From 1ba1df7a76f409a67cd324b078b11157f3ddd64c Mon Sep 17 00:00:00 2001 From: Petra Mikova Date: Tue, 31 Jan 2023 13:14:07 +0100 Subject: [PATCH] Necessary parts moved from rpm-like install to build Necessary parts moved from rpm-like install to build --- java-17-openjdk-portable.spec | 199 ++++++++-------------------------- 1 file changed, 45 insertions(+), 154 deletions(-) diff --git a/java-17-openjdk-portable.spec b/java-17-openjdk-portable.spec index 1ee18a5..d5f06a0 100644 --- a/java-17-openjdk-portable.spec +++ b/java-17-openjdk-portable.spec @@ -1193,22 +1193,14 @@ function installjdk() { # Install nss.fips.cfg: NSS configuration for global FIPS mode (crypto-policies) install -m 644 nss.fips.cfg ${imagepath}/conf/security/ - # Turn on system security properties - sed -i -e "s:^security.useSystemPropertiesFile=.*:security.useSystemPropertiesFile=true:" \ - ${imagepath}/conf/security/java.security - - - # Rename OpenJDK cacerts database - mv ${imagepath}/lib/security/cacerts{,.upstream} - # Install cacerts symlink needed by some apps which hard-code the path - ln -sv /etc/pki/java/cacerts ${imagepath}/lib/security - # Create fake alt-java as a placeholder for future alt-java - pushd ${imagepath} - # add alt-java man page - echo "Hardened java binary recommended for launching untrusted code from the Web e.g. javaws" > man/man1/%{alt_java_name}.1 - cat man/man1/java.1 >> man/man1/%{alt_java_name}.1 - popd + if [ -d man/man1 ] ; then + pushd ${imagepath} + # add alt-java man page + echo "Hardened java binary recommended for launching untrusted code from the Web e.g. javaws" > man/man1/%{alt_java_name}.1 + cat man/man1/java.1 >> man/man1/%{alt_java_name}.1 + popd + fi fi } 
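Review bot: The new guard `if [ -d man/man1 ]` in installjdk is evaluated before `pushd ${imagepath}`, so it tests `man/man1` relative to the caller's working directory rather than inside the image. The later hunk at -1357 also runs installjdk on `%{jreimage}`, which a comment in the repack hunk (-1365) says has no man pages, so the check should name the image: `if [ -d ${imagepath}/man/man1 ] ; then`. As written, depending on the build's working directory, either the alt-java man page is skipped for the JDK image too, or the `echo ... > man/man1/%{alt_java_name}.1` redirect fails on the JRE image. The hunk also removes the `security.useSystemPropertiesFile=true` edit and the `/etc/pki/java/cacerts` symlink, so the portable image appears to ship with the system crypto policy off and the upstream cacerts; a comment saying this is intended, and where it is re-applied, would help whoever repacks it. installjdk's body begins outside the hunk.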
@@ -1299,20 +1291,15 @@ EOF %endif for suffix in %{build_loop} ; do - if [ "x$suffix" = "x" ] ; then debugbuild=release else # change --something to something debugbuild=`echo $suffix | sed "s/-//g"` fi - - for loop in %{main_suffix} %{staticlibs_loop} ; do - builddir=%{buildoutputdir -- ${suffix}${loop}} bootbuilddir=boot${builddir} - if test "x${loop}" = "x%{main_suffix}" ; then link_opt="%{link_type}" %if %{system_libs} @@ -1357,6 +1344,7 @@ for suffix in %{build_loop} ; do # Final setup on the main image top_dir_abs_main_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{main_suffix}} installjdk ${top_dir_abs_main_build_path}/images/%{jdkimage} + installjdk ${top_dir_abs_main_build_path}/images/%{jreimage} # Check debug symbols were built into the dynamic libraries debugcheckjdk ${top_dir_abs_main_build_path}/images/%{jdkimage} 
@@ -1365,11 +1353,40 @@ for suffix in %{build_loop} ; do ################################################################################ pushd ${top_dir_abs_main_build_path}/images - if [ "x$suffix" == "x" ] ; then - nameSuffix="" - else - nameSuffix=`echo "$suffix"| sed s/-/./` - fi + if [ "x$suffix" == "x" ] ; then + nameSuffix="" + else + nameSuffix=`echo "$suffix"| sed s/-/./` + fi + # additional steps needed for fluent repack; most of them done twice, as images are already populated + # maybe most of them should be done in upstream build? + for imagedir in %{jdkimage} %{jreimage} ; do + pushd $imagedir + # Convert man pages to UTF8 encoding + if [ -d man/man1 ] ; then # jre do not have man pages... + for manpage in man/man1/* ; do + iconv -f ISO_8859-1 -t UTF8 $manpage -o $manpage.tmp + mv -f $manpage.tmp $manpage + done + fi + # Install release notes + cp -a %{SOURCE10} `pwd` + cp -a %{SOURCE10} `pwd`/legal + # stabilize permissions; aprtially duplicated in instalojdk + find `pwd` -name "*.so" -exec chmod 755 {} \; -exec echo "set 755 to so {}" \; ; + find `pwd` -type d -exec chmod 755 {} \; -exec echo "set 755 to dir {}" \; ; + find `pwd`/legal -type f -exec chmod 644 {} \; -exec echo "set 644 to licences {}" \; ; + popd # jdkimage/jreimage + done # jre/sdk work in loop + # javadoc is done only for release sdkimage + if ! echo $suffix | grep -q "debug" ; then + # Install Javadoc documentation + #cp -a docs %{jdkimage} # not sure if the plaintext javadoc is for some use + built_doc_archive=jdk-%{filever}%{ea_designator_zip}+%{buildver}%{lts_designator_zip}-docs.zip + cp -a `pwd`/../bundles/${built_doc_archive} `pwd`/%{jdkimage}/javadocs.zip || ls -l `pwd`/../bundles + fi + # end of additional steps + mv %{jdkimage} %{jdkportablename -- "$nameSuffix"} mv %{jreimage} %{jreportablename -- "$nameSuffix"} tar -cJf ../../../../%{jdkportablearchive -- "$nameSuffix"} --exclude='**.debuginfo' %{jdkportablename -- "$nameSuffix"} 
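Review bot: The javadoc copy ends in `|| ls -l` on the bundles directory, so a missing docs bundle becomes a directory listing with exit status 0 and the portable JDK archive is packed without `javadocs.zip`. If the archive is required, fail the build after listing, e.g. `cp -a ... javadocs.zip || { ls -l "$(pwd)/../bundles" ; exit 1 ; }`; if it is optional, a comment saying so is enough. The man-page loop and the `find` calls expand `$manpage`, `$imagedir` and the `pwd` substitution unquoted, which breaks on a build path containing whitespace; `"$manpage"` and `"$(pwd)"` are the usual form. The ISO_8859-1 to UTF8 conversion is not idempotent, so a comment that this block must run exactly once per image would be worth adding next to the "done twice" remark.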
@@ -1400,134 +1417,8 @@ for suffix in %{build_loop} ; do done # end of release / debug cycle loop %install -STRIP_KEEP_SYMTAB=libjvm* - - for suffix in %{build_loop} ; do top_dir_abs_main_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{main_suffix}} -if [ "fixme" == "todo" ] ; then #todo, extract some parts to build, drop the rest - but keep it in rpms after repack - -# done in build -%if %{include_staticlibs} -top_dir_abs_staticlibs_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{staticlibs_loop}} -%endif -jdk_image=${top_dir_abs_main_build_path}/images/%{jdkimage} - -# tbd in rpms -# Install the jdk -mkdir -p $RPM_BUILD_ROOT%{_jvmdir} -cp -a ${jdk_image} $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix} - -pushd ${jdk_image} - -# tbd in rpms -%if %{with_systemtap} - # Install systemtap support files - install -dm 755 $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/tapset - # note, that uniquesuffix is in BUILD dir in this case - cp -a $RPM_BUILD_DIR/%{uniquesuffix ""}/tapset$suffix/*.stp $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/tapset/ - pushd $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/tapset/ - tapsetFiles=`ls *.stp` - popd - install -d -m 755 $RPM_BUILD_ROOT%{tapsetdir} - for name in $tapsetFiles ; do - targetName=`echo $name | sed "s/.stp/$suffix.stp/"` - ln -srvf $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/tapset/$name $RPM_BUILD_ROOT%{tapsetdir}/$targetName - done -%endif - -# tbd in rpms - # Install version-ed symlinks - pushd $RPM_BUILD_ROOT%{_jvmdir} - ln -sf %{sdkdir -- $suffix} %{jrelnk -- $suffix} - popd - -# todo fix in build - # Install man pages - install -d -m 755 $RPM_BUILD_ROOT%{_mandir}/man1 - for manpage in man/man1/* - do - # Convert man pages to UTF8 encoding - iconv -f ISO_8859-1 -t UTF8 $manpage -o $manpage.tmp - mv -f $manpage.tmp $manpage - install -m 644 -p $manpage $RPM_BUILD_ROOT%{_mandir}/man1/$(basename \ - $manpage .1)-%{uniquesuffix -- $suffix}.1 - done - # Remove man pages from jdk image - rm -rf 
$RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/man - -popd - -# done in build -# Install static libs artefacts -%if %{include_staticlibs} -mkdir -p $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/%{static_libs_install_dir} -cp -a ${top_dir_abs_staticlibs_build_path}/images/%{static_libs_image}/lib/*.a \ - $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/%{static_libs_install_dir} -%endif - -# todo fix in build -if ! echo $suffix | grep -q "debug" ; then - # Install Javadoc documentation - install -d -m 755 $RPM_BUILD_ROOT%{_javadocdir} - cp -a ${top_dir_abs_main_build_path}/images/docs $RPM_BUILD_ROOT%{_javadocdir}/%{uniquejavadocdir -- $suffix} - built_doc_archive=jdk-%{filever}%{ea_designator_zip}+%{buildver}%{lts_designator_zip}-docs.zip - cp -a ${top_dir_abs_main_build_path}/bundles/${built_doc_archive} \ - $RPM_BUILD_ROOT%{_javadocdir}/%{uniquejavadocdir -- $suffix}.zip || ls -l ${top_dir_abs_main_build_path}/bundles/ -fi - -# todo fix in build -# Install release notes -commondocdir=${RPM_BUILD_ROOT}%{_defaultdocdir}/%{uniquejavadocdir -- $suffix} -install -d -m 755 ${commondocdir} -cp -a %{SOURCE10} ${commondocdir} - -# Install icons and menu entries -for s in 16 24 32 48 ; do - install -D -p -m 644 \ - %{top_level_dir_name}/src/java.desktop/unix/classes/sun/awt/X11/java-icon${s}.png \ - $RPM_BUILD_ROOT%{_datadir}/icons/hicolor/${s}x${s}/apps/java-%{javaver}-%{origin}.png -done - -# tbd in rpms -# Install desktop files -install -d -m 755 $RPM_BUILD_ROOT%{_datadir}/{applications,pixmaps} -for e in jconsole$suffix ; do - desktop-file-install --vendor=%{uniquesuffix -- $suffix} --mode=644 \ - --dir=$RPM_BUILD_ROOT%{_datadir}/applications $e.desktop -done - -# tbd in rpms -# Install /etc/.java/.systemPrefs/ directory -# See https://bugzilla.redhat.com/show_bug.cgi?id=741821 -mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/.java/.systemPrefs - -# todo fix in build -# copy samples next to demos; samples are mostly js files -cp -r %{top_level_dir_name}/src/sample 
$RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/ - - -# tbd in rpms -# moving config files to /etc -mkdir -p $RPM_BUILD_ROOT/%{etcjavadir -- $suffix} -mkdir -p $RPM_BUILD_ROOT/%{etcjavadir -- $suffix}/lib -mv $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/conf/ $RPM_BUILD_ROOT/%{etcjavadir -- $suffix} -mv $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/lib/security $RPM_BUILD_ROOT/%{etcjavadir -- $suffix}/lib -pushd $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix} - ln -srv $RPM_BUILD_ROOT%{etcjavadir -- $suffix}/conf ./conf -popd -pushd $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/lib - ln -srv $RPM_BUILD_ROOT%{etcjavadir -- $suffix}/lib/security ./security -popd -# end moving files to /etc - -# todo fix in build -# stabilize permissions -find $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/ -name "*.so" -exec chmod 755 {} \; ; -find $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/ -type d -exec chmod 755 {} \; ; -find $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/legal -type f -exec chmod 644 {} \; ; - -fi # fixme, todo ################################################################################ if [ "x$suffix" == "x" ] ; then 
@@ -1585,14 +1476,14 @@ $JAVA_HOME/bin/java --add-opens java.base/javax.crypto=ALL-UNNAMED TestCryptoLev $JAVA_HOME/bin/javac -d . %{SOURCE14} $JAVA_HOME/bin/java $(echo $(basename %{SOURCE14})|sed "s|\.java||") -# Check system crypto (policy) is active and can be disabled +# Check system crypto (policy) is deactive and can be enabled # Test takes a single argument - true or false - to state whether system # security properties are enabled or not. $JAVA_HOME/bin/javac -d . %{SOURCE15} export PROG=$(echo $(basename %{SOURCE15})|sed "s|\.java||") export SEC_DEBUG="-Djava.security.debug=properties" -$JAVA_HOME/bin/java ${SEC_DEBUG} ${PROG} true -$JAVA_HOME/bin/java ${SEC_DEBUG} -Djava.security.disableSystemPropertiesFile=true ${PROG} false +$JAVA_HOME/bin/java ${SEC_DEBUG} ${PROG} false +$JAVA_HOME/bin/java ${SEC_DEBUG} -Djava.security.disableSystemPropertiesFile=false ${PROG} true || echo "do not work, https://pkgs.devel.redhat.com/cgit/rpms/java-11-openjdk/tree/java-11-openjdk.spec?h=openjdk-portable-rhel-7#n1292 have it wrong?" # Check java launcher has no SSB mitigation if ! nm $JAVA_HOME/bin/java | grep set_speculation ; then true ; else false; fi
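Review bot: The second invocation now ends in `|| echo "do not work, ..."`, so a failure of the `${PROG} true` case is printed and ignored, and %check can no longer fail on it. With the `security.useSystemPropertiesFile=true` edit removed from installjdk in the first hunk, passing `-Djava.security.disableSystemPropertiesFile=false` presumably cannot switch the system properties file on by itself, which would explain why the case does not pass. Either drop the line and add a comment that enablement is verified after the RPM repack, or keep it fatal and use an option that really enables the file. The echoed text also writes what looks like an internal cgit URL into every build log; a spec comment is a better place for that reference.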