[Proposal] Add a configure option to explicitly set CompanyName property in VersionInfo resource for Windows exe/dll

Tue Dec 5 14:24:16 UTC 2023

To maybe clarify things a bit; the idea here is to allow for different 
values for the CompanyName RC field and the rest of the places where 
"vendor-name" is currently used.

You may be wondering why? The TL:DR is; we aim to make it easier to do a 
binary comparison between builds from the same source but from different 
vendors.

Now there are of course a lot of things that need to happen before this 
even matters (like aligning the native tool chains, bootjdks, etc..), 
but because differences in the compiled resources for an otherwise 
identically produced binary on Windows will cause the CRC in the PE 
header to change, this means that all native binaries resulting from 
will have significant differences that are difficult to account for.

There is only one RC field that is typically different in two builds of 
the same sources by two different vendors, and it is "CompanyName ", and 
as a matter of fact, it is of very little use: both users and java 
programs will query the java.vendor property to get this info, and if 
one's goal is to verify the provenance of a single binary file, then the 
name of signer from the digital signature on that file is far more 
reliable, as it is not so easily forged.

So having the option to set this value to something generic enough that 
it can be the same across different vendors (should they want to) - 
while keeping all of other the usage or "vendor-name" as they are now - 
seems like a good way of solving that particular problem.

Of course, the comparison process still needs to account for differences 
in the vendor strings (but that now only affects jvm.dll, instead of 
every single exe and dll) as the different digital signatures (but these 
can be easily stripped before comparing).

This is just our own reason for having this as an option, but it could 
probably prove useful in other situations too.

On 05/12/2023 15:19, Frederic Thevenet wrote:
> Hi Magnus,
>
>
> On 05/12/2023 13:58, Magnus Ihse Bursie wrote:
>>
>> So this is really a "--with-jdk-rc-vendor-name", since it will use 
>> that value instead of --with-jdk-vendor-name for the RC fields in 
>> Windows binaries?
>>
> I don't have a strong opinion about the name, only the target RC field 
> in question is called "CompanyName", and this new option would only be 
> used to set this property, so referencing to this instead of the term 
> "vendor" made maybe more sense to me.
>
>> Would --with-jdk-vendor-name be used for anything at all on Windows 
>> in that case?
>>
>
> I can't find any references to an existing "--with-jdk-vendor-name" so 
> I assume than you meant "--wtih-vendor-name", is that correct?
>
> If so, yes; "--with-vendor-name" would still be used for the same 
> things than it currently is, with the exception of populating the 
> "CompanyName" RC field *if* "--with-jdk-rc-vendor/company-name" is 
> also used.

-- 
Frederic Thevenet
Senior Software Engineer - OpenJDK
Red Hat France<https://www.redhat.com>
BAF5 C2D2 0BE0 1715 5EE1 0815 2065 AD47 B326 EB92
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mail.openjdk.org/pipermail/build-dev/attachments/20231205/d80ba790/attachment-0001.htm>