Add Digital Signature to DLLs in Maven Build (microsoft#22401)

idiskyle · Ishwar Raut · commit 92190620412e · 2024-11-19T06:38:21.000-08:00
### Description * Add digital signature to dll files in jar files. * Jar file names: onnxruntime-{version}.jar, onnxruntime_gpu-{version}.jar ### Motivation and Context microsoft#19204
diff --git a/tools/ci_build/github/azure-pipelines/stages/java-cuda-packaging-stage.yml b/tools/ci_build/github/azure-pipelines/stages/java-cuda-packaging-stage.yml
@@ -58,6 +58,11 @@ stages:
         showWarnings: true
         workingDirectory: '$(Build.BinariesDirectory)\java-artifact'
 
+    - template: ../templates/jar-esrp-dll.yml
+      parameters:
+        JarFileDirectory: '$(Build.BinariesDirectory)\java-artifact\onnxruntime-java-win-x64'
+        JarFileName: 'onnxruntime_gpu-$(OnnxRuntimeVersion).jar'
+
     - template: ../templates/jar-maven-signing-win.yml
       parameters:
         JarFileDirectory: '$(Build.BinariesDirectory)\java-artifact\onnxruntime-java-win-x64'
diff --git a/tools/ci_build/github/azure-pipelines/templates/c-api-cpu.yml b/tools/ci_build/github/azure-pipelines/templates/c-api-cpu.yml
@@ -260,6 +260,11 @@ stages:
         showWarnings: true
         workingDirectory: '$(Build.BinariesDirectory)\java-artifact'
 
+    - template: jar-esrp-dll.yml
+      parameters:
+        JarFileDirectory: '$(Build.BinariesDirectory)\java-artifact\onnxruntime-java-win-x64'
+        JarFileName: 'onnxruntime-$(OnnxRuntimeVersion).jar'
+
     - template: jar-maven-signing-win.yml
       parameters:
         JarFileDirectory: '$(Build.BinariesDirectory)\java-artifact\onnxruntime-java-win-x64'
diff --git a/tools/ci_build/github/azure-pipelines/templates/jar-esrp-dll.yml b/tools/ci_build/github/azure-pipelines/templates/jar-esrp-dll.yml
@@ -0,0 +1,30 @@
+parameters:
+- name: JarFileDirectory
+  type: string
+  default: ''
+
+- name: JarFileName
+  type: string
+  default: ''
+
+steps:
+  - task: PowerShell@2
+    displayName: 'ESRP Jar - Extract Jar File'
+    inputs:
+      targetType: filePath
+      filePath: $(Build.SourcesDirectory)\tools\ci_build\github\windows\jar_esrp_dll.ps1
+      arguments: extract '${{ parameters.JarFileDirectory }}' '${{ parameters.JarFileName }}'
+      workingDirectory: '$(Build.BinariesDirectory)'
+
+  - template: win-esrp-dll.yml
+    parameters:
+      FolderPath: '${{ parameters.JarFileDirectory }}\jar_extracted_full_files'
+      DisplayName: 'ESRP Jar - Sign Dlls'
+
+  - task: PowerShell@2
+    displayName: 'ESRP Jar - Repack Jar File'
+    inputs:
+      targetType: filePath
+      filePath: $(Build.SourcesDirectory)\tools\ci_build\github\windows\jar_esrp_dll.ps1
+      arguments: repack '${{ parameters.JarFileDirectory }}' '${{ parameters.JarFileName }}'
+      workingDirectory: '$(Build.BinariesDirectory)'
diff --git a/tools/ci_build/github/windows/jar_esrp_dll.ps1 b/tools/ci_build/github/windows/jar_esrp_dll.ps1
@@ -0,0 +1,41 @@
+$instruction = $args[0] # extract or repack
+$original_jar_file_directory = $args[1] # The directory where the original jar file is located
+$original_jar_file_name = $args[2] # The name of the original jar file
+
+$original_jar_file_full_path = "$original_jar_file_directory\$original_jar_file_name"
+$extracted_file_directory = "$original_jar_file_directory\jar_extracted_full_files"
+
+if ($instruction -eq "extract") {
+    Write-Host "Extracting the jar file $original_jar_file_full_path..."
+    & 7z x $original_jar_file_full_path -o"$extracted_file_directory"
+    if ($lastExitCode -ne 0) {
+        Write-Host -Object "7z extracting the jar file command failed. Exitcode: $exitCode"
+        exit $lastExitCode
+    }
+    Write-Host "Extracted files directory: $extracted_file_directory"
+
+    Write-Host "Removing the original jar file..."
+    Remove-Item -Path "$original_jar_file_full_path" -Force
+    Write-Host "Removed the original jar file."
+}
+elseif ($instruction -eq "repack") {
+    Write-Host "Removing ESRP's CodeSignSummary file..."
+    # It is the summary generated by ESRP tool. It is not needed in the jar file.
+    Remove-Item -Path "$extracted_file_directory/CodeSignSummary*.*" -Force
+    Write-Host "Removed ESRP's CodeSignSummary file."
+
+    Write-Host "Repacking the jar file from directory $extracted_file_directory..."
+    & 7z a "$original_jar_file_full_path" "$extracted_file_directory\*"
+    if ($lastExitCode -ne 0) {
+        Write-Host -Object "7z repacking the jar file command failed. Exitcode: $exitCode"
+        exit $lastExitCode
+    }
+    Write-Host "Repacked the jar file $original_jar_file_full_path."
+
+    Write-Host "Removing the extracted files..."
+    Remove-Item -Path "$extracted_file_directory" -Recurse -Force
+    Write-Host "Removed the extracted files."
+}
+else {
+    Write-Host "Invalid instruction: $instruction"
+}
