RFR: JDK-8238534

René Schünemann rene.schuenemann at gmail.com
Mon Feb 10 18:12:48 UTC 2020 

Hi Erik,

I have implemented your requested changes. I think it is a lot cleaner
now and the bundling as well as the
signing parts are now only executed when necessary.

New WebRev: http://cr.openjdk.java.net/~rschuenemann/wr/2020/8238534-macos_sign_bundles/02/

Rene

On Mon, Feb 10, 2020 at 9:23 AM René Schünemann
<rene.schuenemann at gmail.com> wrote:
>
> Hi Erik,
>
> thank you for your review and I totally agree with you. It would
> definitely be better avoid temp dirs.
> I will try to move the creation of the signed image to MacBundles.gmk
> and then re-use the SetubBundleFile in Bundles.gmk.
>
> Rene
>
> On Fri, Feb 7, 2020 at 5:19 PM Erik Joelsson <erik.joelsson at oracle.com> wrote:
> >
> > Hello René,
> >
> > It's good to see an open solution to this, but I have some opinions on
> > the patch.
> >
> > The concept of building into "temp dirs" that are then removed is a
> > practice we try to avoid in the build. Whenever possible, each rule
> > should be a well defined transformation from a set of source files to a
> > target file. There is just no reason to remove the jdk-signed dir here.
> > If something goes wrong, you would want the dir around to investigate.
> > This also keeps incremental builds working as expected. Your current
> > patch will always rebuild the bundles, which is not ok.
> >
> > I would recommend putting the jdk-signed dir in
> > $(IMAGES_OUTPUTDIR)/jdk-signed and just leave it there. I would create a
> > separate rule for the signing part, where the target file is the
> > CodeResources file that codesign actually creates, and the prerequisite
> > files simply $(COPY_SIGNED_JDK_BUNDLE).
> >
> > Separate rules for creating a top level directory are not needed. The
> > rules generated from SetupCopyFiles will create all directories needed.
> >
> > I would also keep using the existing SetupBundleFile for the actual
> > bundling, even if most of the functionality in it is not used, just to
> > avoid more separate code paths than necessary.
> >
> > /Erik
> >
> > On 2020-02-07 02:05, René Schünemann wrote:
> > > For the Apple notarization process, the whole bundle in its final form
> > > has to be signed with the codesign tool.
> > > See the discussion here: https://bugs.openjdk.java.net/browse/JDK-8238225
> > >
> > > This change copies all JDK/JRE files to a temporary directory, which
> > > is then passed to the codesign tool. The temporary directory is then
> > > used as the base directory for the bundle archive and is getting
> > > removed after the archive has been created. This only applies when a
> > > valid code signing identity is set and the build type is release.
> > >
> > > Bug: https://bugs.openjdk.java.net/browse/JDK-8238534
> > > WebRev: http://cr.openjdk.java.net/~rschuenemann/wr/2020/8238534-macos_sign_bundles/01/
> > >
> > > Rene

More information about the build-dev mailing list