Update verify_signing.groovy to check Windows exes only have one sign…

…ature Signed-off-by: Andrew Leonard <[email protected]>
adoptium · Dec 5, 2024 · fe5b0b9 · fe5b0b9
1 parent 4b16a3e
commit fe5b0b9
Showing 1 changed file with 16 additions and 6 deletions.
diff --git a/pipelines/build/common/verify_signing.groovy b/pipelines/build/common/verify_signing.groovy
@@ -22,6 +22,7 @@ Parameters:
   - TARGET_OS            : "mac" or "windows"
   - TARGET_ARCH          : "aarch64 or "x64" or "x86-32"
   - NODE_LABEL           : Jenkins label for where to run
+  - CERT_ISSUED_TO       : Issued to org name to verify Windows Signatures
 
 */
 
@@ -112,7 +113,7 @@ void unpackArchives(String unpack_dir, String[] archives) {
 }
 
 // Verify executables for Signatures
-void verifyExecutables(String unpack_dir) {
+void verifyExecutables(String unpack_dir, String issueToOrg) {
     if (params.TARGET_OS == "mac") {
         // On Mac find all dylib's and "executable" binaries
         // Ignore "legal" text folder to reduce the number of non-extension files it finds...
@@ -185,12 +186,21 @@ void verifyExecutables(String unpack_dir) {
                         unsigned="$unsigned $f"
                         cc_unsigned=$((cc_unsigned+1))
                     else
-                        num_sigs=$("${signtool}" verify /all /pa ${f} | grep -E '^[0-9][[:space:]]+sha256' | wc -l)
-                        if [[ "$num_sigs" -ne 1 ]]; then
-                            echo "Error: ${f} has ${num_sigs} Signatures, it must only have one."
+                        num_microsoft_sigs=$("${signtool}" verify /v /all /pa ${f} | grep "Issued to:" | grep "Microsoft" | wc -l)
+                        num_org_sigs=$("${signtool}" verify /v /all /pa ${f} | grep "Issued to:" | grep "${issueToOrg}" | wc -l)
+                        if [[ "$num_microsoft_sigs" -ne 0 ]] && [[ "$num_org_sigs" -ne 0 ]]; then
+                            echo "Error: ${f} should not be signed by ${issueToOrg} as it is already signed by Microsoft."
                             unsigned="$unsigned $f"
                             cc_unsigned=$((cc_unsigned+1))
-                        else
+                        elif [[ "$num_microsoft_sigs" -eq 0 ]] && [[ "$num_org_sigs" -gt 1 ]]; then
+                            echo "Error: ${f} is signed by ${issueToOrg} ${num_org_sigs} times, it must only be signed once."
+                            unsigned="$unsigned $f"
+                            cc_unsigned=$((cc_unsigned+1))
+                        elif [[ "$num_microsoft_sigs" -eq 0 ]] && [[ "$num_org_sigs" -eq 0 ]]; then
+                            echo "Error: ${f} is NOT signed by ${issueToOrg}."
+                            unsigned="$unsigned $f"
+                            cc_unsigned=$((cc_unsigned+1))
+                        elif
                             echo "Signed correctly: ${f}"
                             cc_signed=$((cc_signed+1))
                         fi
@@ -362,7 +372,7 @@ if (params.TARGET_OS != "mac" && params.TARGET_OS != "windows") {
                 unpackArchives(unpack_dir, archives)
 
                 // Verify all executables for Signatures
-                verifyExecutables(unpack_dir)
+                verifyExecutables(unpack_dir, "${params.CERT_ISSUED_TO}")
 
                 // Verify installers (if built) are Signed and Notarized(mac only)
                 verifyInstallers()