Details
-
Enhancement
-
Status: Resolved
-
P4
-
Resolution: Fixed
-
18
-
b27
Backports
| Issue | Fix Version | Assignee | Priority | Status | Resolution | Resolved In Build |
|---|---|---|---|---|---|---|
| JDK-8282105 | 17.0.3 | Andrew Leonard | P4 | Resolved | Fixed | b03 |
Description
Currently if an OpenJDK developer wants to generate a build with their own cacerts, they need to generate a "cacerts file" externally using keytool, and then pass it to configure using --with-cacerts-file="cacerts file". Unfortunately keytool does not produce a deterministic output, thus the OpenJDK built jdk cacerts is not reproducible.
The OpenJDK internal build of the builtin cacerts resolves this problem with its own build tool "GenerateCacerts", whose output is deterministic.
Developers could easily leverage this tool with the addition of a new configure option --with-cacerts-src="user cacerts folder", which generates the keystore using GenerateCacerts from this folder rather than the builtin cacerts folder.
The OpenJDK internal build of the builtin cacerts resolves this problem with its own build tool "GenerateCacerts", whose output is deterministic.
Developers could easily leverage this tool with the addition of a new configure option --with-cacerts-src="user cacerts folder", which generates the keystore using GenerateCacerts from this folder rather than the builtin cacerts folder.
Attachments
Issue Links
- backported by
-
JDK-8282105 Add --with-cacerts-src='user cacerts folder' to enable deterministic cacerts generation
-
- Resolved
-
- relates to
-
JDK-8278163 --with-cacerts-src variable resolved after GenerateCacerts recipe setup
-
- Resolved
-
- links to
-
Commit
openjdk/jdk17u-dev/f6afde21
-
Commit
openjdk/jdk/dc2abc9f
-
Review
openjdk/jdk17u-dev/164
-
Review
openjdk/jdk/6647
(1 links to)