> OpenJDK vendors who provide binary distributions for the Windows and macOS 
> platforms generally need to ensure that every native executable file and 
> dynamic library that is part of the binary builds is digitally signed using
> a set of OS-specific APIs.
> 
> The JDK build system already provides the ability to invoke the Apple code
> signing API during the build on macOS, but there is no equivalent support for
> Windows, which means that each vendor has had to come up with their own way to
> integrate the code signing step into their build pipeline.
> As the shape of the JDK binary deliverable evolved to accommodate features 
> like modules, signing binaries as an after-the-fact process has gradually 
> become more complicated and error-prone, in particular with regard to the
> introduction of JEP 493.
> 
> This change aims to solve this by introducing a "signing hook" that users can 
> use to specify a custom script that will be invoked by the build system for 
> every native executable or library compiled and linked as part of the build
> target.
> This is to provide enough flexibility for each vendor to include their own 
> specific configuration and/or signing logic, not limited to a specific set of 
> platforms.

Frederic Thevenet has updated the pull request incrementally with one 
additional commit since the last revision:

  Call the hook as part of the native linking recipe.

-------------

Changes:
  - all: https://git.openjdk.org/jdk/pull/23807/files
  - new: https://git.openjdk.org/jdk/pull/23807/files/4c548a8b..6606a7e9

Webrevs:
 - full: https://webrevs.openjdk.org/?repo=jdk&pr=23807&range=04
 - incr: https://webrevs.openjdk.org/?repo=jdk&pr=23807&range=03-04

  Stats: 28 lines in 3 files changed: 8 ins; 20 del; 0 mod
  Patch: https://git.openjdk.org/jdk/pull/23807.diff
  Fetch: git fetch https://git.openjdk.org/jdk.git pull/23807/head:pull/23807

PR: https://git.openjdk.org/jdk/pull/23807
