From 365d87a6499ca3bd1d40f4d42d031b9701f8d541 Mon Sep 17 00:00:00 2001
From: Alex Boyko <alex.boyko@broadcom.com>
Date: Thu, 7 Nov 2024 00:57:53 -0500
Subject: [PATCH] Tpe win sign (#1399)

* [GHA] TPE signing service adoption

* [GHA] yaml syntax error

* [GHA] corrections

* [GHA] corrections

* [GHA] correct wait times

* [GHA] correct aws s3 command

* [GHA] wrap up

* [GHA] polish up
---
 .github/scripts/sign-exe-in-zip-file.sh       |  2 +-
 .github/scripts/sign-exe.sh                   | 26 +++++++++++--------
 .../gh-hosted-eclipse-distro-build.yml        | 20 +++-----------
 3 files changed, 20 insertions(+), 28 deletions(-)

diff --git a/.github/scripts/sign-exe-in-zip-file.sh b/.github/scripts/sign-exe-in-zip-file.sh
index a91ea7eeab..6021e41d32 100755
--- a/.github/scripts/sign-exe-in-zip-file.sh
+++ b/.github/scripts/sign-exe-in-zip-file.sh
@@ -18,7 +18,7 @@ echo "Successfully extracted ${filename}"
 sts_folder=`find ./${destination_folder_name} -maxdepth 1 -type d -name 'sts-*' -print -quit`
 echo "Found STS distro folder: ${sts_folder}"
 echo "About to sign win exe file: ${sts_folder}/SpringToolSuite4.exe (id = ${id})"
-$sign_script ${sts_folder}/SpringToolSuite4.exe ${sts_folder}/SpringToolSuite4.exe $id
+$sign_script ${sts_folder}/SpringToolSuite4.exe ${sts_folder}/SpringToolSuite4.exe "${id}-${filename%.*}" 30 900
 echo "Adding to zip contents of a folder ${destination_folder_name}"
 cd ${destination_folder_name}
 zip -r -q ../$file .
diff --git a/.github/scripts/sign-exe.sh b/.github/scripts/sign-exe.sh
index ef2c209bde..997e3f7d35 100755
--- a/.github/scripts/sign-exe.sh
+++ b/.github/scripts/sign-exe.sh
@@ -2,17 +2,21 @@ set -e
 in_file=$1
 out_file=$2
 id=$3
+wait_time=$4
+timeout=$5
 
 in_filename="$(basename -- $in_file)"
-echo "Setting up folder ${id} on the remote machine"
-ssh -i $SSH_KEY $SSH_USER@vm-tools.spring.vmware.com -- mkdir /opt/bamboo/$id
-echo "Copying $in_filename to remote machine into /opt/bamboo/${id}..."
-scp -i $SSH_KEY $in_file $SSH_USER@vm-tools.spring.vmware.com:/opt/bamboo/$id
-echo "Signing $in_filename..."
-ssh -i $SSH_KEY $SSH_USER@vm-tools.spring.vmware.com -- /build/apps/signing/signserver/signc -v --input=/opt/bamboo/$id/$in_filename --keyid=authenticode_SHA2 --signmethod="winddk-8.1" --output=/opt/bamboo/$id/$in_filename --hash sha256
-echo "Copying **signed** $in_filename back... (into $out_file)"
-scp -i $SSH_KEY $SSH_USER@vm-tools.spring.vmware.com:/opt/bamboo/$id/$in_filename $out_file
-echo "Cleaning up remote machine..."
-ssh -i $SSH_KEY $SSH_USER@vm-tools.spring.vmware.com -- rm -rf /opt/bamboo/$id
-echo "Successfully signed $in_filename"
+echo "Copying ${in_file} to s3 s3://${AWS_S3_BUCKET}/exes-to-sign/${id}.exe for signing"
+aws s3 cp $in_file s3://$AWS_S3_BUCKET/exes-to-sign/$id.exe --no-progress
+for (( i=wait_time; i<timeout; i+=wait_time )) ; {
+  sleep $wait_time
+  object_exists=$(aws s3api head-object --bucket $CDN_BUCKET --key spring-tools/exes-signed/$id.exe || true)
+  if [ -z "$object_exists" ]; then
+    echo "Waited ${i} seconds but ${in_filename} hasn't been signed yet..."
+  else
+    echo "Successfully signed file ${in_filename}"
+    break
+  fi
+}
+aws s3 mv s3://$AWS_S3_BUCKET/exes-signed/$id.exe $out_file --no-progress
 
diff --git a/.github/workflows/gh-hosted-eclipse-distro-build.yml b/.github/workflows/gh-hosted-eclipse-distro-build.yml
index 645971eae5..447716dbcb 100644
--- a/.github/workflows/gh-hosted-eclipse-distro-build.yml
+++ b/.github/workflows/gh-hosted-eclipse-distro-build.yml
@@ -34,6 +34,7 @@ env:
   AWS_ENDPOINT_URL_S3:  ${{ secrets.CDN_S3_ENDPOINT }}
   AWS_S3_BUCKET: ${{ secrets.CDN_BUCKET }}/spring-tools
   DOWNLOAD_URL_ROOT: https://cdn.spring.io/spring-tools
+  CDN_BUCKET: ${{ secrets.CDN_BUCKET }}
 
 jobs:
 
@@ -146,17 +147,15 @@ jobs:
       - name: Upload Win Zip to S3 for Signing via JFrog
         run: |
           aws s3 rm s3://$AWS_S3_BUCKET/sts4-distro-win-sign/${{ inputs.eclipse_profile }} --recursive --exclude "*" --include "spring-tool-suite-4*win*.zip" --exclude "*/*"
-          aws s3 cp ${{ github.workspace }}/eclipse-distribution/org.springframework.boot.ide.product.${{ inputs.eclipse_profile }}/target/products s3://$AWS_S3_BUCKET/sts4-distro-win-sign/${{ inputs.eclipse_profile }} --recursive --exclude "*" --include "spring-tool-suite-4*win*.zip" --exclude "*/*" --no-progress
     outputs:
       id: ${{ inputs.eclipse_profile }}-${{ inputs.build_type }}-${{ github.run_id }}
       dist_path: ${{ steps.s3-paths.outputs.dist_path }}
       p2_path: ${{ steps.s3-paths.outputs.p2_path }}
       version: ${{ steps.project-version.outputs.version }}
 
-
   sign-win-distros:
     needs: [ eclipse-distro-build ]
-    runs-on: [ self-hosted, Linux ]
+    runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
         with:
@@ -167,17 +166,14 @@ jobs:
           rm -f spring-tool-suite-4*win*.zip*
           rm -f spring-tool-suite-4*win*.self-extracting.jar*
           ls
-          aws s3 mv s3://$AWS_S3_BUCKET/sts4-distro-ci-temp/${{ needs.eclipse-distro-build.outputs.id }} . --recursive --exclude "*" --include "spring-tool-suite-4*win*.zip*" --exclude "*/*"
+          aws s3 mv s3://$AWS_S3_BUCKET/sts4-distro-ci-temp/${{ needs.eclipse-distro-build.outputs.id }} . --recursive --exclude "*" --include "spring-tool-suite-4*win*.zip*" --exclude "*/*" --no-progress
       - name: Sign EXE within zip files
         id: sign
-        env:
-          SSH_KEY: ~/.ssh/id_rsa
-          SSH_USER: signer
         run: |
           files=`ls spring-tool-suite-4*win*.zip`
           for file in $files
           do
-            ${{ github.workspace }}/.github/scripts/sign-exe-in-zip-file.sh $file ${{ github.workspace }}/.github/scripts/sign-exe.sh ${{ github.workspace }}/.github/scripts/self-extracting-jar-creator.jar ${{ needs.eclipse-distro-build.outputs.id }}
+            ${{ github.workspace }}/.github/scripts/sign-exe-in-zip-file.sh $file ${{ github.workspace }}/.github/scripts/sign-exe.sh ${{ github.workspace }}/.github/scripts/self-extracting-jar-creator.jar ${{ github.run_id }}
           done
       - name: Update Win zip/jar on S3
         id: update-s3
@@ -196,14 +192,6 @@ jobs:
           eclipse_profile=${{ inputs.eclipse_profile }}
           eclipse_version=${eclipse_profile:0:2}.${eclipse_profile:2}
           ${{ github.workspace }}/.github/scripts/update-distro-download-page.sh $dist_path $eclipse_version ${{ inputs.build_type }} $AWS_S3_BUCKET $DOWNLOAD_URL_ROOT
-      - name: Cleanup
-        if: ${{ always() }}
-        env:
-          SSH_KEY: ~/.ssh/id_rsa
-          SSH_USER: signer
-        run: |
-          ssh -i $SSH_KEY $SSH_USER@vm-tools.spring.vmware.com -- rm -rf /opt/bamboo/${{ needs.eclipse-distro-build.outputs.id }}
-          rm -rf *spring-tool-suite-4*win*
 
   sign-osx-distros:
     needs: [ eclipse-distro-build ]