diff --git a/build-farm/sign-releases.sh b/build-farm/sign-releases.sh
index 77ff6cf83..d4ffab7a0 100755
--- a/build-farm/sign-releases.sh
+++ b/build-farm/sign-releases.sh
@@ -14,6 +14,7 @@
 # limitations under the License.
 ################################################################################
+set -eu
 BUILD_ARGS=${BUILD_ARGS:-""}
 SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
@@ -40,6 +41,7 @@ do
 case "${file}" in
 *debugimage*) echo "Skipping ${file} because it's a debug image" ;;
 *testimage*) echo "Skipping ${file} because it's a test image" ;;
+ *sbom*) echo "Skipping ${file} because it's an sbom archive" ;;
 *)
 echo "signing ${file}"
@@ -47,4 +49,4 @@ do
 bash "${SCRIPT_DIR}/../sign.sh" ${CERTIFICATE} "${file}"
 ;;
 esac
-done
\ No newline at end of file
+done
diff --git a/sbin/build.sh b/sbin/build.sh
index 86c928256..0718ed689 100755
--- a/sbin/build.sh
+++ b/sbin/build.sh
@@ -928,19 +928,21 @@ getStaticLibsArchivePath() {
 }
 getSbomArchivePath(){
- # cannot use absolute path because the check in createOpenJDKArchive()
- echo "../../../../../target/metadata/sbom.json"
+ local jdkArchivePath=$(getJdkArchivePath)
+ echo "${jdkArchivePath}-sbom"
 }
-# Clean up
-removingUnnecessaryFiles() {
+# This function moves the archive files to their intended archive paths
+# and cleans unneeded files
+cleanAndMoveArchiveFiles() {
 local jdkTargetPath=$(getJdkArchivePath)
 local jreTargetPath=$(getJreArchivePath)
 local testImageTargetPath=$(getTestImageArchivePath)
 local debugImageTargetPath=$(getDebugImageArchivePath)
 local staticLibsImageTargetPath=$(getStaticLibsArchivePath)
+ local sbomTargetPath=$(getSbomArchivePath)
- echo "Removing unnecessary files now..."
+ echo "Moving archive content to target archive paths and cleaning unnecessary files..."
 stepIntoTheWorkingDirectory
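Review bot: `set -eu` is now enabled, but the call in the @@ -47 hunk, `bash "${SCRIPT_DIR}/../sign.sh" ${CERTIFICATE} "${file}"`, still expands `${CERTIFICATE}` unquoted, so under `-u` an unset value aborts with bash's generic unbound-variable message rather than a clear diagnostic, and a value containing whitespace is still split into several arguments. Adding `: "${CERTIFICATE:?must be set}"` directly after `set -eu` and quoting the expansion as `"${CERTIFICATE}"` gives the intended fail-fast behaviour a readable message. Where CERTIFICATE is assigned is outside this diff, so whether it is deliberately meant to expand to several words, or to be empty, needs confirming against the caller before quoting it. The script as shown has no pipelines, so the missing `-o pipefail` only matters if one is added later.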
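Review bot: The new `*sbom*` arm matches any file whose name contains `sbom` anywhere, which is looser than a suffix match, and the effect is that the SBOM leaves this script without a signature while every other artifact in the loop gets one; an SBOM is precisely the artifact consumers use to check what they received, so an unsigned one is only as trustworthy as the channel it was fetched over. If the skip is intended because sign.sh only code-signs executables inside archives and the JSON has nothing to sign in that sense, say so on the arm, e.g. `# SBOM is JSON, not code-signable here; integrity must be covered by a separate signature/attestation`. Whether such a separate signature exists elsewhere in the pipeline is not visible in this diff and is worth confirming. The `for` loop enclosing this `case` begins before the hunk.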
@@ -976,6 +978,15 @@ removingUnnecessaryFiles() {
 mv "${testImagePath}" "${testImageTargetPath}"
 fi
+ # If creating SBOM, move it to the target Sbom archive path
+ if [[ "${BUILD_CONFIG[CREATE_SBOM]}" == "true" ]]; then
+ local sbomJson="${BUILD_CONFIG[WORKSPACE_DIR]}/${BUILD_CONFIG[TARGET_DIR]}/metadata/sbom.json"
+ echo "moving ${sbomJson} to ${sbomTargetPath}/sbom.json"
+ rm -rf "${sbomTargetPath}" || true
+ mkdir "${sbomTargetPath}"
+ mv "${sbomJson}" "${sbomTargetPath}"
+ fi
+
 # Static libs image - check if the directory exists
 local staticLibsImagePath="${BUILD_CONFIG[STATIC_LIBS_IMAGE_PATH]}"
 local osArch
@@ -1077,7 +1088,7 @@ removingUnnecessaryFiles() {
 deleteDebugSymbols
 fi
- echo "Finished removing unnecessary files from ${jdkTargetPath}"
+ echo "Finished cleaning and moving archive files from ${jdkTargetPath}"
 }
 deleteDebugSymbols() {
@@ -1352,7 +1363,7 @@ getFirstTagFromOpenJDKGitRepo() {
 # Save current directory of caller so we can return to that directory at the end of this function.
 # Some callers are not in the git repo root, but instead build/*/images directory like the archive functions
- # and any function called after removingUnnecessaryFiles().
+ # and any function called after cleanAndMoveArchiveFiles().
 local savePwd="${PWD}"
 # Change to openjdk git repo root to find build tag.
@@ -1441,7 +1452,7 @@ createOpenJDKTarArchive() {
 local testImageTargetPath=$(getTestImageArchivePath)
 local debugImageTargetPath=$(getDebugImageArchivePath)
 local staticLibsImageTargetPath=$(getStaticLibsArchivePath)
- local sbomFilePath=$(getSbomArchivePath)
+ local sbomTargetPath=$(getSbomArchivePath)
 echo "OpenJDK JDK path will be ${jdkTargetPath}. JRE path will be ${jreTargetPath}"
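Review bot: `rm -rf "${sbomTargetPath}" || true` in the new SBOM block removes a path derived from `getSbomArchivePath` with no guard against an empty value and then discards the status, so a failure to clear a stale directory only surfaces when the following `mkdir` fails with a less obvious message. `rm -rf -- "${sbomTargetPath:?}"` aborts on an empty value and protects against a value starting with a dash, and `mkdir -p "${sbomTargetPath}"` is safe to repeat if an earlier step already created the directory. The `mv` also assumes `${sbomJson}` exists whenever CREATE_SBOM is true; if generateSBoM can fail without stopping the build, a `[ -f "${sbomJson}" ]` check with an explicit error would make that case visible rather than leaving a partial staging directory behind. Whether this script runs with `set -e` is not visible in the diff. `cleanAndMoveArchiveFiles` starts before this hunk, and its closing `echo` is in the separate @@ -1077 hunk.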
@@ -1482,10 +1493,13 @@ createOpenJDKTarArchive() {
 echo "OpenJDK static libs archive file name will be ${staticLibsImageName}."
 createArchive "${staticLibsImageTargetPath}" "${staticLibsImageName}"
 fi
- echo "OpenJDK SBOM file is ${sbomFilePath}."
- if [ -f "${sbomFilePath}" ]; then
- local sbomTargetName=$(echo "${BUILD_CONFIG[TARGET_FILE_NAME]//-jdk/-sbom}")
- createArchive "${sbomFilePath}" "${sbomTargetName}"
+ if [ -d "${sbomTargetPath}" ]; then
+ # SBOM archive artifact as a .json file
+ local sbomTargetName=$(echo "${BUILD_CONFIG[TARGET_FILE_NAME]//-jdk/-sbom}.json")
+ sbomTargetName="${sbomTargetName//\.tar\.gz/}"
+ local sbomArchiveTarget=${BUILD_CONFIG[WORKSPACE_DIR]}/${BUILD_CONFIG[TARGET_DIR]}/${sbomTargetName}
+ echo "OpenJDK SBOM will be ${sbomTargetName}."
+ cp "${sbomTargetPath}/sbom.json" "${sbomArchiveTarget}"
 fi
 # for macOS system, code sign directory before creating tar.gz file
 if [ "${BUILD_CONFIG[OS_KERNEL_NAME]}" == "darwin" ] && [ -n "${BUILD_CONFIG[MACOSX_CODESIGN_IDENTITY]}" ]; then
@@ -1781,7 +1795,7 @@ if [[ "${BUILD_CONFIG[ASSEMBLE_EXPLODED_IMAGE]}" == "true" ]]; then
 buildCyclonedxLib
 generateSBoM
 fi
- removingUnnecessaryFiles
+ cleanAndMoveArchiveFiles
 copyFreeFontForMacOS
 setPlistForMacOS
 addNoticeFile
@@ -1812,7 +1826,7 @@ if [[ "${BUILD_CONFIG[MAKE_EXPLODED]}" != "true" ]]; then
 buildCyclonedxLib
 generateSBoM
 fi
- removingUnnecessaryFiles
+ cleanAndMoveArchiveFiles
 copyFreeFontForMacOS
 setPlistForMacOS
 addNoticeFile
diff --git a/sign.sh b/sign.sh
index 6116f497e..8442d72eb 100755
--- a/sign.sh
+++ b/sign.sh
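Review bot: `sbomTargetName="${sbomTargetName//\.tar\.gz/}"` strips `.tar.gz` from anywhere in the name rather than only from the end and leaves any other archive suffix in place, so if TARGET_FILE_NAME can end in `.zip` on Windows builds the SBOM would be written as `…-sbom.zip.json`; the `$(echo …)` wrapper on the preceding line is also a needless subshell. Suffix-anchored expansions avoid both: `local sbomTargetName="${BUILD_CONFIG[TARGET_FILE_NAME]//-jdk/-sbom}"`, `sbomTargetName="${sbomTargetName%.tar.gz}"`, `sbomTargetName="${sbomTargetName%.zip}.json"`. The `[ -d "${sbomTargetPath}" ]` check only proves the staging directory exists, while `cp` needs `sbom.json` inside it, so `[ -f "${sbomTargetPath}/sbom.json" ]` is the condition that matches what the branch actually does. Whether a `.zip` target name ever reaches this function is not visible in the diff. `createOpenJDKTarArchive` begins before this hunk.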
@@ -72,42 +72,46 @@ signRelease()
 # Sign .exe files
 FILES=$(find . -type f -name '*.exe' -o -name '*.dll')
- for f in $FILES
- do
- echo "Signing ${f}"
- if [ "$SIGN_TOOL" = "eclipse" ]; then
- echo "Signing $f using Eclipse Foundation codesign service"
- dir=$(dirname "$f")
- file=$(basename "$f")
- mv "$f" "${dir}/unsigned_${file}"
- curl --fail --silent --show-error -o "$f" -F file="@${dir}/unsigned_${file}" https://cbi.eclipse.org/authenticode/sign
- chmod --reference="${dir}/unsigned_${file}" "$f"
- rm -rf "${dir}/unsigned_${file}"
- else
- STAMPED=false
- for SERVER in $TIMESTAMPSERVERS; do
- if [ "$STAMPED" = "false" ]; then
- echo "Signing $f using $SERVER"
- if [ "$SIGN_TOOL" = "ucl" ]; then
- ucl sign-code --file "$f" -n WindowsSHA -t "${SERVER}" --hash SHA256
- else
- "$signToolPath" sign /f "${SIGNING_CERTIFICATE}" /p "$SIGN_PASSWORD" /fd SHA256 /t "${SERVER}" "$f"
- fi
- RC=$?
- if [ $RC -eq 0 ]; then
- STAMPED=true
- else
- echo "RETRYWARNING: Failed to sign ${f} at $(date +%T): Possible timestamp server error at ${SERVER} - Trying new server in 5 seconds"
- sleep 2
+ if [ "$FILES" == "" ]; then
+ echo "No files to sign"
+ else
+ for f in $FILES
+ do
+ echo "Signing ${f}"
+ if [ "$SIGN_TOOL" = "eclipse" ]; then
+ echo "Signing $f using Eclipse Foundation codesign service"
+ dir=$(dirname "$f")
+ file=$(basename "$f")
+ mv "$f" "${dir}/unsigned_${file}"
+ curl --fail --silent --show-error -o "$f" -F file="@${dir}/unsigned_${file}" https://cbi.eclipse.org/authenticode/sign
+ chmod --reference="${dir}/unsigned_${file}" "$f"
+ rm -rf "${dir}/unsigned_${file}"
+ else
+ STAMPED=false
+ for SERVER in $TIMESTAMPSERVERS; do
+ if [ "$STAMPED" = "false" ]; then
+ echo "Signing $f using $SERVER"
+ if [ "$SIGN_TOOL" = "ucl" ]; then
+ ucl sign-code --file "$f" -n WindowsSHA -t "${SERVER}" --hash SHA256
+ else
+ "$signToolPath" sign /f "${SIGNING_CERTIFICATE}" /p "$SIGN_PASSWORD" /fd SHA256 /t "${SERVER}" "$f"
+ fi
+ RC=$?
+ if [ $RC -eq 0 ]; then
+ STAMPED=true
+ else
+ echo "RETRYWARNING: Failed to sign ${f} at $(date +%T): Possible timestamp server error at ${SERVER} - Trying new server in 5 seconds"
+ sleep 2
+ fi
 fi
+ done
+ if [ "$STAMPED" = "false" ]; then
+ echo "Failed to sign ${f} using any time server - aborting"
+ exit 1
 fi
- done
- if [ "$STAMPED" = "false" ]; then
- echo "Failed to sign ${f} using any time server - aborting"
- exit 1
 fi
- fi
- done
+ done
+ fi
 ;;
 "mac"*)
@@ -118,7 +122,9 @@ signRelease()
 # Sign all files with the executable permission bit set.
 FILES=$(find "${TMP_DIR}" -perm +111 -type f -o -name '*.dylib' -type f || find "${TMP_DIR}" -perm /111 -type f -o -name '*.dylib' -type f)
- if [ "$SIGN_TOOL" = "eclipse" ]; then
+ if [ "$FILES" == "" ]; then
+ echo "No files to sign"
+ elif [ "$SIGN_TOOL" = "eclipse" ]; then
 for f in $FILES
 do
 echo "Signing $f using Eclipse Foundation codesign service"
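Review bot: `if [ "$FILES" == "" ]; then`, the first added line of this hunk, uses the bash-only `==` inside single-bracket `test`; `[ -z "$FILES" ]` is the portable form and reads as the emptiness check it is, and the same applies to the `elif` rewrite in the @@ -118 hunk. Since the whole Windows loop is re-indented anyway, `for f in $FILES` still word-splits and globs the `find` output, so a path containing whitespace is handed to the signing tool as non-existent fragments; `while IFS= read -r -d '' f; do` … `done < <(find . -type f \( -name '*.exe' -o -name '*.dll' \) -print0)` keeps each path intact, keeps the inner `exit 1` in the main shell, and also fixes the precedence in the context line above, where `-type f` currently binds only to the `*.exe` alternative. That form is bash-only, so it is worth checking the script's shebang, which is outside this hunk. The signtool branch passes `$SIGN_PASSWORD` on the command line, where it is visible to other users via process listings; that is pre-existing, but the rewrite is a good moment to mark it with `# TODO: password on argv is visible in process listings` until the tool offers a safer channel. `signRelease` starts and ends outside this hunk.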