--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/jdk/makefiles/SignJars.gmk Wed Jan 02 15:35:12 2013 +0100
@@ -0,0 +1,104 @@
+#
+# Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved.
+# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+#
+# This code is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License version 2 only, as
+# published by the Free Software Foundation. Oracle designates this
+# particular file as subject to the "Classpath" exception as provided
+# by Oracle in the LICENSE file that accompanied this code.
+#
+# This code is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+# version 2 for more details (a copy is included in the LICENSE file that
+# accompanied this code).
+#
+# You should have received a copy of the GNU General Public License version
+# 2 along with this work; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+# or visit www.oracle.com if you need additional information or have any
+# questions.
+#
+
+include $(SPEC)
+include MakeBase.gmk
+
+# (The terms "OpenJDK" and "JDK" below refer to OpenJDK and Oracle JDK
+# builds respectively.)
+#
+# JCE builds are very different between OpenJDK and JDK. The OpenJDK JCE
+# jar files do not require signing, but those for JDK do. If an unsigned
+# jar file is installed into JDK, things will break when the crypto
+# routines are called.
+#
+# All jars are created in CreateJars.gmk. This Makefile does the signing
+# of the jars for JDK.
+#
+# For JDK, the binaries use pre-built/pre-signed binary files stored in
+# the closed workspace that are not shipped in the OpenJDK workspaces.
+# We still build the JDK files to verify the files compile, and in
+# preparation for possible signing. Developers working on JCE in JDK
+# must sign the JCE files before testing. The JCE signing key is kept
+# separate from the JDK workspace to prevent its disclosure.
+#
+# SPECIAL NOTE TO JCE/JDK developers: The source files must eventually
+# be built, signed, and then the resulting jar files MUST BE CHECKED
+# INTO THE CLOSED PART OF THE WORKSPACE*. This separate step *MUST NOT
+# BE FORGOTTEN*, otherwise a bug fixed in the source code will not be
+# reflected in the shipped binaries. The "sign-jars" target in the top
+# level Makefile should be used to generate the required files.
+#
+
+# Default target
+all:
+
+ifndef OPENJDK
+
+README-MAKEFILE_WARNING := \
+ "\nPlease read makefiles/SignJars.gmk for further build instructions.\n"
+
+#
+# Location for JCE codesigning key.
+#
+SIGNING_KEY_DIR := /security/ws/JCE-signing/src
+SIGNING_KEYSTORE := $(SIGNING_KEY_DIR)/KeyStore.jks
+SIGNING_PASSPHRASE := $(SIGNING_KEY_DIR)/passphrase.txt
+SIGNING_ALIAS := oracle_jce_rsa
+
+#
+# Defines for signing the various jar files.
+#
+check-keystore:
+ @if [ ! -f $(SIGNING_KEYSTORE) -o ! -f $(SIGNING_PASSPHRASE) ]; then \
+ $(PRINTF) "\n$(SIGNING_KEYSTORE): Signing mechanism *NOT* available..."; \
+ $(PRINTF) $(README-MAKEFILE_WARNING); \
+ exit 2; \
+ fi
+
+$(JCE_OUTPUTDIR)/%: $(IMAGES_OUTPUTDIR)/unsigned/%
+ $(MKDIR) -p $(@D)
+ $(CP) $< $@
+ $(JARSIGNER) -keystore $(SIGNING_KEYSTORE) \
+ $@ $(SIGNING_ALIAS) < $(SIGNING_PASSPHRASE)
+ @$(PRINTF) "\nJar codesigning finished.\n"
+
+JAR_LIST := jce.jar \
+ local_policy.jar \
+ sunec.jar \
+ sunjce_provider.jar \
+ sunpkcs11.jar \
+ US_export_policy.jar
+
+SIGNED_JARS := $(addprefix $(JCE_OUTPUTDIR)/,$(JAR_LIST))
+
+$(SIGNED_JARS): check-keystore
+
+all: $(SIGNED_JARS)
+ @$(PRINTF) "\n***The jar files built by the 'jar-sign' target must***"
+ @$(PRINTF) "\n***still be checked into the closed workspace! ***"
+ @$(PRINTF) $(README-MAKEFILE_WARNING)
+
+endif # !OPENJDK