RFR: 8352689: Allow for hash sum overrides when linking from the run-time image [v2]
Severin Gehwolf
sgehwolf at openjdk.org
Tue Mar 25 17:49:24 UTC 2025
On Tue, 25 Mar 2025 17:43:07 GMT, Severin Gehwolf <sgehwolf at openjdk.org> wrote:
>> Please review this enhancement which adds a hidden `jlink` option `--sha-overrides` that can be used to provide alternative hash sums for files in an image. Please see the bug for use-cases as to why this is needed. This patch allows for the `--sha-overrides` option to be either specified multiple times or separated by a comma to list multiple hash sum overrides. Alternatively when starting with the `@` character the override options come from a file. The format is the same: `<module>|<file-path>|<sha>` triplets, either on the command line or in a file (one per line).
>>
>> The added, linux only, test uses `objcopy` to fully strip `libjvm.so` of its symbols with the assumption that this would change the hash sum of the resulting file. Then, a link from the run-time image is being attempted with the added option `--sha-overrides=java.base|lib/server/libjvm.so|<new-sha-sum>` and verifies the link succeeds.
>>
>> Having something like that is useful when it gets combined with e.g. `--save-jlink-arg-files` to produce a `jlink` which works out of the box on say JDK builds that modify binaries due to some debug symbols handling outside the JDK builds' control.
>>
>> While using `--ignore-modified-runtime` is an option that is sub-optimal as that would spit out many warnings in the RPM build case, where the user wouldn't control that RPM build to begin with.
>>
>> Testing:
>> - [x] GHA
>> - [x] Some manual tests together with [JDK-8352692](https://bugs.openjdk.org/browse/JDK-8352692) on some JEP 493 enabled builds.
>> - [x] `jlink` jtreg tests.
>>
>> Thoughts?
>
> Severin Gehwolf has updated the pull request incrementally with two additional commits since the last revision:
>
> - Copyright updates
> - Allow for ${java.home} substitution when @file is being passed
>
> Also refactor the tests. One using the CLI, the other using
> the @file-base version of the option.
This now also has support for substitution of a JAVA_HOME token to read the overrides from a file in the JDK tree. That is useful if that overrides file needs to be baked into the JDK build, but the actual hash sums aren't yet known at the time. The idea is to allow for a flexible enough setup to produce a `jlink` possibly with needed sha-overrides built in, yet coming from an external file that can be created after (once the actual checksums are actually known). A test has been added for it.
-------------
PR Comment: https://git.openjdk.org/jdk/pull/24190#issuecomment-2752069736
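
An added example, not part of the original message and not jlink's own code: a Python checker for the override syntax described above (`<module>|<file-path>|<sha>` triplets, comma-separated on the command line or one per line in an `@` file, with `${java.home}` substituted in the file name), useful for reviewing an overrides file before it is baked into a build. The function names and the strictness rules (hex-only digests, relative paths without `..`, conflicting duplicates rejected) are assumptions of this example.

```python
import re
from pathlib import Path, PurePosixPath

HEX = re.compile(r"^[0-9a-fA-F]+$")  # assumption: digests are written as hex


def expand_option(value, java_home):
    """Return the raw triplet strings carried by one --sha-overrides value."""
    if value.startswith("@"):
        # '@' form: the rest names a file, one triplet per line.
        path = value[1:].replace("${java.home}", str(java_home))
        lines = Path(path).read_text().splitlines()
        return [line.strip() for line in lines if line.strip()]
    # Inline form: several triplets separated by commas.
    return [item for item in value.split(",") if item]


def parse_triplet(raw):
    """Split '<module>|<file-path>|<sha>' and reject malformed entries."""
    parts = raw.split("|")
    if len(parts) != 3:
        raise ValueError(f"expected <module>|<file-path>|<sha>: {raw!r}")
    module, file_path, sha = parts
    path = PurePosixPath(file_path)
    # Assumption: paths are relative to the image root, as in the
    # 'lib/server/libjvm.so' example, so absolute paths and '..' are refused.
    if not module or not file_path or path.is_absolute() or ".." in path.parts:
        raise ValueError(f"suspicious module or path: {raw!r}")
    if not HEX.match(sha):
        raise ValueError(f"digest is not hex: {raw!r}")
    return module, file_path, sha.lower()


def load_overrides(values, java_home):
    """Merge all option values into {(module, file_path): sha}."""
    overrides = {}
    for value in values:
        for raw in expand_option(value, java_home):
            module, file_path, sha = parse_triplet(raw)
            key = (module, file_path)
            # Two different digests for one file means the input is ambiguous.
            if overrides.get(key, sha) != sha:
                raise ValueError(f"conflicting overrides for {key}")
            overrides[key] = sha
    return overrides
```

Because every accepted entry replaces a recorded hash sum, the returned mapping is the list of files worth comparing against independently computed digests.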