RFR: 8350801: Add a code signing hook to the JDK build system [v3]
Magnus Ihse Bursie
ihse at openjdk.org
Tue Mar 25 15:37:18 UTC 2025
On Tue, 25 Mar 2025 14:26:46 GMT, Frederic Thevenet <fthevenet at openjdk.org> wrote:
>> OpenJDK vendors who provide binary distributions for the Windows and macOS platforms generally need to ensure that every native executable file and dynamic library that are part of the binary builds are digitally signed using a set of OS specific APIs.
>>
>> The JDK build system already provides the ability to invoke Apple code signing API during the build on macOS, but there is no equivalent support for Windows, which means that each vendor has had to come up with their own way to integrate the code signing step into their build pipeline.
>> As the shape of the JDK binary deliverable evolved to accommodate features like modules, signing binaries as an after-the-fact process has gradually become more complicated and error prone, in particular with regard to the introduction of JEP 493.
>>
>> This change aims to solve this by introducing a "signing hook" that users can use to specify a custom script that will be invoked by the build system for every native executable or library compiled and linked as part of the build target.
>> This is to provide enough flexibility for each vendor to include their own specific configuration and/or signing logic, not limited to a specific set of platforms.
>
> Frederic Thevenet has updated the pull request incrementally with one additional commit since the last revision:
>
> SIGNING_HOOK_ENABLED is no longer used
make/autoconf/jdk-options.m4 line 997:
> 995: else
> 996: AC_MSG_RESULT([none])
> 997: fi
Sorry, I noticed one more thing. `AC_SUBST` will need to prepare the `SIGNING_HOOK` replacement in spec.gmk, regardless of if it is empty or set to a value.
Due to the limitations of m4 expansion and how autoconf is implemented, the effect of `AC_SUBST` will be carried out regardless of the test in the if block. So the code above will actually work, but it is misleading, since things are written inside the if block that will be executed unconditionally. So please follow the pattern we have elsewhere and move AC_SUBST to the end:
Suggestion:
AC_MSG_CHECKING([for signing hook])
if test "x$SIGNING_HOOK" != x; then
  UTIL_FIXUP_EXECUTABLE(SIGNING_HOOK)
  AC_MSG_RESULT([$SIGNING_HOOK])
else
  AC_MSG_RESULT([none])
fi
AC_SUBST(SIGNING_HOOK)
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/23807#discussion_r2012385131
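
The `AC_SUBST` behaviour described in the review comment above can be reproduced outside the JDK with a stand-alone `configure.ac`. This is an added example, not code from the pull request or the JDK build system; `DEMO_HOOK`, `demo.in` and `demo.out` are hypothetical names.

```m4
dnl configure.ac -- constructed demo, not part of the JDK build.
dnl Companion template demo.in (constructed) holds the single line:
dnl   HOOK := @DEMO_HOOK@
AC_INIT([subst-demo], [1.0])

AC_MSG_CHECKING([for demo hook])
if test "x$DEMO_HOOK" != x; then
  AC_MSG_RESULT([$DEMO_HOOK])
  dnl Misleading placement: AC_SUBST registers DEMO_HOOK as an output
  dnl variable while m4 expands this file. With a single argument it
  dnl emits no shell code at this point, so the surrounding shell test
  dnl cannot switch it off.
  AC_SUBST(DEMO_HOOK)
else
  AC_MSG_RESULT([none])
fi

dnl Pattern the review asks for: the same macro call placed after the
dnl closing fi, where its position matches its unconditional effect.
dnl AC_SUBST(DEMO_HOOK)

AC_CONFIG_FILES([demo.out:demo.in])
AC_OUTPUT
```

With `demo.in` beside it, run `autoconf && ./configure` with `DEMO_HOOK` unset: `@DEMO_HOOK@` in `demo.out` is still replaced, by the empty string, even though only the `else` branch ran.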