RFR: 8350801: Add a code signing hook to the JDK build system [v4]

[Frederic Thevenet]

On Tue, 25 Mar 2025 17:22:07 GMT, Erik Joelsson <erikj at openjdk.org> wrote:

> Using the log file from ExecuteWithLog as the recipe target to work around changing/signing the actual target file in place is an interesting choice, but I think it will work. Have you tried incremental builds thoroughly?

Hmm... If think you're right to be suspicious about this; I just realized this approach has a pretty big flaw: in the event of a failure occurring in the script, `make` will delete the file used as the target, which in this case is bad since not only the job failed, but you've just lost the log file that could have helped you understand why!
To be fair, what's in the `ExecuteWithLog` file should also be present in `build.log`, but it will mixed up with everything else and potentially a pain to piece back together.

I'm leaning toward reverting to my initial idea, which was to add the command that calls the script as part of the linking recipe. I decided to extract it in its own to avoid duplication, since linking for Windows and macOS/Linux is split across two source files, but I'm thinking that might not be justified, since it's only a couple of lines (see https://github.com/fthevenet/jdk/commit/2afcf05edbf8498a5f289a6247506b5a284e2be9 to get of sense of the diff).
This also has the benefit of putting to rest any worries w.r.t. incremental builds, I think.

-------------

PR Comment: https://git.openjdk.org/jdk/pull/23807#issuecomment-2752415817