| # |
| # Copyright (c) 2012, 2013, Oracle and/or its affiliates. All rights reserved. |
| # DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
| # |
| # This code is free software; you can redistribute it and/or modify it |
| # under the terms of the GNU General Public License version 2 only, as |
| # published by the Free Software Foundation. Oracle designates this |
| # particular file as subject to the "Classpath" exception as provided |
| # by Oracle in the LICENSE file that accompanied this code. |
| # |
| # This code is distributed in the hope that it will be useful, but WITHOUT |
| # ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or |
| # FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License |
| # version 2 for more details (a copy is included in the LICENSE file that |
| # accompanied this code). |
| # |
| # You should have received a copy of the GNU General Public License version |
| # 2 along with this work; if not, write to the Free Software Foundation, |
| # Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. |
| # |
| # Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA |
| # or visit www.oracle.com if you need additional information or have any |
| # questions. |
| # |
| |
| include $(SPEC) |
| include MakeBase.gmk |
| |
| # (The terms "OpenJDK" and "JDK" below refer to OpenJDK and Oracle JDK |
| # builds respectively.) |
| # |
| # JCE builds are very different between OpenJDK and JDK. The OpenJDK JCE |
| # jar files do not require signing, but those for JDK do. If an unsigned |
| # jar file is installed into JDK, things will break when the crypto |
| # routines are called. |
| # |
| # All jars are created in CreateJars.gmk. This Makefile does the signing |
| # of the jars for JDK. |
| # |
| # For JDK, the binaries use pre-built/pre-signed binary files stored in |
| # the closed workspace that are not shipped in the OpenJDK workspaces. |
| # We still build the JDK files to verify the files compile, and in |
| # preparation for possible signing. Developers working on JCE in JDK |
| # must sign the JCE files before testing. The JCE signing key is kept |
| # separate from the JDK workspace to prevent its disclosure. |
| # |
| # SPECIAL NOTE TO JCE/JDK developers: The source files must eventually |
| # be built, signed, and then the resulting jar files MUST BE CHECKED |
| # INTO THE CLOSED PART OF THE WORKSPACE*. This separate step *MUST NOT |
| # BE FORGOTTEN*, otherwise a bug fixed in the source code will not be |
| # reflected in the shipped binaries. |
| # |
| # Please consult with Release Engineering, which is responsible for |
| # creating the final JCE builds suitable for checkin. |
| # |
| |
| # Default target |
| all: |
| |
| ifndef OPENJDK |
| |
| README-MAKEFILE_WARNING := \ |
| "\nPlease read jdk/make/SignJars.gmk for further build instructions.\n" |
| |
| # |
| # Location for JCE codesigning key. |
| # |
| SIGNING_KEY_DIR := /security/ws/JCE-signing/src |
| SIGNING_KEYSTORE := $(SIGNING_KEY_DIR)/KeyStore.jks |
| SIGNING_PASSPHRASE := $(SIGNING_KEY_DIR)/passphrase.txt |
| SIGNING_ALIAS := oracle_jce_rsa |
| |
| # |
| # Defines for signing the various jar files. |
| # |
| check-keystore: |
| @if [ ! -f $(SIGNING_KEYSTORE) -o ! -f $(SIGNING_PASSPHRASE) ]; then \ |
| $(PRINTF) "\n$(SIGNING_KEYSTORE): Signing mechanism *NOT* available..."; \ |
| $(PRINTF) $(README-MAKEFILE_WARNING); \ |
| exit 2; \ |
| fi |
| |
| $(JDK_OUTPUTDIR)/jce/signed/%: $(JDK_OUTPUTDIR)/jce/unsigned/% |
| $(call install-file) |
| $(JARSIGNER) -keystore $(SIGNING_KEYSTORE) \ |
| $@ $(SIGNING_ALIAS) < $(SIGNING_PASSPHRASE) |
| @$(PRINTF) "\nJar codesigning finished.\n" |
| |
| JAR_LIST := \ |
| jce.jar \ |
| policy/limited/local_policy.jar \ |
| policy/limited/US_export_policy.jar \ |
| policy/unlimited/local_policy.jar \ |
| policy/unlimited/US_export_policy.jar \ |
| sunec.jar \ |
| sunjce_provider.jar \ |
| sunpkcs11.jar \ |
| sunmscapi.jar \ |
| ucrypto.jar \ |
| # |
| |
| UNSIGNED_JARS := $(wildcard $(addprefix $(JDK_OUTPUTDIR)/jce/unsigned/, $(JAR_LIST))) |
| |
| ifeq ($(UNSIGNED_JARS), ) |
| $(error No jars found in $(JDK_OUTPUTDIR)/jce/unsigned/) |
| endif |
| |
| SIGNED_JARS := $(patsubst $(JDK_OUTPUTDIR)/jce/unsigned/%,$(JDK_OUTPUTDIR)/jce/signed/%, \ |
| $(UNSIGNED_JARS)) |
| |
| $(SIGNED_JARS): check-keystore |
| |
| $(JDK_OUTPUTDIR)/jce/signed/policy/unlimited/README.txt: \ |
| $(JDK_OUTPUTDIR)/jce/unsigned/policy/unlimited/README.txt |
| $(install-file) |
| |
| all: $(SIGNED_JARS) $(JDK_OUTPUTDIR)/jce/signed/policy/unlimited/README.txt |
| @$(PRINTF) "\n*** The jar files built by the 'sign-jars' target are developer ***" |
| @$(PRINTF) "\n*** builds only and *MUST NOT* be checked into the closed workspace. ***" |
| @$(PRINTF) "\n*** ***" |
| @$(PRINTF) "\n*** Please consult with Release Engineering: they will generate ***" |
| @$(PRINTF) "\n*** the proper binaries for the closed workspace. ***" |
| @$(PRINTF) "\n" |
| @$(PRINTF) $(README-MAKEFILE_WARNING) |
| |
| endif # !OPENJDK |