JBR-7800 Fix notarization of jbrsdk (sign libs and execs inside jmod files)

Author: sshelomentsev

jb/project/tools/mac/scripts/notarize.sh

@@ -30,11 +30,34 @@ trap "rm -f \"$PWD/tmp_key\"" INT EXIT RETURN
 echo -n "${APPLE_PRIVATE_KEY}" > tmp_key
 
 log "Notarizing $APP_PATH..."
-xcrun notarytool submit --key tmp_key --key-id "${APPLE_KEY_ID}" --issuer "${APPLE_ISSUER_ID}" "$APP_PATH" 2>&1 | tee "notarytool.submit.out"
+xcrun notarytool submit --key tmp_key --key-id "${APPLE_KEY_ID}" --issuer "${APPLE_ISSUER_ID}" "$APP_PATH" 2>&1 --wait| tee "notarytool.submit.out"
 REQUEST_ID="$(grep -e " id: " "notarytool.submit.out" | grep -oE '([0-9a-f-]{36})'| head -n1)"
 
-xcrun notarytool wait "$REQUEST_ID" --key tmp_key --key-id "${APPLE_KEY_ID}" --issuer "${APPLE_ISSUER_ID}" --timeout 6h ||:
-xcrun notarytool log  "$REQUEST_ID" --key tmp_key --key-id "${APPLE_KEY_ID}" --issuer "${APPLE_ISSUER_ID}" developer_log.json ||:
-xcrun notarytool info "$REQUEST_ID" --key tmp_key --key-id "${APPLE_KEY_ID}" --issuer "${APPLE_ISSUER_ID}"
+waitOutput=$(xcrun notarytool wait "$REQUEST_ID" --key tmp_key --key-id "${APPLE_KEY_ID}" --issuer "${APPLE_ISSUER_ID}" --timeout 6h)
+if [ $? -ne 0 ]; then
+  log "Notarizing failed (wait command)"
+  echo "$waitOutput"
+  exit 1
+else
+  echo "$waitOutput"
+fi
+
+logOutout=$(xcrun notarytool log  "$REQUEST_ID" --key tmp_key --key-id "${APPLE_KEY_ID}" --issuer "${APPLE_ISSUER_ID}" developer_log.json)
+if [ $? -ne 0 ]; then
+  log "Notarizing failed (log command)"
+  echo "$logOutout"
+  exit 1
+else
+  echo "$logOutout"
+fi
+
+infoOUtput=$(xcrun notarytool info "$REQUEST_ID" --key tmp_key --key-id "${APPLE_KEY_ID}" --issuer "${APPLE_ISSUER_ID}")
+if [ $? -ne 0 ]; then
+  log "Notarizing failed (info command)"
+  echo "$infoOUtput"
+  exit 1
+else
+  echo "$infoOUtput"
+fi
 
 log "Notarizing finished"

jb/project/tools/mac/scripts/sign.sh

@@ -55,6 +55,51 @@ for f in \
   fi
 done
 
+log "Signing jmod files"
+JMODS_DIR="$APPLICATION_PATH/Contents/Home/jmods"
+if [ -d "$JMODS_DIR" ]; then
+  for jmod_file in "$JMODS_DIR"/*.jmod; do
+    log "Processing $jmod_file"
+
+    TMP_DIR="$JMODS_DIR/tmp"
+    rm -rf "$TMP_DIR"
+    mkdir "$TMP_DIR"
+
+    log "Unzipping $jmod_file"    
+    "$BOOT_JDK/bin/jmod" extract --dir "$TMP_DIR" "$jmod_file" >/dev/null
+    log "Removing $jmod_file"
+    rm -f "$jmod_file"
+
+    log "Signing dylibs in $TMP_DIR"
+    find "$TMP_DIR" \
+      -type f \( -name "*.dylib" -o -name "*.so"-o -perm +111 -o -name jarsigner -o -name jdeps -o -name jpackageapplauncher -o -name jspawnhelper -o -name jar -o -name javap -o -name jdeprscan -o -name jfr -o -name rmiregistry -o -name java -o -name jhsdb  -o -name jstatd  -o -name jstatd -o -name jpackage -o -name keytool -o -name jmod -o -name jlink -o -name jimage -o -name jstack -o -name jcmd -o -name jps -o -name jmap -o -name jstat -o -name jinfo -o -name jshell -o -name jwebserver -o -name javac -o -name serialver -o -name jrunscript -o -name jdb -o -name jconsole -o -name javadoc \) \
+      -exec "$SIGN_UTILITY" --timestamp \
+      -v -s "$JB_DEVELOPER_CERT" --options=runtime --force \
+      --entitlements "$SCRIPT_DIR/entitlements.xml" {} \;
+
+    cmd="$BOOT_JDK/bin/jmod create --class-path $TMP_DIR/classes"
+
+    # Check each directory and add to the command if it exists
+    [ -d "$TMP_DIR/bin" ] && cmd="$cmd --cmds $TMP_DIR/bin"
+    [ -d "$TMP_DIR/conf" ] && cmd="$cmd --config $TMP_DIR/conf"
+    [ -d "$TMP_DIR/lib" ] && cmd="$cmd --libs $TMP_DIR/lib"
+    [ -d "$TMP_DIR/include" ] && cmd="$cmd --header-files $TMP_DIR/include"
+    [ -d "$TMP_DIR/legal" ] && cmd="$cmd --legal-notices $TMP_DIR/legal"
+    [ -d "$TMP_DIR/man" ] && cmd="$cmd --man-pages $TMP_DIR/man"
+
+    # Add the output file
+    cmd="$cmd $jmod_file"
+
+    # Execute the command
+    eval $cmd
+
+    log "Removing $TMP_DIR"
+    rm -rf "$TMP_DIR"
+  done
+else
+  echo "Directory '$JMODS_DIR' does not exist. Skipping signing of jmod files."
+fi
+
 log "Signing libraries in jars in $APPLICATION_PATH"
 
 # todo: add set -euo pipefail; into the inner sh -c

jb/project/tools/mac/scripts/signapp.sh

@@ -38,9 +38,6 @@ BUILD_NAME="$(ls "$EXPLODED")"
 #sed -i '' s/BNDL/APPL/ $EXPLODED/$BUILD_NAME/Contents/Info.plist
 rm -f $EXPLODED/$BUILD_NAME/Contents/CodeResources
 rm "$INPUT_FILE"
-if test -d $EXPLODED/$BUILD_NAME/Contents/Home/jmods; then
-  mv $EXPLODED/$BUILD_NAME/Contents/Home/jmods $BACKUP_JMODS
-fi
 
 log "$INPUT_FILE extracted and removed"
 
@@ -108,21 +105,44 @@ set -e
 if [ "$NOTARIZE" = "yes" ]; then
   log "Notarizing..."
   "$SCRIPT_DIR/notarize.sh" "$PKG_NAME"
+
   log "Stapling..."
-  xcrun stapler staple "$APPLICATION_PATH" ||:
-  xcrun stapler staple "$PKG_NAME" ||:
+  appStaplerOutput=$(xcrun stapler staple "$APPLICATION_PATH")
+  if [ $? -ne 0 ]; then
+    log "Stapling application failed"
+    echo "$appStaplerOutput"
+    exit 1
+  else
+    echo "$appStaplerOutput"
+  fi
+
+  log "Stapling package..."
+  pkgStaplerOutput=$(xcrun stapler staple "$PKG_NAME")
+  if [ $? -ne 0 ]; then
+    log "Stapling package failed"
+    echo "$pkgStaplerOutput"
+    exit 1
+  else
+    echo "$pkgStaplerOutput"
+  fi
+
+  # Verify stapling
+  log "Verifying stapling..."
+  if ! stapler validate "$APPLICATION_PATH"; then
+    log "Stapling verification failed for application"
+    exit 1
+  fi
+  if ! stapler validate "$PKG_NAME"; then
+    log "Stapling verification failed for package"
+    exit 1
+  fi
 else
   log "Notarization disabled"
   log "Stapling disabled"
 fi
 
 log "Zipping $BUILD_NAME to $INPUT_FILE ..."
 (
-  #cd "$EXPLODED"
-  #ditto -c -k --sequesterRsrc --keepParent "$BUILD_NAME" "../$INPUT_FILE"
-  if test -d $BACKUP_JMODS/jmods; then
-    mv $BACKUP_JMODS/jmods $APPLICATION_PATH/Contents/Home
-  fi
   if [[ "$APPLICATION_PATH" != "$EXPLODED/$BUILD_NAME" ]]; then
     mv $APPLICATION_PATH $EXPLODED/$BUILD_NAME
   else
@@ -133,4 +153,4 @@ log "Zipping $BUILD_NAME to $INPUT_FILE ..."
   log "Finished zipping"
 )
 rm -rf "$EXPLODED"
-log "Done"
+log "Done"