Bug 572875 and Bug 572878: Sign .jnilib/.dll in production builds

Because the dll/jnilib is modified in place, the natives are qualified
with their build date, rather than their git date as the checked-in
libraries are not signed.

Change-Id: I3078f5040f7ef9590bb4ab5d031dcb29b3c3bdde

10 files changed, 100 insertions, 6 deletions

diff --git a/core/org.eclipse.cdt.core.linux.aarch64/META-INF/MANIFEST.MF b/core/org.eclipse.cdt.core.linux.aarch64/META-INF/MANIFEST.MF
index 0a7de03a046..d09e011644e 100644
--- a/core/org.eclipse.cdt.core.linux.aarch64/META-INF/MANIFEST.MF
+++ b/core/org.eclipse.cdt.core.linux.aarch64/META-INF/MANIFEST.MF
@@ -2,7 +2,7 @@ Manifest-Version: 1.0
 Bundle-ManifestVersion: 2
 Bundle-Name: %fragmentName.linux.aarch64
 Bundle-SymbolicName: org.eclipse.cdt.core.linux.aarch64;singleton:=true
-Bundle-Version: 6.0.100.qualifier
+Bundle-Version: 6.0.200.qualifier
 Bundle-Vendor: %providerName
 Fragment-Host: org.eclipse.cdt.core.native;bundle-version="[6.0.0,7.0.0)"
 Bundle-Localization: plugin
diff --git a/core/org.eclipse.cdt.core.linux.aarch64/pom.xml b/core/org.eclipse.cdt.core.linux.aarch64/pom.xml
index e242537775d..ff4ea053015 100644
--- a/core/org.eclipse.cdt.core.linux.aarch64/pom.xml
+++ b/core/org.eclipse.cdt.core.linux.aarch64/pom.xml
@@ -21,7 +21,7 @@
 		<relativePath>../../pom.xml</relativePath>
 	</parent>
 
-	<version>6.0.100-SNAPSHOT</version>
+	<version>6.0.200-SNAPSHOT</version>
 	<artifactId>org.eclipse.cdt.core.linux.aarch64</artifactId>
 	<packaging>eclipse-plugin</packaging>
 
@@ -58,6 +58,17 @@
 					</execution>
 				</executions>
 			</plugin>
+			<plugin>
+				<groupId>org.eclipse.tycho</groupId>
+				<artifactId>tycho-packaging-plugin</artifactId>
+				<configuration>
+					<!-- When signing binaries, the result is not checked into repo, so the
+						 jgit timestamp provider cannot be used. This has the side effect
+						 that the version of this bundle needs to be incremented on each
+						 CDT release. -->
+					<timestampProvider>default</timestampProvider>
+				</configuration>
+			</plugin>
 		</plugins>
 	</build>
 </project>
diff --git a/core/org.eclipse.cdt.core.linux.ppc64le/META-INF/MANIFEST.MF b/core/org.eclipse.cdt.core.linux.ppc64le/META-INF/MANIFEST.MF
index ae80f5f3d00..e110dd20940 100644
--- a/core/org.eclipse.cdt.core.linux.ppc64le/META-INF/MANIFEST.MF
+++ b/core/org.eclipse.cdt.core.linux.ppc64le/META-INF/MANIFEST.MF
@@ -3,7 +3,7 @@ Bundle-SymbolicName: org.eclipse.cdt.core.linux.ppc64le;singleton:=true
 Bundle-ManifestVersion: 2
 Bundle-Localization: plugin
 Bundle-Name: %fragmentName.linux.ppc64le
-Bundle-Version: 6.0.100.qualifier
+Bundle-Version: 6.0.200.qualifier
 Fragment-Host: org.eclipse.cdt.core.native;bundle-version="[6.0.0,7.0.0)"
 Bundle-Vendor: %providerName
 Eclipse-PlatformFilter: (&(osgi.os=linux)(osgi.arch=ppc64le))
diff --git a/core/org.eclipse.cdt.core.linux.ppc64le/pom.xml b/core/org.eclipse.cdt.core.linux.ppc64le/pom.xml
index dda99c20b4e..f8f8de0ae23 100644
--- a/core/org.eclipse.cdt.core.linux.ppc64le/pom.xml
+++ b/core/org.eclipse.cdt.core.linux.ppc64le/pom.xml
@@ -21,7 +21,7 @@
 		<relativePath>../../pom.xml</relativePath>
 	</parent>
 
-	<version>6.0.100-SNAPSHOT</version>
+	<version>6.0.200-SNAPSHOT</version>
 	<artifactId>org.eclipse.cdt.core.linux.ppc64le</artifactId>
 	<packaging>eclipse-plugin</packaging>
 
@@ -58,6 +58,17 @@
 					</execution>
 				</executions>
 			</plugin>
+			<plugin>
+				<groupId>org.eclipse.tycho</groupId>
+				<artifactId>tycho-packaging-plugin</artifactId>
+				<configuration>
+					<!-- When signing binaries, the result is not checked into repo, so the
+						 jgit timestamp provider cannot be used. This has the side effect
+						 that the version of this bundle needs to be incremented on each
+						 CDT release. -->
+					<timestampProvider>default</timestampProvider>
+				</configuration>
+			</plugin>
 		</plugins>
 	</build>
 </project>
diff --git a/core/org.eclipse.cdt.core.linux.x86_64/META-INF/MANIFEST.MF b/core/org.eclipse.cdt.core.linux.x86_64/META-INF/MANIFEST.MF
index 2a9b6739dd4..d52a8d49ac7 100644
--- a/core/org.eclipse.cdt.core.linux.x86_64/META-INF/MANIFEST.MF
+++ b/core/org.eclipse.cdt.core.linux.x86_64/META-INF/MANIFEST.MF
@@ -2,7 +2,7 @@ Manifest-Version: 1.0
 Bundle-ManifestVersion: 2
 Bundle-Name: %fragmentName.linux.x86_64
 Bundle-SymbolicName: org.eclipse.cdt.core.linux.x86_64;singleton:=true
-Bundle-Version: 6.0.100.qualifier
+Bundle-Version: 6.0.200.qualifier
 Bundle-Vendor: %providerName
 Fragment-Host: org.eclipse.cdt.core.native;bundle-version="[6.0.0,7.0.0)"
 Bundle-Localization: plugin
diff --git a/core/org.eclipse.cdt.core.linux.x86_64/pom.xml b/core/org.eclipse.cdt.core.linux.x86_64/pom.xml
index 8d54d28652a..37d7285985e 100644
--- a/core/org.eclipse.cdt.core.linux.x86_64/pom.xml
+++ b/core/org.eclipse.cdt.core.linux.x86_64/pom.xml
@@ -21,7 +21,7 @@
 		<relativePath>../../pom.xml</relativePath>
 	</parent>
 
-	<version>6.0.100-SNAPSHOT</version>
+	<version>6.0.200-SNAPSHOT</version>
 	<artifactId>org.eclipse.cdt.core.linux.x86_64</artifactId>
 	<packaging>eclipse-plugin</packaging>
 
@@ -58,6 +58,17 @@
 					</execution>
 				</executions>
 			</plugin>
+			<plugin>
+				<groupId>org.eclipse.tycho</groupId>
+				<artifactId>tycho-packaging-plugin</artifactId>
+				<configuration>
+					<!-- When signing binaries, the result is not checked into repo, so the
+						 jgit timestamp provider cannot be used. This has the side effect
+						 that the version of this bundle needs to be incremented on each
+						 CDT release. -->
+					<timestampProvider>default</timestampProvider>
+				</configuration>
+			</plugin>
 		</plugins>
 	</build>
 </project>
diff --git a/core/org.eclipse.cdt.core.macosx/pom.xml b/core/org.eclipse.cdt.core.macosx/pom.xml
index 926e09966ab..c9c3002726b 100644
--- a/core/org.eclipse.cdt.core.macosx/pom.xml
+++ b/core/org.eclipse.cdt.core.macosx/pom.xml
@@ -43,6 +43,17 @@
 					</environments>
 				</configuration>
 			</plugin>
+			<plugin>
+				<groupId>org.eclipse.tycho</groupId>
+				<artifactId>tycho-packaging-plugin</artifactId>
+				<configuration>
+					<!-- When signing binaries, the result is not checked into repo, so the
+						 jgit timestamp provider cannot be used. This has the side effect
+						 that the version of this bundle needs to be incremented on each
+						 CDT release. -->
+					<timestampProvider>default</timestampProvider>
+				</configuration>
+			</plugin>
 		</plugins>
 	</build>
 
diff --git a/core/org.eclipse.cdt.core.native/native_src/Makefile b/core/org.eclipse.cdt.core.native/native_src/Makefile
index 914324a201b..8ba1b06f230 100644
--- a/core/org.eclipse.cdt.core.native/native_src/Makefile
+++ b/core/org.eclipse.cdt.core.native/native_src/Makefile
@@ -66,6 +66,19 @@ clean :
 
 rebuild: clean all
 
+MAC_TO_SIGN=$(OS_DIR_MACOS_X86_64)/libspawner.jnilib \
+	$(OS_DIR_MACOS_X86_64)/libpty.jnilib \
+	$(OS_DIR_MACOS_X86)/libspawner.jnilib \
+	$(OS_DIR_MACOS_X86)/libpty.jnilib
+WIN_TO_SIGN=$(OS_DIR_WIN32_X86_64)/starter.exe \
+	$(OS_DIR_WIN32_X86_64)/spawner.dll \
+	$(OS_DIR_WIN32_X86_64)/pty.dll
+production: $(MAC_TO_SIGN) $(WIN_TO_SIGN)
+	$(foreach tosign,$(MAC_TO_SIGN) $(WIN_TO_SIGN),mv $(tosign) $(tosign)-unsigned &&) true
+	$(foreach tosign,$(MAC_TO_SIGN),curl -o $(tosign) -F file=@$(tosign)-unsigned https://cbi.eclipse.org/macos/codesign/sign &&) true
+	$(foreach tosign,$(WIN_TO_SIGN),curl -o $(tosign) -F file=@$(tosign)-unsigned https://cbi.eclipse.org/authenticode/sign   &&) true
+	$(foreach tosign,$(MAC_TO_SIGN) $(WIN_TO_SIGN),rm $(tosign)-unsigned &&) true
+
 
 # Windows x86_64
 # Windows DLLs have a build timestamp in them. This makes it impossible to have reproducible builds.
diff --git a/core/org.eclipse.cdt.core.native/pom.xml b/core/org.eclipse.cdt.core.native/pom.xml
index df7d025ff41..16d05a8d4f6 100644
--- a/core/org.eclipse.cdt.core.native/pom.xml
+++ b/core/org.eclipse.cdt.core.native/pom.xml
@@ -133,5 +133,31 @@
 				</plugins>
 			</build>
 		</profile>
+		<profile>
+			<id>production</id>
+			<build>
+				<plugins>
+					<plugin>
+						<artifactId>maven-antrun-plugin</artifactId>
+						<executions>
+							<execution>
+								<id>natives</id>
+								<phase>process-resources</phase>
+								<configuration>
+									<target>
+										<exec executable="make" newenvironment="false" failOnError="true" dir="./native_src">
+											<arg value="production" />
+										</exec>
+									</target>
+								</configuration>
+								<goals>
+									<goal>run</goal>
+								</goals>
+							</execution>
+						</executions>
+					</plugin>
+				</plugins>
+			</build>
+		</profile>
 	</profiles>
 </project>
diff --git a/core/org.eclipse.cdt.core.win32.x86_64/pom.xml b/core/org.eclipse.cdt.core.win32.x86_64/pom.xml
index 3e87f42408e..31c937d0409 100644
--- a/core/org.eclipse.cdt.core.win32.x86_64/pom.xml
+++ b/core/org.eclipse.cdt.core.win32.x86_64/pom.xml
@@ -58,6 +58,17 @@
 					</execution>
 				</executions>
 			</plugin>
+			<plugin>
+				<groupId>org.eclipse.tycho</groupId>
+				<artifactId>tycho-packaging-plugin</artifactId>
+				<configuration>
+					<!-- When signing binaries, the result is not checked into repo, so the
+						 jgit timestamp provider cannot be used. This has the side effect
+						 that the version of this bundle needs to be incremented on each
+						 CDT release. -->
+					<timestampProvider>default</timestampProvider>
+				</configuration>
+			</plugin>
 		</plugins>
 	</build>
 </project>