8350801: Add a code signing hook to the JDK build system

fthevenet · jerboaa · commit 4100dc9d4cdd · 2025-03-27T10:16:59.000Z
Reviewed-by: ihse, erikj
diff --git a/make/autoconf/configure.ac b/make/autoconf/configure.ac
@@ -260,6 +260,7 @@ JDKOPT_ENABLE_DISABLE_CDS_ARCHIVE
 JDKOPT_ENABLE_DISABLE_CDS_ARCHIVE_COH
 JDKOPT_ENABLE_DISABLE_COMPATIBLE_CDS_ALIGNMENT
 JDKOPT_SETUP_MACOSX_SIGNING
+JDKOPT_SETUP_SIGNING_HOOK
 
 ################################################################################
 #
diff --git a/make/autoconf/jdk-options.m4 b/make/autoconf/jdk-options.m4
@@ -965,6 +965,29 @@ AC_DEFUN([JDKOPT_SETUP_MACOSX_SIGNING],
   AC_SUBST(MACOSX_CODESIGN_MODE)
 ])
 
+################################################################################
+#
+# Setup a hook to invoke a script that runs for file produced by the native
+# compilation steps, after linking.
+# Parameter is the path to the script to be called.
+#
+AC_DEFUN([JDKOPT_SETUP_SIGNING_HOOK],
+[
+  UTIL_ARG_WITH(NAME: signing-hook, TYPE: executable,
+      OPTIONAL: true, DEFAULT: "",
+      DESC: [specify path to script used to code sign native binaries]
+  )
+
+  AC_MSG_CHECKING([for signing hook])
+  if test "x$SIGNING_HOOK" != x; then
+    UTIL_FIXUP_EXECUTABLE(SIGNING_HOOK)
+    AC_MSG_RESULT([$SIGNING_HOOK])
+  else
+    AC_MSG_RESULT([none])
+  fi
+  AC_SUBST(SIGNING_HOOK)
+])
+
 ################################################################################
 #
 # fallback linker
diff --git a/make/autoconf/spec.gmk.template b/make/autoconf/spec.gmk.template
@@ -479,6 +479,9 @@ MACOSX_VERSION_MAX := @MACOSX_VERSION_MAX@
 MACOSX_CODESIGN_MODE := @MACOSX_CODESIGN_MODE@
 MACOSX_CODESIGN_IDENTITY := @MACOSX_CODESIGN_IDENTITY@
 
+# The code signing hook configuration
+SIGNING_HOOK := @SIGNING_HOOK@
+
 # Toolchain type: gcc, clang, microsoft...
 TOOLCHAIN_TYPE := @TOOLCHAIN_TYPE@
 TOOLCHAIN_VERSION := @TOOLCHAIN_VERSION@
diff --git a/make/autoconf/util.m4 b/make/autoconf/util.m4
@@ -566,6 +566,14 @@ AC_DEFUN([UTIL_CHECK_TYPE_file],
   fi
 ])
 
+AC_DEFUN([UTIL_CHECK_TYPE_executable],
+[
+  # Check that the argument is an existing file that the user has execute access to.
+  if (test ! -x "$1") || (test ! -f "$1") ; then
+    FAILURE="File $1 does not exist or is not executable"
+  fi
+])
+
 AC_DEFUN([UTIL_CHECK_TYPE_directory],
 [
   # Check that the argument is an existing directory
@@ -648,7 +656,7 @@ AC_DEFUN([UTIL_CHECK_TYPE_features],
 # Arguments:
 #   NAME: The base name of this option (i.e. what follows --with-). Required.
 #   TYPE: The type of the value. Can be one of "string", "integer", "file",
-#     "directory", "literal", "multivalue" or "features". Required.
+#     "executable", "directory", "literal", "multivalue" or "features". Required.
 #   DEFAULT: The default value for this option. Can be any valid string.
 #     Required.
 #   OPTIONAL: If this feature can be disabled. Defaults to false. If true,
@@ -758,7 +766,7 @@ UTIL_DEFUN_NAMED([UTIL_ARG_WITH],
   # Need to assign since we can't expand ARG TYPE inside the m4 quoted if statement
   TEST_TYPE="ARG_TYPE"
   # Additional [] needed to keep m4 from mangling shell constructs.
-  [ if [[ ! "$TEST_TYPE" =~ ^(string|integer|file|directory|literal|multivalue|features)$ ]] ; then ]
+  [ if [[ ! "$TEST_TYPE" =~ ^(string|integer|file|executable|directory|literal|multivalue|features)$ ]] ; then ]
     AC_MSG_ERROR([Internal error: Argument TYPE to [UTIL_ARG_WITH] must be a valid type, was: 'ARG_TYPE'])
   fi
 
diff --git a/make/common/native/Link.gmk b/make/common/native/Link.gmk
@@ -203,6 +203,10 @@ define CreateDynamicLibraryOrExecutable
 	      $(CODESIGN) -f -s $$($1_CODESIGN_OPTS) --entitlements \
 	          $$(call GetEntitlementsFile, $$@) $$@)
         endif
+        ifneq ($(SIGNING_HOOK), )
+	  $$(call ExecuteWithLog, $$($1_OBJECT_DIR)/$$($1_SAFE_NAME)_call_signing_hook, \
+	      $(SIGNING_HOOK) $$($1_TARGET))
+        endif
 
   # This is for IDE integration purposes only, and is not normally generated
   $1_LDFLAGS_FILE := $$(MAKESUPPORT_OUTPUTDIR)/compile-commands/$$($1_UNIQUE_NAME)-ldflags.txt
diff --git a/make/common/native/LinkMicrosoft.gmk b/make/common/native/LinkMicrosoft.gmk
@@ -117,6 +117,10 @@ define CreateDynamicLibraryOrExecutableMicrosoft
 	      -identity:"$$($1_NAME).exe, version=$$($1_MANIFEST_VERSION)" \
 	      -outputresource:$$@;#1
         endif
+        ifneq ($(SIGNING_HOOK), )
+	  $$(call ExecuteWithLog, $$($1_OBJECT_DIR)/$$($1_SAFE_NAME)_call_signing_hook, \
+	      $(SIGNING_HOOK) $$($1_TARGET))
+        endif
 endef
 
 ################################################################################

Original file line number	Diff line number	Diff line change
`@@ -260,6 +260,7 @@ JDKOPT_ENABLE_DISABLE_CDS_ARCHIVE`
`260`	`260`	`JDKOPT_ENABLE_DISABLE_CDS_ARCHIVE_COH`
`261`	`261`	`JDKOPT_ENABLE_DISABLE_COMPATIBLE_CDS_ALIGNMENT`
`262`	`262`	`JDKOPT_SETUP_MACOSX_SIGNING`
	`263`	`+JDKOPT_SETUP_SIGNING_HOOK`
`263`	`264`
`264`	`265`	`################################################################################`
`265`	`266`	`#`