RFR: JDK-8238534

René Schünemann rene.schuenemann at gmail.com
Mon Feb 10 08:23:44 UTC 2020 

Hi Erik,

thank you for your review and I totally agree with you. It would
definitely be better avoid temp dirs.
I will try to move the creation of the signed image to MacBundles.gmk
and then re-use the SetubBundleFile in Bundles.gmk.

Rene

On Fri, Feb 7, 2020 at 5:19 PM Erik Joelsson <erik.joelsson at oracle.com> wrote:
>
> Hello René,
>
> It's good to see an open solution to this, but I have some opinions on
> the patch.
>
> The concept of building into "temp dirs" that are then removed is a
> practice we try to avoid in the build. Whenever possible, each rule
> should be a well defined transformation from a set of source files to a
> target file. There is just no reason to remove the jdk-signed dir here.
> If something goes wrong, you would want the dir around to investigate.
> This also keeps incremental builds working as expected. Your current
> patch will always rebuild the bundles, which is not ok.
>
> I would recommend putting the jdk-signed dir in
> $(IMAGES_OUTPUTDIR)/jdk-signed and just leave it there. I would create a
> separate rule for the signing part, where the target file is the
> CodeResources file that codesign actually creates, and the prerequisite
> files simply $(COPY_SIGNED_JDK_BUNDLE).
>
> Separate rules for creating a top level directory are not needed. The
> rules generated from SetupCopyFiles will create all directories needed.
>
> I would also keep using the existing SetupBundleFile for the actual
> bundling, even if most of the functionality in it is not used, just to
> avoid more separate code paths than necessary.
>
> /Erik
>
> On 2020-02-07 02:05, René Schünemann wrote:
> > For the Apple notarization process, the whole bundle in its final form
> > has to be signed with the codesign tool.
> > See the discussion here: https://bugs.openjdk.java.net/browse/JDK-8238225
> >
> > This change copies all JDK/JRE files to a temporary directory, which
> > is then passed to the codesign tool. The temporary directory is then
> > used as the base directory for the bundle archive and is getting
> > removed after the archive has been created. This only applies when a
> > valid code signing identity is set and the build type is release.
> >
> > Bug: https://bugs.openjdk.java.net/browse/JDK-8238534
> > WebRev: http://cr.openjdk.java.net/~rschuenemann/wr/2020/8238534-macos_sign_bundles/01/
> >
> > Rene

More information about the build-dev mailing list