From b81e76b9a69b9b943a1ee4a08c880eba5d6867bd Mon Sep 17 00:00:00 2001
From: Kyle <92152685+idiskyle@users.noreply.github.com>
Date: Fri, 27 Sep 2024 17:50:06 +0800
Subject: [PATCH] Jar Maven Signing - GnuPG and sha256 (#22217)
### Description
Jar maven signing:
- GnuPG
- sha256.
Jar packages artifacts:
- onnxruntime-android-full-aar
- onnxruntime-java
- onnxruntime-java-gpu
### Motivation and Context
Previously, it is manually signed. Goal: make it automatically.
---
.../stages/java-cuda-packaging-stage.yml | 4 ++
.../templates/android-java-api-aar.yml | 4 ++
.../azure-pipelines/templates/c-api-cpu.yml | 4 ++
.../templates/jar-maven-signing-linux.yml | 55 +++++++++++++++
.../templates/jar-maven-signing-win.yml | 70 +++++++++++++++++++
5 files changed, 137 insertions(+)
create mode 100644 tools/ci_build/github/azure-pipelines/templates/jar-maven-signing-linux.yml
create mode 100644 tools/ci_build/github/azure-pipelines/templates/jar-maven-signing-win.yml
diff --git a/tools/ci_build/github/azure-pipelines/stages/java-cuda-packaging-stage.yml b/tools/ci_build/github/azure-pipelines/stages/java-cuda-packaging-stage.yml
index 430dc89b5b097..61e181a6004e9 100644
--- a/tools/ci_build/github/azure-pipelines/stages/java-cuda-packaging-stage.yml
+++ b/tools/ci_build/github/azure-pipelines/stages/java-cuda-packaging-stage.yml
@@ -58,6 +58,10 @@ stages:
 showWarnings: true
 workingDirectory: '$(Build.BinariesDirectory)\java-artifact'
+ - template: ../templates/jar-maven-signing-win.yml
+ parameters:
+ JarFileDirectory: '$(Build.BinariesDirectory)\java-artifact\onnxruntime-java-win-x64'
+
 - task: CopyFiles@2
 displayName: 'Copy Java Files to Artifact Staging Directory'
 inputs:
diff --git a/tools/ci_build/github/azure-pipelines/templates/android-java-api-aar.yml b/tools/ci_build/github/azure-pipelines/templates/android-java-api-aar.yml
index 8ce0e09dce605..ecc0a53f028a4 100644
--- a/tools/ci_build/github/azure-pipelines/templates/android-java-api-aar.yml
+++ b/tools/ci_build/github/azure-pipelines/templates/android-java-api-aar.yml
@@ -102,6 +102,10 @@ jobs:
 /bin/bash /onnxruntime_src/tools/ci_build/github/android/build_aar_and_copy_artifacts.sh
 workingDirectory: $(Build.SourcesDirectory)
+ - template: jar-maven-signing-linux.yml
+ parameters:
+ JarFileDirectory: '$(artifacts_directory)'
+
 - task: PublishBuildArtifacts@1
 inputs:
 pathtoPublish: '$(artifacts_directory)'
diff --git a/tools/ci_build/github/azure-pipelines/templates/c-api-cpu.yml b/tools/ci_build/github/azure-pipelines/templates/c-api-cpu.yml
index 3e90a401d4deb..a483db2f9688e 100644
--- a/tools/ci_build/github/azure-pipelines/templates/c-api-cpu.yml
+++ b/tools/ci_build/github/azure-pipelines/templates/c-api-cpu.yml
@@ -236,6 +236,10 @@ stages:
 showWarnings: true
 workingDirectory: '$(Build.BinariesDirectory)\java-artifact'
+ - template: jar-maven-signing-win.yml
+ parameters:
+ JarFileDirectory: '$(Build.BinariesDirectory)\java-artifact\onnxruntime-java-win-x64'
+
 - task: CopyFiles@2
 displayName: 'Copy Java Files to Artifact Staging Directory'
 inputs:
diff --git a/tools/ci_build/github/azure-pipelines/templates/jar-maven-signing-linux.yml b/tools/ci_build/github/azure-pipelines/templates/jar-maven-signing-linux.yml
new file mode 100644
index 0000000000000..96be3b7b0746e
--- /dev/null
+++ b/tools/ci_build/github/azure-pipelines/templates/jar-maven-signing-linux.yml
@@ -0,0 +1,55 @@
+parameters:
+ - name: JarFileDirectory
+ type: string
+
+steps:
+ - task: AzureKeyVault@2
+ displayName: 'Get GnuPG signing keys'
+ inputs:
+ azureSubscription: 'OnnxrunTimeCodeSign_20240611'
+ KeyVaultName: 'ort-release'
+ SecretsFilter: 'java-pgp-pwd,java-pgp-key'
+ RunAsPreJob: false
+
+ - task: CmdLine@2
+ displayName: 'Sign jar files: GnuPG and sha256'
+ inputs:
+ workingDirectory: '$(Build.SourcesDirectory)'
+ script: |
+ #!/bin/bash
+ set -ex
+
+ jar_file_directory='${{ parameters.JarFileDirectory }}'
+ working_directory='$(Build.SourcesDirectory)'
+ original_private_key='$(java-pgp-key)'
+ original_passphrase='$(java-pgp-pwd)'
+
+ private_key_file=$working_directory/private_key.txt
+ passphrase_file=$working_directory/passphrase.txt
+
+ echo "Generating GnuPG key files."
+ printf "%s" "$original_private_key" >$private_key_file
+ printf "%s" "$original_passphrase" >$passphrase_file
+ echo "Generated GnuPG key files."
+
+ echo "Importing GnuPG private key file."
+ gpg --batch --import $private_key_file
+ echo "Imported GnuPG private key file."
+
+ for file in $(find $jar_file_directory -type f); do
+ echo "GnuPG signing to file: $file"
+ gpg --pinentry-mode loopback --passphrase-file $passphrase_file -ab $file
+ echo "GnuPG signed to file: $file"
+ done
+
+ for file in $(find $jar_file_directory -type f); do
+ echo "Adding checksum of sha256 to file: $file"
+ sha256sum $file | awk '{print $1}' >$file.sha256
+ echo "Added checksum of sha256 to file: $file"
+ done
+
+ echo "GnuPG and sha256 signing to files completed."
+ echo "Deleting GnuPG key files."
+ rm -f $private_key_file
+ rm -f $passphrase_file
+ echo "Deleted GnuPG key files."
diff --git a/tools/ci_build/github/azure-pipelines/templates/jar-maven-signing-win.yml b/tools/ci_build/github/azure-pipelines/templates/jar-maven-signing-win.yml
new file mode 100644
index 0000000000000..182a2ebe3b4c9
--- /dev/null
+++ b/tools/ci_build/github/azure-pipelines/templates/jar-maven-signing-win.yml
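Review bot: `set -ex` in the CmdLine step traces every command to the job log, so the assignments `original_private_key='$(java-pgp-key)'` / `original_passphrase='$(java-pgp-pwd)'` and the two `printf` lines echo the private key and passphrase in expanded form, and the pipeline's log masking of secrets is best-effort (a multi-line armored key in particular is not reliably redacted); the trace should go: `set -e`. The key material is also written into `$(Build.SourcesDirectory)` with whatever umask the agent has (typically world-readable), and under `set -e` a failing `gpg` exits before the `rm -f` lines run, leaving `private_key.txt` and `passphrase.txt` on disk, so add `umask 077` before the `printf` lines and `trap 'rm -f -- "$private_key_file" "$passphrase_file"' EXIT` right after the two paths are set. The imported key additionally stays in the agent's default keyring after the step; if the agent is not ephemeral, pointing `gpg` at a temporary `--homedir` that the same trap removes keeps the signing key from persisting between jobs. The second `find` loop runs after the `.asc` files exist, so it also produces `*.asc.sha256`; the Windows template names that list `$targeting_asc_files`, so this looks intended, but a one-line comment saying so would save the next reader the question. The same on-failure cleanup gap applies to the PowerShell template in the next hunk.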
@@ -0,0 +1,70 @@
+parameters:
+ - name: JarFileDirectory
+ type: string
+
+steps:
+ - task: AzureKeyVault@2
+ displayName: 'Get GnuPG signing keys'
+ inputs:
+ azureSubscription: 'OnnxrunTimeCodeSign_20240611'
+ KeyVaultName: 'ort-release'
+ SecretsFilter: 'java-pgp-pwd,java-pgp-key'
+ RunAsPreJob: false
+
+ - task: PowerShell@2
+ displayName: 'Sign jar files: GnuPG and sha256'
+ inputs:
+ targetType: 'inline'
+ workingDirectory: '$(Build.SourcesDirectory)'
+ script: |
+ $jar_file_directory = '${{ parameters.JarFileDirectory }}'
+ $working_directory = '$(Build.SourcesDirectory)'
+
+ $original_passphrase='$(java-pgp-pwd)'
+ $original_private_key='$(java-pgp-key)'
+
+ $gpg_exe_path = "C:\Program Files (x86)\gnupg\bin\gpg.exe"
+
+ $passphrase_file = Join-Path -Path $working_directory -ChildPath "passphrase.txt"
+ $private_key_file = Join-Path -Path $working_directory -ChildPath "private_key.txt"
+
+ Write-Host "Generating GnuPG key files."
+ Out-File -FilePath $passphrase_file -InputObject $original_passphrase -NoNewline -Encoding ascii
+ Out-File -FilePath $private_key_file -InputObject $original_private_key -NoNewline -Encoding ascii
+ Write-Host "Generated GnuPG key files."
+
+ Write-Host "Importing GnuPG private key file."
+ & $gpg_exe_path --batch --import $private_key_file
+ if ($lastExitCode -ne 0) {
+ Write-Host -Object "GnuPG importing private key command failed. Exitcode: $exitCode"
+ exit $lastExitCode
+ }
+ Write-Host "Imported GnuPG private key file."
+
+ $targeting_original_files = Get-ChildItem $jar_file_directory -Recurse -Force -File -Name
+ foreach ($file in $targeting_original_files) {
+ $file_path = Join-Path $jar_file_directory -ChildPath $file
+ Write-Host "GnuPG signing to file: "$file_path
+ & $gpg_exe_path --pinentry-mode loopback --passphrase-file $passphrase_file -ab $file_path
+ if ($lastExitCode -ne 0) {
+ Write-Host -Object "GnuPG signing file command failed. 
Exitcode: $exitCode"
+ exit $lastExitCode
+ }
+ Write-Host "GnuPG signed to file: "$file_path
+ }
+
+ $targeting_asc_files = Get-ChildItem $jar_file_directory -Recurse -Force -File -Name
+ foreach ($file in $targeting_asc_files) {
+ $file_path = Join-Path $jar_file_directory -ChildPath $file
+ Write-Host "Adding checksum of sha256 to file: "$file_path
+ $file_path_sha256 = $file_path + ".sha256"
+ CertUtil -hashfile $file_path SHA256
+ CertUtil -hashfile $file_path SHA256 | find /v `"hash`" | Out-File -FilePath $file_path_sha256
+ Write-Host "Added checksum of sha256 to file: "$file_path
+ }
+
+ Write-Host "GnuPG and sha256 signing to files completed."
+ Write-Host "Deleting GnuPG key files."
+ Remove-Item -Path $passphrase_file
+ Remove-Item -Path $private_key_file
+ Write-Host "Deleted GnuPG key files."
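Review bot: Both failure branches interpolate a variable that is never assigned — `Write-Host -Object "GnuPG importing private key command failed. Exitcode: $exitCode"` after the import and the same message inside the signing loop — so the logged exit code is always empty; they should read `Exitcode: $lastExitCode`, matching the `exit $lastExitCode` that follows each. Those `exit` calls also run before the two `Remove-Item` lines, so any gpg failure leaves `passphrase.txt` and `private_key.txt` behind in `$(Build.SourcesDirectory)`; wrapping everything from the first `Out-File` through the checksum loop in `try { … } finally { Remove-Item -Path $passphrase_file, $private_key_file -ErrorAction SilentlyContinue }` closes that path. The checksum write `Out-File -FilePath $file_path_sha256` carries no `-Encoding`, so under Windows PowerShell (the task default unless `pwsh: true` is set) the `.sha256` file comes out UTF-16 with a BOM, whereas the Linux template writes plain hex; adding `-Encoding ascii`, as the two key-file writes already do, keeps the published artifacts uniform. `CertUtil` is never checked (`$lastExitCode` is only read after the gpg calls) and the first bare `CertUtil -hashfile $file_path SHA256` only echoes to the log, so it can be dropped and the piped call followed by the same `$lastExitCode` test used for gpg.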