changeset 6356:461b069100fa

8005355: build-infra: Java security signing (need a top-level make target). Reviewed-by: tbell, ohair
author erikj
date Wed, 02 Jan 2013 15:35:12 +0100
parents 368fa50469da
children 3841da683703
files makefiles/BuildJdk.gmk makefiles/CompileJavaClasses.gmk makefiles/CreateJars.gmk makefiles/SignJars.gmk
diffstat 4 files changed, 249 insertions(+), 127 deletions(-) [+]
--- a/makefiles/BuildJdk.gmk	Fri Dec 28 09:51:46 2012 +0100
+++ b/makefiles/BuildJdk.gmk	Wed Jan 02 15:35:12 2013 +0100
@@ -97,6 +97,9 @@
 	+$(MAKE) -f CompileLaunchers.gmk OVERLAY_IMAGES=true
 	+$(MAKE) -f Images.gmk overlay-images
 
+sign-jars:
+	+$(MAKE) -f SignJars.gmk
+
 BINARIES:=$(notdir $(wildcard $(IMAGES_OUTPUTDIR)/j2sdk-image/bin/*))
 INSTALLDIR:=openjdk-$(RELEASE)
 
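Review bot: The new `sign-jars` target has no prerequisite, and its recipe only runs SignJars.gmk, whose pattern rule reads its inputs from `$(IMAGES_OUTPUTDIR)/unsigned/`; nothing in this hunk ensures CreateJars.gmk has refreshed those jars first. On a clean tree the signing step would find no inputs, and on a stale tree it would sign jars that predate the current classes, which are then the ones checked into the closed workspace. Unless the top-level Makefile already orders this (not visible here), make the target depend on whichever target runs CreateJars.gmk, or at least add a comment such as `# Requires up-to-date unsigned jars from CreateJars.gmk; run after the jars step.` The target is not a file either, so it belongs in the `.PHONY` list if this makefile keeps one.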
--- a/makefiles/CompileJavaClasses.gmk	Fri Dec 28 09:51:46 2012 +0100
+++ b/makefiles/CompileJavaClasses.gmk	Wed Jan 02 15:35:12 2013 +0100
@@ -42,8 +42,7 @@
 		com/sun/tools/example/trace\
 		com/sun/tools/example/debug/bdi\
 		com/sun/tools/example/debug/event\
-		com/sun/tools/example/debug/gui \
-		com/oracle/security
+		com/sun/tools/example/debug/gui
 
 ifdef OPENJDK
     EXCLUDES+=	sun/dc \
@@ -86,6 +85,8 @@
         sun/nio/ch/SolarisEventPort.java \
 	sun/tools/attach/SolarisAttachProvider.java \
 	sun/tools/attach/SolarisVirtualMachine.java
+
+   EXCLUDES += com/oracle/security
 endif
 
 # In the old build, this isn't excluded on macosx, even though it probably
--- a/makefiles/CreateJars.gmk	Fri Dec 28 09:51:46 2012 +0100
+++ b/makefiles/CreateJars.gmk	Wed Jan 02 15:35:12 2013 +0100
@@ -129,6 +129,7 @@
 
 # Exclude list for rt.jar and resources.jar
 RT_JAR_EXCLUDES := \
+	com/oracle/security \
 	com/sun/javadoc \
 	com/sun/jdi \
 	com/sun/jarsigner \
@@ -440,60 +441,61 @@
 	$(MV) $@.tmp $@
 
 ##########################################################################################
+# For all security jars, always build the jar, but for closed, install the prebuilt signed
+# version instead of the newly built jar. For open, signing is not needed. See SignJars.gmk
+# for more information.
 
 SUNPKCS11_JAR_DST := $(IMAGES_OUTPUTDIR)/lib/ext/sunpkcs11.jar
+SUNPKCS11_JAR_UNSIGNED := $(IMAGES_OUTPUTDIR)/unsigned/sunpkcs11.jar
+
+$(eval $(call SetupArchive,BUILD_SUNPKCS11_JAR,,\
+	SRCS:=$(JDK_OUTPUTDIR)/classes, \
+	SUFFIXES:=.class,\
+	INCLUDES:=sun/security/pkcs11,\
+	JAR:=$(SUNPKCS11_JAR_UNSIGNED), \
+        MANIFEST:=$(JCE_MANIFEST), \
+	SKIP_METAINF := true))
+
+$(SUNPKCS11_JAR_UNSIGNED): $(JCE_MANIFEST)
 
 ifndef OPENJDK
-
     SUNPKCS11_JAR_SRC := $(JDK_TOPDIR)/make/closed/tools/crypto/pkcs11/sunpkcs11.jar
-
     $(SUNPKCS11_JAR_DST) : $(SUNPKCS11_JAR_SRC)
 	@$(ECHO) $(LOG_INFO) "\n>>>Installing prebuilt SunPKCS11 provider..."
 	$(install-file)
-
 else
-
-    $(eval $(call SetupArchive,BUILD_SUNPKCS11_JAR,,\
-	SRCS:=$(JDK_OUTPUTDIR)/classes, \
-	SUFFIXES:=.class,\
-	INCLUDES:=sun/security/pkcs11,\
-	JAR:=$(SUNPKCS11_JAR_DST), \
-        MANIFEST:=$(JCE_MANIFEST), \
-	SKIP_METAINF := true))
-
-    $(SUNPKCS11_JAR_DST): $(JCE_MANIFEST)
-
+    $(SUNPKCS11_JAR_DST) : $(SUNPKCS11_JAR_UNSIGNED)
+	$(install-file)
 endif
 
-JARS += $(SUNPKCS11_JAR_DST)
+JARS += $(SUNPKCS11_JAR_DST) $(SUNPKCS11_JAR_UNSIGNED)
 
 ##########################################################################################
 
 SUNEC_JAR_DST := $(IMAGES_OUTPUTDIR)/lib/ext/sunec.jar
+SUNEC_JAR_UNSIGNED := $(IMAGES_OUTPUTDIR)/unsigned/sunec.jar
+
+$(eval $(call SetupArchive,BUILD_SUNEC_JAR,,\
+		SRCS:=$(JDK_OUTPUTDIR)/classes, \
+		SUFFIXES:=.class,\
+		INCLUDES:=sun/security/ec,\
+		JAR:=$(SUNEC_JAR_UNSIGNED), \
+                MANIFEST:=$(JCE_MANIFEST), \
+		SKIP_METAINF := true))
+
+$(SUNEC_JAR_UNSIGNED): $(JCE_MANIFEST)
 
 ifndef OPENJDK
-
     SUNEC_JAR_SRC := $(JDK_TOPDIR)/make/closed/tools/crypto/ec/sunec.jar
-
     $(SUNEC_JAR_DST) : $(SUNEC_JAR_SRC)
 	@$(ECHO) $(LOG_INFO) "\n>>>Installing prebuilt SunEC provider..."
 	$(install-file)
-
 else
-
-    $(eval $(call SetupArchive,BUILD_SUNEC_JAR,,\
-		SRCS:=$(JDK_OUTPUTDIR)/classes, \
-		SUFFIXES:=.class,\
-		INCLUDES:=sun/security/ec,\
-		JAR:=$(SUNEC_JAR_DST), \
-                MANIFEST:=$(JCE_MANIFEST), \
-		SKIP_METAINF := true))
-
-    $(SUNEC_JAR_DST): $(JCE_MANIFEST)
-
+    $(SUNEC_JAR_DST) : $(SUNEC_JAR_UNSIGNED)
+	$(install-file)
 endif
 
-JARS += $(SUNEC_JAR_DST)
+JARS += $(SUNEC_JAR_DST) $(SUNEC_JAR_UNSIGNED)
 
 ##########################################################################################
 
@@ -511,162 +513,163 @@
 ##########################################################################################
 
 SUNJCE_PROVIDER_JAR_DST := $(IMAGES_OUTPUTDIR)/lib/ext/sunjce_provider.jar
+SUNJCE_PROVIDER_JAR_UNSIGNED := $(IMAGES_OUTPUTDIR)/unsigned/sunjce_provider.jar
+
+$(eval $(call SetupArchive,BUILD_SUNJCE_PROVIDER_JAR,,\
+		SRCS:=$(JDK_OUTPUTDIR)/classes, \
+		SUFFIXES:=.class,\
+		INCLUDES:= com/sun/crypto/provider,\
+		JAR:=$(SUNJCE_PROVIDER_JAR_UNSIGNED), \
+                MANIFEST:=$(JCE_MANIFEST), \
+		SKIP_METAINF := true))
+
+$(SUNJCE_PROVIDER_JAR_UNSIGNED): $(JCE_MANIFEST)
 
 ifndef OPENJDK
     SUNJCE_PROVIDER_JAR_SRC := $(JDK_TOPDIR)/make/closed/tools/crypto/jce/sunjce_provider.jar
-
     $(SUNJCE_PROVIDER_JAR_DST) : $(SUNJCE_PROVIDER_JAR_SRC)
 	@$(ECHO) $(LOG_INFO) "\n>>>Installing prebuilt SunJCE provider..."
 	$(install-file)
+else
+    $(SUNJCE_PROVIDER_JAR_DST) : $(SUNJCE_PROVIDER_JAR_UNSIGNED)
+	$(install-file)
+endif
 
-else
+JARS += $(SUNJCE_PROVIDER_JAR_DST) $(SUNJCE_PROVIDER_JAR_UNSIGNED)
 
-    $(eval $(call SetupArchive,BUILD_SUNJCE_PROVIDER_JAR,,\
+##########################################################################################
+
+JCE_JAR_DST := $(IMAGES_OUTPUTDIR)/lib/jce.jar
+JCE_JAR_UNSIGNED := $(IMAGES_OUTPUTDIR)/unsigned/jce.jar
+
+$(eval $(call SetupArchive,BUILD_JCE_JAR,,\
 		SRCS:=$(JDK_OUTPUTDIR)/classes, \
 		SUFFIXES:=.class,\
-		INCLUDES:= com/sun/crypto/provider,\
-		JAR:=$(SUNJCE_PROVIDER_JAR_DST), \
+		INCLUDES:= javax/crypto sun/security/internal,\
+		JAR:=$(JCE_JAR_UNSIGNED), \
                 MANIFEST:=$(JCE_MANIFEST), \
 		SKIP_METAINF := true))
 
-    $(SUNJCE_PROVIDER_JAR_DST): $(JCE_MANIFEST)
-
-endif
-
-JARS += $(SUNJCE_PROVIDER_JAR_DST)
-
-JCE_JAR_DST := $(IMAGES_OUTPUTDIR)/lib/jce.jar
+$(JCE_JAR_UNSIGNED): $(JCE_MANIFEST)
 
 ifndef OPENJDK
-
     JCE_JAR_SRC := $(JDK_TOPDIR)/make/closed/tools/crypto/jce/jce.jar
-
     $(JCE_JAR_DST) : $(JCE_JAR_SRC)
 	@$(ECHO) $(LOG_INFO) "\n>>>Installing prebuilt jce.jar..."
 	$(install-file)
-
 else
-
-    $(eval $(call SetupArchive,BUILD_JCE_JAR,,\
-		SRCS:=$(JDK_OUTPUTDIR)/classes, \
-		SUFFIXES:=.class,\
-		INCLUDES:= javax/crypto sun/security/internal,\
-		JAR:=$(JCE_JAR_DST), \
-                MANIFEST:=$(JCE_MANIFEST), \
-		SKIP_METAINF := true))
-
-    $(JCE_JAR_DST): $(JCE_MANIFEST)
-
+    $(JCE_JAR_DST) : $(JCE_JAR_UNSIGNED)
+	$(install-file)
 endif
 
-JARS += $(JCE_JAR_DST)
+JARS += $(JCE_JAR_DST) $(JCE_JAR_UNSIGNED)
 
 ##########################################################################################
 
 US_EXPORT_POLICY_JAR_DST := $(IMAGES_OUTPUTDIR)/lib/security/US_export_policy.jar
+US_EXPORT_POLICY_JAR_UNSIGNED := $(IMAGES_OUTPUTDIR)/unsigned/US_export_policy.jar
+
+#
+# TODO fix so that SetupArchive does not write files into SRCS
+#   then we don't need this extra copying
+#
+# NOTE:  We currently do not place restrictions on our limited export
+# policy.  This was not a typo.
+#
+US_EXPORT_POLICY_JAR_SRC_DIR := $(JDK_TOPDIR)/make/javax/crypto/policy/unlimited
+US_EXPORT_POLICY_JAR_TMP := $(IMAGES_OUTPUTDIR)/US_export_policy_jar.tmp
+
+$(US_EXPORT_POLICY_JAR_TMP)/% : $(US_EXPORT_POLICY_JAR_SRC_DIR)/%
+	$(install-file)
+
+US_EXPORT_POLICY_JAR_DEPS := $(US_EXPORT_POLICY_JAR_TMP)/default_US_export.policy
+
+$(eval $(call SetupArchive,BUILD_US_EXPORT_POLICY_JAR,$(US_EXPORT_POLICY_JAR_DEPS),\
+		SRCS:=$(US_EXPORT_POLICY_JAR_TMP), \
+		SUFFIXES:= .policy,\
+		JAR:=$(US_EXPORT_POLICY_JAR_UNSIGNED), \
+		EXTRA_MANIFEST_ATTR := Crypto-Strength: unlimited, \
+		SKIP_METAINF := true))
 
 ifndef OPENJDK
-
-
     $(US_EXPORT_POLICY_JAR_DST): $(JDK_TOPDIR)/make/closed/tools/crypto/jce/US_export_policy.jar
 	$(ECHO) $(LOG_INFO) Copying $(@F)
 	$(install-file)
-
 else
-
-    #
-    # TODO fix so that SetupArchive does not write files into SRCS
-    #   then we don't need this extra copying
-    #
-    # NOTE:  We currently do not place restrictions on our limited export
-    # policy.  This was not a typo.
-    #
-    US_EXPORT_POLICY_JAR_SRC_DIR := $(JDK_TOPDIR)/make/javax/crypto/policy/unlimited
-    US_EXPORT_POLICY_JAR_TMP := $(IMAGES_OUTPUTDIR)/US_export_policy_jar.tmp
-
-    $(US_EXPORT_POLICY_JAR_TMP)/% : $(US_EXPORT_POLICY_JAR_SRC_DIR)/%
+    $(US_EXPORT_POLICY_JAR_DST): $(US_EXPORT_POLICY_JAR_UNSIGNED)
 	$(install-file)
-
-    US_EXPORT_POLICY_JAR_DEPS := $(US_EXPORT_POLICY_JAR_TMP)/default_US_export.policy
-
-    $(eval $(call SetupArchive,BUILD_US_EXPORT_POLICY_JAR,$(US_EXPORT_POLICY_JAR_DEPS),\
-		SRCS:=$(US_EXPORT_POLICY_JAR_TMP), \
-		SUFFIXES:= .policy,\
-		JAR:=$(US_EXPORT_POLICY_JAR_DST), \
-		EXTRA_MANIFEST_ATTR := Crypto-Strength: unlimited, \
-		SKIP_METAINF := true))
-
 endif
 
-JARS += $(US_EXPORT_POLICY_JAR_DST)
+JARS += $(US_EXPORT_POLICY_JAR_DST) $(US_EXPORT_POLICY_JAR_UNSIGNED)
 
 ##########################################################################################
 
 LOCAL_POLICY_JAR_DST := $(IMAGES_OUTPUTDIR)/lib/security/local_policy.jar
+LOCAL_POLICY_JAR_UNSIGNED := $(IMAGES_OUTPUTDIR)/unsigned/local_policy.jar
+
+#
+# TODO fix so that SetupArchive does not write files into SRCS
+#   then we don't need this extra copying
+#
+LOCAL_POLICY_JAR_TMP := $(IMAGES_OUTPUTDIR)/local_policy_jar.tmp
+
+ifeq ($(UNLIMITED_CRYPTO), true)
+    LOCAL_POLICY_JAR_SRC_DIR := $(JDK_TOPDIR)/make/javax/crypto/policy/unlimited
+    LOCAL_POLICY_JAR_DEPS := $(LOCAL_POLICY_JAR_TMP)/default_local.policy
+    LOCAL_POLICY_JAR_ATTR := Crypto-Strength: unlimited
+else
+    LOCAL_POLICY_JAR_SRC_DIR := $(JDK_TOPDIR)/make/javax/crypto/policy/limited
+    LOCAL_POLICY_JAR_DEPS := $(LOCAL_POLICY_JAR_TMP)/exempt_local.policy \
+                             $(LOCAL_POLICY_JAR_TMP)/default_local.policy
+    LOCAL_POLICY_JAR_ATTR := Crypto-Strength: limited
+endif
+
+$(LOCAL_POLICY_JAR_TMP)/% : $(LOCAL_POLICY_JAR_SRC_DIR)/%
+	$(install-file)
+
+$(eval $(call SetupArchive,BUILD_LOCAL_POLICY_JAR,$(LOCAL_POLICY_JAR_DEPS),\
+		SRCS:=$(LOCAL_POLICY_JAR_TMP),\
+		SUFFIXES:= .policy,\
+		JAR:=$(LOCAL_POLICY_JAR_UNSIGNED), \
+		EXTRA_MANIFEST_ATTR := $(LOCAL_POLICY_JAR_ATTR), \
+		SKIP_METAINF := true))
 
 ifndef OPENJDK
-
     $(LOCAL_POLICY_JAR_DST): $(JDK_TOPDIR)/make/closed/tools/crypto/jce/local_policy.jar
 	$(ECHO) $(LOG_INFO) Copying $(@F)
 	$(install-file)
-
 else
-
-    #
-    # TODO fix so that SetupArchive does not write files into SRCS
-    #   then we don't need this extra copying
-    #
-    LOCAL_POLICY_JAR_TMP := $(IMAGES_OUTPUTDIR)/local_policy_jar.tmp
-
-    ifeq ($(UNLIMITED_CRYPTO), true)
-        LOCAL_POLICY_JAR_SRC_DIR := $(JDK_TOPDIR)/make/javax/crypto/policy/unlimited
-        LOCAL_POLICY_JAR_DEPS := $(LOCAL_POLICY_JAR_TMP)/default_local.policy
-        LOCAL_POLICY_JAR_ATTR := Crypto-Strength: unlimited
-    else
-        LOCAL_POLICY_JAR_SRC_DIR := $(JDK_TOPDIR)/make/javax/crypto/policy/limited
-        LOCAL_POLICY_JAR_DEPS := $(LOCAL_POLICY_JAR_TMP)/exempt_local.policy \
-                                 $(LOCAL_POLICY_JAR_TMP)/default_local.policy
-        LOCAL_POLICY_JAR_ATTR := Crypto-Strength: limited
-    endif
-
-    $(LOCAL_POLICY_JAR_TMP)/% : $(LOCAL_POLICY_JAR_SRC_DIR)/%
+    $(LOCAL_POLICY_JAR_DST): $(LOCAL_POLICY_JAR_UNSIGNED)
 	$(install-file)
-
-    $(eval $(call SetupArchive,BUILD_LOCAL_POLICY_JAR,$(LOCAL_POLICY_JAR_DEPS),\
-		SRCS:=$(LOCAL_POLICY_JAR_TMP),\
-		SUFFIXES:= .policy,\
-		JAR:=$(LOCAL_POLICY_JAR_DST), \
-		EXTRA_MANIFEST_ATTR := $(LOCAL_POLICY_JAR_ATTR), \
-		SKIP_METAINF := true))
-
 endif
 
-JARS += $(LOCAL_POLICY_JAR_DST)
+JARS += $(LOCAL_POLICY_JAR_DST) $(LOCAL_POLICY_JAR_UNSIGNED)
 
 ##########################################################################################
 
 ifeq ($(OPENJDK_TARGET_OS),windows)
 
 SUNMSCAPI_JAR_DST := $(IMAGES_OUTPUTDIR)/lib/ext/sunmscapi.jar
-
-ifndef OPENJDK
-SUNMSCAPI_JAR_SRC := $(JDK_TOPDIR)/make/closed/tools/crypto/mscapi/sunmscapi.jar
-
-$(SUNMSCAPI_JAR_DST) : $(SUNMSCAPI_JAR_SRC)
-	@$(ECHO) $(LOG_INFO) "\n>>>Installing prebuilt SunMSCAPI provider..."
-	$(install-file)
-
-else
+SUNMSCAPI_JAR_UNSIGNED := $(IMAGES_OUTPUTDIR)/unsigned/sunmscapi.jar
 
 $(eval $(call SetupArchive,BUILD_SUNMSCAPI_JAR,,\
 		SRCS:=$(JDK_OUTPUTDIR)/classes, \
 		SUFFIXES:=.class,\
 		INCLUDES:= sun/security/mscapi,\
-		JAR:=$(SUNMSCAPI_JAR_DST), \
+		JAR:=$(SUNMSCAPI_JAR_UNSIGNED), \
 		SKIP_METAINF:=true))
+
+ifndef OPENJDK
+    SUNMSCAPI_JAR_SRC := $(JDK_TOPDIR)/make/closed/tools/crypto/mscapi/sunmscapi.jar
+    $(SUNMSCAPI_JAR_DST) : $(SUNMSCAPI_JAR_SRC)
+	@$(ECHO) $(LOG_INFO) "\n>>>Installing prebuilt SunMSCAPI provider..."
+	$(install-file)
+else
+    $(SUNMSCAPI_JAR_DST) : $(SUNMSCAPI_JAR_UNSIGNED)
+	$(install-file)
 endif
 
-JARS += $(SUNMSCAPI_JAR_DST)
+JARS += $(SUNMSCAPI_JAR_DST) $(SUNMSCAPI_JAR_UNSIGNED)
 
 endif
 
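Review bot: `$(SUNMSCAPI_JAR_UNSIGNED)` is now built here, and `$(UCRYPTO_JAR_UNSIGNED)` in the following hunk, but `JAR_LIST` in the new SignJars.gmk names neither `sunmscapi.jar` nor `ucrypto.jar`, so `sign-jars` never produces signed replacements for them. Closed builds keep installing the prebuilt copies of both, which means a source fix in those providers has no signing path through this target and the shipped binary can silently lag the source. If the omission is deliberate it deserves a comment next to `JAR_LIST`; otherwise add the entries conditionally in SignJars.gmk, for example `ifeq ($(OPENJDK_TARGET_OS),windows)` / `JAR_LIST += sunmscapi.jar` / `endif` (assuming `$(SPEC)` provides that variable there), with the matching entry for `ucrypto.jar` under the condition that encloses its stanza, which starts outside the visible hunk.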
@@ -676,13 +679,24 @@
 ifndef OPENJDK
 
 UCRYPTO_JAR_DST := $(IMAGES_OUTPUTDIR)/lib/ext/ucrypto.jar
+UCRYPTO_JAR_UNSIGNED := $(IMAGES_OUTPUTDIR)/unsigned/ucrypto.jar
 UCRYPTO_JAR_SRC := $(JDK_TOPDIR)/make/closed/tools/crypto/ucrypto/ucrypto.jar
 
+$(eval $(call SetupArchive,BUILD_UCRYPTO_JAR,,\
+		SRCS:=$(JDK_OUTPUTDIR)/classes, \
+		SUFFIXES:=.class,\
+		INCLUDES:=com/oracle/security/ucrypto,\
+		JAR:=$(UCRYPTO_JAR_UNSIGNED), \
+		MANIFEST:=$(JCE_MANIFEST), \
+		SKIP_METAINF:=true))
+
+$(UCRYPTO_JAR_UNSIGNED): $(JCE_MANIFEST)
+
 $(UCRYPTO_JAR_DST) : $(UCRYPTO_JAR_SRC)
 	@$(ECHO) $(LOG_INFO) "\n>>>Installing prebuilt OracleUcrypto provider..."
 	$(install-file)
 
-JARS += $(UCRYPTO_JAR_DST)
+JARS += $(UCRYPTO_JAR_DST) $(UCRYPTO_JAR_UNSIGNED)
 
 endif
 endif
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/makefiles/SignJars.gmk	Wed Jan 02 15:35:12 2013 +0100
@@ -0,0 +1,104 @@
+#
+# Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved.
+# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+#
+# This code is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License version 2 only, as
+# published by the Free Software Foundation.  Oracle designates this
+# particular file as subject to the "Classpath" exception as provided
+# by Oracle in the LICENSE file that accompanied this code.
+#
+# This code is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+# version 2 for more details (a copy is included in the LICENSE file that
+# accompanied this code).
+#
+# You should have received a copy of the GNU General Public License version
+# 2 along with this work; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+# or visit www.oracle.com if you need additional information or have any
+# questions.
+#
+
+include $(SPEC)
+include MakeBase.gmk
+
+# (The terms "OpenJDK" and "JDK" below refer to OpenJDK and Oracle JDK 
+# builds respectively.)
+#
+# JCE builds are very different between OpenJDK and JDK.  The OpenJDK JCE
+# jar files do not require signing, but those for JDK do.  If an unsigned
+# jar file is installed into JDK, things will break when the crypto
+# routines are called.
+#
+# All jars are created in CreateJars.gmk. This Makefile does the signing
+# of the jars for JDK.
+#
+# For JDK, the binaries use pre-built/pre-signed binary files stored in
+# the closed workspace that are not shipped in the OpenJDK workspaces.
+# We still build the JDK files to verify the files compile, and in
+# preparation for possible signing.  Developers working on JCE in JDK
+# must sign the JCE files before testing.  The JCE signing key is kept
+# separate from the JDK workspace to prevent its disclosure.
+#
+# SPECIAL NOTE TO JCE/JDK developers:  The source files must eventually
+# be built, signed, and then the resulting jar files MUST BE CHECKED
+# INTO THE CLOSED PART OF THE WORKSPACE*.  This separate step *MUST NOT
+# BE FORGOTTEN*, otherwise a bug fixed in the source code will not be
+# reflected in the shipped binaries.  The "sign-jars" target in the top
+# level Makefile should be used to generate the required files.
+#
+
+# Default target
+all:
+
+ifndef OPENJDK
+
+README-MAKEFILE_WARNING := \
+    "\nPlease read makefiles/SignJars.gmk for further build instructions.\n"
+
+#
+# Location for JCE codesigning key.
+#
+SIGNING_KEY_DIR    := /security/ws/JCE-signing/src
+SIGNING_KEYSTORE   := $(SIGNING_KEY_DIR)/KeyStore.jks
+SIGNING_PASSPHRASE := $(SIGNING_KEY_DIR)/passphrase.txt
+SIGNING_ALIAS      := oracle_jce_rsa
+
+#
+# Defines for signing the various jar files.
+#
+check-keystore:
+	@if [ ! -f $(SIGNING_KEYSTORE) -o ! -f $(SIGNING_PASSPHRASE) ]; then \
+	    $(PRINTF) "\n$(SIGNING_KEYSTORE): Signing mechanism *NOT* available..."; \
+	    $(PRINTF) $(README-MAKEFILE_WARNING); \
+	    exit 2; \
+	fi
+
+$(JCE_OUTPUTDIR)/%: $(IMAGES_OUTPUTDIR)/unsigned/%
+	$(MKDIR) -p $(@D)
+	$(CP) $< $@
+	$(JARSIGNER) -keystore $(SIGNING_KEYSTORE) \
+	    $@ $(SIGNING_ALIAS) < $(SIGNING_PASSPHRASE)
+	@$(PRINTF) "\nJar codesigning finished.\n"
+
+JAR_LIST := jce.jar \
+            local_policy.jar \
+            sunec.jar \
+            sunjce_provider.jar \
+            sunpkcs11.jar \
+            US_export_policy.jar
+
+SIGNED_JARS := $(addprefix $(JCE_OUTPUTDIR)/,$(JAR_LIST))
+
+$(SIGNED_JARS): check-keystore
+
+all: $(SIGNED_JARS)
+	@$(PRINTF) "\n***The jar files built by the 'jar-sign' target must***"
+	@$(PRINTF) "\n***still be checked into the closed workspace!     ***"
+	@$(PRINTF)  $(README-MAKEFILE_WARNING)
+
+endif  # !OPENJDK
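Review bot: In the `$(JCE_OUTPUTDIR)/%` rule the unsigned jar is copied to `$@` and then signed in place, so a jarsigner failure (wrong passphrase, unreadable keystore) leaves an unsigned jar sitting at the signed-output path. Nothing visible in this file sets `.DELETE_ON_ERROR`, though the included MakeBase.gmk may. Since these outputs are the files meant to be checked into the closed workspace, write the signed jar to a temporary name and rename it only on success: `$(JARSIGNER) -keystore $(SIGNING_KEYSTORE) -signedjar $@.tmp $< $(SIGNING_ALIAS) < $(SIGNING_PASSPHRASE)` followed by `$(MV) $@.tmp $@` (assuming `$(MV)` comes from `$(SPEC)` as it does for CreateJars.gmk), which also makes the `$(CP)` line unnecessary. `check-keystore` is a non-file target used as a normal prerequisite, so it should be declared `.PHONY`; as written, a stray file of that name would skip the keystore check.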