From 919f0a008676706978e10349bf2704b009a076c4 Mon Sep 17 00:00:00 2001
From: Jonah Graham <jonah@kichwacoders.com>
Date: Thu, 15 Apr 2021 20:32:20 -0400
Subject: [PATCH] Bug 572875 and Bug 572878: Sign .jnilib/.dll in production
 builds

Because the dll/jnilib is modified in place, the natives are qualified
with their build date, rather than their git date as the checked-in
libraries are not signed.

Change-Id: I3078f5040f7ef9590bb4ab5d031dcb29b3c3bdde
---
 .../META-INF/MANIFEST.MF                      |  2 +-
 .../pom.xml                                   | 13 +++++-
 .../META-INF/MANIFEST.MF                      |  2 +-
 .../pom.xml                                   | 13 +++++-
 .../META-INF/MANIFEST.MF                      |  2 +-
 .../org.eclipse.cdt.core.linux.x86_64/pom.xml | 13 +++++-
 core/org.eclipse.cdt.core.macosx/pom.xml      | 11 +++++
 .../native_src/Makefile                       | 13 ++++++
 core/org.eclipse.cdt.core.native/pom.xml      | 26 ++++++++++++
 .../org.eclipse.cdt.core.win32.x86_64/pom.xml | 11 +++++
 .../native_src/Makefile                       |  9 ++++
 native/org.eclipse.cdt.native.serial/pom.xml  | 41 +++++++++++++++++++
 12 files changed, 150 insertions(+), 6 deletions(-)

diff --git a/core/org.eclipse.cdt.core.linux.aarch64/META-INF/MANIFEST.MF b/core/org.eclipse.cdt.core.linux.aarch64/META-INF/MANIFEST.MF
index 0a7de03a046..d09e011644e 100644
--- a/core/org.eclipse.cdt.core.linux.aarch64/META-INF/MANIFEST.MF
+++ b/core/org.eclipse.cdt.core.linux.aarch64/META-INF/MANIFEST.MF
@@ -2,7 +2,7 @@ Manifest-Version: 1.0
 Bundle-ManifestVersion: 2
 Bundle-Name: %fragmentName.linux.aarch64
 Bundle-SymbolicName: org.eclipse.cdt.core.linux.aarch64;singleton:=true
-Bundle-Version: 6.0.100.qualifier
+Bundle-Version: 6.0.200.qualifier
 Bundle-Vendor: %providerName
 Fragment-Host: org.eclipse.cdt.core.native;bundle-version="[6.0.0,7.0.0)"
 Bundle-Localization: plugin
diff --git a/core/org.eclipse.cdt.core.linux.aarch64/pom.xml b/core/org.eclipse.cdt.core.linux.aarch64/pom.xml
index e242537775d..ff4ea053015 100644
--- a/core/org.eclipse.cdt.core.linux.aarch64/pom.xml
+++ b/core/org.eclipse.cdt.core.linux.aarch64/pom.xml
@@ -21,7 +21,7 @@
 		<relativePath>../../pom.xml</relativePath>
 	</parent>
 
-	<version>6.0.100-SNAPSHOT</version>
+	<version>6.0.200-SNAPSHOT</version>
 	<artifactId>org.eclipse.cdt.core.linux.aarch64</artifactId>
 	<packaging>eclipse-plugin</packaging>
 
@@ -58,6 +58,17 @@
 					</execution>
 				</executions>
 			</plugin>
+			<plugin>
+				<groupId>org.eclipse.tycho</groupId>
+				<artifactId>tycho-packaging-plugin</artifactId>
+				<configuration>
+					<!-- When signing binaries, the result is not checked into repo, so the
+						 jgit timestamp provider cannot be used. This has the side effect
+						 that the version of this bundle needs to be incremented on each
+						 CDT release. -->
+					<timestampProvider>default</timestampProvider>
+				</configuration>
+			</plugin>
 		</plugins>
 	</build>
 </project>
diff --git a/core/org.eclipse.cdt.core.linux.ppc64le/META-INF/MANIFEST.MF b/core/org.eclipse.cdt.core.linux.ppc64le/META-INF/MANIFEST.MF
index ae80f5f3d00..e110dd20940 100644
--- a/core/org.eclipse.cdt.core.linux.ppc64le/META-INF/MANIFEST.MF
+++ b/core/org.eclipse.cdt.core.linux.ppc64le/META-INF/MANIFEST.MF
@@ -3,7 +3,7 @@ Bundle-SymbolicName: org.eclipse.cdt.core.linux.ppc64le;singleton:=true
 Bundle-ManifestVersion: 2
 Bundle-Localization: plugin
 Bundle-Name: %fragmentName.linux.ppc64le
-Bundle-Version: 6.0.100.qualifier
+Bundle-Version: 6.0.200.qualifier
 Fragment-Host: org.eclipse.cdt.core.native;bundle-version="[6.0.0,7.0.0)"
 Bundle-Vendor: %providerName
 Eclipse-PlatformFilter: (&(osgi.os=linux)(osgi.arch=ppc64le))
diff --git a/core/org.eclipse.cdt.core.linux.ppc64le/pom.xml b/core/org.eclipse.cdt.core.linux.ppc64le/pom.xml
index dda99c20b4e..f8f8de0ae23 100644
--- a/core/org.eclipse.cdt.core.linux.ppc64le/pom.xml
+++ b/core/org.eclipse.cdt.core.linux.ppc64le/pom.xml
@@ -21,7 +21,7 @@
 		<relativePath>../../pom.xml</relativePath>
 	</parent>
 
-	<version>6.0.100-SNAPSHOT</version>
+	<version>6.0.200-SNAPSHOT</version>
 	<artifactId>org.eclipse.cdt.core.linux.ppc64le</artifactId>
 	<packaging>eclipse-plugin</packaging>
 
@@ -58,6 +58,17 @@
 					</execution>
 				</executions>
 			</plugin>
+			<plugin>
+				<groupId>org.eclipse.tycho</groupId>
+				<artifactId>tycho-packaging-plugin</artifactId>
+				<configuration>
+					<!-- When signing binaries, the result is not checked into repo, so the
+						 jgit timestamp provider cannot be used. This has the side effect
+						 that the version of this bundle needs to be incremented on each
+						 CDT release. -->
+					<timestampProvider>default</timestampProvider>
+				</configuration>
+			</plugin>
 		</plugins>
 	</build>
 </project>
diff --git a/core/org.eclipse.cdt.core.linux.x86_64/META-INF/MANIFEST.MF b/core/org.eclipse.cdt.core.linux.x86_64/META-INF/MANIFEST.MF
index 2a9b6739dd4..d52a8d49ac7 100644
--- a/core/org.eclipse.cdt.core.linux.x86_64/META-INF/MANIFEST.MF
+++ b/core/org.eclipse.cdt.core.linux.x86_64/META-INF/MANIFEST.MF
@@ -2,7 +2,7 @@ Manifest-Version: 1.0
 Bundle-ManifestVersion: 2
 Bundle-Name: %fragmentName.linux.x86_64
 Bundle-SymbolicName: org.eclipse.cdt.core.linux.x86_64;singleton:=true
-Bundle-Version: 6.0.100.qualifier
+Bundle-Version: 6.0.200.qualifier
 Bundle-Vendor: %providerName
 Fragment-Host: org.eclipse.cdt.core.native;bundle-version="[6.0.0,7.0.0)"
 Bundle-Localization: plugin
diff --git a/core/org.eclipse.cdt.core.linux.x86_64/pom.xml b/core/org.eclipse.cdt.core.linux.x86_64/pom.xml
index 8d54d28652a..37d7285985e 100644
--- a/core/org.eclipse.cdt.core.linux.x86_64/pom.xml
+++ b/core/org.eclipse.cdt.core.linux.x86_64/pom.xml
@@ -21,7 +21,7 @@
 		<relativePath>../../pom.xml</relativePath>
 	</parent>
 
-	<version>6.0.100-SNAPSHOT</version>
+	<version>6.0.200-SNAPSHOT</version>
 	<artifactId>org.eclipse.cdt.core.linux.x86_64</artifactId>
 	<packaging>eclipse-plugin</packaging>
 
@@ -58,6 +58,17 @@
 					</execution>
 				</executions>
 			</plugin>
+			<plugin>
+				<groupId>org.eclipse.tycho</groupId>
+				<artifactId>tycho-packaging-plugin</artifactId>
+				<configuration>
+					<!-- When signing binaries, the result is not checked into repo, so the
+						 jgit timestamp provider cannot be used. This has the side effect
+						 that the version of this bundle needs to be incremented on each
+						 CDT release. -->
+					<timestampProvider>default</timestampProvider>
+				</configuration>
+			</plugin>
 		</plugins>
 	</build>
 </project>
diff --git a/core/org.eclipse.cdt.core.macosx/pom.xml b/core/org.eclipse.cdt.core.macosx/pom.xml
index 926e09966ab..c9c3002726b 100644
--- a/core/org.eclipse.cdt.core.macosx/pom.xml
+++ b/core/org.eclipse.cdt.core.macosx/pom.xml
@@ -43,6 +43,17 @@
 					</environments>
 				</configuration>
 			</plugin>
+			<plugin>
+				<groupId>org.eclipse.tycho</groupId>
+				<artifactId>tycho-packaging-plugin</artifactId>
+				<configuration>
+					<!-- When signing binaries, the result is not checked into repo, so the
+						 jgit timestamp provider cannot be used. This has the side effect
+						 that the version of this bundle needs to be incremented on each
+						 CDT release. -->
+					<timestampProvider>default</timestampProvider>
+				</configuration>
+			</plugin>
 		</plugins>
 	</build>
 
diff --git a/core/org.eclipse.cdt.core.native/native_src/Makefile b/core/org.eclipse.cdt.core.native/native_src/Makefile
index 914324a201b..8ba1b06f230 100644
--- a/core/org.eclipse.cdt.core.native/native_src/Makefile
+++ b/core/org.eclipse.cdt.core.native/native_src/Makefile
@@ -66,6 +66,19 @@ clean :
 
 rebuild: clean all
 
+MAC_TO_SIGN=$(OS_DIR_MACOS_X86_64)/libspawner.jnilib \
+	$(OS_DIR_MACOS_X86_64)/libpty.jnilib \
+	$(OS_DIR_MACOS_X86)/libspawner.jnilib \
+	$(OS_DIR_MACOS_X86)/libpty.jnilib
+WIN_TO_SIGN=$(OS_DIR_WIN32_X86_64)/starter.exe \
+	$(OS_DIR_WIN32_X86_64)/spawner.dll \
+	$(OS_DIR_WIN32_X86_64)/pty.dll
+production: $(MAC_TO_SIGN) $(WIN_TO_SIGN)
+	$(foreach tosign,$(MAC_TO_SIGN) $(WIN_TO_SIGN),mv $(tosign) $(tosign)-unsigned &&) true
+	$(foreach tosign,$(MAC_TO_SIGN),curl -o $(tosign) -F file=@$(tosign)-unsigned https://cbi.eclipse.org/macos/codesign/sign &&) true
+	$(foreach tosign,$(WIN_TO_SIGN),curl -o $(tosign) -F file=@$(tosign)-unsigned https://cbi.eclipse.org/authenticode/sign   &&) true
+	$(foreach tosign,$(MAC_TO_SIGN) $(WIN_TO_SIGN),rm $(tosign)-unsigned &&) true
+
 
 # Windows x86_64
 # Windows DLLs have a build timestamp in them. This makes it impossible to have reproducible builds.
diff --git a/core/org.eclipse.cdt.core.native/pom.xml b/core/org.eclipse.cdt.core.native/pom.xml
index df7d025ff41..16d05a8d4f6 100644
--- a/core/org.eclipse.cdt.core.native/pom.xml
+++ b/core/org.eclipse.cdt.core.native/pom.xml
@@ -133,5 +133,31 @@
 				</plugins>
 			</build>
 		</profile>
+		<profile>
+			<id>production</id>
+			<build>
+				<plugins>
+					<plugin>
+						<artifactId>maven-antrun-plugin</artifactId>
+						<executions>
+							<execution>
+								<id>natives</id>
+								<phase>process-resources</phase>
+								<configuration>
+									<target>
+										<exec executable="make" newenvironment="false" failOnError="true" dir="./native_src">
+											<arg value="production" />
+										</exec>
+									</target>
+								</configuration>
+								<goals>
+									<goal>run</goal>
+								</goals>
+							</execution>
+						</executions>
+					</plugin>
+				</plugins>
+			</build>
+		</profile>
 	</profiles>
 </project>
diff --git a/core/org.eclipse.cdt.core.win32.x86_64/pom.xml b/core/org.eclipse.cdt.core.win32.x86_64/pom.xml
index 3e87f42408e..31c937d0409 100644
--- a/core/org.eclipse.cdt.core.win32.x86_64/pom.xml
+++ b/core/org.eclipse.cdt.core.win32.x86_64/pom.xml
@@ -58,6 +58,17 @@
 					</execution>
 				</executions>
 			</plugin>
+			<plugin>
+				<groupId>org.eclipse.tycho</groupId>
+				<artifactId>tycho-packaging-plugin</artifactId>
+				<configuration>
+					<!-- When signing binaries, the result is not checked into repo, so the
+						 jgit timestamp provider cannot be used. This has the side effect
+						 that the version of this bundle needs to be incremented on each
+						 CDT release. -->
+					<timestampProvider>default</timestampProvider>
+				</configuration>
+			</plugin>
 		</plugins>
 	</build>
 </project>
diff --git a/native/org.eclipse.cdt.native.serial/native_src/Makefile b/native/org.eclipse.cdt.native.serial/native_src/Makefile
index 27d62fe8c56..a04f09bb394 100644
--- a/native/org.eclipse.cdt.native.serial/native_src/Makefile
+++ b/native/org.eclipse.cdt.native.serial/native_src/Makefile
@@ -47,6 +47,15 @@ all:	$(LIBS)
 clean :
 	$(RM) $(LIBS)
 
+MAC_TO_SIGN=$(OS_DIR)/macosx/x86_64/libserial.jnilib
+WIN_TO_SIGN=$(OS_DIR)/win32/x86_64/serial.dll
+production: $(MAC_TO_SIGN) $(WIN_TO_SIGN)
+	$(foreach tosign,$(MAC_TO_SIGN) $(WIN_TO_SIGN),mv $(tosign) $(tosign)-unsigned &&) true
+	$(foreach tosign,$(MAC_TO_SIGN),curl -o $(tosign) -F file=@$(tosign)-unsigned https://cbi.eclipse.org/macos/codesign/sign &&) true
+	$(foreach tosign,$(WIN_TO_SIGN),curl -o $(tosign) -F file=@$(tosign)-unsigned https://cbi.eclipse.org/authenticode/sign   &&) true
+	$(foreach tosign,$(MAC_TO_SIGN) $(WIN_TO_SIGN),rm $(tosign)-unsigned &&) true
+
+
 rebuild: clean all
 
 # Windows DLLs have a build timestamp in them. This makes it impossible to have reproducible builds.
diff --git a/native/org.eclipse.cdt.native.serial/pom.xml b/native/org.eclipse.cdt.native.serial/pom.xml
index 8d43ddfb040..93f5c04d0ae 100644
--- a/native/org.eclipse.cdt.native.serial/pom.xml
+++ b/native/org.eclipse.cdt.native.serial/pom.xml
@@ -227,5 +227,46 @@
 				</plugins>
 			</build>
 		</profile>
+		<profile>
+			<id>production</id>
+			<build>
+				<plugins>
+					<plugin>
+						<artifactId>maven-antrun-plugin</artifactId>
+						<executions>
+							<execution>
+								<id>natives</id>
+								<phase>process-resources</phase>
+								<configuration>
+									<target>
+										<exec executable="make" newenvironment="false" failOnError="true" dir="./native_src">
+											<arg value="production" />
+										</exec>
+									</target>
+								</configuration>
+								<goals>
+									<goal>run</goal>
+								</goals>
+							</execution>
+						</executions>
+					</plugin>
+				</plugins>
+			</build>
+		</profile>
 	</profiles>
+	<build>
+		<plugins>
+			<plugin>
+				<groupId>org.eclipse.tycho</groupId>
+				<artifactId>tycho-packaging-plugin</artifactId>
+				<configuration>
+					<!-- When signing binaries, the result is not checked into repo, so the
+						 jgit timestamp provider cannot be used. This has the side effect
+						 that the version of this bundle needs to be incremented on each
+						 CDT release. -->
+					<timestampProvider>default</timestampProvider>
+				</configuration>
+			</plugin>
+		</plugins>
+	</build>
 </project>