On Wed, 26 Mar 2025 09:28:49 GMT, Frederic Thevenet <ftheve...@openjdk.org> wrote:
>> OpenJDK vendors who provide binary distributions for the Windows and macOS
>> platforms generally need to ensure that every native executable file and
>> dynamic library that is part of the binary builds is digitally signed
>> using a set of OS-specific APIs.
>>
>> The JDK build system already provides the ability to invoke Apple code
>> signing API during the build on macOS, but there is no equivalent support
>> for Windows, which means that each vendor has had to come up with their own
>> way to integrate the code signing step into their build pipeline.
>> As the shape of the JDK binary deliverable evolved to accommodate features
>> like modules, signing binaries as an after-the-fact process has gradually
>> become more complicated and error-prone, in particular with regard to the
>> introduction of JEP 493.
>>
>> This change aims to solve this by introducing a "signing hook" that users
>> can use to specify a custom script that will be invoked by the build system
>> for every native executable or library compiled and linked as part of the
>> build target.
>> This is to provide enough flexibility for each vendor to include their own
>> specific configuration and/or signing logic, not limited to a specific set
>> of platforms.
>
> Frederic Thevenet has updated the pull request incrementally with one
> additional commit since the last revision:
>
> Call the hook as part of the native linking recipe.

Marked as reviewed by erikj (Reviewer).

-------------

PR Review: https://git.openjdk.org/jdk/pull/23807#pullrequestreview-2717022657