Improve Resilience Of Signing Checks For MacOS (adoptium#3431)

* Improve codesigning * Retry zip signing. * Add debug * Fix formatting. * Fix case of variables. * Fix errcount check * Add retry logic for zip signing * fix syntax error * Debugging zip signing * Debugging * Debug zip signing * Debug zip file signing * Debug zip signing * Debug zip signing * Fix zip signing check * Fix zip signing test * Fix zip file name * Debug zip sign checks * Debug zip signing * Debug zip signing * Debugging Zip Signing * Remove zip signing check with strings * Remove debugs * Linter fixes. * Linter fix * Fix formatting * Linter fix * Linter fixes * Linter fixes * Linter fix * Linter fixes * Fix unbound var * Fix exit loop
steelhead31 · Jul 12, 2023 · 4ac0543 · 4ac0543
1 parent a00cf35
commit 4ac0543
Showing 1 changed file with 42 additions and 3 deletions.
diff --git a/sign.sh b/sign.sh
@@ -119,6 +119,10 @@ signRelease()
  echo "Signing OSX release"
 
  ENTITLEMENTS="$WORKSPACE/entitlements.plist"
+
+ MACSIGNSTRING="Apple Certification Authority"
+
+
  # Sign all files with the executable permission bit set.
  FILES=$(find "${TMP_DIR}" -perm +111 -type f -o -name '*.dylib' -type f || find "${TMP_DIR}" -perm /111 -type f -o -name '*.dylib' -type f)
 
@@ -132,11 +136,46 @@ signRelease()
  file=$(basename "$f")
  mv "$f" "${dir}/unsigned_${file}"
  curl --fail --silent --show-error -o "$f" -F file="@${dir}/unsigned_${file}" -F entitlements="@$ENTITLEMENTS" https://cbi.eclipse.org/macos/codesign/sign
- chmod --reference="${dir}/unsigned_${file}" "$f"
- rm -rf "${dir}/unsigned_${file}"
+ echo File = "$f"
+ TESTMACSIGN=$(grep -ic "$MACSIGNSTRING" "$f")
+ echo Sign Result = "$TESTMACSIGN"
+ if [ "$TESTMACSIGN" -gt 0 ]
+ then
+ echo "Code Signed For File $f"
+ chmod --reference="${dir}/unsigned_${file}" "$f"
+ rm -rf "${dir}/unsigned_${file}"
+ else
+ max_iterations=20
+ iteration=1
+ success=false
+ echo "Code Not Signed For File $f"
+ while [ $iteration -le $max_iterations ] && [ $success = false ]; do
+ echo $iteration Of $max_iterations
+ sleep 1
+ curl --fail -o "$f" -F file="@${dir}/unsigned_${file}" -F entitlements="@$ENTITLEMENTS" https://cbi.eclipse.org/macos/codesign/sign
+ TESTMACSIGN2=$(grep -ic "$MACSIGNSTRING" "$f")
+ echo TESTMACSIGN2 = "$TESTMACSIGN2"
+ if [ "$TESTMACSIGN2" -gt 0 ]
+ then
+ echo "$f Signed OK On Attempt $iteration"
+ chmod --reference="${dir}/unsigned_${file}" "$f"
+ rm -rf "${dir}/unsigned_${file}"
+ success=true
+ else
+ echo "$f Failed Signing On Attempt $iteration"
+ success=false
+ iteration=$((iteration+1))
+ if [ $iteration -gt $max_iterations ]
+ then
+ echo "Errors Encountered During Signing"
+ exit 1
+ fi
+ fi
+ done
+ fi
  done
  JDK_DIR=$(ls -d "${TMP_DIR}"/jdk*)
- JDK=$(basename "${JDK_DIR}") 
+ JDK=$(basename "${JDK_DIR}")
  cd "${TMP_DIR}"
  zip -q -r "${TMP_DIR}/unsigned.zip" "${JDK}"
  cd -