Prevent jdk11+ from running external sign.sh as already signed during… (

#4083) * Prevent jdk11+ from running external sign.sh as already signed during build Signed-off-by: Andrew Leonard <[email protected]> * Prevent jdk11+ from running external sign.sh as already signed during build Signed-off-by: Andrew Leonard <[email protected]> * Update comment Co-authored-by: Severin Gehwolf <[email protected]> --------- Signed-off-by: Andrew Leonard <[email protected]> Co-authored-by: Severin Gehwolf <[email protected]>
adoptium · Dec 11, 2024 · 71311f8 · 71311f8
1 parent 10376ad
commit 71311f8
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 1 deletion.
diff --git a/build-farm/sign-releases.sh b/build-farm/sign-releases.sh
@@ -19,6 +19,7 @@ SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 
 export SIGN_TOOL
 export OPERATING_SYSTEM
+export VERSION
 
 if [ "${OPERATING_SYSTEM}" == "mac" ] ; then
   EXTENSION="tar.gz"

diff --git a/sign.sh b/sign.sh
@@ -77,6 +77,7 @@ signRelease()
         do
           echo "Signing ${f}"
           if [ "$SIGN_TOOL" = "eclipse" ]; then
+           if [ "${VERSION}" = "8" ]; then
             echo "Signing $f using Eclipse Foundation codesign service"
             dir=$(dirname "$f")
             file=$(basename "$f")
@@ -109,6 +110,9 @@ signRelease()
             fi
             chmod --reference="${dir}/unsigned_${file}" "$f"
             rm -rf "${dir}/unsigned_${file}"
+           else
+            echo "Eclipse signing for JDK version ${VERSION} does not externally sign Windows executables post-build"
+           fi
           else
             STAMPED=false
             for SERVER in $TIMESTAMPSERVERS; do
@@ -145,7 +149,16 @@ signRelease()
 
       # Sign all files with the executable permission bit set.
 
-      FILES=$(find "${TMP_DIR}" -perm +111 -type f -not -name '.*' -o -name '*.dylib' || find "${TMP_DIR}" -perm /111 -type f -not -name '.*' -o -name '*.dylib')
+      if [ "$SIGN_TOOL" = "eclipse" ] && [ "${VERSION}" != "8" ]; then
+        # On MacOSX, libjli.dylib is copied in two places. Once in Contents/home/lib/libjli.dylib and once in
+        # Contents/MacOS/libjli.dylib. The latter is the bundle executable entry-point and hasn't been signed by
+        # by the build in contrast to content in Contents/home. Therefore,  Eclipse jdk-11+ post-build signing should
+        # only sign the libjli.dylib bundle executable in Contents/MacOS, as there rest are already internally signed
+        # in the build
+        FILES=$(find . -name 'libjli.dylib' | grep 'Contents/MacOS' || true)
+      else
+        FILES=$(find "${TMP_DIR}" -perm +111 -type f -not -name '.*' -o -name '*.dylib' || find "${TMP_DIR}" -perm /111 -type f -not -name '.*' -o -name '*.dylib')
+      fi
       if [ "$FILES" == "" ]; then
         echo "No files to sign"
       elif [ "$SIGN_TOOL" = "eclipse" ]; then