# # Copyright (c) 2012, 2013, Oracle and/or its affiliates. All rights reserved. # DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. # # This code is free software; you can redistribute it and/or modify it # under the terms of the GNU General Public License version 2 only, as # published by the Free Software Foundation. Oracle designates this # particular file as subject to the "Classpath" exception as provided # by Oracle in the LICENSE file that accompanied this code. # # This code is distributed in the hope that it will be useful, but WITHOUT # ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or # FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License # version 2 for more details (a copy is included in the LICENSE file that # accompanied this code). # # You should have received a copy of the GNU General Public License version # 2 along with this work; if not, write to the Free Software Foundation, # Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. # # Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA # or visit www.oracle.com if you need additional information or have any # questions. # include $(SPEC) include MakeBase.gmk # (The terms "OpenJDK" and "JDK" below refer to OpenJDK and Oracle JDK # builds respectively.) # # JCE builds are very different between OpenJDK and JDK. The OpenJDK JCE # jar files do not require signing, but those for JDK do. If an unsigned # jar file is installed into JDK, things will break when the crypto # routines are called. # # All jars are created in CreateJars.gmk. This Makefile does the signing # of the jars for JDK. # # For JDK, the binaries use pre-built/pre-signed binary files stored in # the closed workspace that are not shipped in the OpenJDK workspaces. # We still build the JDK files to verify the files compile, and in # preparation for possible signing. Developers working on JCE in JDK # must sign the JCE files before testing. The JCE signing key is kept # separate from the JDK workspace to prevent its disclosure. # # SPECIAL NOTE TO JCE/JDK developers: The source files must eventually # be built, signed, and then the resulting jar files MUST BE CHECKED # INTO THE CLOSED PART OF THE WORKSPACE*. This separate step *MUST NOT # BE FORGOTTEN*, otherwise a bug fixed in the source code will not be # reflected in the shipped binaries. # # Please consult with Release Engineering, which is responsible for # creating the final JCE builds suitable for checkin. # # Default target all: ifndef OPENJDK README-MAKEFILE_WARNING := \ "\nPlease read jdk/make/SignJars.gmk for further build instructions.\n" # # Location for JCE codesigning key. # SIGNING_KEY_DIR := /security/ws/JCE-signing/src SIGNING_KEYSTORE := $(SIGNING_KEY_DIR)/KeyStore.jks SIGNING_PASSPHRASE := $(SIGNING_KEY_DIR)/passphrase.txt SIGNING_ALIAS := oracle_jce_rsa # # Defines for signing the various jar files. # check-keystore: @if [ ! -f $(SIGNING_KEYSTORE) -o ! -f $(SIGNING_PASSPHRASE) ]; then \ $(PRINTF) "\n$(SIGNING_KEYSTORE): Signing mechanism *NOT* available..."; \ $(PRINTF) $(README-MAKEFILE_WARNING); \ exit 2; \ fi $(JDK_OUTPUTDIR)/jce/signed/%: $(JDK_OUTPUTDIR)/jce/unsigned/% $(call install-file) $(JARSIGNER) -keystore $(SIGNING_KEYSTORE) \ $@ $(SIGNING_ALIAS) < $(SIGNING_PASSPHRASE) @$(PRINTF) "\nJar codesigning finished.\n" JAR_LIST := \ jce.jar \ policy/limited/local_policy.jar \ policy/limited/US_export_policy.jar \ policy/unlimited/local_policy.jar \ policy/unlimited/US_export_policy.jar \ sunec.jar \ sunjce_provider.jar \ sunpkcs11.jar \ sunmscapi.jar \ ucrypto.jar \ # UNSIGNED_JARS := $(wildcard $(addprefix $(JDK_OUTPUTDIR)/jce/unsigned/, $(JAR_LIST))) ifeq ($(UNSIGNED_JARS), ) $(error No jars found in $(JDK_OUTPUTDIR)/jce/unsigned/) endif SIGNED_JARS := $(patsubst $(JDK_OUTPUTDIR)/jce/unsigned/%,$(JDK_OUTPUTDIR)/jce/signed/%, \ $(UNSIGNED_JARS)) $(SIGNED_JARS): check-keystore $(JDK_OUTPUTDIR)/jce/signed/policy/unlimited/README.txt: \ $(JDK_OUTPUTDIR)/jce/unsigned/policy/unlimited/README.txt $(install-file) all: $(SIGNED_JARS) $(JDK_OUTPUTDIR)/jce/signed/policy/unlimited/README.txt @$(PRINTF) "\n*** The jar files built by the 'sign-jars' target are developer ***" @$(PRINTF) "\n*** builds only and *MUST NOT* be checked into the closed workspace. ***" @$(PRINTF) "\n*** ***" @$(PRINTF) "\n*** Please consult with Release Engineering: they will generate ***" @$(PRINTF) "\n*** the proper binaries for the closed workspace. ***" @$(PRINTF) "\n" @$(PRINTF) $(README-MAKEFILE_WARNING) endif # !OPENJDK