From ce256cf6727dea8ebff32895bb04bf0af06946eb Mon Sep 17 00:00:00 2001 From: Changming Sun Date: Fri, 4 Oct 2024 14:30:17 -0700 Subject: [PATCH] Re-enable codesign for maven packages (#22308) ### Description PR #22217 was reverted. This PR re-enables it. ### Motivation and Context --- .../build-perf-test-binaries-pipeline.yml | 1 + .../mac-react-native-ci-pipeline.yml | 1 + .../npm-packaging-pipeline.yml | 1 + .../stages/java-cuda-packaging-stage.yml | 4 ++ .../templates/android-java-api-aar.yml | 9 +++ .../azure-pipelines/templates/c-api-cpu.yml | 6 ++ .../templates/jar-maven-signing-linux.yml | 56 +++++++++++++++ .../templates/jar-maven-signing-win.yml | 70 +++++++++++++++++++ ...device-training-cpu-packaging-pipeline.yml | 2 + .../templates/react-native-ci.yml | 5 ++ 10 files changed, 155 insertions(+) create mode 100644 tools/ci_build/github/azure-pipelines/templates/jar-maven-signing-linux.yml create mode 100644 tools/ci_build/github/azure-pipelines/templates/jar-maven-signing-win.yml diff --git a/tools/ci_build/github/azure-pipelines/build-perf-test-binaries-pipeline.yml b/tools/ci_build/github/azure-pipelines/build-perf-test-binaries-pipeline.yml index d37e9bdc5da4c..50d4d8a912585 100644 --- a/tools/ci_build/github/azure-pipelines/build-perf-test-binaries-pipeline.yml +++ b/tools/ci_build/github/azure-pipelines/build-perf-test-binaries-pipeline.yml @@ -29,6 +29,7 @@ stages: job_name_suffix: 'Full' publish_executables: '1' pool_name: 'onnxruntime-Ubuntu2204-AMD-CPU' + enable_code_sign: false # build Python packages # Linux GPU only diff --git a/tools/ci_build/github/azure-pipelines/mac-react-native-ci-pipeline.yml b/tools/ci_build/github/azure-pipelines/mac-react-native-ci-pipeline.yml index 310f6a81a54da..ba9610ffee793 100644 --- a/tools/ci_build/github/azure-pipelines/mac-react-native-ci-pipeline.yml +++ b/tools/ci_build/github/azure-pipelines/mac-react-native-ci-pipeline.yml 
@@ -64,3 +64,4 @@ stages: NpmPackagingMode: ${{ variables.NpmPackagingMode }} BuildConfig: 'Release' PoolName: 'onnxruntime-Ubuntu2204-AMD-CPU' + enable_code_sign: false diff --git a/tools/ci_build/github/azure-pipelines/npm-packaging-pipeline.yml b/tools/ci_build/github/azure-pipelines/npm-packaging-pipeline.yml index 9d5628fd36505..e7034b563a0fc 100644 --- a/tools/ci_build/github/azure-pipelines/npm-packaging-pipeline.yml +++ b/tools/ci_build/github/azure-pipelines/npm-packaging-pipeline.yml @@ -57,6 +57,7 @@ stages: PoolName: 'onnxruntime-Ubuntu2204-AMD-CPU' PackageName: 'onnxruntime-react-native' InitialStageDependsOn: 'Precheck_and_extract_commit' + enable_code_sign: false - stage: Download_Node_Package_And_Publish_Validation_Script dependsOn: diff --git a/tools/ci_build/github/azure-pipelines/stages/java-cuda-packaging-stage.yml b/tools/ci_build/github/azure-pipelines/stages/java-cuda-packaging-stage.yml index 430dc89b5b097..61e181a6004e9 100644 --- a/tools/ci_build/github/azure-pipelines/stages/java-cuda-packaging-stage.yml +++ b/tools/ci_build/github/azure-pipelines/stages/java-cuda-packaging-stage.yml @@ -58,6 +58,10 @@ stages: showWarnings: true workingDirectory: '$(Build.BinariesDirectory)\java-artifact' + - template: ../templates/jar-maven-signing-win.yml + parameters: + JarFileDirectory: '$(Build.BinariesDirectory)\java-artifact\onnxruntime-java-win-x64' + - task: CopyFiles@2 displayName: 'Copy Java Files to Artifact Staging Directory' inputs: diff --git a/tools/ci_build/github/azure-pipelines/templates/android-java-api-aar.yml b/tools/ci_build/github/azure-pipelines/templates/android-java-api-aar.yml index 8ce0e09dce605..73f4620440a6c 100644 --- a/tools/ci_build/github/azure-pipelines/templates/android-java-api-aar.yml +++ b/tools/ci_build/github/azure-pipelines/templates/android-java-api-aar.yml 
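Review bot: The `jar-maven-signing-win.yml` include added after the `workingDirectory: '$(Build.BinariesDirectory)\java-artifact'` step is unconditional, so every run of this stage will execute the AzureKeyVault task and attempt GPG signing, whereas the AAR signing in c-api-cpu.yml is gated on `${{ parameters.DoEsrp }}`. The same unconditional include is added in c-api-cpu.yml at its `@@ -236,6 +238,10 @@` hunk, where `DoEsrp` is available in that file; there it can be wrapped as `- ${{ if eq(parameters.DoEsrp, true) }}:` with the template entry nested one level deeper. Whether java-cuda-packaging-stage.yml has an equivalent flag is not visible in the hunk; if it does not, consider adding one so non-release runs do not need access to the `ort-release` vault.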
@@ -39,6 +39,9 @@ parameters: displayName: Package Name type: string default: 'onnxruntime-android' +- name: enable_code_sign + displayName: Use GPG to sign the jars + type: boolean jobs: - job: Android_Java_API_AAR_Packaging_${{ parameters.job_name_suffix }} @@ -102,6 +105,12 @@ jobs: /bin/bash /onnxruntime_src/tools/ci_build/github/android/build_aar_and_copy_artifacts.sh workingDirectory: $(Build.SourcesDirectory) + + - ${{ if eq(parameters['enable_code_sign'], 'true') }}: + - template: jar-maven-signing-linux.yml + parameters: + JarFileDirectory: '$(artifacts_directory)' + - task: PublishBuildArtifacts@1 inputs: pathtoPublish: '$(artifacts_directory)' diff --git a/tools/ci_build/github/azure-pipelines/templates/c-api-cpu.yml b/tools/ci_build/github/azure-pipelines/templates/c-api-cpu.yml index 3e90a401d4deb..e99538a595f69 100644 --- a/tools/ci_build/github/azure-pipelines/templates/c-api-cpu.yml +++ b/tools/ci_build/github/azure-pipelines/templates/c-api-cpu.yml @@ -71,6 +71,8 @@ stages: artifactName: 'onnxruntime-android-full-aar' job_name_suffix: 'Full' publish_executables: '1' + enable_code_sign: ${{ parameters.DoEsrp }} + - template: android-java-api-aar-test.yml parameters: artifactName: 'onnxruntime-android-full-aar' @@ -236,6 +238,10 @@ stages: showWarnings: true workingDirectory: '$(Build.BinariesDirectory)\java-artifact' + - template: jar-maven-signing-win.yml + parameters: + JarFileDirectory: '$(Build.BinariesDirectory)\java-artifact\onnxruntime-java-win-x64' + - task: CopyFiles@2 displayName: 'Copy Java Files to Artifact Staging Directory' inputs: diff --git a/tools/ci_build/github/azure-pipelines/templates/jar-maven-signing-linux.yml b/tools/ci_build/github/azure-pipelines/templates/jar-maven-signing-linux.yml new file mode 100644 index 0000000000000..ca7e3f6148e26 --- /dev/null +++ b/tools/ci_build/github/azure-pipelines/templates/jar-maven-signing-linux.yml 
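Review bot: The new `enable_code_sign` parameter is declared as `type: boolean` with no `default`, which makes it mandatory for every consumer of android-java-api-aar.yml, while the neighbouring `packageName` parameter keeps a default; any pipeline including this template that this patch did not update will fail template validation. Giving it `default: false` keeps the unsigned build as the safe opt-out and matches the `enable_code_sign: false` values the patch passes from the CI pipelines. The same missing default applies to the `enable_code_sign` parameter added to react-native-ci.yml in its `@@ -23,6 +23,10 @@` hunk.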
@@ -0,0 +1,56 @@ +parameters: + - name: JarFileDirectory + type: string + +steps: + - task: AzureKeyVault@2 + displayName: 'Get GnuPG signing keys' + inputs: + #The value below is the name of an ADO service connection. + azureSubscription: 'OnnxrunTimeCodeSign_20240611' + KeyVaultName: 'ort-release' + SecretsFilter: 'java-pgp-pwd,java-pgp-key' + RunAsPreJob: false + + - task: CmdLine@2 + displayName: 'Sign jar files: GnuPG and sha256' + inputs: + workingDirectory: '$(Build.SourcesDirectory)' + script: | + #!/bin/bash + set -e + + jar_file_directory='${{ parameters.JarFileDirectory }}' + working_directory='$(Build.SourcesDirectory)' + original_private_key='$(java-pgp-key)' + original_passphrase='$(java-pgp-pwd)' + + private_key_file=$working_directory/private_key.txt + passphrase_file=$working_directory/passphrase.txt + + echo "Generating GnuPG key files." + printf "%s" "$original_private_key" >$private_key_file + printf "%s" "$original_passphrase" >$passphrase_file + echo "Generated GnuPG key files." + + echo "Importing GnuPG private key file." + gpg --batch --import $private_key_file + echo "Imported GnuPG private key file." + + for file in $(find $jar_file_directory -type f); do + echo "GnuPG signing to file: $file" + gpg --pinentry-mode loopback --passphrase-file $passphrase_file -ab $file + echo "GnuPG signed to file: $file" + done + + for file in $(find $jar_file_directory -type f); do + echo "Adding checksum of sha256 to file: $file" + sha256sum $file | awk '{print $1}' >$file.sha256 + echo "Added checksum of sha256 to file: $file" + done + + echo "GnuPG and sha256 signing to files completed." + echo "Deleting GnuPG key files." + rm -f $private_key_file + rm -f $passphrase_file + echo "Deleted GnuPG key files." diff --git a/tools/ci_build/github/azure-pipelines/templates/jar-maven-signing-win.yml b/tools/ci_build/github/azure-pipelines/templates/jar-maven-signing-win.yml new file mode 100644 index 0000000000000..182a2ebe3b4c9 --- /dev/null 
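Review bot: In the `Sign jar files: GnuPG and sha256` step the private key and passphrase are written to `private_key.txt` and `passphrase.txt` under `$(Build.SourcesDirectory)` and only removed by the `rm -f` lines at the end of the script; with `set -e` any failing `gpg` call exits before they run, leaving the key material on the agent, and the imported private key also stays in the agent's default `~/.gnupg` keyring on the success path. Registering the cleanup with `trap 'rm -rf "$gnupg_home" "$private_key_file" "$passphrase_file"' EXIT` right after the variables are set, creating `gnupg_home=$(mktemp -d)` and passing `--homedir "$gnupg_home"` to both `gpg` invocations makes removal unconditional and keeps the key out of any persistent keyring. The secrets are also spliced into the script text through `'$(java-pgp-key)'` and `'$(java-pgp-pwd)'`; mapping them with an `env:` block on the task and reading them as environment variables (e.g. `$JAVA_PGP_KEY`, a constructed name) avoids the quoting hazard if a passphrase contains a single quote. Separately, `for file in $(find $jar_file_directory -type f)` and the unquoted `$file` break on paths containing whitespace; `find "$jar_file_directory" -type f -print0 | while IFS= read -r -d '' file` is the usual fix.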
+++ b/tools/ci_build/github/azure-pipelines/templates/jar-maven-signing-win.yml 
@@ -0,0 +1,70 @@ +parameters: + - name: JarFileDirectory + type: string + +steps: + - task: AzureKeyVault@2 + displayName: 'Get GnuPG signing keys' + inputs: + azureSubscription: 'OnnxrunTimeCodeSign_20240611' + KeyVaultName: 'ort-release' + SecretsFilter: 'java-pgp-pwd,java-pgp-key' + RunAsPreJob: false + + - task: PowerShell@2 + displayName: 'Sign jar files: GnuPG and sha256' + inputs: + targetType: 'inline' + workingDirectory: '$(Build.SourcesDirectory)' + script: | + $jar_file_directory = '${{ parameters.JarFileDirectory }}' + $working_directory = '$(Build.SourcesDirectory)' + + $original_passphrase='$(java-pgp-pwd)' + $original_private_key='$(java-pgp-key)' + + $gpg_exe_path = "C:\Program Files (x86)\gnupg\bin\gpg.exe" + + $passphrase_file = Join-Path -Path $working_directory -ChildPath "passphrase.txt" + $private_key_file = Join-Path -Path $working_directory -ChildPath "private_key.txt" + + Write-Host "Generating GnuPG key files." + Out-File -FilePath $passphrase_file -InputObject $original_passphrase -NoNewline -Encoding ascii + Out-File -FilePath $private_key_file -InputObject $original_private_key -NoNewline -Encoding ascii + Write-Host "Generated GnuPG key files." + + Write-Host "Importing GnuPG private key file." + & $gpg_exe_path --batch --import $private_key_file + if ($lastExitCode -ne 0) { + Write-Host -Object "GnuPG importing private key command failed. Exitcode: $exitCode" + exit $lastExitCode + } + Write-Host "Imported GnuPG private key file." + + $targeting_original_files = Get-ChildItem $jar_file_directory -Recurse -Force -File -Name + foreach ($file in $targeting_original_files) { + $file_path = Join-Path $jar_file_directory -ChildPath $file + Write-Host "GnuPG signing to file: "$file_path + & $gpg_exe_path --pinentry-mode loopback --passphrase-file $passphrase_file -ab $file_path + if ($lastExitCode -ne 0) { + Write-Host -Object "GnuPG signing file command failed. 
Exitcode: $exitCode" + exit $lastExitCode + } + Write-Host "GnuPG signed to file: "$file_path + } + + $targeting_asc_files = Get-ChildItem $jar_file_directory -Recurse -Force -File -Name + foreach ($file in $targeting_asc_files) { + $file_path = Join-Path $jar_file_directory -ChildPath $file + Write-Host "Adding checksum of sha256 to file: "$file_path + $file_path_sha256 = $file_path + ".sha256" + CertUtil -hashfile $file_path SHA256 + CertUtil -hashfile $file_path SHA256 | find /v `"hash`" | Out-File -FilePath $file_path_sha256 + Write-Host "Added checksum of sha256 to file: "$file_path + } + + Write-Host "GnuPG and sha256 signing to files completed." + Write-Host "Deleting GnuPG key files." + Remove-Item -Path $passphrase_file + Remove-Item -Path $private_key_file + Write-Host "Deleted GnuPG key files." diff --git a/tools/ci_build/github/azure-pipelines/templates/ondevice-training-cpu-packaging-pipeline.yml b/tools/ci_build/github/azure-pipelines/templates/ondevice-training-cpu-packaging-pipeline.yml index 022f85cc0a463..5cfa135135dca 100644 --- a/tools/ci_build/github/azure-pipelines/templates/ondevice-training-cpu-packaging-pipeline.yml +++ b/tools/ci_build/github/azure-pipelines/templates/ondevice-training-cpu-packaging-pipeline.yml @@ -100,6 +100,8 @@ stages: job_name_suffix: 'Training_Full' publish_executables: '1' packageName: onnxruntime-training-android + enable_code_sign: true + - template: android-java-api-aar-test.yml parameters: artifactName: 'onnxruntime-training-android-full-aar' diff --git a/tools/ci_build/github/azure-pipelines/templates/react-native-ci.yml b/tools/ci_build/github/azure-pipelines/templates/react-native-ci.yml index 5fea265d59392..8593aa2d821fa 100644 --- a/tools/ci_build/github/azure-pipelines/templates/react-native-ci.yml +++ b/tools/ci_build/github/azure-pipelines/templates/react-native-ci.yml 
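Review bot: The failure messages after both `& $gpg_exe_path` calls interpolate `$exitCode`, which is never assigned, so the log prints an empty exit code while `exit $lastExitCode` uses the real one; they should read `Exitcode: $lastExitCode`. As in the Linux template, the `Remove-Item` calls for `passphrase.txt` and `private_key.txt` run only on the success path, so the `exit $lastExitCode` branches leave both files on the agent; the body after the two `Out-File` calls belongs in `try { ... } finally { Remove-Item -Path $passphrase_file; Remove-Item -Path $private_key_file }`. The `.sha256` files are written with `Out-File` and no `-Encoding`, which under Windows PowerShell 5.1 produces UTF-16 with a BOM, unlike the `-Encoding ascii` used for the key files a few lines earlier and unlike the plain text `sha256sum` writes in the Linux template; adding `-Encoding ascii` keeps the checksum files verifiable by ordinary tools. CertUtil's exit code is never checked, and the first `CertUtil -hashfile $file_path SHA256` call only echoes to the log and can be dropped.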
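Review bot: `enable_code_sign: true` is hard-coded for the `Training_Full` AAR job, whereas the equivalent job in c-api-cpu.yml passes `${{ parameters.DoEsrp }}`; if this template is ever included by a CI or PR pipeline, every run will invoke the AzureKeyVault task against the `ort-release` vault and fail without the service connection. Whether ondevice-training-cpu-packaging-pipeline.yml exposes a DoEsrp-style parameter is not visible in the hunk; if it does, `enable_code_sign: ${{ parameters.DoEsrp }}` keeps the two templates consistent.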
@@ -23,6 +23,10 @@ parameters: displayName: 'Stage that the initial stage of react-native-ci depends on' type: string default: '' + +- name: enable_code_sign + displayName: Use GPG to sign the jars + type: boolean stages: - stage: Build_Packages @@ -36,6 +40,7 @@ stages: buildSettings: '$(Build.SourcesDirectory)/tools/ci_build/github/js/react_native_e2e_full_aar_build_settings.json' artifactName: 'onnxruntime-android-full-aar' job_name_suffix: 'For_React_Native' + enable_code_sign: '${{parameters.enable_code_sign}}' pool_name: '${{parameters.PoolName}}' packageName: 'onnxruntime-android'