adoptium · andrew-m-leonard · Dec 1, 2023 · Nov 22, 2023 · Nov 22, 2023 · Nov 22, 2023
diff --git a/pipelines/build/common/openjdk_build_pipeline.groovy b/pipelines/build/common/openjdk_build_pipeline.groovy
@@ -905,6 +905,42 @@ class Build {
                 flatten: true)
     }
 
+    // For Windows and Mac verify that all necessary executables are Signed and Notarized(mac)
+    private void verifySigning() {
+        if (buildConfig.TARGET_OS == "windows" || buildConfig.TARGET_OS == "mac") {
+            try {
+                context.println "RUNNING sign_verification for ${buildConfig.TARGET_OS}/${buildConfig.ARCHITECTURE} ..."
+
+                // Determine suitable node to run on
+                def verifyNode
+                if (buildConfig.TARGET_OS == "windows") {
+                    verifyNode = "ci.role.test&&sw.os.windows"
+                } else {
+                    verifyNode = "ci.role.test&&(sw.os.osx||sw.os.mac)"
+                }
+                if (buildConfig.ARCHITECTURE == "aarch64") {
+                    verifyNode = verifyNode + "&&hw.arch.aarch64"
+                } else {
+                    verifyNode = verifyNode + "&&hw.arch.x86"
+                }
+
+                // Execute sign verification job
+                context.build job: 'build-scripts/release/sign_verification',
+                    propagate: true,
+                    parameters: [
+                            context.string(name: 'UPSTREAM_JOB_NUMBER', value: "${env.BUILD_NUMBER}"),
+                            context.string(name: 'UPSTREAM_JOB_NAME', value: "${env.JOB_NAME}"),
+                            context.string(name: 'TARGET_OS', value: "${buildConfig.TARGET_OS}"),
+                            context.string(name: 'TARGET_ARCH', value: "${buildConfig.ARCHITECTURE}"),
+                            context.string(name: 'NODE_LABEL', value: "${verifyNode}")
+                    ]
+            } catch (e) { 
+                context.println("Failed to sign_verification for ${buildConfig.TARGET_OS}/${buildConfig.ARCHITECTURE} ${e}")
+                currentBuild.result = 'FAILURE'
+            } 
+        }
+    }
+
     private void gpgSign() {
         context.stage('GPG sign') {
             context.println "RUNNING sign_temurin_gpg for ${buildConfig.TARGET_OS}/${buildConfig.ARCHITECTURE} ..."
@@ -2052,6 +2088,17 @@ class Build {
                     }
                 }
 
+                if (!env.JOB_NAME.contains('pr-tester')) { // pr-tester does not sign the binaries
+                    // Verify Windows and Mac Signing for Temurin
+                    if (buildConfig.VARIANT == 'temurin') {
+                        try {
+                            verifySigning()
+                        } catch (Exception e) {
+                            context.println(e.message)
+                        }
+                    }
+                }
+
                 // Compare reproducible build if needed
                 if (enableReproducibleCompare) {
                     compareReproducibleBuild(nonDockerNodeName)