From 71311f8cb6edebfff93056269b231426d4bbecce Mon Sep 17 00:00:00 2001
From: Andrew Leonard <31470007+andrew-m-leonard@users.noreply.github.com>
Date: Wed, 11 Dec 2024 10:10:23 +0000
Subject: [PATCH] =?UTF-8?q?Prevent=20jdk11+=20from=20running=20external=20?= =?UTF-8?q?sign.sh=20as=20already=20signed=20during=E2=80=A6=20(#4083)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* Prevent jdk11+ from running external sign.sh as already signed during build
Signed-off-by: Andrew Leonard
* Prevent jdk11+ from running external sign.sh as already signed during build
Signed-off-by: Andrew Leonard
* Update comment
Co-authored-by: Severin Gehwolf
---------
Signed-off-by: Andrew Leonard
Co-authored-by: Severin Gehwolf
---
 build-farm/sign-releases.sh | 1 +
 sign.sh | 15 ++++++++++++++-
 2 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/build-farm/sign-releases.sh b/build-farm/sign-releases.sh
index 9b6c4a02d..ef59467d2 100755
--- a/build-farm/sign-releases.sh
+++ b/build-farm/sign-releases.sh
@@ -19,6 +19,7 @@ SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 export SIGN_TOOL
 export OPERATING_SYSTEM
+export VERSION
 if [ "${OPERATING_SYSTEM}" == "mac" ] ; then
 EXTENSION="tar.gz"
diff --git a/sign.sh b/sign.sh
index f8d4fb5d4..618f86dfc 100755
--- a/sign.sh
+++ b/sign.sh
@@ -77,6 +77,7 @@ signRelease()
 do
 echo "Signing ${f}"
 if [ "$SIGN_TOOL" = "eclipse" ]; then
+ if [ "${VERSION}" = "8" ]; then
 echo "Signing $f using Eclipse Foundation codesign service"
 dir=$(dirname "$f")
 file=$(basename "$f")
@@ -109,6 +110,9 @@ signRelease()
 fi
 chmod --reference="${dir}/unsigned_${file}" "$f"
 rm -rf "${dir}/unsigned_${file}"
+ else
+ echo "Eclipse signing for JDK version ${VERSION} does not externally sign Windows executables post-build"
+ fi
 else
 STAMPED=false
 for SERVER in $TIMESTAMPSERVERS; do
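Review bot: The new `if [ "${VERSION}" = "8" ]` test in signRelease() fails open: an unset, empty or differently spelled VERSION takes the `else` added in the `@@ -109,6 +110,9 @@` hunk, which only echoes a message, so the file is left without an Eclipse signature and no error is raised. The same comparison selects the file list in the `@@ -145,7 +149,16 @@` hunk. build-farm/sign-releases.sh now exports VERSION, but where it is assigned is not visible here and sign.sh may have other callers, so I would reject a missing value before the loop with `: "${VERSION:?VERSION must be set before signing}"`. The else branch also trusts that the build already signed the file; a signature check there, instead of only the echo, would turn a silent gap into a failure. signRelease() begins and ends outside these hunks.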
@@ -145,7 +149,16 @@ signRelease()
 # Sign all files with the executable permission bit set.
- FILES=$(find "${TMP_DIR}" -perm +111 -type f -not -name '.*' -o -name '*.dylib' || find "${TMP_DIR}" -perm /111 -type f -not -name '.*' -o -name '*.dylib')
+ if [ "$SIGN_TOOL" = "eclipse" ] && [ "${VERSION}" != "8" ]; then
+ # On MacOSX, libjli.dylib is copied in two places. Once in Contents/home/lib/libjli.dylib and once in
+ # Contents/MacOS/libjli.dylib. The latter is the bundle executable entry-point and hasn't been signed by
+ # by the build in contrast to content in Contents/home. Therefore, Eclipse jdk-11+ post-build signing should
+ # only sign the libjli.dylib bundle executable in Contents/MacOS, as there rest are already internally signed
+ # in the build
+ FILES=$(find . -name 'libjli.dylib' | grep 'Contents/MacOS' || true)
+ else
+ FILES=$(find "${TMP_DIR}" -perm +111 -type f -not -name '.*' -o -name '*.dylib' || find "${TMP_DIR}" -perm /111 -type f -not -name '.*' -o -name '*.dylib')
+ fi
 if [ "$FILES" == "" ]; then
 echo "No files to sign"
 elif [ "$SIGN_TOOL" = "eclipse" ]; then
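Review bot: An empty result from the added `FILES=$(find . -name 'libjli.dylib' | grep 'Contents/MacOS' || true)` falls through to the existing "No files to sign" branch, so if the search misses (wrong working directory, changed bundle layout, or a find error masked by `|| true`) the Contents/MacOS/libjli.dylib that the comment says the build has not signed is left unsigned without a failure. The search is rooted at `.` whereas the other branch uses `"${TMP_DIR}"`; the working directory at this point is not visible in the hunk. I would write `FILES=$(find "${TMP_DIR}" -type f -path '*/Contents/MacOS/libjli.dylib')` and, if this branch is only reached for macOS archives (not shown here), exit non-zero when the result is empty. The comment has two typos, "signed by by the build" and "as there rest".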