Google culture really likes build output determinism, and we recently built our own cacerts generator.
To get determinism, we are using cert digest as alias (must have a unique alias, but value doesn't seem to matter much), and using cert notBefore instead of current (build) timestamp. On Mon, Jun 10, 2019 at 12:40 PM Erik Joelsson <erik.joels...@oracle.com> wrote: > Since JDK-8193255, when we started generating the cacerts file in the > build, the build compare baseline builds have started failing. It seems > the cacerts binary file has some non determinism built in so it doesn't > get generated exactly the same given the same input. This patch adds > special handling when comparing that file by comparing the output of > "keytool -list" on the files instead. > > Bug: https://bugs.openjdk.java.net/browse/JDK-8225392 > > Webrev: http://cr.openjdk.java.net/~erikj/8225392/webrev.01/ > > /Erik > >
