Bug 548431 - Produce signed Windows launcher bundles in the platform repo
Summary: Produce signed Windows launcher bundles in the platform repo
Status: RESOLVED FIXED
Alias: None
Product: Platform
Classification: Eclipse Project
Component: Releng (show other bugs)
Version: 4.12   Edit
Hardware: PC Windows 10
: P3 enhancement (vote)
Target Milestone: 4.16   Edit
Assignee: Sravan Kumar Lakkimsetti CLA
QA Contact:
URL:
Whiteboard:
Keywords: plan
Depends on: 548893
Blocks: 548443
  Show dependency tree
 
Reported: 2019-06-19 09:07 EDT by Sravan Kumar Lakkimsetti CLA
Modified: 2020-08-10 00:30 EDT (History)
12 users (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Sravan Kumar Lakkimsetti CLA 2019-06-19 09:07:07 EDT 
in the platform repo the launcher executables for windows are not signed. This is causing problems with windows defender.

Need to publish signed executables for windows in platform repo.
Comment 1 Sravan Kumar Lakkimsetti CLA 2019-06-19 09:21:37 EDT 
We use winsigner plugin(https://www.eclipse.org/cbi/sitedocs/eclipse-winsigner-plugin/sign-mojo.html) to sign windows executables this is done as part of building Platform, sdk and equinox products.

Here is pom.xml for SDK producthttps://git.eclipse.org/c/platform/eclipse.platform.releng.aggregator.git/tree/eclipse.platform.releng.tychoeclipsebuilder/sdk/pom.xml

In this case we have tied winsigner plugin to package phase. The problem is there are multiple goals tied to package phase

like 
tycho-p2-repository:assemble-repository
tycho-p2-repository:archive-repository
tycho-p2-director:materialize-products
tycho-p2-director:archive-products

we need to run eclipse-winsigner-plugin:sign before tycho-p2-repository:archive-repository. currently it is running before tycho-p2-director:archive-products

Need to rationalize maven phase selection with these goals.

@mat
Can you please help in this?
Comment 2 Sravan Kumar Lakkimsetti CLA 2019-06-19 10:05:47 EDT 
This not required for now. Closing.
Comment 3 Ed Merks CLA 2019-06-19 10:13:12 EDT 
But it's something that should be done for Eclipse 4.13 and for SimRel 2019-09, so I'm not sure how it makes sense to close this?
Comment 4 Dani Megert CLA 2019-06-19 10:28:34 EDT 
(In reply to Ed Merks from comment #3)
> But it's something that should be done for Eclipse 4.13
What is the problem exactly, I mean the visible problem and not just "it's not signed"? Are you sure it doesn't break clients that rebrand and sign again? Do we sign it for the other platforms?

I suggest someone who has a concrete issue reports that bug and we can then use that bug or reopen this one. I'd prefer the latter.
Comment 5 Ed Merks CLA 2019-06-19 11:02:06 EDT 
The visible problem is that it's not signed.  That's visible to any user running this executable.  You only have look at the properties of the file to see (visibly) that there is no digital signature. 

So I must ask, why do we bother sign the *.exe that's in the zip file is it's not a problem for it not to be signed? 

In the end, *I* have a concrete issue with this.  The installer (and p2 director) does not (and cannot) produce an installation with signed executables. I.e., it doesn't produce something that's equivalent to the distributed zipped packages. I'm not comfortable that and I'm a user too, so it seems odd that I am not permitted to report it as a problem.

So I don't get this attitude at all.  Resolving this as invalid when that flies in the fact of the reality seems totally inappropriate to me. 

This may well require downstream changes in the build processes, but now is the time to make sure that all works properly.

Please don't return this as invalid.
Comment 6 Matthias Sohn CLA 2019-06-19 11:17:10 EDT 
(In reply to Ed Merks from comment #5)
> The visible problem is that it's not signed.  That's visible to any user
> running this executable.  You only have look at the properties of the file
> to see (visibly) that there is no digital signature. 
> 
> So I must ask, why do we bother sign the *.exe that's in the zip file is
> it's not a problem for it not to be signed? 
> 
> In the end, *I* have a concrete issue with this.  The installer (and p2
> director) does not (and cannot) produce an installation with signed
> executables. I.e., it doesn't produce something that's equivalent to the
> distributed zipped packages. I'm not comfortable that and I'm a user too, so
> it seems odd that I am not permitted to report it as a problem.
> 
> So I don't get this attitude at all.  Resolving this as invalid when that
> flies in the fact of the reality seems totally inappropriate to me. 
> 
> This may well require downstream changes in the build processes, but now is
> the time to make sure that all works properly.
> 
> Please don't return this as invalid.

I second Ed's opinion. What we ship should be signed not regarding through which channel it's shipped (packager, installer or remote update). If an artefact is not signed users can't be sure if it's really originating from Eclipse.
Comment 7 Dani Megert CLA 2019-06-19 11:35:02 EDT 
Ed and Matthias: can you confirm that signing them won't impact projects that want to brand and sign the executable? Also, do you know whether this is Windows only?
Comment 8 Ed Merks CLA 2019-06-19 11:42:22 EDT 
No, we cannot (In reply to Dani Megert from comment #7)
> Ed and Matthias: can you confirm that signing them won't impact projects
> that want to brand and sign the executable? Also, do you know whether this
> is Windows only?

Let's assume this does impact projects that want to rebrand and therefore (presumably) will need to resign.  Is that then a reason not to do it?  It would seem to me to be "simply" a problem that would also need to be solved. I.e., a signature remover or a signing service that can resign...

I don't understand the signing processes for other platforms.  I'm not a Tycho/Maven expert.  I suspect that Linux is very similar and that Mac is quite different, but I don't know.

Has this reverted to invalid state again?  I'll reopen again assuming that I forgot to do that the last time.
Comment 9 Denis Roy CLA 2019-06-19 11:43:07 EDT 
IMHO, any binary/executable produced by the foundation should be signed and sealed, for security and authenticity purposes. If another project or third-party consumer wants to rebrand/resign a binary, they should rebuild from source.
Comment 10 Ed Merks CLA 2019-06-19 11:47:32 EDT 
(In reply to Denis Roy from comment #9)
> IMHO, any binary/executable produced by the foundation should be signed and
> sealed, for security and authenticity purposes. If another project or
> third-party consumer wants to rebrand/resign a binary, they should rebuild
> from source.

Denis, I tend to agree, but note that Dani's very legitimate concern is that the EPP packages also rebrand the executable(s) provided by the platform.  Similarly the Oomph installer also does that.  So we can't realistically tell anyone (downstream projects and other downstream consumers) that they should rebuild from source, especially given that build native executables is a nightmare!

So I share Dani's concern about the downstream impact of signing the executables but I think that's something "we" collectively need to investigate because signing is a certification of origin and that's seems to me always to be important...
Comment 11 Dani Megert CLA 2019-06-19 12:48:11 EDT 
OK, so let's sign the executables as a first step. Maybe clients will have to find a way to consume those afterwards.

Sravan, please also check the current state for Mac and Linux executables.
Comment 12 Ed Merks CLA 2019-06-19 12:51:29 EDT 
I can assess the impact of any of such changes relatively quickly when building the installer against platform 4.13 I build.  Of course I'll need to figure out what needs to change in the pom.xml so that we do the same thing as the platform to make sure that our branded executables are also signed.
Comment 13 Sravan Kumar Lakkimsetti CLA 2019-06-19 13:26:11 EDT 
(In reply to Dani Megert from comment #11)
> OK, so let's sign the executables as a first step. Maybe clients will have
> to find a way to consume those afterwards.
> 
> Sravan, please also check the current state for Mac and Linux executables.

Dani,

Here is the status of signing

Linux:
We do not sign launcher either in the p2 repo or products (SDK, platform and equinox)

Mac:
Individual launcher executables are not signed. We layout products in mac app layout format and sign whole product folder. then we create a dmg and sign dmg again.

Widows:
Launcher is not signed in p2 repo. Signed in products
Comment 14 Dani Megert CLA 2019-06-19 17:49:28 EDT 
(In reply to Ed Merks from comment #12)
> I can assess the impact of any of such changes relatively quickly when
> building the installer against platform 4.13 I build.  Of course I'll need
> to figure out what needs to change in the pom.xml so that we do the same
> thing as the platform to make sure that our branded executables are also
> signed.
Two questions:

1) As you mentioned, the installer is signed. Is this because you don't brand it and just use the eclipse.exe from a platform binary, or do you actually sign it?

2) If you say "branded executable", do you mean your installer, or the thing that the installer produces? If the latter, how is it signed today? Or is it currently not signed?
Comment 15 Dani Megert CLA 2019-06-19 17:50:19 EDT 
(In reply to Sravan Kumar Lakkimsetti from comment #13)
> Mac:
> Individual launcher executables are not signed. We layout products in mac
> app layout format and sign whole product folder. then we create a dmg and
> sign dmg again.
That could be a tough one.

 
> Widows:
> Launcher is not signed in p2 repo. Signed in products
Let's start with this one.
Comment 16 Ed Merks CLA 2019-06-19 19:56:24 EDT 
(In reply to Dani Megert from comment #14)
> Two questions:
> 
> 1) As you mentioned, the installer is signed. Is this because you don't
> brand it and just use the eclipse.exe from a platform binary, or do you
> actually sign it?
> 

It's complicated by the different platforms.  On Windows, "the installer" is distributed as a native executable that is signed (this is similar to the *.dmg on the Mac).  That executable effectively embeds a zip file of an installer RCP application/product (this is similar to the zipped downloads of the platform SDK on an EPP package/product). We don't do anything explicit to sign the executable in that zip, but I tested and it is definitely signed, so on Windows both the wrapping executable and the embedded RCP/product executable are signed).  On Linux we just deliver a tar.gz, but I believe (though can't verify because I don't know how) that it too has a signed executable (just like on Windows) because Tycho just does that for us.  And on the Mac, it's exactly like what is described for the platform, we build a Mac executable format, sign the App, and then DMG it (though I don't know about signing the DMG itself).  Again, I don't know how to verify that any of this is actually working correctly on the Mac, though I suspect on the Mac would refuse to run it if all the things aren't already properly done.

> 2) If you say "branded executable", do you mean your installer, or the thing
> that the installer produces?

I mean this in exactly the same way as the EPP packages often/typically brand the executable.  Note again that the installer, in the end, is effectively just p2 director and it just installs/copies things from p2 repos onto the local filesystem.  It does not brand and it does not sign, it merely installs what's specified in/by the p2 repo.

> If the latter, how is it signed today? Or is it
> currently not signed?

What the installer produces, i.e., the installation it creates (or what p2 director creates) is purely based on what's in the p2 repository.  Clearly the installer (p2 director) cannot and do not provide a signing service, nor a branding service.  Signing is a certification or origin and must be done at the origin. Branding is also done at the origin.  So if the installer is to produce signed results (where all the jars are signed and the executables are signed), it must get those in signed form from the origin.
Comment 17 Ed Merks CLA 2019-06-24 09:54:52 EDT 
Note that I just got my first integration build

https://ci.eclipse.org/oomph/job/integration/

running against the 4.13-I-builds, and this signing does not appear to have caused any problems.  But I don't know the underlying Tycho behavior either.  I.e., where does Tycho get the eclipse.exe and eclipsec.exe that it uses to build a *.product?  

Does anyone know this.

Of course the (branded) executable in my repo isn't signed either.

https://ci.eclipse.org/oomph/job/integration/ws/products/repository/binary/org.eclipse.oomph.setup.installer.product.executable.win32.win32.x86_64_1.14.0.v20190624-1329

What changed did you change in the platform's build (pom files?) to ensure that the executable in the repository is actually signed now?  I will need to make that same change and so will the EPP builds.

But looking at /home/data/httpd/download.eclipse.org/eclipse/updates/4.13-I-builds/I20190607-0725/binary/org.eclipse.platform.sdk.executable.win32.win32.x86_64_4.13.0.I20190607-0725 I don't see that this or any of the other ones actually are signed.

So, which executables are being signed before they are published into the repository and how are you doing that?
Comment 18 Sravan Kumar Lakkimsetti CLA 2019-06-24 23:12:28 EDT 
(In reply to Ed Merks from comment #17)
> Note that I just got my first integration build
> 
> https://ci.eclipse.org/oomph/job/integration/
> 
> running against the 4.13-I-builds, and this signing does not appear to have
> caused any problems.  But I don't know the underlying Tycho behavior either.
> I.e., where does Tycho get the eclipse.exe and eclipsec.exe that it uses to
> build a *.product?  
> 
> Does anyone know this.
> 
> Of course the (branded) executable in my repo isn't signed either.
> 
> https://ci.eclipse.org/oomph/job/integration/ws/products/repository/binary/
> org.eclipse.oomph.setup.installer.product.executable.win32.win32.x86_64_1.14.
> 0.v20190624-1329
> 
> What changed did you change in the platform's build (pom files?) to ensure
> that the executable in the repository is actually signed now?  I will need
> to make that same change and so will the EPP builds.
> 
> But looking at
> /home/data/httpd/download.eclipse.org/eclipse/updates/4.13-I-builds/
> I20190607-0725/binary/org.eclipse.platform.sdk.executable.win32.win32.
> x86_64_4.13.0.I20190607-0725 I don't see that this or any of the other ones
> actually are signed.
> 
> So, which executables are being signed before they are published into the
> repository and how are you doing that?

We haven't signed the executables yet. We are still trying to figure out exactly where to put signing code. Hope fully by thursday we should get this out.
Comment 19 Mat Booth CLA 2019-06-25 06:19:54 EDT 
(In reply to Sravan Kumar Lakkimsetti from comment #1)
> We use winsigner
> plugin(https://www.eclipse.org/cbi/sitedocs/eclipse-winsigner-plugin/sign-
> mojo.html) to sign windows executables this is done as part of building
> Platform, sdk and equinox products.
> 
> Here is pom.xml for SDK
> producthttps://git.eclipse.org/c/platform/eclipse.platform.releng.aggregator.
> git/tree/eclipse.platform.releng.tychoeclipsebuilder/sdk/pom.xml
> 
> In this case we have tied winsigner plugin to package phase. The problem is
> there are multiple goals tied to package phase
> 
> like 
> tycho-p2-repository:assemble-repository
> tycho-p2-repository:archive-repository
> tycho-p2-director:materialize-products
> tycho-p2-director:archive-products
> 
> we need to run eclipse-winsigner-plugin:sign before
> tycho-p2-repository:archive-repository. currently it is running before
> tycho-p2-director:archive-products
> 
> Need to rationalize maven phase selection with these goals.
> 
> @mat
> Can you please help in this?

If we simply need to ensure that the sign goal executes before anything in the "package" phase, you can simply bind it to the "prepare-package" phase instead.
Comment 20 Eclipse Genie CLA 2019-06-26 05:05:02 EDT 
New Gerrit change created: https://git.eclipse.org/r/144909
Comment 21 Sravan Kumar Lakkimsetti CLA 2019-06-26 07:04:26 EDT 
I modified the launcher build process to sign windows executable while building the launcher.

Created new windows launcher though https://git.eclipse.org/c/equinox/rt.equinox.binaries.git/commit/?id=8f4c91e1e3ff65c82e8b176c35f13555fcfe4ff7

Tonight's build should have signed executables in p2 repositories.
Comment 22 Eclipse Genie CLA 2019-06-26 07:11:26 EDT 
New Gerrit change created: https://git.eclipse.org/r/144920
Comment 23 Sravan Kumar Lakkimsetti CLA 2019-06-27 00:49:35 EDT 
There are some version issues after launcher rebuild. Patch to follow
Comment 24 Eclipse Genie CLA 2019-06-27 01:18:12 EDT 
New Gerrit change created: https://git.eclipse.org/r/144962
Comment 26 Sravan Kumar Lakkimsetti CLA 2019-06-27 01:34:47 EDT 
merged version updates to master
Comment 27 Sravan Kumar Lakkimsetti CLA 2019-06-27 02:39:23 EDT 
During verification noticed eclipse.exe has invalid signature. Rebuilt launchers with https://git.eclipse.org/c/equinox/rt.equinox.binaries.git/commit/?id=a286f5865744ce59cafc4c2ec3e763856316121f

Need to verify in tonight's build
Comment 28 Sravan Kumar Lakkimsetti CLA 2019-06-28 02:10:24 EDT 
Reopening as we are still getting "Verified:       The digital signature of the object did not verify." error for eclipse.exe. eclipsec.exe does not have this problem.

Investigating
Comment 29 Sravan Kumar Lakkimsetti CLA 2019-06-28 02:49:39 EDT 
The executables available at source(https://git.eclipse.org/c/equinox/rt.equinox.binaries.git/tree/org.eclipse.equinox.executable/bin/win32/win32/x86_64) are signed. 

There is some problem during the repo build which is causing the signature to invalid.
Comment 30 Eclipse Genie CLA 2019-07-02 05:49:27 EDT 
New Gerrit change created: https://git.eclipse.org/r/145281
Comment 32 Eclipse Genie CLA 2019-07-02 09:19:20 EDT 
New Gerrit change created: https://git.eclipse.org/r/145300
Comment 34 Eclipse Genie CLA 2019-07-02 11:52:52 EDT 
New Gerrit change created: https://git.eclipse.org/r/145318
Comment 36 Eclipse Genie CLA 2019-07-02 11:53:19 EDT 
New Gerrit change created: https://git.eclipse.org/r/145319
Comment 38 Eclipse Genie CLA 2019-07-03 01:06:35 EDT 
New Gerrit change created: https://git.eclipse.org/r/145347
Comment 40 Sravan Kumar Lakkimsetti CLA 2019-07-03 02:05:26 EDT 
After investigation the following is my observations on solving this issue. We do have signing service available from cbi(https://www.eclipse.org/cbi/sitedocs/eclipse-winsigner-plugin/sign-mojo.html). Most of the parameters mentioned here are to be passed to signing service

1. tycho-p2-publisher-plugin::publish-products needs to be updated to accept three more parameters
  * sign true/false (sign the launcher executables)
  * signer url      (signer service url)
  * timeout         (timeout for the signing service)
  * retry limit     (number of times the signing should be tried)
  * retry timer     (waiting time before retry)
2. PDE product packager needs to be enhanced to sign windows executables after the replacement of icons in the launcher. for signing one can use windows signing service from CBI. The parameter mentioned in tycho would be required for signing.

Currently I am working on a workaround.
Comment 41 Eclipse Genie CLA 2019-07-03 05:36:33 EDT 
New Gerrit change created: https://git.eclipse.org/r/145362
Comment 43 Sravan Kumar Lakkimsetti CLA 2019-07-03 11:09:12 EDT 
The latest workaround of signing binaries after the repository is built failed as the checksums in artefacts.xml won't match.

Reverting this workaround

The only workaround I can think of now is to remove icon file from the product files. The drawback is rt.exe will show eclipse icon instead of equinox icon.

I think this would be acceptable workaround till 548893 is fixed.
Comment 44 Eclipse Genie CLA 2019-07-03 11:11:49 EDT 
New Gerrit change created: https://git.eclipse.org/r/145402
Comment 46 Eclipse Genie CLA 2019-07-03 11:25:53 EDT 
New Gerrit change created: https://git.eclipse.org/r/145406
Comment 48 Ed Merks CLA 2019-07-03 12:03:17 EDT 
Personally I would simply wait until https://bugs.eclipse.org/bugs/show_bug.cgi?id=548893 is fixed because workarounds are painful and time consuming.  Furthermore, everyone downstream also will have these same problems so really need to be properly addressed by the "normal" Tycho build.  In particular the EPP builds will have this same issue (as will Oomph with the installer executable) so it would seem best to solve this problem once and for all in a reusable way for all of the projects build and/or branding executables...

But that's just my opinion...
Comment 49 Sravan Kumar Lakkimsetti CLA 2019-07-04 02:45:04 EDT 
workaround added in comment 46 worked. 

This problem needs to be addressed by PDE project builder. Tycho would be a conduit between user and PDE project builder.

As of now epp packages do not replace launcher icon so there should be no problem in epp pakages or in upgrades. Oomph installer does have icon replacement so eclipse installer will have problems.

I agree with ed on fixing 548893 and 548894 to properly fix this issue. Till that time only available workaround I have is to remove windows icon replacement from product configuration.
Comment 50 Ed Merks CLA 2019-07-04 08:33:03 EDT 
I can confirm that installing the latest platform SDK product with Oomph now results in an installation with both the eclipse.exe and the eclipsec.exe being signed.  I've not noticed any problems in the Oomph nightly build from last night; I'll check those results again tomorrow, but our self-extracting installer is still branded and signed and the eclipse-inst.exe embedded in that is also still branded and signed...
Comment 51 Ed Merks CLA 2019-07-05 01:38:39 EDT 
It seems odd, but when I look in the repo for the most recent Oomph build, in particular at

https://ci.eclipse.org/oomph/job/integration/lastBuild/artifact/products/repository/binary/

The eclipse-inst.exe in the binary 

org.eclipse.oomph.setup.installer.product.executable.win32.win32.x86_64_*

is signed.

And when I use the installer to create an installer from this repository the results on the file system are also signed and branded.  And that installer's installation launches and runs fine..

I'm not sure why this all just works, but it does appears to be working properly.

Likely the EPP packages will just work too, especially if they just reuse the signed executables provided by the platform...

What is still not the case is that any of the *.dll files are signed by anyone.  At least in the case of Oomph's one *.dll, I believe we just need to commit a signed version rather than the current unsigned version to address this remaining issue.
Comment 52 Sravan Kumar Lakkimsetti CLA 2019-07-05 02:43:13 EDT 
(In reply to Ed Merks from comment #51)
> It seems odd, but when I look in the repo for the most recent Oomph build,
> in particular at
> 
> https://ci.eclipse.org/oomph/job/integration/lastBuild/artifact/products/
> repository/binary/
> 
> The eclipse-inst.exe in the binary 
> 
> org.eclipse.oomph.setup.installer.product.executable.win32.win32.x86_64_*
> 
> is signed.
> 
> And when I use the installer to create an installer from this repository the
> results on the file system are also signed and branded.  And that
> installer's installation launches and runs fine..
> 
> I'm not sure why this all just works, but it does appears to be working
> properly.
> 
> Likely the EPP packages will just work too, especially if they just reuse
> the signed executables provided by the platform...
> 
> What is still not the case is that any of the *.dll files are signed by
> anyone.  At least in the case of Oomph's one *.dll, I believe we just need
> to commit a signed version rather than the current unsigned version to
> address this remaining issue.

When I ran signature check tool from sysinternals(https://docs.microsoft.com/en-us/sysinternals/downloads/sigcheck) on the binary from https://ci.eclipse.org/oomph/job/integration/lastBuild/artifact/products/repository/binary/

I get
C:\Users\IBM_ADMIN\Desktop\eclipse-inst.exe:
	Verified:	The digital signature of the object did not verify.
	Link date:	12:03 PM 27-Jun-19
	Publisher:	n/a
	Company:	n/a
	Description:	n/a
	Product:	n/a
	Prod version:	n/a
	File version:	n/a
	MachineType:	64-bit

C:\Users\IBM_ADMIN\Desktop\eclipsec.exe:
	Verified:	Signed
	Signing date:	12:03 PM 27-Jun-19
	Publisher:	Eclipse.org Foundation, Inc.
	Company:	n/a
	Description:	n/a
	Product:	n/a
	Prod version:	n/a
	File version:	n/a
	MachineType:	64-bit

This means the file is signed but the signature is not valid any more.

To resolve this we need 548893 fixed.

The reason why it happens is the exe files are signed when thy are built in the launcher build process. And during product build the icon for launcher(eclipse.exe/eclipse-inst.exe) gets replaced with icon specified in the product configuration rendering the signature invalid. This launcher is added to the repository. So when we use repository to build a new product or upgrade existing product we get launcher with invalid signature.

In the product build process we do layout eclipse product and sign the executables again. this creates a new signature on the executable. We make this available as eclipse-installer.exe  or as platform product or SDK product. So these do not have invalid signature problem.
Comment 53 Ed Merks CLA 2019-07-05 03:20:37 EDT 
Thanks so much for this detailed information and the links!  And also for all the effort you invested in this so far!!

Note that I created this job to sign Oomph's one DLL

https://ci.eclipse.org/oomph/job/dll-signer/

It produces this result:

https://ci.eclipse.org/oomph/job/dll-signer/lastSuccessfulBuild/artifact/jreinfo.dll

And that appears to pass the sigcheck64 test.  I've also tested locally that it still actually works. :-)

Do you think that the right approach is to commit such a signed DLL to the Git repo? We currently have the unsigned version committed so it seems sensible just to commit a signed version of it rather than to try to do signing during the build.  But I would be happy to know your thoughts on such an approach.
Comment 54 Sravan Kumar Lakkimsetti CLA 2019-07-05 04:14:08 EDT 
(In reply to Ed Merks from comment #53)
> Thanks so much for this detailed information and the links!  And also for
> all the effort you invested in this so far!!
> 
> Note that I created this job to sign Oomph's one DLL
> 
> https://ci.eclipse.org/oomph/job/dll-signer/
> 
> It produces this result:
> 
> https://ci.eclipse.org/oomph/job/dll-signer/lastSuccessfulBuild/artifact/
> jreinfo.dll
> 
> And that appears to pass the sigcheck64 test.  I've also tested locally that
> it still actually works. :-)
> 
> Do you think that the right approach is to commit such a signed DLL to the
> Git repo? We currently have the unsigned version committed so it seems
> sensible just to commit a signed version of it rather than to try to do
> signing during the build.  But I would be happy to know your thoughts on
> such an approach.

IMHO this would be correct approach. I would add signing to dll build process itself rather than running it separately. You can use exec-maven-plugin to run this command from maven. 

This is exactly what I am doing in the launcher build. I commit signed executables into launcher binaries repo https://git.eclipse.org/c/equinox/rt.equinox.binaries.git/tree/org.eclipse.equinox.executable/bin/win32/win32/x86_64
Comment 55 Ed Merks CLA 2019-07-05 04:43:24 EDT 
Yes, if we had a process to build the DLL, it would of course make sense to add signing to that process, but the DLL is built manually locally and that result is committed after the manual process.

Thanks again!
Comment 56 Sravan Kumar Lakkimsetti CLA 2019-07-15 05:52:57 EDT 
Added signed launcher bundles (.exe and .dll files) through https://git.eclipse.org/c/equinox/rt.equinox.binaries.git/commit/?id=7333db54bc8f4ec6f43079346c9f8f287b6d4c7f
Comment 57 Sravan Kumar Lakkimsetti CLA 2019-07-15 07:10:11 EDT 
Modified swt build process to build signed native libraries for windows
Comment 58 Ed Merks CLA 2019-07-15 07:49:33 EDT 
Sravan,

Do you know if there a tool that can run on Linux (i.e.,the build server) that can verify the validity of a signed *.exe/*.dll?
Comment 59 Mikaël Barbero CLA 2019-07-15 09:53:48 EDT 
(In reply to Ed Merks from comment #58)
> Sravan,
> 
> Do you know if there a tool that can run on Linux (i.e.,the build server)
> that can verify the validity of a signed *.exe/*.dll?

The tool that is used to sign the exe (https://github.com/develar/osslsigncode) says:

"You can check that the signed file is correct by right-clicking
on it in Windows and choose Properties --> Digital Signatures,
and then choose the signature from the list, and click on
Details. You should then be presented with a dialog that says
amongst other things that "This digital signature is OK"."

So I guess that there is no such CLI Linux tool.
Comment 60 Ed Merks CLA 2019-07-15 10:01:47 EDT 
(In reply to Mikaël Barbero from comment #59)
> (In reply to Ed Merks from comment #58)
> > Sravan,
> > 
> > Do you know if there a tool that can run on Linux (i.e.,the build server)
> > that can verify the validity of a signed *.exe/*.dll?
> 
> The tool that is used to sign the exe
> (https://github.com/develar/osslsigncode) says:
> 
> "You can check that the signed file is correct by right-clicking
> on it in Windows and choose Properties --> Digital Signatures,
> and then choose the signature from the list, and click on
> Details. You should then be presented with a dialog that says
> amongst other things that "This digital signature is OK"."
> 
> So I guess that there is no such CLI Linux tool.

Of course if the process of validating signatures is going to be a manual one, I imagine it's really not going to get done at all. :-(

Is there a possibility to build a service that uses this tool:

https://docs.microsoft.com/en-us/sysinternals/downloads/sigcheck

and farms such a checking process out to a Windows machine?  

Then we'd be able to automate the validation of a repository's contents...
Comment 61 Mikaël Barbero CLA 2019-07-15 10:07:51 EDT 
Even though we try to avoid running CBI services on non linux hosts (it really is complicated to provide a reliable service on mac/windows), I can see the value of such a tool. Could you please open a ticket against CBI? Also, please, keep your expectations low on when this can be done. Still, I'd like such a request to be tracked. Thanks.
Comment 62 Sravan Kumar Lakkimsetti CLA 2019-07-16 05:09:11 EDT 
(In reply to Mikaël Barbero from comment #59)
> (In reply to Ed Merks from comment #58)
> > Sravan,
> > 
> > Do you know if there a tool that can run on Linux (i.e.,the build server)
> > that can verify the validity of a signed *.exe/*.dll?
> 
> The tool that is used to sign the exe
> (https://github.com/develar/osslsigncode) says:
> 
> "You can check that the signed file is correct by right-clicking
> on it in Windows and choose Properties --> Digital Signatures,
> and then choose the signature from the list, and click on
> Details. You should then be presented with a dialog that says
> amongst other things that "This digital signature is OK"."
> 
> So I guess that there is no such CLI Linux tool.

looks like we can use same tool to verify as well

ref https://unix.stackexchange.com/questions/269906/how-can-i-extract-signatures-data-from-a-windows-exe-file-under-linux-using-cl
Comment 63 Mikaël Barbero CLA 2019-07-16 06:21:47 EDT 
Even better. No need for additional service. 

/opt/public/common/osslsigncode-1.6 is available on all JIPP (old infra). Feel free to use it to check the signatures.
Comment 64 Sravan Kumar Lakkimsetti CLA 2019-07-16 06:36:01 EDT 
(In reply to Mikaël Barbero from comment #63)
> Even better. No need for additional service. 
> 
> /opt/public/common/osslsigncode-1.6 is available on all JIPP (old infra).
> Feel free to use it to check the signatures.

We are getting this error when we try in the job

/opt/public/common/osslsigncode-1.6: error while loading shared libraries: libgsf-1.so.114: cannot open shared object file: No such file or directory

Can please have a look?
Comment 65 Mikaël Barbero CLA 2019-07-16 06:37:01 EDT 
I guess it's when you run the job on centos agents? Please try to run it on Jenkins master.
Comment 66 Mikaël Barbero CLA 2019-07-16 06:39:06 EDT 
My bad, it happens also on masters.

This binary has been compiled on build and is not runnable on hipps machine. 

I guess you will have to compile it by yourself and use the output binary.
Comment 67 Rolf Theunissen CLA 2019-08-06 09:49:05 EDT 
It seems that the changes for this bug had as side-effect that also the SWT-DLLs are signed now, see Bug 529428.

However there are some more DLLs in the Eclipse environment, will the automatically be singed when re-compiled or is more configuration needed?
At least: 
- jnicrypt64.dll (org.eclipse.equinox.security)
- win32refresh.dll (org.eclipse.core.resources)
- localfile_1_0_0.dll (org.eclipse.core.filesystem)
- jWinHttp-1.0.0.dll (org.eclipse.core.net)
Comment 68 Sravan Kumar Lakkimsetti CLA 2019-08-07 03:09:30 EDT 
(In reply to Rolf Theunissen from comment #67)
> It seems that the changes for this bug had as side-effect that also the
> SWT-DLLs are signed now, see Bug 529428.
> 
> However there are some more DLLs in the Eclipse environment, will the
> automatically be singed when re-compiled or is more configuration needed?
> At least: 
> - jnicrypt64.dll (org.eclipse.equinox.security)
> - win32refresh.dll (org.eclipse.core.resources)
> - localfile_1_0_0.dll (org.eclipse.core.filesystem)
> - jWinHttp-1.0.0.dll (org.eclipse.core.net)

Signing of dlls is expected change they were achieved by making changes to respective build jobs.
The expectation is to sign all dlls used in eclipse environment. 

Thank you for providing list of unsigned dlls. I will sign them shortly.
Comment 69 Eclipse Genie CLA 2019-08-12 04:47:13 EDT 
New Gerrit change created: https://git.eclipse.org/r/147534
Comment 70 Eclipse Genie CLA 2019-08-12 04:47:37 EDT 
New Gerrit change created: https://git.eclipse.org/r/147535
Comment 71 Eclipse Genie CLA 2019-08-12 04:49:51 EDT 
New Gerrit change created: https://git.eclipse.org/r/147536
Comment 75 Sravan Kumar Lakkimsetti CLA 2019-08-19 00:07:53 EDT 
We have a workaround in place for 4.13. Moving to 4.14 as the dependent bugs are not completed yet
Comment 76 Dani Megert CLA 2019-10-16 08:41:56 EDT 
What's the status here?
Comment 77 Sravan Kumar Lakkimsetti CLA 2019-10-17 02:17:23 EDT 
(In reply to Dani Megert from comment #76)
> What's the status here?

We are waiting for Bug 548893 and 548894 to be closed.
Comment 78 Dani Megert CLA 2019-10-17 05:24:13 EDT 
(In reply to Sravan Kumar Lakkimsetti from comment #77)
> (In reply to Dani Megert from comment #76)
> > What's the status here?
> 
> We are waiting for Bug 548893 and 548894 to be closed.
Let's not just "wait". Please push on the other bugs and bring this to an end.
Comment 79 Sravan Kumar Lakkimsetti CLA 2019-12-02 01:22:17 EST 
Moving out of 4.14
Comment 80 Sravan Kumar Lakkimsetti CLA 2020-02-28 01:40:05 EST 
Dependent bugs are not yet worked on. Removing target
Comment 81 Dani Megert CLA 2020-04-18 10:07:13 EDT 
(In reply to Sravan Kumar Lakkimsetti from comment #80)
> Dependent bugs are not yet worked on. Removing target
Please push on this.
Comment 82 Dani Megert CLA 2020-07-13 04:18:07 EDT 
This did not get fully delivered for 4.16. The work continues in plan bug 564820.
Comment 83 Sravan Kumar Lakkimsetti CLA 2020-08-10 00:30:45 EDT 
Complete dthe required work in bug 564820