8005355: build-infra: Java security signing (need a top-level make target).
Reviewed-by: tbell, ohair
## Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved.# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.## This code is free software; you can redistribute it and/or modify it# under the terms of the GNU General Public License version 2 only, as# published by the Free Software Foundation. Oracle designates this# particular file as subject to the "Classpath" exception as provided# by Oracle in the LICENSE file that accompanied this code.## This code is distributed in the hope that it will be useful, but WITHOUT# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License# version 2 for more details (a copy is included in the LICENSE file that# accompanied this code).## You should have received a copy of the GNU General Public License version# 2 along with this work; if not, write to the Free Software Foundation,# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.## Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA# or visit www.oracle.com if you need additional information or have any# questions.#include $(SPEC)include MakeBase.gmk# (The terms "OpenJDK" and "JDK" below refer to OpenJDK and Oracle JDK # builds respectively.)## JCE builds are very different between OpenJDK and JDK. The OpenJDK JCE# jar files do not require signing, but those for JDK do. If an unsigned# jar file is installed into JDK, things will break when the crypto# routines are called.## All jars are created in CreateJars.gmk. This Makefile does the signing# of the jars for JDK.## For JDK, the binaries use pre-built/pre-signed binary files stored in# the closed workspace that are not shipped in the OpenJDK workspaces.# We still build the JDK files to verify the files compile, and in# preparation for possible signing. Developers working on JCE in JDK# must sign the JCE files before testing. The JCE signing key is kept# separate from the JDK workspace to prevent its disclosure.## SPECIAL NOTE TO JCE/JDK developers: The source files must eventually# be built, signed, and then the resulting jar files MUST BE CHECKED# INTO THE CLOSED PART OF THE WORKSPACE*. This separate step *MUST NOT# BE FORGOTTEN*, otherwise a bug fixed in the source code will not be# reflected in the shipped binaries. The "sign-jars" target in the top# level Makefile should be used to generate the required files.## Default targetall:ifndef OPENJDKREADME-MAKEFILE_WARNING := \ "\nPlease read makefiles/SignJars.gmk for further build instructions.\n"## Location for JCE codesigning key.#SIGNING_KEY_DIR := /security/ws/JCE-signing/srcSIGNING_KEYSTORE := $(SIGNING_KEY_DIR)/KeyStore.jksSIGNING_PASSPHRASE := $(SIGNING_KEY_DIR)/passphrase.txtSIGNING_ALIAS := oracle_jce_rsa## Defines for signing the various jar files.#check-keystore: @if [ ! -f $(SIGNING_KEYSTORE) -o ! -f $(SIGNING_PASSPHRASE) ]; then \ $(PRINTF) "\n$(SIGNING_KEYSTORE): Signing mechanism *NOT* available..."; \ $(PRINTF) $(README-MAKEFILE_WARNING); \ exit 2; \ fi$(JCE_OUTPUTDIR)/%: $(IMAGES_OUTPUTDIR)/unsigned/% $(MKDIR) -p $(@D) $(CP) $< $@ $(JARSIGNER) -keystore $(SIGNING_KEYSTORE) \ $@ $(SIGNING_ALIAS) < $(SIGNING_PASSPHRASE) @$(PRINTF) "\nJar codesigning finished.\n"JAR_LIST := jce.jar \ local_policy.jar \ sunec.jar \ sunjce_provider.jar \ sunpkcs11.jar \ US_export_policy.jarSIGNED_JARS := $(addprefix $(JCE_OUTPUTDIR)/,$(JAR_LIST))$(SIGNED_JARS): check-keystoreall: $(SIGNED_JARS) @$(PRINTF) "\n***The jar files built by the 'jar-sign' target must***" @$(PRINTF) "\n***still be checked into the closed workspace! ***" @$(PRINTF) $(README-MAKEFILE_WARNING)endif # !OPENJDK