24 # |
24 # |
25 |
25 |
26 include $(SPEC) |
26 include $(SPEC) |
27 include MakeBase.gmk |
27 include MakeBase.gmk |
28 |
28 |
29 # (The terms "OpenJDK" and "JDK" below refer to OpenJDK and Oracle JDK |
29 # (The terms "OpenJDK" and "JDK" below refer to OpenJDK and Oracle JDK |
30 # builds respectively.) |
30 # builds respectively.) |
31 # |
31 # |
32 # JCE builds are very different between OpenJDK and JDK. The OpenJDK JCE |
32 # JCE builds are very different between OpenJDK and JDK. The OpenJDK JCE |
33 # jar files do not require signing, but those for JDK do. If an unsigned |
33 # jar files do not require signing, but those for JDK do. If an unsigned |
34 # jar file is installed into JDK, things will break when the crypto |
34 # jar file is installed into JDK, things will break when the crypto |
35 # routines are called. |
35 # routines are called. |
36 # |
36 # |
37 # All jars are created in CreateJars.gmk. This Makefile does the signing |
37 # All jars are created in CreateJars.gmk. This Makefile does the signing |
38 # of the jars for JDK. |
38 # of the jars for JDK. |
39 # |
39 # |
40 # For JDK, the binaries use pre-built/pre-signed binary files stored in |
40 # For JDK, the binaries use pre-built/pre-signed binary files stored in |
41 # the closed workspace that are not shipped in the OpenJDK workspaces. |
41 # the closed workspace that are not shipped in the OpenJDK workspaces. |
42 # We still build the JDK files to verify the files compile, and in |
42 # We still build the JDK files to verify the files compile, and in |
43 # preparation for possible signing. Developers working on JCE in JDK |
43 # preparation for possible signing. Developers working on JCE in JDK |
44 # must sign the JCE files before testing. The JCE signing key is kept |
44 # must sign the JCE files before testing. The JCE signing key is kept |
45 # separate from the JDK workspace to prevent its disclosure. |
45 # separate from the JDK workspace to prevent its disclosure. |
46 # |
46 # |
47 # SPECIAL NOTE TO JCE/JDK developers: The source files must eventually |
47 # SPECIAL NOTE TO JCE/JDK developers: The source files must eventually |
48 # be built, signed, and then the resulting jar files MUST BE CHECKED |
48 # be built, signed, and then the resulting jar files MUST BE CHECKED |
49 # INTO THE CLOSED PART OF THE WORKSPACE*. This separate step *MUST NOT |
49 # INTO THE CLOSED PART OF THE WORKSPACE*. This separate step *MUST NOT |
50 # BE FORGOTTEN*, otherwise a bug fixed in the source code will not be |
50 # BE FORGOTTEN*, otherwise a bug fixed in the source code will not be |
51 # reflected in the shipped binaries. The "sign-jars" target in the top |
51 # reflected in the shipped binaries. The "sign-jars" target in the top |
52 # level Makefile should be used to generate the required files. |
52 # level Makefile should be used to generate the required files. |
53 # |
53 # |
54 |
54 |
55 # Default target |
55 # Default target |
56 all: |
56 all: |
61 "\nPlease read makefiles/SignJars.gmk for further build instructions.\n" |
61 "\nPlease read makefiles/SignJars.gmk for further build instructions.\n" |
62 |
62 |
63 # |
63 # |
64 # Location for JCE codesigning key. |
64 # Location for JCE codesigning key. |
65 # |
65 # |
66 SIGNING_KEY_DIR := /security/ws/JCE-signing/src |
66 SIGNING_KEY_DIR := /security/ws/JCE-signing/src |
67 SIGNING_KEYSTORE := $(SIGNING_KEY_DIR)/KeyStore.jks |
67 SIGNING_KEYSTORE := $(SIGNING_KEY_DIR)/KeyStore.jks |
68 SIGNING_PASSPHRASE := $(SIGNING_KEY_DIR)/passphrase.txt |
68 SIGNING_PASSPHRASE := $(SIGNING_KEY_DIR)/passphrase.txt |
69 SIGNING_ALIAS := oracle_jce_rsa |
69 SIGNING_ALIAS := oracle_jce_rsa |
70 |
70 |
71 # |
71 # |
72 # Defines for signing the various jar files. |
72 # Defines for signing the various jar files. |
73 # |
73 # |
74 check-keystore: |
74 check-keystore: |
75 @if [ ! -f $(SIGNING_KEYSTORE) -o ! -f $(SIGNING_PASSPHRASE) ]; then \ |
75 @if [ ! -f $(SIGNING_KEYSTORE) -o ! -f $(SIGNING_PASSPHRASE) ]; then \ |
76 $(PRINTF) "\n$(SIGNING_KEYSTORE): Signing mechanism *NOT* available..."; \ |
76 $(PRINTF) "\n$(SIGNING_KEYSTORE): Signing mechanism *NOT* available..."; \ |
77 $(PRINTF) $(README-MAKEFILE_WARNING); \ |
77 $(PRINTF) $(README-MAKEFILE_WARNING); \ |
78 exit 2; \ |
78 exit 2; \ |
79 fi |
79 fi |
80 |
80 |
81 $(JCE_OUTPUTDIR)/%: $(IMAGES_OUTPUTDIR)/unsigned/% |
81 $(JCE_OUTPUTDIR)/%: $(IMAGES_OUTPUTDIR)/unsigned/% |
82 $(call install-file) |
82 $(call install-file) |
83 $(JARSIGNER) -keystore $(SIGNING_KEYSTORE) \ |
83 $(JARSIGNER) -keystore $(SIGNING_KEYSTORE) \ |
84 $@ $(SIGNING_ALIAS) < $(SIGNING_PASSPHRASE) |
84 $@ $(SIGNING_ALIAS) < $(SIGNING_PASSPHRASE) |
85 @$(PRINTF) "\nJar codesigning finished.\n" |
85 @$(PRINTF) "\nJar codesigning finished.\n" |
86 |
86 |
87 JAR_LIST := jce.jar \ |
87 JAR_LIST := jce.jar \ |
88 local_policy.jar \ |
88 local_policy.jar \ |
89 sunec.jar \ |
89 sunec.jar \ |
90 sunjce_provider.jar \ |
90 sunjce_provider.jar \ |
91 sunpkcs11.jar \ |
91 sunpkcs11.jar \ |
92 US_export_policy.jar |
92 US_export_policy.jar |
93 |
93 |
94 SIGNED_JARS := $(addprefix $(JCE_OUTPUTDIR)/,$(JAR_LIST)) |
94 SIGNED_JARS := $(addprefix $(JCE_OUTPUTDIR)/,$(JAR_LIST)) |
95 |
95 |
96 $(SIGNED_JARS): check-keystore |
96 $(SIGNED_JARS): check-keystore |
97 |
97 |
98 all: $(SIGNED_JARS) |
98 all: $(SIGNED_JARS) |
99 @$(PRINTF) "\n***The jar files built by the 'jar-sign' target must***" |
99 @$(PRINTF) "\n***The jar files built by the 'jar-sign' target must***" |
100 @$(PRINTF) "\n***still be checked into the closed workspace! ***" |
100 @$(PRINTF) "\n***still be checked into the closed workspace!***" |
101 @$(PRINTF) $(README-MAKEFILE_WARNING) |
101 @$(PRINTF) $(README-MAKEFILE_WARNING) |
102 |
102 |
103 endif # !OPENJDK |
103 endif # !OPENJDK |