Re-enable codesign for maven packages

tools/ci_build/github/azure-pipelines/build-perf-test-binaries-pipeline.yml

@@ -29,6 +29,7 @@ stages:
         job_name_suffix: 'Full'
         publish_executables: '1'
         pool_name: 'onnxruntime-Ubuntu2204-AMD-CPU'
+        enable_code_sign: false
 
 # build Python packages
 # Linux GPU only

tools/ci_build/github/azure-pipelines/mac-react-native-ci-pipeline.yml

@@ -64,3 +64,4 @@ stages:
     NpmPackagingMode: ${{ variables.NpmPackagingMode }}
     BuildConfig: 'Release'
     PoolName: 'onnxruntime-Ubuntu2204-AMD-CPU'
+    enable_code_sign: false

tools/ci_build/github/azure-pipelines/npm-packaging-pipeline.yml

@@ -57,6 +57,7 @@ stages:
     PoolName: 'onnxruntime-Ubuntu2204-AMD-CPU'
     PackageName: 'onnxruntime-react-native'
     InitialStageDependsOn: 'Precheck_and_extract_commit'
+    enable_code_sign: false
 
 - stage: Download_Node_Package_And_Publish_Validation_Script
   dependsOn:

tools/ci_build/github/azure-pipelines/stages/java-cuda-packaging-stage.yml

@@ -58,6 +58,10 @@ stages:
         showWarnings: true
         workingDirectory: '$(Build.BinariesDirectory)\java-artifact'
 
+    - template: ../templates/jar-maven-signing-win.yml
+      parameters:
+        JarFileDirectory: '$(Build.BinariesDirectory)\java-artifact\onnxruntime-java-win-x64'
+
     - task: CopyFiles@2
       displayName: 'Copy Java Files to Artifact Staging Directory'
       inputs:

tools/ci_build/github/azure-pipelines/templates/android-java-api-aar.yml

@@ -39,6 +39,9 @@ parameters:
   displayName: Package Name
   type: string
   default: 'onnxruntime-android'
+- name: enable_code_sign
+  displayName: Use GPG to sign the jars
+  type: boolean
 
 jobs:
 - job: Android_Java_API_AAR_Packaging_${{ parameters.job_name_suffix }}
@@ -102,6 +105,12 @@ jobs:
             /bin/bash /onnxruntime_src/tools/ci_build/github/android/build_aar_and_copy_artifacts.sh
       workingDirectory: $(Build.SourcesDirectory)
 
+
+  - ${{ if eq(parameters['enable_code_sign'], 'true') }}:
+    - template: jar-maven-signing-linux.yml
+      parameters:
+        JarFileDirectory: '$(artifacts_directory)'
+
   - task: PublishBuildArtifacts@1
     inputs:
       pathtoPublish: '$(artifacts_directory)'

tools/ci_build/github/azure-pipelines/templates/c-api-cpu.yml

@@ -71,6 +71,8 @@ stages:
       artifactName: 'onnxruntime-android-full-aar'
       job_name_suffix: 'Full'
       publish_executables: '1'
+      enable_code_sign: ${{ parameters.DoEsrp }}
+
   - template: android-java-api-aar-test.yml
     parameters:
       artifactName: 'onnxruntime-android-full-aar'
@@ -236,6 +238,10 @@ stages:
         showWarnings: true
         workingDirectory: '$(Build.BinariesDirectory)\java-artifact'
 
+    - template: jar-maven-signing-win.yml
+      parameters:
+        JarFileDirectory: '$(Build.BinariesDirectory)\java-artifact\onnxruntime-java-win-x64'
+
     - task: CopyFiles@2
       displayName: 'Copy Java Files to Artifact Staging Directory'
       inputs:

tools/ci_build/github/azure-pipelines/templates/jar-maven-signing-linux.yml

@@ -0,0 +1,55 @@
+parameters:
+  - name: JarFileDirectory
+    type: string
+
+steps:
+  - task: AzureKeyVault@2
+    displayName: 'Get GnuPG signing keys'
+    inputs:
+      azureSubscription: 'OnnxrunTimeCodeSign_20240611'
+      KeyVaultName: 'ort-release'
+      SecretsFilter: 'java-pgp-pwd,java-pgp-key'
+      RunAsPreJob: false
+
+  - task: CmdLine@2
+    displayName: 'Sign jar files: GnuPG and sha256'
+    inputs:
+      workingDirectory: '$(Build.SourcesDirectory)'
+      script: |
+        #!/bin/bash
+        set -x
+
+        jar_file_directory='${{ parameters.JarFileDirectory }}'
+        working_directory='$(Build.SourcesDirectory)'
+        original_private_key='$(java-pgp-key)'
+        original_passphrase='$(java-pgp-pwd)'
+
+        private_key_file=$working_directory/private_key.txt
+        passphrase_file=$working_directory/passphrase.txt
+
+        echo "Generating GnuPG key files."
+        printf "%s" "$original_private_key" >$private_key_file
+        printf "%s" "$original_passphrase" >$passphrase_file
+        echo "Generated GnuPG key files."
+
+        echo "Importing GnuPG private key file."
+        gpg --batch --import $private_key_file
+        echo "Imported GnuPG private key file."
+
+        for file in $(find $jar_file_directory -type f); do
+            echo "GnuPG signing to file: $file"
+            gpg --pinentry-mode loopback --passphrase-file $passphrase_file -ab $file
+            echo "GnuPG signed to file: $file"
+        done
+
+        for file in $(find $jar_file_directory -type f); do
+            echo "Adding checksum of sha256 to file: $file"
+            sha256sum $file | awk '{print $1}' >$file.sha256
+            echo "Added checksum of sha256 to file: $file"
+        done
+
+        echo "GnuPG and sha256 signing to files completed."
+        echo "Deleting GnuPG key files."
+        rm -f $private_key_file
+        rm -f $passphrase_file
+        echo "Deleted GnuPG key files."

tools/ci_build/github/azure-pipelines/templates/jar-maven-signing-win.yml

@@ -0,0 +1,70 @@
+parameters:
+  - name: JarFileDirectory
+    type: string
+
+steps:
+  - task: AzureKeyVault@2
+    displayName: 'Get GnuPG signing keys'
+    inputs:
+      azureSubscription: 'OnnxrunTimeCodeSign_20240611'
+      KeyVaultName: 'ort-release'
+      SecretsFilter: 'java-pgp-pwd,java-pgp-key'
+      RunAsPreJob: false
+
+  - task: PowerShell@2
+    displayName: 'Sign jar files: GnuPG and sha256'
+    inputs:
+      targetType: 'inline'
+      workingDirectory: '$(Build.SourcesDirectory)'
+      script: |
+        $jar_file_directory = '${{ parameters.JarFileDirectory }}'
+        $working_directory = '$(Build.SourcesDirectory)'
+
+        $original_passphrase='$(java-pgp-pwd)'
+        $original_private_key='$(java-pgp-key)'
+
+        $gpg_exe_path = "C:\Program Files (x86)\gnupg\bin\gpg.exe"
+
+        $passphrase_file = Join-Path -Path $working_directory -ChildPath "passphrase.txt"
+        $private_key_file = Join-Path -Path $working_directory -ChildPath "private_key.txt"
+
+        Write-Host "Generating GnuPG key files."
+        Out-File -FilePath $passphrase_file -InputObject $original_passphrase -NoNewline -Encoding ascii
+        Out-File -FilePath $private_key_file -InputObject $original_private_key -NoNewline -Encoding ascii
+        Write-Host "Generated GnuPG key files."
+
+        Write-Host "Importing GnuPG private key file."
+        & $gpg_exe_path --batch --import $private_key_file
+        if ($lastExitCode -ne 0) {
+            Write-Host -Object "GnuPG importing private key command failed. Exitcode: $exitCode"
+            exit $lastExitCode
+        }
+        Write-Host "Imported GnuPG private key file."
+
+        $targeting_original_files = Get-ChildItem $jar_file_directory -Recurse -Force -File -Name
+        foreach ($file in $targeting_original_files) {
+            $file_path = Join-Path $jar_file_directory -ChildPath $file
+            Write-Host "GnuPG signing to file: "$file_path
+            & $gpg_exe_path --pinentry-mode loopback --passphrase-file $passphrase_file -ab $file_path
+            if ($lastExitCode -ne 0) {
+                Write-Host -Object "GnuPG signing file command failed. Exitcode: $exitCode"
+                exit $lastExitCode
+            }
+            Write-Host "GnuPG signed to file: "$file_path
+        }
+
+        $targeting_asc_files = Get-ChildItem $jar_file_directory -Recurse -Force -File -Name
+        foreach ($file in $targeting_asc_files) {
+            $file_path = Join-Path $jar_file_directory -ChildPath $file
+            Write-Host "Adding checksum of sha256 to file: "$file_path
+            $file_path_sha256 = $file_path + ".sha256"
+            CertUtil -hashfile $file_path SHA256
+            CertUtil -hashfile $file_path SHA256 | find /v `"hash`" | Out-File -FilePath $file_path_sha256
+            Write-Host "Added checksum of sha256 to file: "$file_path
+        }
+
+        Write-Host "GnuPG and sha256 signing to files completed."
+        Write-Host "Deleting GnuPG key files."
+        Remove-Item -Path $passphrase_file
+        Remove-Item -Path $private_key_file
+        Write-Host "Deleted GnuPG key files."

tools/ci_build/github/azure-pipelines/templates/ondevice-training-cpu-packaging-pipeline.yml

@@ -100,6 +100,8 @@ stages:
       job_name_suffix: 'Training_Full'
       publish_executables: '1'
       packageName: onnxruntime-training-android
+      enable_code_sign: true
+
   - template: android-java-api-aar-test.yml
     parameters:
       artifactName: 'onnxruntime-training-android-full-aar'

tools/ci_build/github/azure-pipelines/templates/react-native-ci.yml

@@ -23,6 +23,10 @@ parameters:
   displayName: 'Stage that the initial stage of react-native-ci depends on'
   type: string
   default: ''
+
+- name: enable_code_sign
+  displayName: Use GPG to sign the jars
+  type: boolean
 
 stages:
 - stage: Build_Packages
@@ -36,6 +40,7 @@ stages:
       buildSettings: '$(Build.SourcesDirectory)/tools/ci_build/github/js/react_native_e2e_full_aar_build_settings.json'
       artifactName: 'onnxruntime-android-full-aar'
       job_name_suffix: 'For_React_Native'
+      enable_code_sign: '${{parameters.enable_code_sign}}'
       pool_name: '${{parameters.PoolName}}'
       packageName: 'onnxruntime-android'