Merged
59 changes: 34 additions & 25 deletions .github/workflows/ci_release.yml
Expand Up @@ -72,28 +72,41 @@ jobs:
echo "Using certificate chain file"
fi

# Find and sign JAR files using jarsigner with Jsign's JCA provider
find releng/com.espressif.idf.update/target/repository -type f -name "*.jar" | while read -r file; do
echo "Signing JAR: $file"

jarsigner \
-J-cp -Jjsign-7.4.jar \
-J--add-modules -Jjava.sql \
-providerClass net.jsign.jca.JsignJcaProvider \
-providerArg "${{ secrets.AZURE_KEYVAULT_URI }}" \
-keystore NONE \
-storetype AZUREKEYVAULT \
-storepass "$AZURE_TOKEN" \
-tsa http://timestamp.digicert.com \
$CERTCHAIN_ARG \
"$file" \
"${{ secrets.AZURE_KEYVAULT_CERT_NAME }}"

if [ $? -eq 0 ]; then
echo "Successfully signed: $file"
REPO_DIR="releng/com.espressif.idf.update/target/repository"
SIGFILE="ECLIPSE"

echo "Signing IDF plugin JARs in $REPO_DIR..."
echo "Only signing JARs matching com.espressif.* pattern..."

find "$REPO_DIR" -type f -name "*.jar" | while read -r file; do
if [[ "$file" =~ (plugins|features)/com\.espressif\. ]]; then
echo "Signing IDF plugin/feature JAR: $file"

jarsigner \
-J-cp -Jjsign-7.4.jar \
-J--add-modules -Jjava.sql \
-providerClass net.jsign.jca.JsignJcaProvider \
-providerArg "${{ secrets.AZURE_KEYVAULT_URI }}" \
-keystore NONE \
-storetype AZUREKEYVAULT \
-storepass "$AZURE_TOKEN" \
-sigfile "$SIGFILE" \
-digestalg SHA-256 \
-tsa http://timestamp.digicert.com \
$CERTCHAIN_ARG \
-certs \
-verbose \
"$file" \
"${{ secrets.AZURE_KEYVAULT_CERT_NAME }}"

if [ $? -eq 0 ]; then
echo "Successfully signed: $file"
else
echo "Failed to sign: $file"
exit 1
fi
else
echo "Failed to sign: $file"
exit 1
echo "Skipping non-IDF JAR: $file"
fi
done
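Review bot: the `exit 1` after `echo "Failed to sign: $file"` runs inside the subshell that the `find ... | while read -r file` pipeline creates, so it ends the loop but not the step; whether the step fails then depends on the pipeline's status being acted on (the whole pipeline's status is the `while` subshell's, which GitHub's default `bash -e` does act on), not on the `exit 1` itself, and nothing at all fails when `find` returns no JARs, so a wrong `REPO_DIR` or a regex that matches nothing produces a green step and an unsigned repository. Feed the loop with `done < <(find "$REPO_DIR" -type f -name "*.jar")`, count the signed files, and `exit 1` after `done` when the count is zero. The `[ $? -eq 0 ]` test directly follows the jarsigner command with nothing in between, so it does reflect jarsigner's status; it could still be folded into `jarsigner ... || { echo "Failed to sign: $file"; exit 1; }`. Two smaller points: `$CERTCHAIN_ARG` is expanded unquoted, which only works while the chain file path contains no whitespace, and `-storepass "$AZURE_TOKEN"` places the Key Vault token in jarsigner's argument list, where `ps` on the runner can read it; jarsigner can take it from the environment with `-storepass:env AZURE_TOKEN` instead.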
Comment on lines +81 to 111
⚠️ Potential issue | 🔴 Critical

Critical: Error handling broken in piped loop—signing failures won't fail the workflow.

The find ... | while read pattern creates a subshell. The exit 1 on line 106 exits the subshell, not the parent workflow step, so signing failures silently succeed. Additionally, $? -eq 0 on line 102 evaluates the exit status of the preceding echo command (due to piping), not the jarsigner command.

Restructure the loop to properly propagate errors:

- find "$REPO_DIR" -type f -name "*.jar" | while read -r file; do
-   if [[ "$file" =~ (plugins|features)/com\.espressif\. ]]; then
-     echo "Signing IDF plugin/feature JAR: $file"
-     
-     jarsigner \
-       -J-cp -Jjsign-7.4.jar \
-       -J--add-modules -Jjava.sql \
-       -providerClass net.jsign.jca.JsignJcaProvider \
-       -providerArg "${{ secrets.AZURE_KEYVAULT_URI }}" \
-       -keystore NONE \
-       -storetype AZUREKEYVAULT \
-       -storepass "$AZURE_TOKEN" \
-       -sigfile "$SIGFILE" \
-       -digestalg SHA-256 \
-       -tsa http://timestamp.digicert.com \
-       $CERTCHAIN_ARG \
-       -certs \
-       -verbose \
-       "$file" \
-       "${{ secrets.AZURE_KEYVAULT_CERT_NAME }}"
-     
-     if [ $? -eq 0 ]; then
-       echo "Successfully signed: $file"
-     else
-       echo "Failed to sign: $file"
-       exit 1
-     fi
-   else
-     echo "Skipping non-IDF JAR: $file"
-   fi
- done
+ set -e
+ while IFS= read -r file; do
+   if [[ "$file" =~ (plugins|features)/com\.espressif\. ]]; then
+     echo "Signing IDF plugin/feature JAR: $file"
+     
+     jarsigner \
+       -J-cp -Jjsign-7.4.jar \
+       -J--add-modules -Jjava.sql \
+       -providerClass net.jsign.jca.JsignJcaProvider \
+       -providerArg "${{ secrets.AZURE_KEYVAULT_URI }}" \
+       -keystore NONE \
+       -storetype AZUREKEYVAULT \
+       -storepass "$AZURE_TOKEN" \
+       -sigfile "$SIGFILE" \
+       -digestalg SHA-256 \
+       -tsa http://timestamp.digicert.com \
+       $CERTCHAIN_ARG \
+       -certs \
+       -verbose \
+       "$file" \
+       "${{ secrets.AZURE_KEYVAULT_CERT_NAME }}" || { echo "Failed to sign: $file"; exit 1; }
+     
+     echo "Successfully signed: $file"
+   else
+     echo "Skipping non-IDF JAR: $file"
+   fi
+ done < <(find "$REPO_DIR" -type f -name "*.jar")
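Review bot: the suggested loop still succeeds when `find` returns nothing; `while IFS= read -r file` over an empty process substitution runs zero iterations and the step ends green with no signed JAR. Add a counter incremented after `echo "Successfully signed: $file"` and `exit 1` after `done` when it is zero. `set -e` adds nothing to the loop, since `|| { echo "Failed to sign: $file"; exit 1; }` already handles the one command that matters, and it changes how the rest of the `run:` block behaves, so either drop it or place it deliberately at the top of the block.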

This uses process substitution < <(...) to avoid subshell context and set -e with inline error handling to ensure failures propagate.

🤖 Prompt for AI Agents
.github/workflows/ci_release.yml around lines 81 to 111: the current "find ... |
while read" pipeline runs the loop in a subshell so any "exit 1" or failures
inside won't stop the parent job, and the "$? -eq 0" check after the echo
inspects the echo's exit status instead of jarsigner's. Replace the piped loop
with a loop that reads from process substitution (or otherwise avoids a
subshell) so exits propagate to the parent, and check jarsigner's exit
immediately (or use "set -e" plus "|| exit 1") right after the jarsigner
invocation instead of using "$?" after an intervening command; ensure signing
failures call "exit 1" in the same shell and that logs reflect jarsigner's
actual exit code.
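To make the subshell behaviour described in the comment concrete, and to add the "nothing was signed" check that neither loop has, here is an added example that is not code from the PR or from the review bot. It assumes a constructed `sign_jar` function as a stand-in for the jarsigner call, uses a here-document filled by command substitution instead of bash's `< <(...)` so it also runs under POSIX sh, and filters with a `case` pattern instead of the `[[ =~ ]]` regex.

```shell
# Added example (not code from the PR or the review bot). sign_jar is a
# constructed stand-in for the jarsigner call: it "signs" a JAR by creating
# a .sig marker next to it and fails for any file whose name contains "bad".
sign_jar() {
  case "$1" in *bad*) return 1 ;; esac
  : > "$1.sig"
}

# Shape of the original loop: the pipe runs the while body in a subshell, so
# "exit 1" ends only that subshell; the function carries on and reports success.
sign_piped() {
  find "$1" -type f -name '*.jar' | while read -r f; do
    sign_jar "$f" || { echo "Failed to sign: $f"; exit 1; }
  done
  echo "Signing finished"
  return 0
}

# Fixed loop: a here-document filled by command substitution (portable
# equivalent of bash's < <(find ...)) keeps the loop in the current shell, so
# a failure returns from the function, and a run that signed nothing fails too.
sign_checked() {
  dir=$1; signed=0
  while read -r f; do
    [ -n "$f" ] || continue
    case "$f" in
      */plugins/com.espressif.*|*/features/com.espressif.*) ;;
      *) echo "Skipping non-IDF JAR: $f"; continue ;;
    esac
    sign_jar "$f" || { echo "Failed to sign: $f"; return 1; }
    signed=$((signed + 1))
    echo "Successfully signed: $f"
  done <<EOF
$(find "$dir" -type f -name '*.jar')
EOF
  [ "$signed" -gt 0 ] || { echo "No JARs signed under $dir"; return 2; }
  echo "Signed $signed JAR(s)"
}
```

Running both functions against a directory that contains one failing JAR shows the difference: `sign_piped` returns 0 despite the failure, `sign_checked` returns 1, and an empty directory makes `sign_checked` return 2.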


Expand All @@ -112,17 +125,13 @@ jobs:
env:
MAVEN_OPTS: "-Djdk.xml.maxGeneralEntitySizeLimit=0 -Djdk.xml.maxParameterEntitySizeLimit=0 -Djdk.xml.totalEntitySizeLimit=0 -Djdk.xml.entityExpansionLimit=0"
run: |
# Regenerate P2 metadata to update hashes for signed JARs
# This ensures the SHA-512 hashes in metadata match the signed JAR files
# Use Tycho's fix-artifacts-metadata goal to update metadata without rebuilding artifacts
REPO_DIR="releng/com.espressif.idf.update/target/repository"

echo "Updating P2 metadata for signed JARs in $REPO_DIR..."
mvn -f releng/com.espressif.idf.update/pom.xml \
org.eclipse.tycho:tycho-p2-repository-plugin:fix-artifacts-metadata \
-DrepositoryPath="$REPO_DIR" \
-DskipTests=true || \
# Fallback: try without explicit path (auto-detect)
mvn -f releng/com.espressif.idf.update/pom.xml \
org.eclipse.tycho:tycho-p2-repository-plugin:fix-artifacts-metadata \
-DskipTests=true
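Review bot: the `||` fallback hides which invocation produced the metadata. If the first `mvn` run fails for any reason other than `-DrepositoryPath`, the second run, which auto-detects the path, can still succeed and the log never records that a fallback happened. Make the retry explicit and announce it, e.g. `if ! mvn ... -DrepositoryPath="$REPO_DIR" -DskipTests=true; then echo "retrying fix-artifacts-metadata without -DrepositoryPath"; mvn ...; fi`, or drop the fallback if the explicit path is known to work. The trailing `\` on `-DskipTests=true || \` joins the `# Fallback` comment line onto the command; bash accepts a newline after `||`, so it runs, but the continuation reads as if the comment were part of the command, so remove it. The `-Djdk.xml.*Limit=0` values in `MAVEN_OPTS` disable the XML entity-expansion limits for this Maven run; a comment next to them stating why the p2 metadata needs that would help the next reader judge whether the setting is still required.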