diff -r e7c44a9146bf -r 296bb1620e00 jdk/makefiles/SignJars.gmk --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/jdk/makefiles/SignJars.gmk Wed Jan 02 15:35:12 2013 +0100 @@ -0,0 +1,104 @@ +# +# Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved. +# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. +# +# This code is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License version 2 only, as +# published by the Free Software Foundation. Oracle designates this +# particular file as subject to the "Classpath" exception as provided +# by Oracle in the LICENSE file that accompanied this code. +# +# This code is distributed in the hope that it will be useful, but WITHOUT +# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or +# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License +# version 2 for more details (a copy is included in the LICENSE file that +# accompanied this code). +# +# You should have received a copy of the GNU General Public License version +# 2 along with this work; if not, write to the Free Software Foundation, +# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. +# +# Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA +# or visit www.oracle.com if you need additional information or have any +# questions. +# + +include $(SPEC) +include MakeBase.gmk + +# (The terms "OpenJDK" and "JDK" below refer to OpenJDK and Oracle JDK +# builds respectively.) +# +# JCE builds are very different between OpenJDK and JDK. The OpenJDK JCE +# jar files do not require signing, but those for JDK do. If an unsigned +# jar file is installed into JDK, things will break when the crypto +# routines are called. +# +# All jars are created in CreateJars.gmk. This Makefile does the signing +# of the jars for JDK. +# +# For JDK, the binaries use pre-built/pre-signed binary files stored in +# the closed workspace that are not shipped in the OpenJDK workspaces. +# We still build the JDK files to verify the files compile, and in +# preparation for possible signing. Developers working on JCE in JDK +# must sign the JCE files before testing. The JCE signing key is kept +# separate from the JDK workspace to prevent its disclosure. +# +# SPECIAL NOTE TO JCE/JDK developers: The source files must eventually +# be built, signed, and then the resulting jar files MUST BE CHECKED +# INTO THE CLOSED PART OF THE WORKSPACE*. This separate step *MUST NOT +# BE FORGOTTEN*, otherwise a bug fixed in the source code will not be +# reflected in the shipped binaries. The "sign-jars" target in the top +# level Makefile should be used to generate the required files. +# + +# Default target +all: + +ifndef OPENJDK + +README-MAKEFILE_WARNING := \ + "\nPlease read makefiles/SignJars.gmk for further build instructions.\n" + +# +# Location for JCE codesigning key. +# +SIGNING_KEY_DIR := /security/ws/JCE-signing/src +SIGNING_KEYSTORE := $(SIGNING_KEY_DIR)/KeyStore.jks +SIGNING_PASSPHRASE := $(SIGNING_KEY_DIR)/passphrase.txt +SIGNING_ALIAS := oracle_jce_rsa + +# +# Defines for signing the various jar files. +# +check-keystore: + @if [ ! -f $(SIGNING_KEYSTORE) -o ! -f $(SIGNING_PASSPHRASE) ]; then \ + $(PRINTF) "\n$(SIGNING_KEYSTORE): Signing mechanism *NOT* available..."; \ + $(PRINTF) $(README-MAKEFILE_WARNING); \ + exit 2; \ + fi + +$(JCE_OUTPUTDIR)/%: $(IMAGES_OUTPUTDIR)/unsigned/% + $(MKDIR) -p $(@D) + $(CP) $< $@ + $(JARSIGNER) -keystore $(SIGNING_KEYSTORE) \ + $@ $(SIGNING_ALIAS) < $(SIGNING_PASSPHRASE) + @$(PRINTF) "\nJar codesigning finished.\n" + +JAR_LIST := jce.jar \ + local_policy.jar \ + sunec.jar \ + sunjce_provider.jar \ + sunpkcs11.jar \ + US_export_policy.jar + +SIGNED_JARS := $(addprefix $(JCE_OUTPUTDIR)/,$(JAR_LIST)) + +$(SIGNED_JARS): check-keystore + +all: $(SIGNED_JARS) + @$(PRINTF) "\n***The jar files built by the 'jar-sign' target must***" + @$(PRINTF) "\n***still be checked into the closed workspace! ***" + @$(PRINTF) $(README-MAKEFILE_WARNING) + +endif # !OPENJDK