From cdebf3710524d37d2d34090be929c360fac5e922 Mon Sep 17 00:00:00 2001
From: Kyle <92152685+idiskyle@users.noreply.github.com>
Date: Sat, 12 Oct 2024 03:14:03 +0800
Subject: [PATCH] Add Digital Signature to DLLs in Maven Build (#22401)

### Description
* Add digital signature to dll files in jar files.
* Jar file names: onnxruntime-{version}.jar, onnxruntime_gpu-{version}.jar
### Motivation and Context
#19204
---
 .../stages/java-cuda-packaging-stage.yml | 5 +++
 .../azure-pipelines/templates/c-api-cpu.yml | 5 +++
 .../templates/jar-esrp-dll.yml | 30 ++++++++++++++
 .../ci_build/github/windows/jar_esrp_dll.ps1 | 41 +++++++++++++++++++
 4 files changed, 81 insertions(+)
 create mode 100644 tools/ci_build/github/azure-pipelines/templates/jar-esrp-dll.yml
 create mode 100644 tools/ci_build/github/windows/jar_esrp_dll.ps1
diff --git a/tools/ci_build/github/azure-pipelines/stages/java-cuda-packaging-stage.yml b/tools/ci_build/github/azure-pipelines/stages/java-cuda-packaging-stage.yml
index 7bc61268805f2..5bd87c58b186f 100644
--- a/tools/ci_build/github/azure-pipelines/stages/java-cuda-packaging-stage.yml
+++ b/tools/ci_build/github/azure-pipelines/stages/java-cuda-packaging-stage.yml
@@ -58,6 +58,11 @@ stages:
 showWarnings: true
 workingDirectory: '$(Build.BinariesDirectory)\java-artifact'
+ - template: ../templates/jar-esrp-dll.yml
+ parameters:
+ JarFileDirectory: '$(Build.BinariesDirectory)\java-artifact\onnxruntime-java-win-x64'
+ JarFileName: 'onnxruntime_gpu-$(OnnxRuntimeVersion).jar'
+
 - template: ../templates/jar-maven-signing-win.yml
 parameters:
 JarFileDirectory: '$(Build.BinariesDirectory)\java-artifact\onnxruntime-java-win-x64'
diff --git a/tools/ci_build/github/azure-pipelines/templates/c-api-cpu.yml b/tools/ci_build/github/azure-pipelines/templates/c-api-cpu.yml
index 1dae18d2c1735..e933e1e70ff76 100644
--- a/tools/ci_build/github/azure-pipelines/templates/c-api-cpu.yml
+++ b/tools/ci_build/github/azure-pipelines/templates/c-api-cpu.yml
@@ -260,6 +260,11 @@ stages:
 showWarnings: true
 workingDirectory: '$(Build.BinariesDirectory)\java-artifact'
+ - template: jar-esrp-dll.yml
+ parameters:
+ JarFileDirectory: '$(Build.BinariesDirectory)\java-artifact\onnxruntime-java-win-x64'
+ JarFileName: 'onnxruntime-$(OnnxRuntimeVersion).jar'
+
 - template: jar-maven-signing-win.yml
 parameters:
 JarFileDirectory: '$(Build.BinariesDirectory)\java-artifact\onnxruntime-java-win-x64'
diff --git a/tools/ci_build/github/azure-pipelines/templates/jar-esrp-dll.yml b/tools/ci_build/github/azure-pipelines/templates/jar-esrp-dll.yml
new file mode 100644
index 0000000000000..b59ba551c222f
--- /dev/null
+++ b/tools/ci_build/github/azure-pipelines/templates/jar-esrp-dll.yml
@@ -0,0 +1,30 @@
+parameters:
+- name: JarFileDirectory
+ type: string
+ default: ''
+
+- name: JarFileName
+ type: string
+ default: ''
+
+steps:
+ - task: PowerShell@2
+ displayName: 'ESRP Jar - Extract Jar File'
+ inputs:
+ targetType: filePath
+ filePath: $(Build.SourcesDirectory)\tools\ci_build\github\windows\jar_esrp_dll.ps1
+ arguments: extract '${{ parameters.JarFileDirectory }}' '${{ parameters.JarFileName }}'
+ workingDirectory: '$(Build.BinariesDirectory)'
+
+ - template: win-esrp-dll.yml
+ parameters:
+ FolderPath: '${{ parameters.JarFileDirectory }}\jar_extracted_full_files'
+ DisplayName: 'ESRP Jar - Sign Dlls'
+
+ - task: PowerShell@2
+ displayName: 'ESRP Jar - Repack Jar File'
+ inputs:
+ targetType: filePath
+ filePath: $(Build.SourcesDirectory)\tools\ci_build\github\windows\jar_esrp_dll.ps1
+ arguments: repack '${{ parameters.JarFileDirectory }}' '${{ parameters.JarFileName }}'
+ workingDirectory: '$(Build.BinariesDirectory)'
diff --git a/tools/ci_build/github/windows/jar_esrp_dll.ps1 b/tools/ci_build/github/windows/jar_esrp_dll.ps1
new file mode 100644
index 0000000000000..8492d7591271b
--- /dev/null
+++ b/tools/ci_build/github/windows/jar_esrp_dll.ps1
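Review bot: Nothing in the new jar-esrp-dll.yml checks that the DLLs under `jar_extracted_full_files` actually carry a signature before the repack step runs, so if the `win-esrp-dll.yml` step is skipped or matches no files, the jar is rebuilt with unsigned DLLs, handed on to the Maven signing step, and the build stays green. A verification step between signing and repack that fails on any DLL whose Authenticode status is not `Valid` would catch that. `win-esrp-dll.yml` is not visible here, so if it is deliberately a no-op on non-release builds the check needs the same condition. Both parameters also default to `''`, which would make the script operate on `\jar_extracted_full_files` if a caller omits them; dropping the defaults makes them required.

```yaml
  # … unchanged: extract step and win-esrp-dll.yml signing step …
  - task: PowerShell@2
    displayName: 'ESRP Jar - Verify Dll Signatures'
    inputs:
      targetType: inline
      script: |
        $unsigned = Get-ChildItem -Path '${{ parameters.JarFileDirectory }}\jar_extracted_full_files' -Recurse -Filter *.dll |
          Where-Object { (Get-AuthenticodeSignature -FilePath $_.FullName).Status -ne 'Valid' }
        if ($unsigned) {
          $unsigned | ForEach-Object { Write-Host "Not signed: $($_.FullName)" }
          exit 1
        }
  # … unchanged: repack step …
```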
@@ -0,0 +1,41 @@
+$instruction = $args[0] # extract or repack
+$original_jar_file_directory = $args[1] # The directory where the original jar file is located
+$original_jar_file_name = $args[2] # The name of the original jar file
+
+$original_jar_file_full_path = "$original_jar_file_directory\$original_jar_file_name"
+$extracted_file_directory = "$original_jar_file_directory\jar_extracted_full_files"
+
+if ($instruction -eq "extract") {
+ Write-Host "Extracting the jar file $original_jar_file_full_path..."
+ & 7z x $original_jar_file_full_path -o"$extracted_file_directory"
+ if ($lastExitCode -ne 0) {
+ Write-Host -Object "7z extracting the jar file command failed. Exitcode: $exitCode"
+ exit $lastExitCode
+ }
+ Write-Host "Extracted files directory: $extracted_file_directory"
+
+ Write-Host "Removing the original jar file..."
+ Remove-Item -Path "$original_jar_file_full_path" -Force
+ Write-Host "Removed the original jar file."
+}
+elseif ($instruction -eq "repack") {
+ Write-Host "Removing ESRP's CodeSignSummary file..."
+ # It is the summary generated by ESRP tool. It is not needed in the jar file.
+ Remove-Item -Path "$extracted_file_directory/CodeSignSummary*.*" -Force
+ Write-Host "Removed ESRP's CodeSignSummary file."
+
+ Write-Host "Repacking the jar file from directory $extracted_file_directory..."
+ & 7z a "$original_jar_file_full_path" "$extracted_file_directory\*"
+ if ($lastExitCode -ne 0) {
+ Write-Host -Object "7z repacking the jar file command failed. Exitcode: $exitCode"
+ exit $lastExitCode
+ }
+ Write-Host "Repacked the jar file $original_jar_file_full_path."
+
+ Write-Host "Removing the extracted files..."
+ Remove-Item -Path "$extracted_file_directory" -Recurse -Force
+ Write-Host "Removed the extracted files."
+}
+else {
+ Write-Host "Invalid instruction: $instruction"
+}
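Review bot: The final `else` branch of jar_esrp_dll.ps1 only prints `Invalid instruction: $instruction` and lets the script end with exit code 0, so a mistyped or missing first argument makes the pipeline step succeed without extracting or repacking anything; add `exit 1` after that `Write-Host`. Both failure messages interpolate `$exitCode`, which is never assigned in this script, so the log shows an empty exit code; use `$lastExitCode` there, as the surrounding `if` and `exit` lines already do. `Remove-Item` errors are non-terminating by default, so a failed delete of the original jar or of the extracted directory would not stop the step either; setting `$ErrorActionPreference = 'Stop'` at the top of the script would make those failures visible.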