Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Mac codesign signing using eclipse-codesign does not check for success #596

Closed
andrew-m-leonard opened this issue Jan 20, 2023 · 8 comments · Fixed by #810
Closed

Mac codesign signing using eclipse-codesign does not check for success #596

andrew-m-leonard opened this issue Jan 20, 2023 · 8 comments · Fixed by #810
Assignees

Comments

@andrew-m-leonard
Copy link
Contributor

The Signing of Mac binaries by the eclipse-codesign service does not check each individual signing is successful

curl -o "$f" -F file="@${dir}/unsigned_${file}" -F entitlements="@$ENTITLEMENTS" https://cbi.eclipse.org/macos/codesign/sign

@steelhead31
Copy link
Contributor

Think I have a potential fix for this, by examining each signed binary for the string "Apple Certification Authority" , built and unsigned binaries don't contain it...

@steelhead31
Copy link
Contributor

is this also an issue with https://github.com/adoptium/temurin-build/blob/master/sign.sh#L134

https://github.com/adoptium/temurin-build/blob/master/sign.sh#L86 ?

@sophia-guo I dont think we have seen the same error in the above two jobs ( but I think the underlying cause is volume related, in submitting a large number of requests in a short time ), however both of those curl requests use the --fail switch , so would likely fail "properly", and not carry on regardless. I will have a further look at those 2 scripts, and see if they could use the "retry" resilience. I've also added the --fail switch to the mac signing PR :)

@steelhead31
Copy link
Contributor

Closed as Mac signing PR is now merged.

@github-project-automation github-project-automation bot moved this from In Progress to Done in Adoptium 3Q 2023 Plan Jul 7, 2023
@adamfarley
Copy link
Contributor

adamfarley commented Aug 9, 2023

Heya @steelhead31 - Can I ask if the unannounced failures seen here (or more accurately the apparent failure to sign them here, sans any report of failure) are being worked somewhere?

@steelhead31
Copy link
Contributor

Hi @adamfarley  this fix has been implemented into the sign.sh script, but needs reflecting into the pipeline script, it doesn't guarantee success, but will loop numerous times in order to try again. The failure detailed here appears to be a genuine fault with the notarisation service, and I'd expect it to have failed. The job on mac platforms has complete successfully since the linked build (e.g https://ci.adoptium.net/job/build-scripts/job/release/job/sign_installer/9315/ & https://ci.adoptium.net/job/build-scripts/job/release/job/sign_installer/9309/ , so its just a case of improving the pipeline script to match sign.sh ... this is on my to do list, so I've re-opened this, and will try and get to it as soon as Im able!

@steelhead31 steelhead31 reopened this Aug 9, 2023
@steelhead31 steelhead31 moved this from Done to In Progress in Adoptium 3Q 2023 Plan Aug 9, 2023
@adamfarley
Copy link
Contributor

Thanks Scott!

@steelhead31
Copy link
Contributor

steelhead31 commented Aug 10, 2023

Not related to Mac, but this shows a good example of the code signing service encountering an issue whilst doing the code signing..

https://ci.adoptium.net/job/build-scripts/job/release/job/sign_build/26029/console

Signing ./bin/jfr.exe
Signing ./bin/jfr.exe using Eclipse Foundation codesign service
Signing ./bin/jhat.exe
Signing ./bin/jhat.exe using Eclipse Foundation codesign service curl: (22) The requested URL returned error: 502 Build step 'Execute shell' marked build as failure

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
No open projects
Status: Done
Development

Successfully merging a pull request may close this issue.

4 participants