diff --git a/.azure-devops/build/steps/windows/before.yml b/.azure-devops/build/steps/windows/before.yml index ce3f16219..39bf5ecb7 100644 --- a/.azure-devops/build/steps/windows/before.yml +++ b/.azure-devops/build/steps/windows/before.yml @@ -46,9 +46,17 @@ steps: # install cygwin and build dependencies - powershell: | $ProgressPreference = 'SilentlyContinue'; - Invoke-WebRequest -UseBasicParsing 'https://cygwin.com/setup-x86_64.exe' -OutFile '${{ parameters.dependenciesDir }}\cygwin.exe'; - Start-Process -Wait -FilePath '${{ parameters.dependenciesDir }}\cygwin.exe' -ArgumentList '--packages wget,bsdtar,rsync,gnupg,git,autoconf,make,gcc-core,mingw64-x86_64-gcc-core,unzip,zip,cpio,curl,grep,perl --quiet-mode --download --local-install --delete-orphans --site https://mirrors.kernel.org/sourceware/cygwin/ --local-package-dir $(Agent.BuildDirectory)\cygwin_packages --root $(Agent.BuildDirectory)\cygwin64'; - displayName: "[Windows Before] download and install Cygwin" + $DownloadedFile = "${{ parameters.dependenciesDir }}\cygwin.exe"; + $DownloadUrl = 'https://cygwin.com/setup-x86_64.exe'; + $ExpectedChecksum = 'e7815d360ab098fdd1f03f10f43f363c73a632e8866e304c72573cf1e6a0dec8'; + Invoke-WebRequest -UseBasicParsing -Uri $DownloadUrl -OutFile $DownloadedFile; + + # Calculate SHA256 checksum of the downloaded file + $DownloadedChecksum = (Get-FileHash -Path $DownloadedFile -Algorithm SHA256).Hash; + + # Compare calculated checksum with the expected checksum + if ($DownloadedChecksum -eq $ExpectedChecksum) { + Start-Process -Wait -FilePath $DownloadedFile -ArgumentList '--packages wget,bsdtar,rsync,gnupg,git,autoconf,make,gcc-core,mingw64-x86_64-gcc-core,unzip,zip,cpio,curl,grep,perl --quiet-mode --download --local-install --delete-orphans --site # add cygwin bin to PATH - script: | diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 8ea5b0a8e..72133a9a8 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
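Review bot: The pinned `$ExpectedChecksum` is compared against whatever `https://cygwin.com/setup-x86_64.exe` serves, and that URL carries no version. If upstream replaces the installer, the hash stops matching and the outcome depends on the `else` branch, which is not visible on this page (the hunk text is cut after `--site`). That branch should fail the step, for example `Write-Error "Cygwin installer checksum mismatch"; exit 1`, rather than skip the install and let later steps run without Cygwin. A comment beside the hash would help whoever has to refresh it: `# SHA256 of setup-x86_64.exe; update when upstream publishes a new installer`. Cygwin also publishes a detached signature for the installer, and verifying that would survive installer updates where a fixed hash does not.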
@@ -162,7 +162,7 @@ jobs: rm /usr/local/bin/python3-config || true rm /usr/local/bin/python3.11-config || true rm /usr/local/bin/python3.12-config || true - + - name: Install Dependencies run: | brew install automake bash binutils freetype gnu-sed nasm @@ -173,7 +173,7 @@ jobs: java-version: 7 distribution: 'zulu' if: matrix.version.name == 'jdk8u' - + - name: Select correct Xcode (JDK8) if: matrix.version.name == 'jdk8u' run: | @@ -206,7 +206,7 @@ jobs: TARGET_OS: mac FILENAME: OpenJDK.tar.gz JDK7_BOOT_DIR: ${{ steps.setup-java.outputs.path }} - + - uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 name: Collect and Archive Artifacts with: @@ -328,6 +328,19 @@ jobs: curl -L "$env:VS2017_URL" -o "$HOME/vs2017.exe" if: steps.vs2017.outputs.cache-hit != 'true' && matrix.version == 'jdk8u' + - name: Verify Download Of Visual Studio 2017 + shell: powershell + run: | + $expected_checksum="7ED8FA27575648163E07548FF5667B55B95663A2323E2B2A5F87B16284E481E6" + $actual_checksum=(Get-FileHash -Algorithm SHA256 -Path $HOME/vs2017.exe | Select-Object -ExpandProperty Hash) + echo "Expect : $expected_checksum" + echo "Actual : $actual_checksum" + if ($expected_checksum -ne $actual_checksum) { + Write-Output "Error - Checksum Verification Failed - Exiting" + exit 1 + } + if: steps.vs2017.outputs.cache-hit != 'true' && matrix.version == 'jdk8u' + - name: Install Visual Studio 2017 if: matrix.version == 'jdk8u' run: 
> @@ -343,6 +356,19 @@ jobs: curl -L "$env:VS2019_URL" -o "$HOME/vs2019.exe" if: steps.vs2019.outputs.cache-hit != 'true' && (matrix.version == 'jdk11u' || matrix.version == 'jdk17u') + - name: Verify Download Of Visual Studio 2019 + shell: powershell + run: | + $expected_checksum="F29399A618BD3A8D1DCC96D349453F686B6176590D904308402A6402543E310B" + $actual_checksum=(Get-FileHash -Algorithm SHA256 -Path $HOME/vs2019.exe | Select-Object -ExpandProperty Hash) + echo "Expect : $expected_checksum" + echo "Actual : $actual_checksum" + if ($expected_checksum -ne $actual_checksum) { + Write-Output "Error - Checksum Verification Failed - Exiting" + exit 1 + } + if: steps.vs2019.outputs.cache-hit != 'true' && (matrix.version == 'jdk11u' || matrix.version == 'jdk17u') + - name: Install Visual Studio 2019 if: matrix.version == 'jdk11u' || matrix.version == 'jdk17u' run: > diff --git a/build-farm/platform-specific-configurations/linux.sh b/build-farm/platform-specific-configurations/linux.sh index dca182588..104d1a3e0 100755 --- a/build-farm/platform-specific-configurations/linux.sh +++ b/build-farm/platform-specific-configurations/linux.sh 
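Review bot: The new "Verify Download Of Visual Studio 2017" step reuses the download step's condition, `steps.vs2017.outputs.cache-hit != 'true'`, so the hash is skipped whenever the installer comes from the cache. "Install Visual Studio 2017" runs on `matrix.version == 'jdk8u'` alone, so, assuming the cache restores `$HOME/vs2017.exe`, a cached installer is executed without being checked. Dropping the cache test from the verify step, `if: matrix.version == 'jdk8u'`, hashes the file on every run and also covers cache entries saved before this check existed. The VS2019 hunk at `@@ -343,6 +356,19` has the same gap; its verify condition would become `if: matrix.version == 'jdk11u' || matrix.version == 'jdk17u'`. The install steps' `run:` bodies continue outside both hunks.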
@@ -51,14 +51,44 @@ function locateDragonwell8BootJDK() else echo Dragonwell 8 requires a Dragonwell boot JDK - downloading one ... mkdir -p "$PWD/jdk-8" + # if [ "$(uname -m)" = "x86_64" ]; then + # curl -L "https://github.com/alibaba/dragonwell8/releases/download/dragonwell-8.11.12_jdk8u332-ga/Alibaba_Dragonwell_8.11.12_x64_linux.tar.gz" | tar xpzf - --strip-components=1 -C "$PWD/jdk-8" + # elif [ "$(uname -m)" = "aarch64" ]; then + # curl -L "https://github.com/alibaba/dragonwell8/releases/download/dragonwell-8.8.9_jdk8u302-ga/Alibaba_Dragonwell_8.8.9_aarch64_linux.tar.gz" | tar xpzf - --strip-components=1 -C "$PWD/jdk-8" + # else + # echo "Unknown architecture $(uname -m) for building Dragonwell - cannot download boot JDK" + # exit 1 + # fi + ## Secure Dragonwell Downloads By Validating Checksums if [ "$(uname -m)" = "x86_64" ]; then - curl -L "https://github.com/alibaba/dragonwell8/releases/download/dragonwell-8.11.12_jdk8u332-ga/Alibaba_Dragonwell_8.11.12_x64_linux.tar.gz" | tar xpzf - --strip-components=1 -C "$PWD/jdk-8" + DOWNLOAD_URL="https://github.com/alibaba/dragonwell8/releases/download/dragonwell-8.11.12_jdk8u332-ga/Alibaba_Dragonwell_8.11.12_x64_linux.tar.gz" + EXPECTED_SHA256="E03923f200dffddf9eee2aadc0c495674fe0b87cc2eece94a9a8dec84812d12bd" elif [ "$(uname -m)" = "aarch64" ]; then - curl -L "https://github.com/alibaba/dragonwell8/releases/download/dragonwell-8.8.9_jdk8u302-ga/Alibaba_Dragonwell_8.8.9_aarch64_linux.tar.gz" | tar xpzf - --strip-components=1 -C "$PWD/jdk-8" + DOWNLOAD_URL="https://github.com/alibaba/dragonwell8/releases/download/dragonwell-8.8.9_jdk8u302-ga/Alibaba_Dragonwell_8.8.9_aarch64_linux.tar.gz" + EXPECTED_SHA256="ff0594f36d13883972ca0b302d35cca5099f10b8be54c70c091f626e4e308774" else echo "Unknown architecture $(uname -m) for building Dragonwell - cannot download boot JDK" exit 1 fi + # Download the file and calculate its SHA256 checksum + TMP_FILE=$(mktemp) + curl -L "$DOWNLOAD_URL" -o "$TMP_FILE" + + # Calculate the SHA256 
checksum of the downloaded file + ACTUAL_SHA256=$(sha256sum "$TMP_FILE" | awk '{print $1}') + + # Compare the actual and expected SHA256 checksums + if [ "$ACTUAL_SHA256" != "$EXPECTED_SHA256" ]; then + echo "Checksum verification failed for downloaded file!" + rm "$TMP_FILE" + exit 1 + fi + + # Extract the downloaded file + tar xpzf "$TMP_FILE" --strip-components=1 -C "$PWD/jdk-8" + + # Clean up the temporary file + rm "$TMP_FILE" export "${BOOT_JDK_VARIABLE}"="$PWD/jdk-8" fi } @@ -333,7 +363,7 @@ if [[ "${CONFIGURE_ARGS}" =~ .*"--with-devkit=".* ]]; then echo "Using gcc from DevKit toolchain specified in configure args" elif [[ "${BUILD_ARGS}" =~ .*"--use-adoptium-devkit".* ]]; then echo "Using gcc from Adoptium DevKit toolchain specified in --use-adoptium-devkit build args" -else +else if [ "${VARIANT}" == "${BUILD_VARIANT_DRAGONWELL}" ] && [ "$JAVA_FEATURE_VERSION" -eq 11 ] && [ -r /usr/local/gcc9/ ] && [ "${ARCHITECTURE}" == "aarch64" ]; then # GCC9 rather than 10 requested by Alibaba for now # Ref https://github.com/adoptium/temurin-build/issues/2250#issuecomment-732958466 diff --git a/docker/buildDocker.sh b/docker/buildDocker.sh index 5740d931c..4b23447b8 100755 --- a/docker/buildDocker.sh +++ b/docker/buildDocker.sh @@ -129,6 +129,13 @@ useEclipseOpenJ9DockerFiles() mkdir -p "$dockerfileDir" cd "$dockerfileDir" || { echo "Dockerfile directory ($dockerfileDir) was not found"; exit 3; } getFile https://raw.githubusercontent.com/eclipse-openj9/openj9/master/buildenv/docker/mkdocker.sh mkdocker.sh + MKDOCK_SHA="a09a00c2beb9c53985b4c3ed6fb62825d90808775941ab56417bef75a575be55" + mkd_downloaded_sha=$(sha256sum mkdocker.sh | awk '{print $1}') + if [ "$mkd_downloaded_sha" != "$MKDOCK_SHA" ]; then + echo "ERROR: SHA256 checksum mismatch for mkdocker.sh" + exit 1 + fi + chmod +x mkdocker.sh # Generate an Ubuntu1804 Dockerfile using mkdocker.sh "$dockerfileDir/mkdocker.sh" --dist=ubuntu --version=18 --print >> "$dockerfileDir/Dockerfile" 
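Review bot: The x86_64 `EXPECTED_SHA256` is 65 characters long and starts with an uppercase `E`, while `sha256sum` prints 64 lowercase hex digits. The `!=` test therefore never matches, and every x86_64 Dragonwell 8 boot JDK download ends in "Checksum verification failed". The aarch64 value is the expected 64 characters. The x86_64 value looks like it picked up a stray leading character, but it should be recomputed from the release asset, or taken from the publisher's checksum, rather than trimmed by hand. The commented-out copy of the old `curl | tar` block can go, since history already keeps it. `locateDragonwell8BootJDK` begins outside the hunk.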
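Review bot: `MKDOCK_SHA` pins one exact revision of mkdocker.sh, but the `getFile` line just above still fetches it from the `master` branch. The next upstream edit to that script makes this check fail, and the likely response is to refresh the hash without reviewing what changed. Fetching from the commit the hash was taken from keeps the two in step: `getFile https://raw.githubusercontent.com/eclipse-openj9/openj9/<commit-sha>/buildenv/docker/mkdocker.sh mkdocker.sh`, where `<commit-sha>` is a placeholder for that revision. A comment naming the commit next to `MKDOCK_SHA` would record it. `useEclipseOpenJ9DockerFiles` begins and ends outside the hunk.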
diff --git a/tooling/reproducible/linux_repro_build_compare.sh b/tooling/reproducible/linux_repro_build_compare.sh index b25407e9a..7651ac753 100755 --- a/tooling/reproducible/linux_repro_build_compare.sh +++ b/tooling/reproducible/linux_repro_build_compare.sh @@ -21,7 +21,9 @@ set -e SBOM_PARAM=$1 JDK_PARAM=$2 ANT_VERSION=1.10.5 +ANT_SHA=9028e2fc64491cca0f991acc09b06ee7fe644afe41d1d6caf72702ca25c4613c ANT_CONTRIB_VERSION=1.0b3 +ANT_CONTRIB_SHA=4d93e07ae6479049bb28071b069b7107322adaee5b70016674a0bffd4aac47f9 isJdkDir=false installPrereqs() { @@ -31,8 +33,17 @@ installPrereqs() { yum install -y git bzip2 xz openssl pigz which jq # pigz/which not strictly needed but help in final compression if grep -i release.6 /etc/redhat-release; then if [ ! -r /usr/local/bin/autoconf ]; then - curl https://ftp.gnu.org/gnu/autoconf/autoconf-2.69.tar.gz | tar xpfz - || exit 1 - (cd autoconf-2.69 && ./configure --prefix=/usr/local && make install) + curl --output ./autoconf-2.69.tar.gz https://ftp.gnu.org/gnu/autoconf/autoconf-2.69.tar.gz + ACSHA256=954bd69b391edc12d6a4a51a2dd1476543da5c6bbf05a95b59dc0dd6fd4c2969 + ACCHKSHA=$(sha256sum ./autoconf-2.69.tar.gz|cut -d" " -f1) + if [ "$ACSHA256" = "$ACCHKSHA" ]; then + echo "Hi" + tar xpfz ./autoconf-2.69.tar.gz || exit 1 + (cd autoconf-2.69 && ./configure --prefix=/usr/local && make install) + else + echo "ERROR - Checksum For AutoConf Download Is Incorrect" + exit 1; + fi fi fi fi 
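Review bot: `echo "Hi"` in the success branch of the autoconf check is leftover debug output and should be removed. The downloaded `./autoconf-2.69.tar.gz` now stays in the working directory after extraction, and also after a mismatch; adding `rm -f ./autoconf-2.69.tar.gz` on both paths avoids leaving a rejected archive on disk. `ACSHA256` would read better next to `ANT_SHA` and `ANT_CONTRIB_SHA`, which the first hunk of this file adds at the top, so that all pinned hashes are in one place. `installPrereqs` begins outside the hunk.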
@@ -40,15 +51,27 @@ installPrereqs() { # ant required for --create-sbom downloadAnt() { - if [ ! -r /usr/local/apache-ant-${ANT_VERSION}/bin/ant ]; then - echo Downloading ant for SBOM creation: - curl https://archive.apache.org/dist/ant/binaries/apache-ant-${ANT_VERSION}-bin.zip > /tmp/apache-ant-${ANT_VERSION}-bin.zip - (cd /usr/local && unzip -qn /tmp/apache-ant-${ANT_VERSION}-bin.zip) - rm /tmp/apache-ant-${ANT_VERSION}-bin.zip - echo Downloading ant-contrib-${ANT_CONTRIB_VERSION}: - curl -L https://sourceforge.net/projects/ant-contrib/files/ant-contrib/${ANT_CONTRIB_VERSION}/ant-contrib-${ANT_CONTRIB_VERSION}-bin.zip > /tmp/ant-contrib-${ANT_CONTRIB_VERSION}-bin.zip - (unzip -qnj /tmp/ant-contrib-${ANT_CONTRIB_VERSION}-bin.zip ant-contrib/ant-contrib-${ANT_CONTRIB_VERSION}.jar -d /usr/local/apache-ant-${ANT_VERSION}/lib) - rm /tmp/ant-contrib-${ANT_CONTRIB_VERSION}-bin.zip + if [ ! -r "/usr/local/apache-ant-${ANT_VERSION}/bin/ant" ]; then + echo "Downloading ant for SBOM creation..." + curl -o "/tmp/apache-ant-${ANT_VERSION}-bin.zip" "https://archive.apache.org/dist/ant/binaries/apache-ant-${ANT_VERSION}-bin.zip" + ANTCHKSHA=$(sha256sum "/tmp/apache-ant-${ANT_VERSION}-bin.zip" | cut -d" " -f1) + if [ "$ANT_SHA" = "$ANTCHKSHA" ]; then + (cd /usr/local && unzip -qn "/tmp/apache-ant-${ANT_VERSION}-bin.zip") + rm "/tmp/apache-ant-${ANT_VERSION}-bin.zip" + else + echo "ERROR - Checksum for Ant download is incorrect" + exit 1 + fi + echo "Downloading ant-contrib-${ANT_CONTRIB_VERSION}..." 
+ curl -Lo "/tmp/ant-contrib-${ANT_CONTRIB_VERSION}-bin.zip" "https://sourceforge.net/projects/ant-contrib/files/ant-contrib/${ANT_CONTRIB_VERSION}/ant-contrib-${ANT_CONTRIB_VERSION}-bin.zip" + ANTCTRCHKSHA=$(sha256sum "/tmp/ant-contrib-${ANT_CONTRIB_VERSION}-bin.zip" | cut -d" " -f1) + if [ "$ANT_CONTRIB_SHA" = "$ANTCTRCHKSHA" ]; then + (unzip -qnj "/tmp/ant-contrib-${ANT_CONTRIB_VERSION}-bin.zip" "ant-contrib/ant-contrib-${ANT_CONTRIB_VERSION}.jar" -d "/usr/local/apache-ant-${ANT_VERSION}/lib") + rm "/tmp/ant-contrib-${ANT_CONTRIB_VERSION}-bin.zip" + else + echo "ERROR - Checksum for Ant Contrib download is incorrect" + exit 1 + fi fi }
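Review bot: Both archives in `downloadAnt` are written to fixed names under `/tmp`, hashed there and then unzipped from the same path, so the check and the use are separate reads of a file in a world-writable directory. On a shared build host another local user could pre-create that path or change the file between `sha256sum` and `unzip`. The Dragonwell change in this same commit already uses `mktemp`; the same approach works here, e.g. `ANT_TMP=$(mktemp -d)` with downloads going to `"$ANT_TMP/apache-ant-${ANT_VERSION}-bin.zip"` and the directory removed afterwards. The mismatch branches also `exit 1` without deleting the rejected zip. Separately, if the ant-contrib check fails after Ant has been unpacked, a later run skips the whole block because the `bin/ant` guard is already satisfied, leaving ant-contrib uninstalled.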