -type f -name '*.exe' -o -name '*.dll') for f in $FILES do - if ! "${signtool}" verify /pa /v ${f}; then + if ! "${signtool}" verify /pa ${f}; then echo "Error: executable not Signed: ${f}" unsigned="$unsigned $f" cc_unsigned=$((cc_unsigned+1)) @@ -229,7 +229,7 @@ void verifyInstallers() { else echo "Signed correctly: ${f}" - if ! spctl -a -vvv -t install ${f}; then + if ! spctl -a -t install ${f}; then echo "Error: pkg not Notarized: ${f}" unsigned="$unsigned $f" cc_unsigned=$((cc_unsigned+1)) @@ -268,7 +268,7 @@ void verifyInstallers() { FILES=$(find . -type f -name '*.msi') for f in $FILES do - if ! "${signtool}" verify /pa /v ${f}; then + if ! "${signtool}" verify /pa ${f}; then echo "Error: installer not Signed: ${f}" unsigned="$unsigned $f" cc_unsigned=$((cc_unsigned+1)) From d1ca460168a9f185d1755c85459a0c9743ab201c Mon Sep 17 00:00:00 2001 From: Andrew Leonard Date: Thu, 30 Nov 2023 08:46:18 +0000 Subject: [PATCH 92/92] Don't verify pr-tester binaries as they are not signed Signed-off-by: Andrew Leonard --- .../build/common/openjdk_build_pipeline.groovy | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/pipelines/build/common/openjdk_build_pipeline.groovy b/pipelines/build/common/openjdk_build_pipeline.groovy index a66b60bc0..bcdcfbbeb 100644 --- a/pipelines/build/common/openjdk_build_pipeline.groovy +++ b/pipelines/build/common/openjdk_build_pipeline.groovy @@ -2088,12 +2088,14 @@ class Build { } } - // Verify Windows and Mac Signing for Temurin - if (buildConfig.VARIANT == 'temurin') { - try { - verifySigning() - } catch (Exception e) { - context.println(e.message) + if (!env.JOB_NAME.contains('pr-tester')) { // pr-tester does not sign the binaries + // Verify Windows and Mac Signing for Temurin + if (buildConfig.VARIANT == 'temurin') { + try { + verifySigning() + } catch (Exception e) { + context.println(e.message) + } } }
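Review bot: The re-indented block still catches the failure of `verifySigning()` and only prints `e.message`, so a Temurin build whose binaries fail signature or notarization checks completes successfully with one line in the log; if the verifier is meant to gate releases the exception should propagate (or be rethrown via the `error` step), and if the swallow is deliberate for now it needs a comment saying why. The new gate `!env.JOB_NAME.contains('pr-tester')` is a substring match on the job name, so any job whose full path happens to contain that text also skips verification; an explicit build parameter or an exact match on the job's own name would be harder to trigger by accident. The enclosing method of class Build starts outside this hunk.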