Hi Erik, I have implemented your requested changes. I think it is a lot cleaner now and the bundling as well as the signing parts are now only executed when necessary.
New WebRev: http://cr.openjdk.java.net/~rschuenemann/wr/2020/8238534-macos_sign_bundles/02/ Rene On Mon, Feb 10, 2020 at 9:23 AM René Schünemann <rene.schuenem...@gmail.com> wrote: > > Hi Erik, > > thank you for your review and I totally agree with you. It would > definitely be better avoid temp dirs. > I will try to move the creation of the signed image to MacBundles.gmk > and then re-use the SetubBundleFile in Bundles.gmk. > > Rene > > On Fri, Feb 7, 2020 at 5:19 PM Erik Joelsson <erik.joels...@oracle.com> wrote: > > > > Hello René, > > > > It's good to see an open solution to this, but I have some opinions on > > the patch. > > > > The concept of building into "temp dirs" that are then removed is a > > practice we try to avoid in the build. Whenever possible, each rule > > should be a well defined transformation from a set of source files to a > > target file. There is just no reason to remove the jdk-signed dir here. > > If something goes wrong, you would want the dir around to investigate. > > This also keeps incremental builds working as expected. Your current > > patch will always rebuild the bundles, which is not ok. > > > > I would recommend putting the jdk-signed dir in > > $(IMAGES_OUTPUTDIR)/jdk-signed and just leave it there. I would create a > > separate rule for the signing part, where the target file is the > > CodeResources file that codesign actually creates, and the prerequisite > > files simply $(COPY_SIGNED_JDK_BUNDLE). > > > > Separate rules for creating a top level directory are not needed. The > > rules generated from SetupCopyFiles will create all directories needed. > > > > I would also keep using the existing SetupBundleFile for the actual > > bundling, even if most of the functionality in it is not used, just to > > avoid more separate code paths than necessary. > > > > /Erik > > > > On 2020-02-07 02:05, René Schünemann wrote: > > > For the Apple notarization process, the whole bundle in its final form > > > has to be signed with the codesign tool. > > > See the discussion here: https://bugs.openjdk.java.net/browse/JDK-8238225 > > > > > > This change copies all JDK/JRE files to a temporary directory, which > > > is then passed to the codesign tool. The temporary directory is then > > > used as the base directory for the bundle archive and is getting > > > removed after the archive has been created. This only applies when a > > > valid code signing identity is set and the build type is release. > > > > > > Bug: https://bugs.openjdk.java.net/browse/JDK-8238534 > > > WebRev: > > > http://cr.openjdk.java.net/~rschuenemann/wr/2020/8238534-macos_sign_bundles/01/ > > > > > > Rene
