Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Build cacerts during build from Mozilla's list, take 2 #2113

Merged
merged 1 commit into from
Nov 25, 2020
Merged

Build cacerts during build from Mozilla's list, take 2 #2113

merged 1 commit into from
Nov 25, 2020

Conversation

aahlenst
Copy link
Contributor

@aahlenst aahlenst commented Oct 3, 2020

Generates the CA certificate bundle at build time from Mozilla's list of trusted CA certificates.

For context see adoptium/adoptium-support#13. TSC approval is recorded in adoptium/adoptium-support#13 (comment).

There was a previous attempt that failed (#2033, #2083) because I forgot to lock the keystore format to JKS/SUN 🤦. Adding tests to ensure that everything works is being tracked in adoptium/aqa-tests#1963. Ideally, we wait for the tests to appear before merging this one.

@adoptopenjdk-github-bot
Copy link
Contributor

🟢 PR TESTER RESULT 🟢

✅ All pipelines passed! ✅

@karianna karianna added the enhancement Issues that enhance the code or documentation of the repo in any way label Oct 5, 2020
@karianna karianna added this to the October 2020 milestone Oct 5, 2020
karianna
karianna requested changes Oct 5, 2020
View reviewed changes
README.md Show resolved Hide resolved
makejdk-any-platform.1 Show resolved Hide resolved
sbin/prepareWorkspace.sh Show resolved Hide resolved
@aahlenst aahlenst mentioned this pull request Oct 8, 2020
Closed
@sxa sxa mentioned this pull request Oct 26, 2020
Open
@sxa
Copy link
Member

sxa commented Oct 26, 2020

@aahlenst What's the situation with this - are you looking to move it forward again now that the October releases have shipped? Are there any blockers?

@aahlenst
Copy link
Contributor Author

As I said, we need the tests first. Tests are there, but not integrated. Waiting for Shelley and myself to work this out. Do not expect any movement from my side before late next week.

@karianna
Copy link
Contributor

@aahlenst small merge conflict now as well

@M-Davies M-Davies modified the milestones: October 2020, November 2020 Nov 7, 2020
@aahlenst aahlenst marked this pull request as ready for review November 12, 2020 08:34
@aahlenst
Copy link
Contributor Author

Now that adoptium/aqa-tests#2049 has landed, this is safe to merge as soon as the releases are done and the tests were successful. adoptium/aqa-tests#1963 (comment) demonstrates that the test detect a broken trust store.

@aahlenst
Build cacerts during build from Mozilla's list
26c1c11 
The cacerts trust store provided by OpenJDK lacks a few common certificates
(see adoptium/adoptium-support#13). We reached
out to OpenJDK, but there was little interest to change the state of affairs
(see https://mail.openjdk.java.net/pipermail/jdk-dev/2020-May/004305.html).
Consequently, the AdoptOpenJDK TSC decided to replace the bundled trust
store with the root CA certificates included in Mozilla Firefox. Mozilla
runs a trusted root CA program and is used by, amongst others, most Linux
distributions. Running our own root CA program was not an option (too much
work, difficult). But we leave the option open to include CA certificates
on a case-by-case basis. If anyone wants to build with the stock OpenJDK
certificates, pass `--custom-cacerts false`.

The list of CA certificates is not downloaded on demand but stored in the
repository. This prevents intermittent download failures and makes it easier
to inspect what certificates we have bundled with a certain release. Changes
are also clearly visible in the revision history. This is also the reason that
the cacerts file is built from source during the JDK build. The downside is
that the list of certificates needs to be regularly updated.

The cacerts trust store is built with keytool from the boot JDK to ensure
that it is compatible with the built JDK version.
karianna
karianna approved these changes Nov 24, 2020
View reviewed changes
Copy link
Contributor

@karianna karianna left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@M-Davies
Copy link

run tests

@adoptopenjdk-github-bot
Copy link
Contributor

🟠 PR TESTER RESULT 🟠

❎ Some pipelines failed or the job was aborted! ❎
See the pipeline-build-check below for more information...

@M-Davies
Copy link

🟠 PR TESTER RESULT 🟠

❎ Some pipelines failed or the job was aborted! ❎
See the pipeline-build-check below for more information...

One annoying network issue on a mac machine (unrelated to this PR)

M-Davies
M-Davies approved these changes Nov 25, 2020
View reviewed changes
Copy link

@M-Davies M-Davies left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Since the tests passed, I'm happy to merge this 👍

@aahlenst aahlenst merged commit 9cb3ddc into adoptium:master Nov 25, 2020
@aahlenst aahlenst deleted the mozilla-cacerts branch November 25, 2020 10:19
@aahlenst aahlenst mentioned this pull request Nov 25, 2020
Closed
This was referenced Nov 26, 2020
Closed
Merged
@gabrieljones gabrieljones mentioned this pull request Jan 12, 2021
Closed
@sxa sxa mentioned this pull request Jan 28, 2021
Merged
@sxa sxa mentioned this pull request Mar 23, 2021
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@M-Davies M-Davies M-Davies approved these changes

@karianna karianna karianna approved these changes

Assignees
No one assigned
Labels
enhancement Issues that enhance the code or documentation of the repo in any way
Projects
None yet
Milestone
November 2020
Development

Successfully merging this pull request may close these issues.
5 participants
@aahlenst @adoptopenjdk-github-bot @sxa @karianna @M-Davies