Commit Graph

182 Commits

Author SHA1 Message Date
Andrew Hughes
f206f3a913 Turn on system security properties as part of the build's install section
Move cacerts replacement to install section and retain original of this and tzdb.dat
Run tests on the installed image, rather than the build image
Introduce variables to refer to the static library installation directories
Use relative symlinks so they work within the image
Run debug symbols check during build stage, before the install strips them
2022-07-08 02:38:51 +01:00
Stephan Bergmann
7d90e62473 Fix flatpak builds
...after 19065a8b01585a1aa5f22e38e99fc0c47c597074 "Temporarily move x86 to use
Zero in order to get a working build":

When building the

>       if ${run_bootstrap} ; then

branch for suffix='' and loop='-main', the second

>           buildjdk ${builddir} $(pwd)/${bootinstalldir}/images/%{jdkimage} "${maketargets}" ${debugbuild} ${link_opt}

uses the JDK (`$(pwd)/${bootinstalldir}/images/%{jdkimage}`) from the installjdk
on the previous line.  But installjdk does

> 	rm ${imagepath}/lib/tzdb.dat
> 	ln -s %{_datadir}/javazi-1.8/tzdb.dat ${imagepath}/lib/tzdb.dat

which made that JDK's tzdb.dat link to /app/share/javazi-1.8/tzdb.dat in a
flatpak build (rather than the usual /usr/share/javazi-1.8/tzdb.dat in a non-
flatpak build) which is not present at build-time (but will be present at
runtime in at least the LibreOffice flatpak, which bundles tzdata-java built for
the flatpak /app prefix).  So using that JDK's compiler during the build kept
failing due to java.io.FileNotFoundException for its lib/tzdb.dat.

(This was not an issue prior to 19065a8b01585a1aa5f22e38e99fc0c47c597074, as
installjdk's modification of lib/tzdb.dat used to be done only for the "Final
setup on the main image" at the very end of the build, not during the build for
JDKs that are themselves used later during the build.)

The easiest workaround for this issue appears to be to just not bootstrap_build
in the flatpak case, avoiding the situation that a JDK whose lib/tzdb.dat has
been modified through installjdk is used during the build.
2022-07-07 20:37:19 +01:00
Francisco Ferrari Bihurriet
742fc4c474 RH2007331: SecretKey generate/import operations don't add the CKA_SIGN attribute in FIPS mode
Use SunPKCS11 Attributes Configuration to set CKA_SIGN=true on SecretKey generate/import operations in FIPS mode, see:
https://docs.oracle.com/en/java/javase/17/security/pkcs11-reference-guide1.html#GUID-C4ABFACB-B2C9-4E71-A313-79F881488BB9__PKCS11-ATTRIBUTES-CONFIGURATION
2022-07-01 02:05:02 +01:00
Stephan Bergmann
26e1d8bb6d Fix flatpak builds (catering for their uncompressed manual pages)
...see
<https://docs.fedoraproject.org/en-US/flatpak/troubleshooting/#_uncompressed_manual_pages>
for details
2022-06-30 01:55:18 +01:00
Andrew John Hughes
7bc45a5253 Update FIPS support to bring in latest changes
* RH2023467: Enable FIPS keys export
* RH2094027: SunEC runtime permission for FIPS
* RH2036462: sun.security.pkcs11.wrapper.PKCS11.getInstance breakage
* RH2090378: Revert to disabling system security properties and FIPS mode support together

Rebase RH1648249 nss.cfg patch so it applies after the FIPS patch
Enable system security properties in the RPM (now disabled by default in the FIPS repo)
Improve security properties test to check both enabled and disabled behaviour
Run security properties test with property debugging on
Minor sync-ups with java-17-openjdk spec file
2022-06-24 17:41:21 +01:00
Andrew John Hughes
624750adb4 Exclude s390x from the gdb test on RHEL 7 where we see failures with the portable build 2022-05-25 09:59:33 +01:00
Jiri Vanek
fcc7371149 updated to CPU jdk-18.0.1+10 sources 2022-04-28 11:59:03 +02:00
Jiri Vanek
40e63ef0cc updated to CPU jdk-18.0.1 sources 2022-04-27 18:36:10 +02:00
Andrew John Hughes
4c04ead0c3 Add missing ChangeLog entry for previous commit 2022-04-10 22:23:34 +01:00
Jiri Vanek
fb85c81739 removed hardcoded /usr/lib/jvm by %{_jvmdir} to make rpmlint happy 2022-04-05 16:04:27 +02:00
Andrew John Hughes
f4cdbe8673 Automatically turn off building a fresh HotSpot first, if the bootstrap JDK is not the same major version as that being built 2022-03-28 15:09:43 +01:00
Jiri
b4e869d71c Updated generate_source_tarball.sh to match current sources 2022-03-24 13:18:38 +01:00
Jiri
eaab09411c Removed ages unused update_package.sh 2022-03-24 13:18:12 +01:00
Jiri Vanek
3c5126e20f set build jdk to 18
as ga is 1, set vendor_version_string to 22.3
2022-03-21 12:48:15 +01:00
Jiri Vanek
d51da6f4c2 replaced tabs by sets of spaces to make rpmlint happy 2022-03-21 12:47:11 +01:00
Andrew John Hughes
48dbe4bbff Update to RC version of OpenJDK 18
* Add new slave jwebserver and corresponding manpage
- Adjust rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-devel.patch
- Support JVM variant zero following JDK-8273494 no longer installing Zero's libjvm.so in the server directory
- Disable HotSpot-only pre-build which is incompatible with the boot JDK being a different major version to that being built
- Rebase FIPS patches from fips-18u branch and simplify by using a single patch from that repository
- Detect NSS at runtime for FIPS detection
- Turn off build-time NSS linking and go back to an explicit Requires on NSS
- Enable AlgorithmParameters and AlgorithmParameterGenerator services in FIPS mode
- Rebase RH1648249 nss.cfg patch so it applies after the FIPS patch
2022-03-16 05:20:49 +00:00
Andrew John Hughes
ed4b79a683 Reinstate JIT builds on x86_32.
Add JDK-8282004 to fix missing CALL effects on x86_32.
2022-02-17 01:57:58 +00:00
Severin Gehwolf
0bb7626ce6 Re-enable gdb backtrace check on formerly disabled arches. 2022-02-08 15:35:20 +01:00
Andrew John Hughes
487c5b54b4 Temporarily move x86 to use Zero in order to get a working build
Replace -mstackrealign with -mincoming-stack-boundary=2 -mpreferred-stack-boundary=4 on x86_32 for stack alignment
Support a HotSpot-only build so a freshly built libjvm.so can then be used in the bootstrap JDK.
Explicitly list JIT architectures rather than relying on those with slowdebug builds
Disable the serviceability agent on Zero architectures even when the architecture itself is supported
2022-02-05 01:48:07 +00:00
Andrew John Hughes
aadc529dd1 Introduce stapinstall variable to set SystemTap arch directory correctly (e.g. arm64 on aarch64)
Need to support noarch for creating source RPMs for non-scratch builds.
2022-01-24 18:50:55 +00:00
Andrew John Hughes
a0812df57d January 2022 security update to jdk 17.0.2+8
Set LTS designator on RHEL, excluding Fedora & EPEL.
Rename libsvml.so to libjsvml.so following JDK-8276025
Remove JDK-8276572 patch which is now upstream.
Rebase RH1995150 & RH1996182 patches following JDK-8275863 addition to module-info.java
2022-01-24 14:30:58 +00:00
Andrew John Hughes
1b7a9fc8f1 Separate crypto policy initialisation from FIPS initialisation, now they are no longer interdependent 2022-01-24 02:17:42 +00:00
Fedora Release Engineering
82a565bf80 - Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2022-01-20 13:40:37 +00:00
Andrew John Hughes
21e63a4b52 Sync gdb test with java-1.8.0-openjdk and improve architecture restrictions.
Disable on x86, x86_64, ppc64le & s390x while these are broken in rawhide.
2022-01-19 00:37:12 +00:00
Andrew John Hughes
dc05b09f75 Fix FIPS issues in native code and with initialisation of java.security.Security 2022-01-13 01:12:07 +00:00
Jiri Vanek
d62b3d65d1 Storing and restoring alternatives during update manually
Fixing:
Bug 2001567 - update of JDK/JRE is removing its manually selected alternatives and select (as auto) system JDK/JRE

The move of alternatives creation to posttrans to fix:
Bug 1200302 - dnf reinstall breaks alternatives
Had caused the alternatives to be removed, and then created again,
instead of being added, and then removing the old, and thus persisting
the selection in family

Thus this fix, is storing the family of manually selected master, and if
stored, then it is restoring the family of the master
2021-12-13 18:18:06 +01:00
Jiri Vanek
b0564c69d6 family extracted to globals 2021-12-13 18:15:09 +01:00
Jiri Vanek
31a223aed4 Providing proper provides for javadoc-zip subpk
Before this patch, the java-17-openjdk-javadoc-zip was not existing, and
instead of that, javadoc was provided by both
Fact, that both subpkgs should provide javadoc, should be kept
2021-12-09 11:56:47 +01:00
Jiri Vanek
461ed378a5 Removing tabs in whitespaced specfile for rpmlint 2021-12-09 11:50:27 +01:00
Andrew John Hughes
241e828cfe Handle Fedora in distro conditionals that currently only pertain to RHEL. 2021-11-29 01:43:48 +00:00
Jiri Vanek
6837909120 Patch syslookup.c so it actually has some code to be compiled into libsyslookup
Related: rhbz#2013846
2021-11-08 14:49:39 +01:00
Severin Gehwolf
62ce7fecfc Use 'sql:' prefix in nss.fips.cfg
Fedora 35 and better no longer ship the legacy
secmod.db file as part of the nss package. Explicitly
tell OpenJDK to use sqlite-based sec mode.

Resolves: RHBZ#2019555
2021-11-05 14:28:40 +01:00
Andrew John Hughes
5deee57a12 Turn off bootstrapping for slow debug builds, which are particularly slow on ppc64le. 2021-11-03 21:39:17 +00:00
Andrew John Hughes
68acf88023 Sync desktop files with upstream IcedTea release 3.15.0 using new script 2021-11-01 13:46:13 +00:00
Andrew John Hughes
28b9940eba Restructure the build so a minimal initial build is then used for the final build (with docs)
This reduces pressure on the system JDK and ensures the JDK being built can do a full build
2021-10-26 16:35:41 +01:00
Andrew John Hughes
18b2f76565 Minor cosmetic improvements to make spec more comparable between variants 2021-10-26 02:11:32 +01:00
Andrew John Hughes
e70d9ec500 Update tapsets from IcedTea 6.x repository with fix for JDK-8015774 changes (_heap->_heaps) and @JAVA_SPEC_VER@
Update icedtea_sync.sh with a VCS mode that retrieves sources from a Mercurial repository
2021-10-21 16:36:06 +01:00
Petra Mikova
fb48b1ebd8 October CPU 2021 update 2021-10-21 14:41:20 +02:00
Andrew John Hughes
2891e38fa2 Add FIPS patch to allow plain key import.
Allow plain key import to be disabled with -Dcom.redhat.fips.plainKeySupport=false
2021-10-10 23:10:57 +01:00
Andrew John Hughes
f2132d86ba Add patch to login to the NSS software token when in FIPS mode.
Fix unused function compiler warning found in systemconf.c
Extend the default security policy to accommodate PKCS11 accessing jdk.internal.access.
2021-10-01 02:13:43 +01:00
Andrew John Hughes
37b7b79aff Update release notes to document the major changes between OpenJDK 11 & 17. 2021-09-27 02:43:04 +01:00
Andrew John Hughes
53cd241c34 Add patch to disable non-FIPS crypto in the SUN and SunEC security providers. 2021-09-16 02:11:23 +01:00
Andrew John Hughes
37b0e84cf4 Update to jdk-17+35, also known as jdk-17-ga.
Switch to GA mode.
2021-09-15 00:07:30 +01:00
Andrew John Hughes
619b0b263e Detect FIPS using SECMOD_GetSystemFIPSEnabled in the new libsystemconf JDK library.
Minor code cleanups on FIPS detection patch and check for SECMOD_GetSystemFIPSEnabled in configure.
Remove unneeded Requires on NSS as it will now be dynamically linked and detected by RPM.
2021-09-08 04:41:40 +01:00
Andrew John Hughes
e426a3c6f9 Support the FIPS mode crypto policy (RH1655466)
Update RH1655466 FIPS patch with changes in OpenJDK 8 version.
SunPKCS11 runtime provider name is a concatenation of "SunPKCS11-" and the name in the config file.
Change nss.fips.cfg config name to "NSS-FIPS" to avoid confusion with nss.cfg.
No need to substitute path to nss.fips.cfg as java.security file supports a java.home variable.
Disable FIPS mode support unless com.redhat.fips is set to "true".
Use appropriate keystore types when in FIPS mode (RH1818909)
Enable alignment with FIPS crypto policy by default (-Dcom.redhat.fips=false to disable).
Disable TLSv1.3 when the FIPS crypto policy and the NSS-FIPS provider are in use (RH1860986)
Add explicit runtime dependency on NSS for the PKCS11 provider in FIPS mode
Move setup of JavaSecuritySystemConfiguratorAccess to Security class so it always occurs (RH1915071)
2021-09-06 01:15:24 +01:00
Jiri Vanek
e16ee29c24 alternatives creation moved to posttrans
- Thus fixing the old reinstall issue:
- https://bugzilla.redhat.com/show_bug.cgi?id=1200302
- https://bugzilla.redhat.com/show_bug.cgi?id=1976053
2021-08-31 18:26:42 +02:00
Andrew John Hughes
e79cabf8e2 Update to jdk-17+33, including JDWP fix and July 2021 CPU
Resolves: rhbz#1972529
2021-07-30 06:27:26 +01:00
Fedora Release Engineering
e3ed81b032 - Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2021-07-22 08:57:38 +00:00
Andrew John Hughes
7bc094fb91 Use the "reverse" build loop (debug first) as the main and only build loop to get more diagnostics.
Remove restriction on disabling product build, as debug packages no longer have javadoc packages.
2021-07-07 07:02:16 +01:00
Petra Mikova
e22fd4035f Fix patch rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch
It makes the SunPKCS provider show up again
Resolves: rhbz#1971120
2021-06-28 18:04:36 +02:00