JBR-7867 Notarization scripts: fail build if signing of separate file…

…s are failed
JetBrains · Nov 18, 2024 · 72a8b3b · 72a8b3b
1 parent f27dcf1
commit 72a8b3b
Show file tree

Hide file tree

Showing 2 changed files with 24 additions and 17 deletions.
diff --git a/jb/project/tools/mac/scripts/codesign.sh b/jb/project/tools/mac/scripts/codesign.sh
@@ -34,7 +34,23 @@ else
   contentType=$(jetSignContentType "$pathToBeSigned")
   (
     cd "$workDir" || exit 1
-    "$JETSIGN_CLIENT" -log-format text -denoted-content-type "$contentType" -extensions "$jetSignExtensions" "$pathToBeSigned"
+
+    max_attempts=3
+    attempt=1
+    while [ $attempt -le $max_attempts ]; do
+      if "$JETSIGN_CLIENT" -log-format text -denoted-content-type "$contentType" -extensions "$jetSignExtensions" "$pathToBeSigned"; then
+        break
+      else
+        if [ $attempt -eq $max_attempts ]; then
+          echo "Failed to sign after $max_attempts attempts"
+          exit 1
+        fi
+        echo "Attempt $attempt failed, retrying in 5 seconds..."
+        sleep 5
+        ((attempt++))
+      fi
+    done
+
     # SRE-1223 (Codesign removes execute bits in executable files) workaround
     chmod "$(stat -f %A "$pathToBeSigned")" "$pathSigned"
     if isMacOsBinary "$pathSigned"; then

diff --git a/jb/project/tools/mac/scripts/sign.sh b/jb/project/tools/mac/scripts/sign.sh
@@ -49,9 +49,7 @@ for f in \
   if [ -d "$APPLICATION_PATH/$f" ]; then
     find "$APPLICATION_PATH/$f" \
       -type f \( -name "*.jnilib" -o -name "*.dylib" -o -name "*.so" -o -name "*.tbd" -o -name "*.node" -o -perm +111 \) \
-      -exec "$SIGN_UTILITY" --timestamp \
-      -v -s "$JB_DEVELOPER_CERT" --options=runtime --force \
-      --entitlements "$SCRIPT_DIR/entitlements.xml" {} \;
+      -exec sh -c '"$1" --timestamp -v -s "$2" --options=runtime --force --entitlements "$3" "$4" || exit 1' sh "$SIGN_UTILITY" "$JB_DEVELOPER_CERT" "$SCRIPT_DIR/entitlements.xml" {} \;      
   fi
 done
 
@@ -73,9 +71,7 @@ if [ -d "$JMODS_DIR" ]; then
     log "Signing dylibs in $TMP_DIR"
     find "$TMP_DIR" \
       -type f \( -name "*.dylib" -o -name "*.so"-o -perm +111 -o -name jarsigner -o -name jdeps -o -name jpackageapplauncher -o -name jspawnhelper -o -name jar -o -name javap -o -name jdeprscan -o -name jfr -o -name rmiregistry -o -name java -o -name jhsdb  -o -name jstatd  -o -name jstatd -o -name jpackage -o -name keytool -o -name jmod -o -name jlink -o -name jimage -o -name jstack -o -name jcmd -o -name jps -o -name jmap -o -name jstat -o -name jinfo -o -name jshell -o -name jwebserver -o -name javac -o -name serialver -o -name jrunscript -o -name jdb -o -name jconsole -o -name javadoc \) \
-      -exec "$SIGN_UTILITY" --timestamp \
-      -v -s "$JB_DEVELOPER_CERT" --options=runtime --force \
-      --entitlements "$SCRIPT_DIR/entitlements.xml" {} \;
+      -exec sh -c '"$1" --timestamp -v -s "$2" --options=runtime --force --entitlements "$3" "$4" || exit 1' sh "$SIGN_UTILITY" "$JB_DEVELOPER_CERT" "$SCRIPT_DIR/entitlements.xml" {} \;
 
     cmd="$BOOT_JDK/bin/jmod create --class-path $TMP_DIR/classes"
 
@@ -118,10 +114,7 @@ find "$APPLICATION_PATH" -name '*.jar' \
 
     find jarfolder \
       -type f \( -name "*.jnilib" -o -name "*.dylib" -o -name "*.so" -o -name "*.tbd" -o -name "jattach" \) \
-      -exec "$SIGN_UTILITY" --timestamp \
-      --force \
-      -v -s "$JB_DEVELOPER_CERT" --options=runtime \
-      --entitlements "$SCRIPT_DIR/entitlements.xml" {} \;
+      -exec sh -c '"$1" --timestamp --force -v -s "$2" --options=runtime --entitlements "$3" "$4" || exit 1' sh "$SIGN_UTILITY" "$JB_DEVELOPER_CERT" "$SCRIPT_DIR/entitlements.xml" {} \;
 
     (cd jarfolder; zip -q -r -o -0 ../jar.jar .)
     mv jar.jar "$file"
@@ -136,9 +129,7 @@ for f in \
   if [ -d "$APPLICATION_PATH/$f" ]; then
     find "$APPLICATION_PATH/$f" \
       -type f \( -name "*.jnilib" -o -name "*.dylib" -o -name "*.so" -o -name "*.tbd" -o -perm +111 \) \
-      -exec "$SIGN_UTILITY" --timestamp \
-      -v -s "$JB_DEVELOPER_CERT" --options=runtime --force \
-      --entitlements "$SCRIPT_DIR/entitlements.xml" {} \;
+      -exec sh -c '"$1" --timestamp -v -s "$2" --options=runtime --force --entitlements "$3" "$4" || exit 1' sh "$SIGN_UTILITY" "$JB_DEVELOPER_CERT" "$SCRIPT_DIR/entitlements.xml" {} \;
   fi
 done
 
@@ -154,7 +145,7 @@ if [ "$JB_SIGN" = true ]; then for f in \
         "$SIGN_UTILITY" --timestamp \
             -v -s "$JB_DEVELOPER_CERT" --options=runtime \
             --force \
-            --entitlements "$SCRIPT_DIR/entitlements.xml" tmp-to-sign.tar.gz
+            --entitlements "$SCRIPT_DIR/entitlements.xml" tmp-to-sign.tar.gz || exit 1
         rm -rf "$line"
         tar -xzf tmp-to-sign.tar.gz --directory "$(dirname "$line")"
         rm -f tmp-to-sign.tar.gz
@@ -180,15 +171,15 @@ if [ "$JB_SIGN" = true ]; then
   "$SIGN_UTILITY" --timestamp \
     -v -s "$JB_DEVELOPER_CERT" --options=runtime \
     --force \
-    --entitlements "$SCRIPT_DIR/entitlements.xml" tmp-to-sign.tar.gz
+    --entitlements "$SCRIPT_DIR/entitlements.xml" tmp-to-sign.tar.gz || exit 1
   rm -rf "$APPLICATION_PATH"
   tar -xzf tmp-to-sign.tar.gz --directory "$(dirname "$APPLICATION_PATH")"
   rm -f tmp-to-sign.tar.gz
 else
   "$SIGN_UTILITY" --timestamp \
     -v -s "$JB_DEVELOPER_CERT" --options=runtime \
     --force \
-    --entitlements "$SCRIPT_DIR/entitlements.xml" "$APPLICATION_PATH"
+    --entitlements "$SCRIPT_DIR/entitlements.xml" "$APPLICATION_PATH" || exit 1
 fi
 
 BUILD_NAME="$(basename "$APPLICATION_PATH")"