hg: build-infra/jdk8/jdk: 8005355: build-infra: Java security signing (need a top-level make target).

Mon Jan 7 03:30:59 PST 2013

On 4/01/2013 10:03 PM, David Holmes wrote:
> On 4/01/2013 9:58 PM, Erik Joelsson wrote:
>> On 2013-01-04 12:38, David Holmes wrote:
>>> On 4/01/2013 7:13 PM, Erik Joelsson wrote:
>>>> Yes, now that I've looked closely at the profiles work I understand the
>>>> issue. The old build did behave this way though, the jars were built
>>>> even if they weren't needed, just to exercise the code. I would ask the
>>>> security team if that's a requirement or not. Perhaps the list of
>>>> unsigned jars could be made into a special target, still included when
>>>> building "images" but not for "profiles"?
>>>
>>> If it must be built then it is simpler I think to always set the
>>> unsigned jar as being a dependency of the actual jar.
>>>
>> That sounds reasonable to me. Do you want me to fix this or can you do
>> it as part of profiles?
>
> I'll fix it as part of profiles. I'll try just leaving the
>
> JARS =+ <unsigned jar>
>
> and see if that works.

That did work. Though it was curious to note that the OpenJDK version of 
the unsigned jars is different to the non-open version in most cases.

Also the ucrypto jar was odd because we never actually build it - it 
only exists for closed and in that case it gets copied not built. The 
pattern for this file was different from the other signed jars.

David
-----

> Thanks,
> David
>
>> /Erik
>>> Personally it seems very suspicious to me to always build a jar needed
>>> for OPENJDK only when OPENJDK is not in fact set. The RI builds should
>>> be sufficient to exercise this code.
>>>
>>> Anyway needs to be resolved ...
>>>
>>> Thanks,
>>> David
>>> -----
>>>
>>>> /Erik
>>>>
>>>> On 2013-01-04 07:30, David Holmes wrote:
>>>>> Hit send too soon. Of course all the "unsigned jar" additions to JARS
>>>>> cause the same problem.
>>>>>
>>>>> David
>>>>>
>>>>> On 4/01/2013 4:27 PM, David Holmes wrote:
>>>>>> Hi Erik,
>>>>>>
>>>>>> This change to CreateJars.gmk causes me a problem with the Profiles
>>>>>> work:
>>>>>>
>>>>>> +JARS += $(SUNPKCS11_JAR_DST) $(SUNPKCS11_JAR_UNSIGNED)
>>>>>>
>>>>>> This causes the "unsigned" jar to always be built even if not needed
>>>>>> because we are copying the signed one. There is only one real jar
>>>>>> file
>>>>>> target here: $(SUNPKCS11_JAR_DST) and it will either be built or
>>>>>> copied
>>>>>> depending on the type of build.
>>>>>>
>>>>>> In Profiles the JARS variable is built up based on the actual list of
>>>>>> jars needed in the final image. So there is no
>>>>>> $(SUNPKCS11_JAR_UNSIGNED)
>>>>>> on that list.
>>>>>>
>>>>>> I'm yet to try building with only the equivalent of
>>>>>>
>>>>>> JARS += $(SUNPKCS11_JAR_DST)
>>>>>>
>>>>>> as I'm still merging other changes. But I'm hopeful that this will
>>>>>> still
>>>>>> work.
>>>>>>
>>>>>> In the meantime I wanted to flag this with you.
>>>>>>
>>>>>> Thanks,
>>>>>> David
>>>>>>
>>>>>>
>>>>>> On 30/12/2012 4:57 AM, erik.joelsson at oracle.com wrote:
>>>>>>> Changeset: d03b9a9ca8de
>>>>>>> Author: erikj
>>>>>>> Date: 2012-12-29 19:55 +0100
>>>>>>> URL:
>>>>>>> http://hg.openjdk.java.net/build-infra/jdk8/jdk/rev/d03b9a9ca8de
>>>>>>>
>>>>>>> 8005355: build-infra: Java security signing (need a top-level make
>>>>>>> target).
>>>>>>> Summary: Added sign-jars top level target. Made closed build always
>>>>>>> build jars for verification and signing.
>>>>>>>
>>>>>>> ! makefiles/BuildJdk.gmk
>>>>>>> ! makefiles/CreateJars.gmk
>>>>>>> + makefiles/SignJars.gmk
>>>>>>>