make/SignJars.gmk - platform/external/jetbrains/jdk8u_jdk - Git at Google

 #
 # Copyright (c) 2012, 2013, Oracle and/or its affiliates. All rights reserved.
 # DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 #
 # This code is free software; you can redistribute it and/or modify it
 # under the terms of the GNU General Public License version 2 only, as
 # published by the Free Software Foundation.  Oracle designates this
 # particular file as subject to the "Classpath" exception as provided
 # by Oracle in the LICENSE file that accompanied this code.
 #
 # This code is distributed in the hope that it will be useful, but WITHOUT
 # ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 # FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 # version 2 for more details (a copy is included in the LICENSE file that
 # accompanied this code).
 #
 # You should have received a copy of the GNU General Public License version
 # 2 along with this work; if not, write to the Free Software Foundation,
 # Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 # Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
 # or visit www.oracle.com if you need additional information or have any
 # questions.
 #

 include $(SPEC)
 include MakeBase.gmk

 # (The terms "OpenJDK" and "JDK" below refer to OpenJDK and Oracle JDK
 # builds respectively.)
 #
 # JCE builds are very different between OpenJDK and JDK. The OpenJDK JCE
 # jar files do not require signing, but those for JDK do. If an unsigned
 # jar file is installed into JDK, things will break when the crypto
 # routines are called.
 #
 # All jars are created in CreateJars.gmk. This Makefile does the signing
 # of the jars for JDK.
 #
 # For JDK, the binaries use pre-built/pre-signed binary files stored in
 # the closed workspace that are not shipped in the OpenJDK workspaces.
 # We still build the JDK files to verify the files compile, and in
 # preparation for possible signing. Developers working on JCE in JDK
 # must sign the JCE files before testing. The JCE signing key is kept
 # separate from the JDK workspace to prevent its disclosure.
 #
 # SPECIAL NOTE TO JCE/JDK developers: The source files must eventually
 # be built, signed, and then the resulting jar files MUST BE CHECKED
 # INTO THE CLOSED PART OF THE WORKSPACE*. This separate step *MUST NOT
 # BE FORGOTTEN*, otherwise a bug fixed in the source code will not be
 # reflected in the shipped binaries.
 #
 # Please consult with Release Engineering, which is responsible for
 # creating the final JCE builds suitable for checkin.
 #

 # Default target
 all:

 ifndef OPENJDK

 README-MAKEFILE_WARNING := \
     "\nPlease read jdk/make/SignJars.gmk for further build instructions.\n"

 #
 # Location for JCE codesigning key.
 #
 SIGNING_KEY_DIR := /security/ws/JCE-signing/src
 SIGNING_KEYSTORE := $(SIGNING_KEY_DIR)/KeyStore.jks
 SIGNING_PASSPHRASE := $(SIGNING_KEY_DIR)/passphrase.txt
 SIGNING_ALIAS := oracle_jce_rsa

 #
 # Defines for signing the various jar files.
 #
 check-keystore:
 	@if [ ! -f $(SIGNING_KEYSTORE) -o ! -f $(SIGNING_PASSPHRASE) ]; then \
 	  $(PRINTF) "\n$(SIGNING_KEYSTORE): Signing mechanism *NOT* available..."; \
 	  $(PRINTF) $(README-MAKEFILE_WARNING); \
 	  exit 2; \
 	fi

 $(JDK_OUTPUTDIR)/jce/signed/%: $(JDK_OUTPUTDIR)/jce/unsigned/%
 	$(call install-file)
 	$(JARSIGNER) -keystore $(SIGNING_KEYSTORE) \
 	    $@ $(SIGNING_ALIAS) < $(SIGNING_PASSPHRASE)
 	@$(PRINTF) "\nJar codesigning finished.\n"

 JAR_LIST := \
     jce.jar \
     policy/limited/local_policy.jar \
     policy/limited/US_export_policy.jar \
     policy/unlimited/local_policy.jar \
     policy/unlimited/US_export_policy.jar \
     sunec.jar \
     sunjce_provider.jar \
     sunpkcs11.jar \
     sunmscapi.jar \
     ucrypto.jar \
     #

 UNSIGNED_JARS := $(wildcard $(addprefix $(JDK_OUTPUTDIR)/jce/unsigned/, $(JAR_LIST)))

 ifeq ($(UNSIGNED_JARS), )
   $(error No jars found in $(JDK_OUTPUTDIR)/jce/unsigned/)
 endif

 SIGNED_JARS := $(patsubst $(JDK_OUTPUTDIR)/jce/unsigned/%,$(JDK_OUTPUTDIR)/jce/signed/%, \
     $(UNSIGNED_JARS))

 $(SIGNED_JARS): check-keystore

 $(JDK_OUTPUTDIR)/jce/signed/policy/unlimited/README.txt: \
     $(JDK_OUTPUTDIR)/jce/unsigned/policy/unlimited/README.txt
 	$(install-file)

 all: $(SIGNED_JARS) $(JDK_OUTPUTDIR)/jce/signed/policy/unlimited/README.txt
 	@$(PRINTF) "\n*** The jar files built by the 'sign-jars' target are developer      ***"
 	@$(PRINTF) "\n*** builds only and *MUST NOT* be checked into the closed workspace. ***"
 	@$(PRINTF) "\n***                                                                  ***"
 	@$(PRINTF) "\n*** Please consult with Release Engineering: they will generate      ***"
 	@$(PRINTF) "\n*** the proper binaries for the closed workspace.                    ***"
 	@$(PRINTF) "\n"
 	@$(PRINTF) $(README-MAKEFILE_WARNING)

 endif # !OPENJDK
	#
	# Copyright (c) 2012, 2013, Oracle and/or its affiliates. All rights reserved.
	# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
	#
	# This code is free software; you can redistribute it and/or modify it
	# under the terms of the GNU General Public License version 2 only, as
	# published by the Free Software Foundation. Oracle designates this
	# particular file as subject to the "Classpath" exception as provided
	# by Oracle in the LICENSE file that accompanied this code.
	#
	# This code is distributed in the hope that it will be useful, but WITHOUT
	# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
	# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
	# version 2 for more details (a copy is included in the LICENSE file that
	# accompanied this code).
	#
	# You should have received a copy of the GNU General Public License version
	# 2 along with this work; if not, write to the Free Software Foundation,
	# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
	#
	# Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
	# or visit www.oracle.com if you need additional information or have any
	# questions.
	#

	include $(SPEC)
	include MakeBase.gmk

	# (The terms "OpenJDK" and "JDK" below refer to OpenJDK and Oracle JDK
	# builds respectively.)
	#
	# JCE builds are very different between OpenJDK and JDK. The OpenJDK JCE
	# jar files do not require signing, but those for JDK do. If an unsigned
	# jar file is installed into JDK, things will break when the crypto
	# routines are called.
	#
	# All jars are created in CreateJars.gmk. This Makefile does the signing
	# of the jars for JDK.
	#
	# For JDK, the binaries use pre-built/pre-signed binary files stored in
	# the closed workspace that are not shipped in the OpenJDK workspaces.
	# We still build the JDK files to verify the files compile, and in
	# preparation for possible signing. Developers working on JCE in JDK
	# must sign the JCE files before testing. The JCE signing key is kept
	# separate from the JDK workspace to prevent its disclosure.
	#
	# SPECIAL NOTE TO JCE/JDK developers: The source files must eventually
	# be built, signed, and then the resulting jar files MUST BE CHECKED
	# INTO THE CLOSED PART OF THE WORKSPACE. This separate step MUST NOT
	# BE FORGOTTEN*, otherwise a bug fixed in the source code will not be
	# reflected in the shipped binaries.
	#
	# Please consult with Release Engineering, which is responsible for
	# creating the final JCE builds suitable for checkin.
	#

	# Default target
	all:

	ifndef OPENJDK

	README-MAKEFILE_WARNING := \
	"\nPlease read jdk/make/SignJars.gmk for further build instructions.\n"

	#
	# Location for JCE codesigning key.
	#
	SIGNING_KEY_DIR := /security/ws/JCE-signing/src
	SIGNING_KEYSTORE := $(SIGNING_KEY_DIR)/KeyStore.jks
	SIGNING_PASSPHRASE := $(SIGNING_KEY_DIR)/passphrase.txt
	SIGNING_ALIAS := oracle_jce_rsa

	#
	# Defines for signing the various jar files.
	#
	check-keystore:
	@if [ ! -f $(SIGNING_KEYSTORE) -o ! -f $(SIGNING_PASSPHRASE) ]; then \
	$(PRINTF) "\n$(SIGNING_KEYSTORE): Signing mechanism NOT available..."; \
	$(PRINTF) $(README-MAKEFILE_WARNING); \
	exit 2; \
	fi

	$(JDK_OUTPUTDIR)/jce/signed/%: $(JDK_OUTPUTDIR)/jce/unsigned/%
	$(call install-file)
	$(JARSIGNER) -keystore $(SIGNING_KEYSTORE) \
	$@ $(SIGNING_ALIAS) < $(SIGNING_PASSPHRASE)
	@$(PRINTF) "\nJar codesigning finished.\n"

	JAR_LIST := \
	jce.jar \
	policy/limited/local_policy.jar \
	policy/limited/US_export_policy.jar \
	policy/unlimited/local_policy.jar \
	policy/unlimited/US_export_policy.jar \
	sunec.jar \
	sunjce_provider.jar \
	sunpkcs11.jar \
	sunmscapi.jar \
	ucrypto.jar \
	#

	UNSIGNED_JARS := $(wildcard $(addprefix $(JDK_OUTPUTDIR)/jce/unsigned/, $(JAR_LIST)))

	ifeq ($(UNSIGNED_JARS), )
	$(error No jars found in $(JDK_OUTPUTDIR)/jce/unsigned/)
	endif

	SIGNED_JARS := $(patsubst $(JDK_OUTPUTDIR)/jce/unsigned/%,$(JDK_OUTPUTDIR)/jce/signed/%, \
	$(UNSIGNED_JARS))

	$(SIGNED_JARS): check-keystore

	$(JDK_OUTPUTDIR)/jce/signed/policy/unlimited/README.txt: \
	$(JDK_OUTPUTDIR)/jce/unsigned/policy/unlimited/README.txt
	$(install-file)

	all: $(SIGNED_JARS) $(JDK_OUTPUTDIR)/jce/signed/policy/unlimited/README.txt
	@$(PRINTF) "\n* The jar files built by the 'sign-jars' target are developer *"
	@$(PRINTF) "\n*** builds only and MUST NOT be checked into the closed workspace. ***"
	@$(PRINTF) "\n* *"
	@$(PRINTF) "\n* Please consult with Release Engineering: they will generate *"
	@$(PRINTF) "\n* the proper binaries for the closed workspace. *"
	@$(PRINTF) "\n"
	@$(PRINTF) $(README-MAKEFILE_WARNING)

	endif # !OPENJDK