Verify Windows and Mac Signing signatures in all executables and inst…
…allers (adoptium#848)

* Signing verifier job

Signed-off-by: Andrew Leonard <anleonar@redhat.com>

* Signing verifier job

Signed-off-by: Andrew Leonard <anleonar@redhat.com>

* Signing verifier job

Signed-off-by: Andrew Leonard <anleonar@redhat.com>

* Signing verifier job

Signed-off-by: Andrew Leonard <anleonar@redhat.com>

* Signing verifier job

Signed-off-by: Andrew Leonard <anleonar@redhat.com>

* Signing verifier job

Signed-off-by: Andrew Leonard <anleonar@redhat.com>

* Signing verifier job

Signed-off-by: Andrew Leonard <anleonar@redhat.com>

* Signing verifier job

Signed-off-by: Andrew Leonard <anleonar@redhat.com>

* Signing verifier job

Signed-off-by: Andrew Leonard <anleonar@redhat.com>

* Signing verifier job

Signed-off-by: Andrew Leonard <anleonar@redhat.com>

* Signing verifier job

Signed-off-by: Andrew Leonard <anleonar@redhat.com>

* Signing verifier job

Signed-off-by: Andrew Leonard <anleonar@redhat.com>

* Signing verifier job

Signed-off-by: Andrew Leonard <anleonar@redhat.com>

* Signing verifier job

Signed-off-by: Andrew Leonard <anleonar@redhat.com>

* Signing verifier job

Signed-off-by: Andrew Leonard <anleonar@redhat.com>

* Signing verifier job

Signed-off-by: Andrew Leonard <anleonar@redhat.com>

* Signing verifier job

Signed-off-by: Andrew Leonard <anleonar@redhat.com>

* Signing verifier job

Signed-off-by: Andrew Leonard <anleonar@redhat.com>

* Signing verifier job

Signed-off-by: Andrew Leonard <anleonar@redhat.com>

* Signing verifier job

Signed-off-by: Andrew Leonard <anleonar@redhat.com>

* Signing verifier job

Signed-off-by: Andrew Leonard <anleonar@redhat.com>

* Signing verifier job

Signed-off-by: Andrew Leonard <anleonar@redhat.com>

* Signing verifier job

Signed-off-by: Andrew Leonard <anleonar@redhat.com>

* Signing verifier job

Signed-off-by: Andrew Leonard <anleonar@redhat.com>

* Signing verifier job

Signed-off-by: Andrew Leonard <anleonar@redhat.com>

* Signing verifier job

Signed-off-by: Andrew Leonard <anleonar@redhat.com>

* Signing verifier job

Signed-off-by: Andrew Leonard <anleonar@redhat.com>

* Signing verifier job

Signed-off-by: Andrew Leonard <anleonar@redhat.com>

* Signing verifier job

Signed-off-by: Andrew Leonard <anleonar@redhat.com>

* Signing verifier job

Signed-off-by: Andrew Leonard <anleonar@redhat.com>

* Signing verifier job

Signed-off-by: Andrew Leonard <anleonar@redhat.com>

* Signing verifier job

Signed-off-by: Andrew Leonard <anleonar@redhat.com>

* Signing verifier job

Signed-off-by: Andrew Leonard <anleonar@redhat.com>

* Signing verifier job

Signed-off-by: Andrew Leonard <anleonar@redhat.com>

* Signing verifier job

Signed-off-by: Andrew Leonard <anleonar@redhat.com>

* Signing verifier job

Signed-off-by: Andrew Leonard <anleonar@redhat.com>

* Signing verifier job

Signed-off-by: Andrew Leonard <anleonar@redhat.com>

* Signing verifier job

Signed-off-by: Andrew Leonard <anleonar@redhat.com>

* Signing verifier job

Signed-off-by: Andrew Leonard <anleonar@redhat.com>

* Signing verifier job

Signed-off-by: Andrew Leonard <anleonar@redhat.com>

* Signing verifier job

Signed-off-by: Andrew Leonard <anleonar@redhat.com>

* Signing verifier job

Signed-off-by: Andrew Leonard <anleonar@redhat.com>

* Signing verifier job

Signed-off-by: Andrew Leonard <anleonar@redhat.com>

* Signing verifier job

Signed-off-by: Andrew Leonard <anleonar@redhat.com>

* Signing verifier job

Signed-off-by: Andrew Leonard <anleonar@redhat.com>

* Signing verifier job

Signed-off-by: Andrew Leonard <anleonar@redhat.com>

* Signing verifier job

Signed-off-by: Andrew Leonard <anleonar@redhat.com>

* Signing verifier job

Signed-off-by: Andrew Leonard <anleonar@redhat.com>

* Signing verifier job

Signed-off-by: Andrew Leonard <anleonar@redhat.com>

* Signing verifier job

Signed-off-by: Andrew Leonard <anleonar@redhat.com>

* Signing verifier job

Signed-off-by: Andrew Leonard <anleonar@redhat.com>

* Signing verifier job

Signed-off-by: Andrew Leonard <anleonar@redhat.com>

* Signing verifier job

Signed-off-by: Andrew Leonard <anleonar@redhat.com>

* Signing verifier job

Signed-off-by: Andrew Leonard <anleonar@redhat.com>

* Signing verifier job

Signed-off-by: Andrew Leonard <anleonar@redhat.com>

* Signing verifier job

Signed-off-by: Andrew Leonard <anleonar@redhat.com>

* Signing verifier job

Signed-off-by: Andrew Leonard <anleonar@redhat.com>

* Signing verifier job

Signed-off-by: Andrew Leonard <anleonar@redhat.com>

* Signing verifier job

Signed-off-by: Andrew Leonard <anleonar@redhat.com>

* Signing verifier job

Signed-off-by: Andrew Leonard <anleonar@redhat.com>

* Signing verifier job

Signed-off-by: Andrew Leonard <anleonar@redhat.com>

* Signing verifier job

Signed-off-by: Andrew Leonard <anleonar@redhat.com>

* Signing verifier job

Signed-off-by: Andrew Leonard <anleonar@redhat.com>

* Signing verifier job

Signed-off-by: Andrew Leonard <anleonar@redhat.com>

* Signing verifier job

Signed-off-by: Andrew Leonard <anleonar@redhat.com>

* Signing verifier job

Signed-off-by: Andrew Leonard <anleonar@redhat.com>

* Signing verifier job

Signed-off-by: Andrew Leonard <anleonar@redhat.com>

* Signing verifier job

Signed-off-by: Andrew Leonard <anleonar@redhat.com>

* Signing verifier job

Signed-off-by: Andrew Leonard <anleonar@redhat.com>

* Signing verifier job

Signed-off-by: Andrew Leonard <anleonar@redhat.com>

* Signing verifier job

Signed-off-by: Andrew Leonard <anleonar@redhat.com>

* Signing verifier job

Signed-off-by: Andrew Leonard <anleonar@redhat.com>

* Signing verifier job

Signed-off-by: Andrew Leonard <anleonar@redhat.com>

* Signing verifier job

Signed-off-by: Andrew Leonard <anleonar@redhat.com>

* Signing verifier job

Signed-off-by: Andrew Leonard <anleonar@redhat.com>

* Signing verifier job

Signed-off-by: Andrew Leonard <anleonar@redhat.com>

* Signing verifier job

Signed-off-by: Andrew Leonard <anleonar@redhat.com>

* Signing verifier job

Signed-off-by: Andrew Leonard <anleonar@redhat.com>

* Signing verifier job

Signed-off-by: Andrew Leonard <anleonar@redhat.com>

* Signing verifier job

Signed-off-by: Andrew Leonard <anleonar@redhat.com>

* Signing verifier job

Signed-off-by: Andrew Leonard <anleonar@redhat.com>

* Signing verifier job

Signed-off-by: Andrew Leonard <anleonar@redhat.com>

* Signing verifier job

Signed-off-by: Andrew Leonard <anleonar@redhat.com>

* Signing verifier job

Signed-off-by: Andrew Leonard <anleonar@redhat.com>

* Signing verifier job

Signed-off-by: Andrew Leonard <anleonar@redhat.com>

* Signing verifier job

Signed-off-by: Andrew Leonard <anleonar@redhat.com>

* Signing verifier job

Signed-off-by: Andrew Leonard <anleonar@redhat.com>

* Signing verifier job

Signed-off-by: Andrew Leonard <anleonar@redhat.com>

* Signing verifier job

Signed-off-by: Andrew Leonard <anleonar@redhat.com>

* Signing verifier job

Signed-off-by: Andrew Leonard <anleonar@redhat.com>

* Signing verifier job

Signed-off-by: Andrew Leonard <anleonar@redhat.com>

* Don't verify pr-tester binaries as they are not signed

Signed-off-by: Andrew Leonard <anleonar@redhat.com>

---------

Signed-off-by: Andrew Leonard <anleonar@redhat.com>
andrew-m-leonard authored and luhenry committed Feb 3, 2024
1 parent 36dced9 commit 23bcc9b
Showing 2 changed files with 418 additions and 0 deletions.
47 changes: 47 additions & 0 deletions pipelines/build/common/openjdk_build_pipeline.groovy
Expand Up @@ -905,6 +905,42 @@ class Build {
flatten: true)
}

// For Windows and Mac verify that all necessary executables are Signed and Notarized(mac)
private void verifySigning() {
if (buildConfig.TARGET_OS == "windows" || buildConfig.TARGET_OS == "mac") {
try {
context.println "RUNNING sign_verification for ${buildConfig.TARGET_OS}/${buildConfig.ARCHITECTURE} ..."

// Determine suitable node to run on
def verifyNode
if (buildConfig.TARGET_OS == "windows") {
verifyNode = "ci.role.test&&sw.os.windows"
} else {
verifyNode = "ci.role.test&&(sw.os.osx||sw.os.mac)"
}
if (buildConfig.ARCHITECTURE == "aarch64") {
verifyNode = verifyNode + "&&hw.arch.aarch64"
} else {
verifyNode = verifyNode + "&&hw.arch.x86"
}

// Execute sign verification job
context.build job: 'build-scripts/release/sign_verification',
propagate: true,
parameters: [
context.string(name: 'UPSTREAM_JOB_NUMBER', value: "${env.BUILD_NUMBER}"),
context.string(name: 'UPSTREAM_JOB_NAME', value: "${env.JOB_NAME}"),
context.string(name: 'TARGET_OS', value: "${buildConfig.TARGET_OS}"),
context.string(name: 'TARGET_ARCH', value: "${buildConfig.ARCHITECTURE}"),
context.string(name: 'NODE_LABEL', value: "${verifyNode}")
]
} catch (e) {
context.println("Failed to sign_verification for ${buildConfig.TARGET_OS}/${buildConfig.ARCHITECTURE} ${e}")
currentBuild.result = 'FAILURE'
}
}
}

private void gpgSign() {
context.stage('GPG sign') {
context.println "RUNNING sign_temurin_gpg for ${buildConfig.TARGET_OS}/${buildConfig.ARCHITECTURE} ..."
Expand Down Expand Up @@ -2052,6 +2088,17 @@ class Build {
}
}

if (!env.JOB_NAME.contains('pr-tester')) { // pr-tester does not sign the binaries
// Verify Windows and Mac Signing for Temurin
if (buildConfig.VARIANT == 'temurin') {
try {
verifySigning()
} catch (Exception e) {
context.println(e.message)
}
}
}

// Compare reproducible build if needed
if (enableReproducibleCompare) {
compareReproducibleBuild(nonDockerNodeName)
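Review bot: A failed signature verification does not stop the pipeline: verifySigning() catches every exception from the sign_verification build, sets `currentBuild.result = 'FAILURE'` and returns normally, so the call at line 440 continues into compareReproducibleBuild() and presumably whatever follows this hunk, and the outer `catch (Exception e)` around it cannot fire for the verification job failing at all, since verifySigning never rethrows. If verification is meant to gate the build, the smallest change is to rethrow in verifySigning's catch (`currentBuild.result = 'FAILURE'; throw e`) and drop the outer try/catch at lines 439–443; if continuing on failure is intentional, a comment saying so (`// a verification failure marks the build FAILURE but does not abort; later stages still run`) would make that explicit rather than implied. The two skip paths at lines 436 and 438 log nothing, so a build whose signatures were never checked reads the same in the console as one that passed; a `context.println` on each skip would keep the absence of the check visible. The enclosing method of this second hunk starts and ends outside the hunk.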