1 # 2 # Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved. 3 # DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. 4 # 5 # This code is free software; you can redistribute it and/or modify it 6 # under the terms of the GNU General Public License version 2 only, as 7 # published by the Free Software Foundation. Oracle designates this 8 # particular file as subject to the "Classpath" exception as provided 9 # by Oracle in the LICENSE file that accompanied this code. 10 # 11 # This code is distributed in the hope that it will be useful, but WITHOUT 12 # ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 13 # FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 14 # version 2 for more details (a copy is included in the LICENSE file that 15 # accompanied this code). 16 # 17 # You should have received a copy of the GNU General Public License version 18 # 2 along with this work; if not, write to the Free Software Foundation, 19 # Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. 20 # 21 # Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA 22 # or visit www.oracle.com if you need additional information or have any 23 # questions. 24 # 25 26 include $(SPEC) 27 include MakeBase.gmk 28 29 # (The terms "OpenJDK" and "JDK" below refer to OpenJDK and Oracle JDK 30 # builds respectively.) 31 # 32 # JCE builds are very different between OpenJDK and JDK. The OpenJDK JCE 33 # jar files do not require signing, but those for JDK do. If an unsigned 34 # jar file is installed into JDK, things will break when the crypto 35 # routines are called. 36 # 37 # All jars are created in CreateJars.gmk. This Makefile does the signing 38 # of the jars for JDK. 39 # 40 # For JDK, the binaries use pre-built/pre-signed binary files stored in 41 # the closed workspace that are not shipped in the OpenJDK workspaces. 42 # We still build the JDK files to verify the files compile, and in 43 # preparation for possible signing. Developers working on JCE in JDK 44 # must sign the JCE files before testing. The JCE signing key is kept 45 # separate from the JDK workspace to prevent its disclosure. 46 # 47 # SPECIAL NOTE TO JCE/JDK developers: The source files must eventually 48 # be built, signed, and then the resulting jar files MUST BE CHECKED 49 # INTO THE CLOSED PART OF THE WORKSPACE*. This separate step *MUST NOT 50 # BE FORGOTTEN*, otherwise a bug fixed in the source code will not be 51 # reflected in the shipped binaries. The "sign-jars" target in the top 52 # level Makefile should be used to generate the required files. 53 # 54 55 # Default target 56 all: 57 58 ifndef OPENJDK 59 60 README-MAKEFILE_WARNING := \ 61 "\nPlease read makefiles/SignJars.gmk for further build instructions.\n" 62 63 # 64 # Location for JCE codesigning key. 65 # 66 SIGNING_KEY_DIR := /security/ws/JCE-signing/src 67 SIGNING_KEYSTORE := $(SIGNING_KEY_DIR)/KeyStore.jks 68 SIGNING_PASSPHRASE := $(SIGNING_KEY_DIR)/passphrase.txt 69 SIGNING_ALIAS := oracle_jce_rsa 70 71 # 72 # Defines for signing the various jar files. 73 # 74 check-keystore: 75 @if [ ! -f $(SIGNING_KEYSTORE) -o ! -f $(SIGNING_PASSPHRASE) ]; then \ 76 $(PRINTF) "\n$(SIGNING_KEYSTORE): Signing mechanism *NOT* available..."; \ 77 $(PRINTF) $(README-MAKEFILE_WARNING); \ 78 exit 2; \ 79 fi 80 81 $(JCE_OUTPUTDIR)/%: $(IMAGES_OUTPUTDIR)/unsigned/% 82 $(call install-file) 83 $(JARSIGNER) -keystore $(SIGNING_KEYSTORE) \ 84 $@ $(SIGNING_ALIAS) < $(SIGNING_PASSPHRASE) 85 @$(PRINTF) "\nJar codesigning finished.\n" 86 87 JAR_LIST := jce.jar \ 88 local_policy.jar \ 89 sunec.jar \ 90 sunjce_provider.jar \ 91 sunpkcs11.jar \ 92 US_export_policy.jar 93 94 SIGNED_JARS := $(addprefix $(JCE_OUTPUTDIR)/,$(JAR_LIST)) 95 96 $(SIGNED_JARS): check-keystore 97 98 all: $(SIGNED_JARS) 99 @$(PRINTF) "\n***The jar files built by the 'jar-sign' target must***" 100 @$(PRINTF) "\n***still be checked into the closed workspace! ***" 101 @$(PRINTF) $(README-MAKEFILE_WARNING) 102 103 endif # !OPENJDK