JBR-7867 Notarization scripts: fail build if signing of separate files are failed

sshelomentsev · mkartashev · commit f379e0dc7fbc · 2024-11-19T18:32:54.000+04:00
diff --git a/jb/project/tools/mac/scripts/codesign.sh b/jb/project/tools/mac/scripts/codesign.sh
@@ -34,7 +34,23 @@ else
   contentType=$(jetSignContentType "$pathToBeSigned")
   (
     cd "$workDir" || exit 1
-    "$JETSIGN_CLIENT" -log-format text -denoted-content-type "$contentType" -extensions "$jetSignExtensions" "$pathToBeSigned"
+    
+    max_attempts=3
+    attempt=1
+    while [ $attempt -le $max_attempts ]; do
+      if "$JETSIGN_CLIENT" -log-format text -denoted-content-type "$contentType" -extensions "$jetSignExtensions" "$pathToBeSigned"; then
+        break
+      else
+        if [ $attempt -eq $max_attempts ]; then
+          echo "Failed to sign after $max_attempts attempts"
+          exit 1
+        fi
+        echo "Attempt $attempt failed, retrying in 5 seconds..."
+        sleep 5
+        ((attempt++))
+      fi
+    done
+
     # SRE-1223 (Codesign removes execute bits in executable files) workaround
     chmod "$(stat -f %A "$pathToBeSigned")" "$pathSigned"
     if isMacOsBinary "$pathSigned"; then
diff --git a/jb/project/tools/mac/scripts/sign.sh b/jb/project/tools/mac/scripts/sign.sh
@@ -49,9 +49,7 @@ for f in \
   if [ -d "$APPLICATION_PATH/$f" ]; then
     find "$APPLICATION_PATH/$f" \
       -type f \( -name "*.jnilib" -o -name "*.dylib" -o -name "*.so" -o -name "*.tbd" -o -name "*.node" -o -perm +111 \) \
-      -exec "$SIGN_UTILITY" --timestamp \
-      -v -s "$JB_DEVELOPER_CERT" --options=runtime --force \
-      --entitlements "$SCRIPT_DIR/entitlements.xml" {} \;
+      -exec sh -c '"$1" --timestamp -v -s "$2" --options=runtime --force --entitlements "$3" "$4" || exit 1' sh "$SIGN_UTILITY" "$JB_DEVELOPER_CERT" "$SCRIPT_DIR/entitlements.xml" {} \;
   fi
 done
 
@@ -74,9 +72,7 @@ if [ -d "$JMODS_DIR" ]; then
     log "Signing dylibs in $TMP_DIR"
     find "$TMP_DIR" \
       -type f \( -name "*.dylib" -o -name "*.so"-o -perm +111 -o -name jarsigner -o -name jnativescan -o -name jdeps -o -name jpackageapplauncher -o -name jspawnhelper -o -name jar -o -name javap -o -name jdeprscan -o -name jfr -o -name rmiregistry -o -name java -o -name jhsdb  -o -name jstatd  -o -name jstatd -o -name jpackage -o -name keytool -o -name jmod -o -name jlink -o -name jimage -o -name jstack -o -name jcmd -o -name jps -o -name jmap -o -name jstat -o -name jinfo -o -name jshell -o -name jwebserver -o -name javac -o -name serialver -o -name jrunscript -o -name jdb -o -name jconsole -o -name javadoc \) \
-      -exec "$SIGN_UTILITY" --timestamp \
-      -v -s "$JB_DEVELOPER_CERT" --options=runtime --force \
-      --entitlements "$SCRIPT_DIR/entitlements.xml" {} \;
+      -exec sh -c '"$1" --timestamp -v -s "$2" --options=runtime --force --entitlements "$3" "$4" || exit 1' sh "$SIGN_UTILITY" "$JB_DEVELOPER_CERT" "$SCRIPT_DIR/entitlements.xml" {} \;
 
     cmd="$JMOD_EXE create --class-path $TMP_DIR/classes"
 
@@ -119,10 +115,7 @@ find "$APPLICATION_PATH" -name '*.jar' \
 
     find jarfolder \
       -type f \( -name "*.jnilib" -o -name "*.dylib" -o -name "*.so" -o -name "*.tbd" -o -name "jattach" \) \
-      -exec "$SIGN_UTILITY" --timestamp \
-      --force \
-      -v -s "$JB_DEVELOPER_CERT" --options=runtime \
-      --entitlements "$SCRIPT_DIR/entitlements.xml" {} \;
+      -exec sh -c '"$1" --timestamp --force -v -s "$2" --options=runtime --entitlements "$3" "$4" || exit 1' sh "$SIGN_UTILITY" "$JB_DEVELOPER_CERT" "$SCRIPT_DIR/entitlements.xml" {} \;
 
     (cd jarfolder; zip -q -r -o -0 ../jar.jar .)
     mv jar.jar "$file"
@@ -137,9 +130,7 @@ for f in \
   if [ -d "$APPLICATION_PATH/$f" ]; then
     find "$APPLICATION_PATH/$f" \
       -type f \( -name "*.jnilib" -o -name "*.dylib" -o -name "*.so" -o -name "*.tbd" -o -perm +111 \) \
-      -exec "$SIGN_UTILITY" --timestamp \
-      -v -s "$JB_DEVELOPER_CERT" --options=runtime --force \
-      --entitlements "$SCRIPT_DIR/entitlements.xml" {} \;
+      -exec sh -c '"$1" --timestamp -v -s "$2" --options=runtime --force --entitlements "$3" "$4" || exit 1' sh "$SIGN_UTILITY" "$JB_DEVELOPER_CERT" "$SCRIPT_DIR/entitlements.xml" {} \;
   fi
 done
 
@@ -155,7 +146,7 @@ if [ "$JB_SIGN" = true ]; then for f in \
         "$SIGN_UTILITY" --timestamp \
             -v -s "$JB_DEVELOPER_CERT" --options=runtime \
             --force \
-            --entitlements "$SCRIPT_DIR/entitlements.xml" tmp-to-sign.tar.gz
+            --entitlements "$SCRIPT_DIR/entitlements.xml" tmp-to-sign.tar.gz || exit 1
         rm -rf "$line"
         tar -xzf tmp-to-sign.tar.gz --directory "$(dirname "$line")"
         rm -f tmp-to-sign.tar.gz
@@ -181,15 +172,15 @@ if [ "$JB_SIGN" = true ]; then
   "$SIGN_UTILITY" --timestamp \
     -v -s "$JB_DEVELOPER_CERT" --options=runtime \
     --force \
-    --entitlements "$SCRIPT_DIR/entitlements.xml" tmp-to-sign.tar.gz
+    --entitlements "$SCRIPT_DIR/entitlements.xml" tmp-to-sign.tar.gz || exit 1
   rm -rf "$APPLICATION_PATH"
   tar -xzf tmp-to-sign.tar.gz --directory "$(dirname "$APPLICATION_PATH")"
   rm -f tmp-to-sign.tar.gz
 else
   "$SIGN_UTILITY" --timestamp \
     -v -s "$JB_DEVELOPER_CERT" --options=runtime \
     --force \
-    --entitlements "$SCRIPT_DIR/entitlements.xml" "$APPLICATION_PATH"
+    --entitlements "$SCRIPT_DIR/entitlements.xml" "$APPLICATION_PATH" || exit 1
 fi
 
 BUILD_NAME="$(basename "$APPLICATION_PATH")"
diff --git a/jb/project/tools/mac/scripts/signapp.sh b/jb/project/tools/mac/scripts/signapp.sh
@@ -9,7 +9,6 @@ export COPYFILE_DISABLE=true
 
 INPUT_FILE=$1
 EXPLODED=$2.exploded
-BACKUP_JMODS=$2.backup
 USERNAME=$3
 PASSWORD=$4
 CODESIGN_STRING=$5
@@ -29,8 +28,6 @@ if test -d "$EXPLODED"; then
 fi
 rm -rf "$EXPLODED"
 mkdir "$EXPLODED"
-rm -rf "$BACKUP_JMODS"
-mkdir "$BACKUP_JMODS"
 
 log "Unzipping $INPUT_FILE to $EXPLODED ..."
 tar -xzvf "$INPUT_FILE" --directory $EXPLODED
