Update sbom archiving for just sbom.json and fix sign_release sbom an…

…d exception handling (#2955) * Update sbom archiving and signing exception handling Signed-off-by: Andrew Leonard <[email protected]> * Update sbom archiving and signing exception handling Signed-off-by: Andrew Leonard <[email protected]> * Update sbom archiving and signing exception handling Signed-off-by: Andrew Leonard <[email protected]> * Update sbom archiving and signing exception handling Signed-off-by: Andrew Leonard <[email protected]> * Update sbom archiving and signing exception handling Signed-off-by: Andrew Leonard <[email protected]> * Update sbom archiving and signing exception handling Signed-off-by: Andrew Leonard <[email protected]>
adoptium · May 28, 2022 · 04227aa · 04227aa
1 parent 8ee138c
commit 04227aa
Show file tree

Hide file tree

Showing 3 changed files with 71 additions and 49 deletions.
diff --git a/build-farm/sign-releases.sh b/build-farm/sign-releases.sh
@@ -14,6 +14,7 @@
 # limitations under the License.
 ################################################################################
 
+set -eu
 
 BUILD_ARGS=${BUILD_ARGS:-""}
 SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
@@ -40,11 +41,12 @@ do
   case "${file}" in
     *debugimage*) echo "Skipping ${file} because it's a debug image" ;;
     *testimage*) echo "Skipping ${file} because it's a test image" ;;
+    *sbom*) echo "Skipping ${file} because it's an sbom archive" ;; 
     *)
       echo "signing ${file}"
 
       # shellcheck disable=SC2086
       bash "${SCRIPT_DIR}/../sign.sh" ${CERTIFICATE} "${file}"
     ;;
   esac
-done
+done
diff --git a/sbin/build.sh b/sbin/build.sh
@@ -928,19 +928,21 @@ getStaticLibsArchivePath() {
 }
 
 getSbomArchivePath(){
-  # cannot use absolute path because the check in createOpenJDKArchive()
-  echo "../../../../../target/metadata/sbom.json"
+  local jdkArchivePath=$(getJdkArchivePath)
+  echo "${jdkArchivePath}-sbom"
 }
 
-# Clean up
-removingUnnecessaryFiles() {
+# This function moves the archive files to their intended archive paths
+# and cleans unneeded files
+cleanAndMoveArchiveFiles() {
   local jdkTargetPath=$(getJdkArchivePath)
   local jreTargetPath=$(getJreArchivePath)
   local testImageTargetPath=$(getTestImageArchivePath)
   local debugImageTargetPath=$(getDebugImageArchivePath)
   local staticLibsImageTargetPath=$(getStaticLibsArchivePath)
+  local sbomTargetPath=$(getSbomArchivePath)
 
-  echo "Removing unnecessary files now..."
+  echo "Moving archive content to target archive paths and cleaning unnecessary files..."
 
   stepIntoTheWorkingDirectory
 
@@ -976,6 +978,15 @@ removingUnnecessaryFiles() {
     mv "${testImagePath}" "${testImageTargetPath}"
   fi
 
+  # If creating SBOM, move it to the target Sbom archive path
+  if [[ "${BUILD_CONFIG[CREATE_SBOM]}" == "true" ]]; then
+    local sbomJson="${BUILD_CONFIG[WORKSPACE_DIR]}/${BUILD_CONFIG[TARGET_DIR]}/metadata/sbom.json"
+    echo "moving ${sbomJson} to ${sbomTargetPath}/sbom.json"
+    rm -rf "${sbomTargetPath}" || true
+    mkdir "${sbomTargetPath}"
+    mv "${sbomJson}" "${sbomTargetPath}"
+  fi
+
   # Static libs image - check if the directory exists
   local staticLibsImagePath="${BUILD_CONFIG[STATIC_LIBS_IMAGE_PATH]}"
   local osArch
@@ -1077,7 +1088,7 @@ removingUnnecessaryFiles() {
     deleteDebugSymbols
   fi
 
-  echo "Finished removing unnecessary files from ${jdkTargetPath}"
+  echo "Finished cleaning and moving archive files from ${jdkTargetPath}"
 }
 
 deleteDebugSymbols() {
@@ -1352,7 +1363,7 @@ getFirstTagFromOpenJDKGitRepo() {
 
   # Save current directory of caller so we can return to that directory at the end of this function.
   # Some callers are not in the git repo root, but instead build/*/images directory like the archive functions
-  # and any function called after removingUnnecessaryFiles().
+  # and any function called after cleanAndMoveArchiveFiles().
   local savePwd="${PWD}"
 
   # Change to openjdk git repo root to find build tag.
@@ -1441,7 +1452,7 @@ createOpenJDKTarArchive() {
   local testImageTargetPath=$(getTestImageArchivePath)
   local debugImageTargetPath=$(getDebugImageArchivePath)
   local staticLibsImageTargetPath=$(getStaticLibsArchivePath)
-  local sbomFilePath=$(getSbomArchivePath)
+  local sbomTargetPath=$(getSbomArchivePath)
 
   echo "OpenJDK JDK path will be ${jdkTargetPath}. JRE path will be ${jreTargetPath}"
 
@@ -1482,10 +1493,13 @@ createOpenJDKTarArchive() {
     echo "OpenJDK static libs archive file name will be ${staticLibsImageName}."
     createArchive "${staticLibsImageTargetPath}" "${staticLibsImageName}"
   fi
-  echo "OpenJDK SBOM file is ${sbomFilePath}."
-  if [ -f "${sbomFilePath}" ]; then
-    local sbomTargetName=$(echo "${BUILD_CONFIG[TARGET_FILE_NAME]//-jdk/-sbom}")
-    createArchive "${sbomFilePath}" "${sbomTargetName}"
+  if [ -d "${sbomTargetPath}" ]; then
+    # SBOM archive artifact as a .json file
+    local sbomTargetName=$(echo "${BUILD_CONFIG[TARGET_FILE_NAME]//-jdk/-sbom}.json")
+    sbomTargetName="${sbomTargetName//\.tar\.gz/}"
+    local sbomArchiveTarget=${BUILD_CONFIG[WORKSPACE_DIR]}/${BUILD_CONFIG[TARGET_DIR]}/${sbomTargetName}
+    echo "OpenJDK SBOM will be ${sbomTargetName}."
+    cp "${sbomTargetPath}/sbom.json" "${sbomArchiveTarget}"
   fi
   # for macOS system, code sign directory before creating tar.gz file
   if [ "${BUILD_CONFIG[OS_KERNEL_NAME]}" == "darwin" ] && [ -n "${BUILD_CONFIG[MACOSX_CODESIGN_IDENTITY]}" ]; then
@@ -1781,7 +1795,7 @@ if [[ "${BUILD_CONFIG[ASSEMBLE_EXPLODED_IMAGE]}" == "true" ]]; then
     buildCyclonedxLib
     generateSBoM
   fi
-  removingUnnecessaryFiles
+  cleanAndMoveArchiveFiles
   copyFreeFontForMacOS
   setPlistForMacOS
   addNoticeFile
@@ -1812,7 +1826,7 @@ if [[ "${BUILD_CONFIG[MAKE_EXPLODED]}" != "true" ]]; then
     buildCyclonedxLib
     generateSBoM
   fi
-  removingUnnecessaryFiles
+  cleanAndMoveArchiveFiles
   copyFreeFontForMacOS
   setPlistForMacOS
   addNoticeFile

diff --git a/sign.sh b/sign.sh
@@ -72,42 +72,46 @@ signRelease()
 
       # Sign .exe files
       FILES=$(find . -type f -name '*.exe' -o -name '*.dll')
-      for f in $FILES
-      do
-        echo "Signing ${f}"
-        if [ "$SIGN_TOOL" = "eclipse" ]; then
-          echo "Signing $f using Eclipse Foundation codesign service"
-          dir=$(dirname "$f")
-          file=$(basename "$f")
-          mv "$f" "${dir}/unsigned_${file}"
-          curl --fail --silent --show-error -o "$f" -F file="@${dir}/unsigned_${file}" https://cbi.eclipse.org/authenticode/sign
-          chmod --reference="${dir}/unsigned_${file}" "$f"
-          rm -rf "${dir}/unsigned_${file}"
-        else
-          STAMPED=false
-          for SERVER in $TIMESTAMPSERVERS; do
-            if [ "$STAMPED" = "false" ]; then
-              echo "Signing $f using $SERVER"
-              if [ "$SIGN_TOOL" = "ucl" ]; then
-                ucl sign-code --file "$f" -n WindowsSHA -t "${SERVER}" --hash SHA256
-              else
-                "$signToolPath" sign /f "${SIGNING_CERTIFICATE}" /p "$SIGN_PASSWORD" /fd SHA256 /t "${SERVER}" "$f"
-              fi
-              RC=$?
-              if [ $RC -eq 0 ]; then
-                STAMPED=true
-              else
-                echo "RETRYWARNING: Failed to sign ${f} at $(date +%T): Possible timestamp server error at ${SERVER} - Trying new server in 5 seconds"
-                sleep 2
+      if [ "$FILES" == "" ]; then
+        echo "No files to sign"
+      else
+        for f in $FILES
+        do
+          echo "Signing ${f}"
+          if [ "$SIGN_TOOL" = "eclipse" ]; then
+            echo "Signing $f using Eclipse Foundation codesign service"
+            dir=$(dirname "$f")
+            file=$(basename "$f")
+            mv "$f" "${dir}/unsigned_${file}"
+            curl --fail --silent --show-error -o "$f" -F file="@${dir}/unsigned_${file}" https://cbi.eclipse.org/authenticode/sign
+            chmod --reference="${dir}/unsigned_${file}" "$f"
+            rm -rf "${dir}/unsigned_${file}"
+          else
+            STAMPED=false
+            for SERVER in $TIMESTAMPSERVERS; do
+              if [ "$STAMPED" = "false" ]; then
+                echo "Signing $f using $SERVER"
+                if [ "$SIGN_TOOL" = "ucl" ]; then
+                  ucl sign-code --file "$f" -n WindowsSHA -t "${SERVER}" --hash SHA256
+                else
+                  "$signToolPath" sign /f "${SIGNING_CERTIFICATE}" /p "$SIGN_PASSWORD" /fd SHA256 /t "${SERVER}" "$f"
+                fi
+                RC=$?
+                if [ $RC -eq 0 ]; then
+                  STAMPED=true
+                else
+                  echo "RETRYWARNING: Failed to sign ${f} at $(date +%T): Possible timestamp server error at ${SERVER} - Trying new server in 5 seconds"
+                  sleep 2
+                fi
               fi
+            done
+            if [ "$STAMPED" = "false" ]; then
+              echo "Failed to sign ${f} using any time server - aborting"
+              exit 1
             fi
-          done
-          if [ "$STAMPED" = "false" ]; then
-            echo "Failed to sign ${f} using any time server - aborting"
-            exit 1
           fi
-        fi
-      done
+        done
+      fi
     ;;
 
     "mac"*)
@@ -118,7 +122,9 @@ signRelease()
       # Sign all files with the executable permission bit set.
       FILES=$(find "${TMP_DIR}" -perm +111 -type f -o -name '*.dylib'  -type f || find "${TMP_DIR}" -perm /111 -type f -o -name '*.dylib'  -type f)
 
-      if [ "$SIGN_TOOL" = "eclipse" ]; then
+      if [ "$FILES" == "" ]; then
+        echo "No files to sign"
+      elif [ "$SIGN_TOOL" = "eclipse" ]; then
         for f in $FILES
         do
           echo "Signing $f using Eclipse Foundation codesign service"