On Wed, 26 Feb 2025 18:02:53 GMT, Frederic Thevenet <[email protected]> wrote:

> OpenJDK vendors who provide binary distributions for the Windows and macOS
> platforms generally need to ensure that every native executable file and
> dynamic library that are part of the binary builds are digitally signed using
> a set of OS specific APIs.
>
> The JDK build system already provides the ability to invoke Apple code
> signing API during the build on macOS, but there is no equivalent support for
> Windows, which means that each vendor has had to come up with their own way to
> integrate the code signing step into their build pipeline.
> As the shape of the JDK binary deliverable evolved to accommodate features
> like modules, signing binaries as an after-the-fact process has gradually
> become more complicated and error prone, in particular with regard to the
> introduction of JEP 493.
>
> This change aims to solve this by introducing a "signing hook" that users can
> use to specify a custom script that will be invoked by the build system for
> every native executable or library compiled and linked as part of the build
> target.
> This is to provide enough flexibility for each vendor to include their own
> specific configuration and/or signing logic, not limited to a specific set of
> platforms.

This pull request has now been integrated.

Changeset: 4100dc9d
Author:    Frederic Thevenet <[email protected]>
Committer: Severin Gehwolf <[email protected]>
URL:       https://git.openjdk.org/jdk/commit/4100dc9d4cdd5f0c202b2b2a32554e3aa4f15025
Stats:     45 lines in 6 files changed: 43 ins; 0 del; 2 mod

8350801: Add a code signing hook to the JDK build system

Reviewed-by: ihse, erikj

-------------

PR: https://git.openjdk.org/jdk/pull/23807
