Rework checksum and signatures computation and display in build websites

Display the individual SHA512 checksums of downloadable artifacts
individually in the file tables.
Compute the SHA512 checksums in the Java scripts generating the
drop-data files and store them in the buildproperties.json (instead of
individual files per artifact).

Also drop ability to pass a file list to the scripts for drop data
generation, as it's practically irrelevant. If the pages for existing
drops should be regenerated, the artifacts just have to be downloaded to
the build-agent.

Author: HannesWell

JenkinsJobs/Builds/build.jenkinsfile

@@ -273,10 +273,6 @@ pipeline {
 							tools {
 								jdk 'temurin-jdk25-latest'
 							}
-							environment {
-								KEYRING = credentials('secret-subkeys-releng.asc')
-								KEYRING_PASSPHRASE = credentials('secret-subkeys-releng.asc-passphrase')
-							}
 							steps {
 								dir("${DROP_DIR}/${BUILD_ID}") {
 									script {
@@ -394,7 +390,7 @@ pipeline {
 									popd
 									rm -rf ${DROP_DIR}/${BUILD_ID}/apitoolingreference
 
-									# Wait for notarization before checksums and pages got generated.
+									# Wait for notarization to complete before checksums are generated.
 									wait
 									for f in $notarizeLogDir/*.log; do
 										echo $f
@@ -403,10 +399,6 @@ pipeline {
 
 									# Publish Eclipse
 
-									pushd ${DROP_DIR}/${BUILD_ID}
-										bash ${CJE_ROOT}/scripts/produceChecksum.sh eclipse
-									popd
-									
 									java \
 										-DdropDirectory=${DROP_DIR}/${BUILD_ID} \
 										-DgitBaselineTag=${GIT_BASELINE_TAG} \
@@ -416,6 +408,9 @@ pipeline {
 										-DdropDirectory=${DROP_DIR}/${BUILD_ID} \
 										${SCRIPTS}/releng/CompilerSummaryGenerator.java
 								'''
+								script {
+									utilities.pgpSignFile("${DROP_DIR}/${BUILD_ID}/eclipse-${BUILD_ID}-checksums", 'eclipse')
+								}
 							}
 						}
 						stage('Promote Eclipse') {
@@ -440,10 +435,6 @@ pipeline {
 							tools {
 								jdk 'temurin-jdk25-latest'
 							}
-							environment {
-								KEYRING = credentials('secret-subkeys-releng.asc')
-								KEYRING_PASSPHRASE = credentials('secret-subkeys-releng.asc-passphrase')
-							}
 							steps {
 								dir("${EQUINOX_DROP_DIR}/${BUILD_ID}") {
 									script {
@@ -475,7 +466,7 @@ pipeline {
 										unzip -o -j equinox-SDK-$BUILD_ID.zip plugins/*.jar -x plugins/*.source_*
 									popd
 
-									# Wait for notarization to complete
+									# Wait for notarization to complete before checksums are generated.
 									wait
 									for f in $notarizeLogDir/*.log; do
 										echo $f
@@ -498,14 +489,13 @@ pipeline {
 										-v
 									popd
 
-									pushd ${EQUINOX_DROP_DIR}/${BUILD_ID}
-										bash ${CJE_ROOT}/scripts/produceChecksum.sh equinox
-									popd
-									
 									java \
 										-DdropDirectory=${EQUINOX_DROP_DIR}/${BUILD_ID} \
 										${SCRIPTS}/releng/BuildDropDataGenerator.java mainEquinox
 								'''
+								script {
+									utilities.pgpSignFile("${EQUINOX_DROP_DIR}/${BUILD_ID}/equinox-${BUILD_ID}-checksums", 'equinox')
+								}
 							}
 						}
 						stage('Promote Equinox') {

JenkinsJobs/Releng/promoteBuild.jenkinsfile

@@ -360,7 +360,7 @@ def renameBuildDrop(String baseDropPath, String oldDropID, String oldBuildLabel,
 EOF
 
 		#Update checksums to new filenames
-		ssh genie.releng@projects-storage.eclipse.org sed --in-place --expression 's/${oldBuildLabel}/${newBuildLabel}/g' ${targetPath}/checksum/*
+		ssh genie.releng@projects-storage.eclipse.org sed --in-place --expression 's/${oldBuildLabel}/${newBuildLabel}/g' ${targetPath}/*-checksums
 	"""
 
 	// Update buildproperties.json to new names

JenkinsJobs/shared/utilities.groovy

@@ -66,6 +66,30 @@ def writeJSON(String jsonFilePath, def json) {
 	writeFile(file: jsonFilePath, text: JsonOutput.prettyPrint(JsonOutput.toJson(json)).replace('    ','\t'), encoding :'UTF-8')
 }
 
+def prepareGPGSigning(String client = '') {
+	def gpgHome = "${WORKSPACE}/tools/gpg/${client}"
+	withCredentials([ file(credentialsId: 'secret-subkeys-releng.asc', variable: 'KEYRING') ]) {
+		sh """#!/bin/bash -xe
+			# Import gpg keys into a clean gpg-homedir
+			rm -rf "${gpgHome}"
+			mkdir -p "${gpgHome}"
+			gpg --homedir "${gpgHome}" --batch --import "\${KEYRING}"
+		"""
+	}
+	return gpgHome
+}
+
+def pgpSignFile(String filePath, String client = '') {
+	def gpgHome = prepareGPGSigning(client)
+	withCredentials([ string(credentialsId: 'secret-subkeys-releng.asc-passphrase', variable: 'KEYRING_PASSPHRASE') ]) {
+		sh """
+			gpg --homedir "${gpgHome}" --batch \
+				--detach-sign --armor --pinentry-mode loopback --passphrase-fd 0 \
+				--output ${filePath}.asc ${filePath} <<< "\${KEYRING_PASSPHRASE}"
+		"""
+	}
+}
+
 // --- website generation ---
 
 def copyStaticWebsiteFiles(String gitRoot, String website) {

cje-production/scripts/produceChecksum.sh

@@ -16,10 +16,11 @@
 import java.util.Map.Entry;
 
 import utilities.JSON;
+import utilities.JSON.Object;
 import utilities.OS;
+import utilities.OS.FileInfo;
 
 Path DIRECTORY;
-Optional<Path> FILES_LIST_FILE;
 
 /**
  * Considered JVM properties are:
@@ -30,23 +31,14 @@
  * <li>{@code gitReposChanged} (required for {@code mainEclipse}) -- The comma
  * separated list of URLs of Git repositories that changed since the
  * baseline.</li>
- * <li>{@code filesList} (optional) -- path to a file listing all files and
- * their size in the directory.<br>
- * Can be generated using the UNIX command
- * {@code find . -exec stat --format "%n %s" {} \; }</li>
  * </ul>
  * The generated data files (mainly JSON) are written at locations within the
  * specified directory where the website pages expect them.
  */
 void main(String[] args) throws IOException {
 	DIRECTORY = Path.of(OS.readProperty("dropDirectory")).toRealPath();
-	FILES_LIST_FILE = Optional.ofNullable(System.getProperty("filesList")).map(Path::of);
 	IO.println("INFO: Generating drop data file for");
 	IO.println("\t" + DIRECTORY);
-	FILES_LIST_FILE.ifPresent(list -> {
-		IO.println("INFO: Reading files from:");
-		IO.println("\t" + list);
-	});
 
 	switch (args[0]) {
 	case "mainEclipse" -> mainEclipsePageData();
@@ -57,12 +49,15 @@ void main(String[] args) throws IOException {
 }
 
 final Pattern COMMA = Pattern.compile(",");
+final String FILENAME = "name";
+final String FILE_SIZE = "size";
+final String FILE_HASH_TYPE = "sha512";
 
 void mainEclipsePageData() throws IOException {
 	String gitBaselineTag = OS.readProperty("gitBaselineTag").trim();
 	List<String> gitReposChanged = List.of(OS.readProperty("gitReposChanged").trim().split(","));
 
-	Map<Path, Long> files = OS.listFileTree(DIRECTORY, FILES_LIST_FILE, null, 1);
+	Map<Path, FileInfo> files = OS.listFileTree(DIRECTORY, 1);
 	Map<String, String> properties = OS.loadProperties(DIRECTORY.resolve("buildproperties.properties"));
 	String buildId = properties.get("BUILD_ID");
 	ZonedDateTime buildDate = buildTimestamp(buildId);
@@ -116,13 +111,15 @@ void mainEclipsePageData() throws IOException {
 
 	buildProperties.add("swtBinaries", collectFileEntries(files, filename -> filename.startsWith("swt-")));
 
+	writeChecksumsSummaryFile(buildProperties, buildId, "eclipse");
+
 	Path file = DIRECTORY.resolve("buildproperties.json");
 	IO.println("Write Eclipse drop main data to: " + file);
 	JSON.write(buildProperties, file);
 }
 
 void mainEquinoxPageData() throws IOException {
-	Map<Path, Long> files = OS.listFileTree(DIRECTORY, FILES_LIST_FILE, null, 1);
+	Map<Path, FileInfo> files = OS.listFileTree(DIRECTORY, 1);
 	Map<String, String> properties = OS.loadProperties(DIRECTORY.resolve("buildproperties.properties"));
 	String buildId = properties.get("BUILD_ID");
 	ZonedDateTime buildDate = buildTimestamp(buildId);
@@ -153,20 +150,21 @@ void mainEquinoxPageData() throws IOException {
 	buildProperties.add("starterKits", collectFileEntries(files,
 			filename -> filename.startsWith("EclipseRT-OSGi-StarterKit-") && !OS.isMacTarGZ(filename)));
 
+	writeChecksumsSummaryFile(buildProperties, buildId, "equinox");
+
 	Path file = DIRECTORY.resolve("buildproperties.json");
 	IO.println("Write Equinox drop main data to: " + file);
 	JSON.write(buildProperties, file);
 }
 
 void buildLogsPageData() throws IOException {
-	Path buildLogsDirectory = Path.of("buildlogs");
-	Path comparatorLogsDirectory = Path.of("buildlogs/comparatorlogs");
-	Map<Path, Long> files = OS.listFileTree(DIRECTORY, FILES_LIST_FILE, buildLogsDirectory, 3);
+	Path comparatorLogsDirectory = Path.of("comparatorlogs");
+	Map<Path, FileInfo> files = OS.listFileTree(DIRECTORY.resolve("buildlogs"), 2);
 
 	JSON.Object logFiles = JSON.Object.create();
-	JSON.Array buildLogs = colleFilesInDirectory(buildLogsDirectory, filename -> filename.startsWith("s"), files);
+	JSON.Array buildLogs = collectFileEntries(files, filename -> filename.startsWith("s"));
 	logFiles.add("build", buildLogs);
-	JSON.Array comparatorLogs = colleFilesInDirectory(comparatorLogsDirectory, _ -> true, files);
+	JSON.Array comparatorLogs = collectFilesInDirectory(files, comparatorLogsDirectory, _ -> true);
 	logFiles.add("comparator", comparatorLogs);
 
 	Path file = DIRECTORY.resolve("buildlogs/logs.json");
@@ -185,12 +183,12 @@ String previousReleaseAPILabel(Map<String, String> buildProps) {
 	return major + "." + (minor - 1);
 }
 
-JSON.Array collectFileEntries(Map<Path, Long> buildFiles, Predicate<String> filenameFilter) {
-	return colleFilesInDirectory(null, filenameFilter, buildFiles);
+JSON.Array collectFileEntries(Map<Path, FileInfo> buildFiles, Predicate<String> filenameFilter) {
+	return collectFilesInDirectory(buildFiles, null, filenameFilter);
 }
 
-JSON.Array colleFilesInDirectory(Path inDirectory, Predicate<String> filenameFilter, Map<Path, Long> buildFiles) {
-	Function<Entry<Path, Long>, String> getFilename = f -> f.getKey().getFileName().toString();
+JSON.Array collectFilesInDirectory(Map<Path, FileInfo> buildFiles, Path inDirectory, Predicate<String> filenameFilter) {
+	Function<Entry<Path, FileInfo>, String> getFilename = f -> f.getKey().getFileName().toString();
 	int expectedNameCount = inDirectory != null ? inDirectory.getNameCount() + 1 : 1;
 	return buildFiles.entrySet().stream().filter(f -> {
 		Path file = f.getKey();
@@ -218,7 +216,7 @@ JSON.Array colleFilesInDirectory(Path inDirectory, Predicate<String> filenameFil
 	return 100;
 })).thenComparing(Comparator.naturalOrder());
 
-JSON.Object createFileEntry(String filename, Map<Path, Long> buildFiles, String platform) {
+JSON.Object createFileEntry(String filename, Map<Path, FileInfo> buildFiles, String platform) {
 	Path filePath = Path.of(filename);
 	JSON.Object file = createFileDescription(filePath, buildFiles.get(filePath));
 	if (platform != null) {
@@ -227,10 +225,28 @@ JSON.Object createFileEntry(String filename, Map<Path, Long> buildFiles, String
 	return file;
 }
 
-JSON.Object createFileDescription(Path file, Long fileSize) {
+void writeChecksumsSummaryFile(JSON.Object buildProperties, String buildId, String client) throws IOException {
+	Path checksumSummary = DIRECTORY.resolve(client + "-" + buildId + "-checksums");
+	List<String> lines = buildProperties.members().values().stream() //
+			.filter(JSON.Array.class::isInstance).map(JSON.Array.class::cast) //
+			.map(JSON.Array::elements).flatMap(List::stream) //
+			.filter(JSON.Object.class::isInstance).map(JSON.Object.class::cast) //
+			.map(Object::members).filter(o -> o.containsKey(FILENAME) && o.containsKey(FILE_HASH_TYPE))
+			.sorted(Comparator.comparing((Map<String, JSON.Value> o) -> getStringValue(o, FILENAME)))
+			.map(o -> getStringValue(o, FILE_HASH_TYPE) + " *" + getStringValue(o, FILENAME)).toList();
+	IO.println("Write checksum summary file to: " + checksumSummary);
+	Files.write(checksumSummary, lines);
+}
+
+String getStringValue(Map<String, JSON.Value> o, String key) {
+	return ((JSON.String) o.get(key)).characters();
+}
+
+JSON.Object createFileDescription(Path file, FileInfo fileInfo) {
 	JSON.Object fileEntry = JSON.Object.create();
-	fileEntry.add("name", JSON.String.create(file.toString().replace(File.separatorChar, '/')));
-	fileEntry.add("size", JSON.String.create(OS.fileSizeAsString(fileSize)));
+	fileEntry.add(FILENAME, JSON.String.create(file.toString().replace(File.separatorChar, '/')));
+	fileEntry.add(FILE_SIZE, JSON.String.create(OS.fileSizeAsString(fileInfo.size())));
+	fileEntry.add(FILE_HASH_TYPE, JSON.String.create(fileInfo.hashSHA512()));
 	return fileEntry;
 }