* [meta-java][PATCH 0/3] Java CA certificates updates
@ 2018-03-30  8:40 André Draszik
  2018-03-30  8:40 ` [meta-java][PATCH 1/3] ca-certificates-java: add recipe to generate trustStore André Draszik
                   ` (3 more replies)
  0 siblings, 4 replies; 15+ messages in thread
From: André Draszik @ 2018-03-30  8:40 UTC (permalink / raw)
  To: yocto

openjdk-8 and openjre-8 use a trustStore that has nothing to do with
the system trusted CA certificates as provided by the ca-certificates
package.

These patches fix both to use the system CA certificates instead.

They depend on the oe-core patch
   ca-certificates: use relative symlinks from $ETCCERTSDIR
   http://lists.openembedded.org/pipermail/openembedded-core/2018-March/149359.html
to be merged first.



^ permalink raw reply	[flat|nested] 15+ messages in thread

* [meta-java][PATCH 1/3] ca-certificates-java: add recipe to generate trustStore
  2018-03-30  8:40 [meta-java][PATCH 0/3] Java CA certificates updates André Draszik
@ 2018-03-30  8:40 ` André Draszik
  2018-04-02  6:43   ` [meta-java][PATCH v2] " André Draszik
  2018-03-30  8:40 ` [meta-java][PATCH 2/3] layer.conf: add ca-certificates-java to SIGGEN_EXCLUDERECIPES_ABISAFE André Draszik
                   ` (2 subsequent siblings)
  3 siblings, 1 reply; 15+ messages in thread
From: André Draszik @ 2018-03-30  8:40 UTC (permalink / raw)
  To: yocto

From: André Draszik <andre.draszik@jci.com>

The OpenJDK-8 package currently comes with a trustStore
that was generated at OpenJDK-8-native build time from
*all* certificates available in the system, not just from
those that are marked as trusted.

This isn't right...

So this recipe hooks into the ca-certificates package and
(re-) creates the Java trustStore based on the
certificates trusted by the system, whenever they are
updated. This works both at image build time, as well as
during runtime on the target.

It works by installing a hook into ca-certificates'
$SYSROOT/etc/ca-certificates/update.d/ that is passed the
added/removed certificates as arguments. That hook is then
updating the Java trustStore and storing it in
$SYSROOT/etc/ssl/certs/java/cacerts.

The whole idea as well as the implementation of the hook
is borrowed from debian's ca-certificates-java package,
version 20170930 (the latest as of this commit).
Looking at the debian package, it appears that the same
binary trustStore ($SYSROOT/etc/ssl/certs/java/cacerts)
can be used by different versions of Java:
  * OpenJDK-7, 8, 9
  * Oracle Java 7, 8, 9

The Java sources here can be compiled by any compatible
Java compiler, but the resulting jar file should only be
run by one of the compatible Java versions mentioned
above, so as to create a trustStore that can be read by
any of the Java versions mentioned above. We try to ensure
this using PACKAGE_WRITE_DEPS during image build time,
and by trying to find a compatible Java version inside
${libdir_jvm} at runtime both during image build time and
on the target.

Given there is nothing that we can RDEPENDS on that would
satisfy any of the above Java versions (either JDK or JRE),
we simply RDEPENDS on java2-runtime, and test
PREFERRED_RPROVIDER_java2-runtime to be satisfactory.
Given I can only test OpenJDK/OpenJRE 8 at the moment, only
those are actually allowed at the moment, though. This can
easily be extended upon confirmation.

Final note - as per the debian package, there are three
cases when we can be called:
  1) as part of update-ca-certificates -> add / remove certs as instructed
  2) if first time install -> add all certs
  3) package update -> do nothing
We have no way to easily distinguish between first time install
and package update in OE, so the distinction between cases 2)
and 3) isn't perfect.

Signed-off-by: André Draszik <andre.draszik@jci.com>
---
 ...ficates-handle-SYSROOT-environment-variab.patch | 43 ++++++++++
 .../ca-certificates-java.hook.in                   | 64 +++++++++++++++
 .../ca-certificates-java_20170930.bb               | 94 ++++++++++++++++++++++
 3 files changed, 201 insertions(+)
 create mode 100644 recipes-core/ca-certificates-java/ca-certificates-java/0001-UpdateCertificates-handle-SYSROOT-environment-variab.patch
 create mode 100755 recipes-core/ca-certificates-java/ca-certificates-java/ca-certificates-java.hook.in
 create mode 100644 recipes-core/ca-certificates-java/ca-certificates-java_20170930.bb

diff --git a/recipes-core/ca-certificates-java/ca-certificates-java/0001-UpdateCertificates-handle-SYSROOT-environment-variab.patch b/recipes-core/ca-certificates-java/ca-certificates-java/0001-UpdateCertificates-handle-SYSROOT-environment-variab.patch
new file mode 100644
index 0000000..ca052ab
--- /dev/null
+++ b/recipes-core/ca-certificates-java/ca-certificates-java/0001-UpdateCertificates-handle-SYSROOT-environment-variab.patch
@@ -0,0 +1,43 @@
+From 70cd9999d3c139230aa05816e98cdc3e50ead713 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Andr=C3=A9=20Draszik?= <andre.draszik@jci.com>
+Date: Tue, 27 Mar 2018 16:50:39 +0100
+Subject: [PATCH] UpdateCertificates: handle SYSROOT environment variable for
+ cacerts
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+We can now pass in the sysroot, so that the trustStore
+is written to /etc/ssl/certs/java/cacerts below $SYSROOT.
+
+Upstream-Status: Inappropriate [OE specific]
+Signed-off-by: André Draszik <andre.draszik@jci.com>
+---
+ src/main/java/org/debian/security/UpdateCertificates.java | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/src/main/java/org/debian/security/UpdateCertificates.java b/src/main/java/org/debian/security/UpdateCertificates.java
+index e4f8205..dba9a7b 100644
+--- a/src/main/java/org/debian/security/UpdateCertificates.java
++++ b/src/main/java/org/debian/security/UpdateCertificates.java
+@@ -40,15 +40,19 @@ public class UpdateCertificates {
+ 
+     public static void main(String[] args) throws IOException, GeneralSecurityException {
+         String passwordString = "changeit";
++        String sysroot;
+         if (args.length == 2 && args[0].equals("-storepass")) {
+             passwordString = args[1];
+         } else if (args.length > 0) {
+             System.err.println("Usage: java org.debian.security.UpdateCertificates [-storepass <password>]");
+             System.exit(1);
+         }
++        sysroot = System.getenv("SYSROOT");
++        if (sysroot == null)
++            sysroot = "";
+ 
+         try {
+-            UpdateCertificates uc = new UpdateCertificates("/etc/ssl/certs/java/cacerts", passwordString);
++            UpdateCertificates uc = new UpdateCertificates(sysroot + "/etc/ssl/certs/java/cacerts", passwordString);
+             // Force reading of inputstream in UTF-8
+             uc.processChanges(new InputStreamReader(System.in, "UTF8"));
+             uc.finish();
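Review bot: the usage message at `System.err.println("Usage: java org.debian.security.UpdateCertificates [-storepass <password>]")` still documents only -storepass, while this hunk makes the keystore location depend on the SYSROOT environment variable; mention SYSROOT there (or at least in the patch description) so that someone running the jar by hand gets the same path-prefix behaviour the hook relies on. Minor: `sysroot + "/etc/ssl/certs/java/cacerts"` yields a double slash if SYSROOT ends in `/`; harmless, but trimming it keeps the path canonical.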
diff --git a/recipes-core/ca-certificates-java/ca-certificates-java/ca-certificates-java.hook.in b/recipes-core/ca-certificates-java/ca-certificates-java/ca-certificates-java.hook.in
new file mode 100755
index 0000000..ea20cdf
--- /dev/null
+++ b/recipes-core/ca-certificates-java/ca-certificates-java/ca-certificates-java.hook.in
@@ -0,0 +1,64 @@
+#!/bin/sh -eux
+
+# As per the debian package, three cases when we can be called:
+#   1) as part of update-ca-certificates -> add / remove certs as instructed
+#   2) if first time install -> add all certs
+#   3) package update -> do nothing
+# We have no way to easily distinguish between first time install
+# and package update in OE, so the distinction between cases 2)
+# and 3) isn't perfect.
+
+self=$(basename $0)
+jvm_libdir="@@libdir_jvm@@"
+
+if [ -n "${D:-}" ] ; then
+    # called from postinst as part of image build on host
+    if [ -z "${JVM_LIBDIR:-}" ] ; then
+        # should never happen, this is supposed to be passed in
+        echo "$0: no JVM_LIBDIR specified" >&2
+        false
+    fi
+fi
+if [ -n "${JVM_LIBDIR:-}" ] ; then
+    jvm_libdir="${JVM_LIBDIR}"
+fi
+
+for JAVA in icedtea7-native/bin/java \
+            openjdk-8-native/bin/java openjdk-8/bin/java openjre-8/bin/java \
+         ; do
+    if [ -x "${jvm_libdir}/${JAVA}" ] ; then
+        JAVA="${jvm_libdir}/${JAVA}"
+        break
+    fi
+done
+
+if [ ! -x "${JAVA}" ] ; then
+    # shouldn't really happen, as we RDEPEND on java
+    echo "$0: JAVA not found" >&2
+    false
+fi
+
+if [ "${self}" = "ca-certificates-java-hook" ] ; then
+    # case 1) from above
+    # the list of (changed) files is passed via stdin
+    while read input ; do
+        echo "${input}"
+    done
+elif [ -s $D${sysconfdir}/ssl/certs/java/cacerts ] ; then
+    # we were executed explicitly (not via ca-cacertificates hook)
+    # case 3) from above
+    # do nothing, as the trustStore exists already
+    return
+else
+    # we were executed explicitly (not via ca-cacertificates hook)
+    # case 2) from above
+    # the trustStore doesn't exist yet, create it as this is
+    # a first time install (e.g. during image build)
+    find $D${sysconfdir}/ssl/certs -name '*.pem' | \
+    while read filename ; do
+        echo "+$(unknown)"
+    done
+fi | SYSROOT="${D:-}" ${JAVA} -Xmx64m \
+                              -jar ${D:-}@@datadir_java@@/@@JARFILENAME@@ \
+                              -storepass changeit
+
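Review bot: the case 2) loop reads each path into `filename` but then runs `echo "+$(unknown)"`, which executes a non-existent command named `unknown` and sends the jar a bare `+` line, so a first-time install adds nothing; this has to be `echo "+${filename}"` (and `read -r` keeps any backslashes in paths intact). Second, `${sysconfdir}` in `elif [ -s $D${sysconfdir}/ssl/certs/java/cacerts ]` and in the `find` is never substituted: the recipe's sed only replaces @@datadir_java@@, @@libdir_jvm@@ and @@JARFILENAME@@, so unless the environment happens to export `sysconfdir` (as a bitbake task environment does) the variable is unset and `sh -eu` aborts the script at that test on the target. An `@@sysconfdir@@` token handled by the same sed would fix it. Third, `return` outside a function is not portable sh, and because the whole `if ... fi` is the left side of a pipeline it runs in a subshell, so even `exit 0` there would only close the jar's stdin rather than skip it; check for an existing trustStore before the pipeline and exit early for case 3).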
diff --git a/recipes-core/ca-certificates-java/ca-certificates-java_20170930.bb b/recipes-core/ca-certificates-java/ca-certificates-java_20170930.bb
new file mode 100644
index 0000000..0125d82
--- /dev/null
+++ b/recipes-core/ca-certificates-java/ca-certificates-java_20170930.bb
@@ -0,0 +1,94 @@
+SUMMARY = "Common CA certificates (JKS trustStore)"
+DESCRIPTION = "This package uses the hooks of the ca-certificates \
+package to update the cacerts JKS trustStore used for many java runtimes."
+LICENSE = "GPLv2+"
+LIC_FILES_CHKSUM = "\
+	file://debian/copyright;md5=ab0f6b6900f6564dc3e273dfa36fcc72 \
+	file://src/main/java/org/debian/security/InvalidKeystorePasswordException.java;endline=17;md5=f9150bf1ca3139a38ddb54f9e1c0eb9b \
+	file://src/main/java/org/debian/security/KeyStoreHandler.java;endline=18;md5=3fd0e26abbca2ec481cf3698431574ae \
+	file://src/main/java/org/debian/security/UnableToSaveKeystoreException.java;endline=17;md5=f9150bf1ca3139a38ddb54f9e1c0eb9b \
+	file://src/main/java/org/debian/security/UnknownInputException.java;endline=17;md5=f9150bf1ca3139a38ddb54f9e1c0eb9b \
+	file://src/main/java/org/debian/security/UpdateCertificates.java;endline=18;md5=3fd0e26abbca2ec481cf3698431574ae \
+"
+DEPENDS = "virtual/javac-native fastjar-native"
+# We can't use virtual/javac-native, because that would create a
+# keystore that can't be read on the target (as virtual/javac-native
+# usually is either too old, or plain incompatible with this)
+PACKAGE_WRITE_DEPS += "openjdk-8-native"
+
+SRC_URI = "\
+	git://anonscm.debian.org/pkg-java/ca-certificates-java.git \
+	file://0001-UpdateCertificates-handle-SYSROOT-environment-variab.patch \
+	file://${BPN}.hook.in \
+"
+
+SRCREV = "53651f7939e6f35694ee31e5ef0376f1bfce7e55"
+
+inherit java allarch
+
+S = "${WORKDIR}/git"
+B = "${WORKDIR}/build"
+
+JARFILENAME = "${BPN}.jar"
+
+python () {
+    runtime = d.getVar("PREFERRED_RPROVIDER_java2-runtime") or ""
+    if not runtime in ("openjdk-8", "openjre-8"):
+        raise bb.parse.SkipRecipe("PREFERRED_RPROVIDER_java2-runtime '%s' unsupported" % runtime)
+}
+
+do_patch_append () {
+    bb.build.exec_func('do_fix_sysconfdir', d)
+}
+
+do_fix_sysconfdir () {
+	sed -e 's|/etc/ssl/certs/java|${sysconfdir}/ssl/certs/java|g' \
+	    -i ${S}/src/main/java/org/debian/security/UpdateCertificates.java
+}
+
+do_compile () {
+	mkdir -p build # simplify in-tree builds (externalsrc)
+	javac -g \
+	    -source 1.7 -target 1.7 -encoding ISO8859-1 \
+	    -d build \
+	    -sourcepath ${S}/src/main/java \
+	    $(find ${S}/src/main/java -name '*.java' -type f)
+
+	# needs to end with two empty lines
+	cat << EOF > ${B}/manifest
+Manifest-Version: 1.0
+Main-Class: org.debian.security.UpdateCertificates
+
+EOF
+	fastjar -cfm ${JARFILENAME} ${B}/manifest -C build .
+}
+
+do_install () {
+	oe_jarinstall ${JARFILENAME}
+
+	mkdir -p ${D}${sysconfdir}/ssl/certs/java
+	install -Dm0755 ${WORKDIR}/${BPN}.hook.in ${D}${sysconfdir}/ca-certificates/update.d/${BPN}-hook
+	sed -e 's|@@datadir_java@@|${datadir_java}|' \
+	    -e 's|@@libdir_jvm@@|${libdir_jvm}|' \
+	    -e 's|@@JARFILENAME@@|${JARFILENAME}|' \
+	    -i ${D}${sysconfdir}/ca-certificates/update.d/${BPN}-hook
+
+	install -d -m0755 ${D}${sbindir}
+	ln -s ${@os.path.relpath("${sysconfdir}/ca-certificates/update.d/${BPN}-hook", "${sbindir}")} \
+	      ${D}${sbindir}/create-ca-certificates-java
+}
+
+pkg_postinst_${PN} () {
+	if [ -n "$D" ] ; then
+	    JVM_LIBDIR=${STAGING_LIBDIR_JVM_NATIVE}
+	fi
+	JVM_LIBDIR=$JVM_LIBDIR $D${sbindir}/create-ca-certificates-java
+}
+
+RDEPENDS_${PN} = "ca-certificates"
+RDEPENDS_${PN}_append_class-target = " java2-runtime"
+RDEPENDS_${PN}_append_class-native = " virtual/java-native"
+
+FILES_${PN} += "${datadir_java}"
+
+BBCLASSEXTEND = "native"
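Review bot: in pkg_postinst_${PN}, `JVM_LIBDIR=${STAGING_LIBDIR_JVM_NATIVE}` is expanded when this recipe's package is written, so it names ca-certificates-java's own native sysroot rather than that of the image being built, and with rm_work enabled that directory no longer exists when do_rootfs runs the script; resolve the JVM location at image time instead (e.g. from NATIVE_ROOT). Also, the comment above `PACKAGE_WRITE_DEPS += "openjdk-8-native"` says "We can't use virtual/javac-native" although `DEPENDS = "virtual/javac-native fastjar-native"` on the line before does use it; the point seems to be that the jar must not be *run* with an arbitrary virtual/java-native to produce the trustStore, so say that, since compiling with virtual/javac-native is fine.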
-- 
2.16.2




* [meta-java][PATCH 2/3] layer.conf: add ca-certificates-java to SIGGEN_EXCLUDERECIPES_ABISAFE
  2018-03-30  8:40 [meta-java][PATCH 0/3] Java CA certificates updates André Draszik
  2018-03-30  8:40 ` [meta-java][PATCH 1/3] ca-certificates-java: add recipe to generate trustStore André Draszik
@ 2018-03-30  8:40 ` André Draszik
  2018-03-30  8:40 ` [meta-java][PATCH 3/3] openjdk-8: use ca-certificates-java André Draszik
  2018-04-09 13:55 ` [meta-java][PATCH 0/3] Java CA certificates updates Maxin B. John
  3 siblings, 0 replies; 15+ messages in thread
From: André Draszik @ 2018-03-30  8:40 UTC (permalink / raw)
  To: yocto

From: André Draszik <andre.draszik@jci.com>

Same as ca-certificates in openembedded-core

Signed-off-by: André Draszik <andre.draszik@jci.com>
---
 conf/layer.conf | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/conf/layer.conf b/conf/layer.conf
index 84a4d89..60fd726 100644
--- a/conf/layer.conf
+++ b/conf/layer.conf
@@ -9,3 +9,7 @@ BBFILE_PATTERN_meta-java := "^${LAYERDIR}/"
 BBFILE_PRIORITY_meta-java = "10"
 
 LICENSE_PATH += "${LAYERDIR}/licenses"
+
+SIGGEN_EXCLUDERECIPES_ABISAFE += "\
+    ca-certificates-java \
+"
-- 
2.16.2




* [meta-java][PATCH 3/3] openjdk-8: use ca-certificates-java
  2018-03-30  8:40 [meta-java][PATCH 0/3] Java CA certificates updates André Draszik
  2018-03-30  8:40 ` [meta-java][PATCH 1/3] ca-certificates-java: add recipe to generate trustStore André Draszik
  2018-03-30  8:40 ` [meta-java][PATCH 2/3] layer.conf: add ca-certificates-java to SIGGEN_EXCLUDERECIPES_ABISAFE André Draszik
@ 2018-03-30  8:40 ` André Draszik
  2018-06-15  8:00   ` Richard Leitner
  2018-04-09 13:55 ` [meta-java][PATCH 0/3] Java CA certificates updates Maxin B. John
  3 siblings, 1 reply; 15+ messages in thread
From: André Draszik @ 2018-03-30  8:40 UTC (permalink / raw)
  To: yocto

From: André Draszik <andre.draszik@jci.com>

The OpenJDK-8 package currently comes with a trustStore
that was generated at OpenJDK-8-native build time from
*all* certificates available in the system, not just from
those that are marked as trusted.

This isn't right...

openjdk-8 and openjre-8 now RDEPENDS on (and use) the CA
certificates as provided by the ca-certificates-java
package just added.

This makes sure that Java now uses the same trusted CA
certificates as the rest of the system.

Signed-off-by: André Draszik <andre.draszik@jci.com>
---
 recipes-core/openjdk/openjdk-8-common.inc |  2 ++
 recipes-core/openjdk/openjdk-8-cross.inc  | 12 +++++++++++-
 2 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/recipes-core/openjdk/openjdk-8-common.inc b/recipes-core/openjdk/openjdk-8-common.inc
index b2020c3..c8d157e 100644
--- a/recipes-core/openjdk/openjdk-8-common.inc
+++ b/recipes-core/openjdk/openjdk-8-common.inc
@@ -254,3 +254,5 @@ def version_specific_cflags(d):
 CFLAGS_append = " ${@version_specific_cflags(d)}"
 CXXFLAGS_append = " ${@version_specific_cflags(d)}"
 CXX_append = " -std=gnu++98"
+
+RDEPENDS_${PN} = "ca-certificates-java"
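Review bot: `RDEPENDS_${PN} = "ca-certificates-java"` is a plain assignment inside a shared .inc, so it overwrites any RDEPENDS_${PN} set earlier for openjdk-8 or openjre-8 and anything a bbappend adds before this point; use `RDEPENDS_${PN} += "ca-certificates-java"` or `RDEPENDS_${PN}_append = " ca-certificates-java"`.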
diff --git a/recipes-core/openjdk/openjdk-8-cross.inc b/recipes-core/openjdk/openjdk-8-cross.inc
index d70c946..6795c92 100644
--- a/recipes-core/openjdk/openjdk-8-cross.inc
+++ b/recipes-core/openjdk/openjdk-8-cross.inc
@@ -57,7 +57,6 @@ EXTRA_OECONF_append = "\
     --with-sys-root=${STAGING_DIR_HOST} \
     --with-tools-dir=${STAGING_DIR_NATIVE} \
     --with-boot-jdk=${STAGING_LIBDIR_NATIVE}/jvm/openjdk-8-native \
-    --with-cacerts-file=${STAGING_LIBDIR_NATIVE}/jvm/openjdk-8-native/jre/lib/security/cacerts \
     \
     --disable-precompiled-headers \
     --disable-zip-debug-info \
@@ -88,6 +87,17 @@ do_install_append() {
               pack200 --repack --effort=9 --segment-limit=-1 --modification-time=latest --strip-debug "$0"'
       fi
     fi
+
+    if [ -d ${D}${JDK_HOME} ] ; then
+      rm ${D}${JDK_HOME}/jre/lib/security/cacerts
+      ln -s ${@os.path.relpath("${sysconfdir}/ssl/certs/java/cacerts", "${JDK_HOME}/jre/lib/security/cacerts")} \
+            ${D}${JDK_HOME}/jre/lib/security/cacerts
+    fi
+    if [ -d ${D}${JRE_HOME} ] ; then
+      rm ${D}${JRE_HOME}/lib/security/cacerts
+      ln -s ${@os.path.relpath("${sysconfdir}/ssl/certs/java/cacerts", "${JRE_HOME}/lib/security/cacerts")} \
+            ${D}${JRE_HOME}/lib/security/cacerts
+    fi
 }
 
 export MAKE_VERBOSE = "y"
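Review bot: os.path.relpath() treats its second argument as the directory the link lives in, but both `ln -s` calls pass the symlink's own path (`"${JDK_HOME}/jre/lib/security/cacerts"` and `"${JRE_HOME}/lib/security/cacerts"`), so the computed target carries one `..` too many. On the target this still resolves, only because `..` of `/` is `/`; inspected under ${D} or any other prefix the link points one level too high. Pass `${JDK_HOME}/jre/lib/security` and `${JRE_HOME}/lib/security`, as patch 1/3 does with `${sbindir}` for its own symlink. Also, the two `rm` calls lack `-f`, so do_install fails outright if a build stops producing the cacerts file now that --with-cacerts-file is gone in the hunk above.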
-- 
2.16.2




* [meta-java][PATCH v2] ca-certificates-java: add recipe to generate trustStore
  2018-03-30  8:40 ` [meta-java][PATCH 1/3] ca-certificates-java: add recipe to generate trustStore André Draszik
@ 2018-04-02  6:43   ` André Draszik
  2018-06-13  9:22     ` [yocto] " Richard Leitner
  0 siblings, 1 reply; 15+ messages in thread
From: André Draszik @ 2018-04-02  6:43 UTC (permalink / raw)
  To: yocto

From: André Draszik <andre.draszik@jci.com>

The OpenJDK-8 package currently comes with a trustStore
that was generated at OpenJDK-8-native build time from
*all* certificates available in the system, not just from
those that are marked as trusted.

This isn't right...

So this recipe hooks into the ca-certificates package and
(re-) creates the Java trustStore based on the
certificates trusted by the system, whenever they are
updated. This works both at image build time, as well as
during runtime on the target.

It works by installing a hook into ca-certificates'
$SYSROOT/etc/ca-certificates/update.d/ that is passed the
added/removed certificates as arguments. That hook is then
updating the Java trustStore and storing it in
$SYSROOT/etc/ssl/certs/java/cacerts.

The whole idea as well as the implementation of the hook
is borrowed from debian's ca-certificates-java package,
version 20170930 (the latest as of this commit).
Looking at the debian package, it appears that the same
binary trustStore ($SYSROOT/etc/ssl/certs/java/cacerts)
can be used by different versions of Java:
  * OpenJDK-7, 8, 9
  * Oracle Java 7, 8, 9

The Java sources here can be compiled by any compatible
Java compiler, but the resulting jar file should only be
run by one of the compatible Java versions mentioned
above, so as to create a trustStore that can be read by
any of the Java versions mentioned above. We try to ensure
this using PACKAGE_WRITE_DEPS during image build time,
and by trying to find a compatible Java version inside
${libdir_jvm} at runtime both during image build time and
on the target.

Given there is nothing that we can RDEPENDS on that would
satisfy any of the above Java versions (either JDK or JRE),
we simply RDEPENDS on java2-runtime, and test
PREFERRED_RPROVIDER_java2-runtime to be satisfactory.
Given I can only test OpenJDK/OpenJRE 8 at the moment, only
those are actually allowed at the moment, though. This can
easily be extended upon confirmation.

Final note - as per the debian package, there are three
cases when we can be called:
  1) as part of update-ca-certificates -> add / remove certs as instructed
  2) if first time install -> add all certs
  3) package update -> do nothing
We have no way to easily distinguish between first time install
and package update in OE, so the distinction between cases 2)
and 3) isn't perfect.

Signed-off-by: André Draszik <andre.draszik@jci.com>

---
v2:
* Works with rm_work enabled. We can't use STAGING_LIBDIR_JVM_NATIVE
  in pkg_postinst as that is statically resolved to this recipe's
  native sysroot, which is of no use when building an image.
  Use the NATIVE_ROOT variable instead
* make the ca-certificates hook script less verbose (remove set -x)
---
 ...ficates-handle-SYSROOT-environment-variab.patch |  43 +++++++++
 .../ca-certificates-java.hook.in                   |  64 ++++++++++++
 .../ca-certificates-java_20170930.bb               | 107 +++++++++++++++++++++
 3 files changed, 214 insertions(+)
 create mode 100644 recipes-core/ca-certificates-java/ca-certificates-java/0001-UpdateCertificates-handle-SYSROOT-environment-variab.patch
 create mode 100755 recipes-core/ca-certificates-java/ca-certificates-java/ca-certificates-java.hook.in
 create mode 100644 recipes-core/ca-certificates-java/ca-certificates-java_20170930.bb

diff --git a/recipes-core/ca-certificates-java/ca-certificates-java/0001-UpdateCertificates-handle-SYSROOT-environment-variab.patch b/recipes-core/ca-certificates-java/ca-certificates-java/0001-UpdateCertificates-handle-SYSROOT-environment-variab.patch
new file mode 100644
index 0000000..ca052ab
--- /dev/null
+++ b/recipes-core/ca-certificates-java/ca-certificates-java/0001-UpdateCertificates-handle-SYSROOT-environment-variab.patch
@@ -0,0 +1,43 @@
+From 70cd9999d3c139230aa05816e98cdc3e50ead713 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Andr=C3=A9=20Draszik?= <andre.draszik@jci.com>
+Date: Tue, 27 Mar 2018 16:50:39 +0100
+Subject: [PATCH] UpdateCertificates: handle SYSROOT environment variable for
+ cacerts
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+We can now pass in the sysroot, so that the trustStore
+is written to /etc/ssl/certs/java/cacerts below $SYSROOT.
+
+Upstream-Status: Inappropriate [OE specific]
+Signed-off-by: André Draszik <andre.draszik@jci.com>
+---
+ src/main/java/org/debian/security/UpdateCertificates.java | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/src/main/java/org/debian/security/UpdateCertificates.java b/src/main/java/org/debian/security/UpdateCertificates.java
+index e4f8205..dba9a7b 100644
+--- a/src/main/java/org/debian/security/UpdateCertificates.java
++++ b/src/main/java/org/debian/security/UpdateCertificates.java
+@@ -40,15 +40,19 @@ public class UpdateCertificates {
+ 
+     public static void main(String[] args) throws IOException, GeneralSecurityException {
+         String passwordString = "changeit";
++        String sysroot;
+         if (args.length == 2 && args[0].equals("-storepass")) {
+             passwordString = args[1];
+         } else if (args.length > 0) {
+             System.err.println("Usage: java org.debian.security.UpdateCertificates [-storepass <password>]");
+             System.exit(1);
+         }
++        sysroot = System.getenv("SYSROOT");
++        if (sysroot == null)
++            sysroot = "";
+ 
+         try {
+-            UpdateCertificates uc = new UpdateCertificates("/etc/ssl/certs/java/cacerts", passwordString);
++            UpdateCertificates uc = new UpdateCertificates(sysroot + "/etc/ssl/certs/java/cacerts", passwordString);
+             // Force reading of inputstream in UTF-8
+             uc.processChanges(new InputStreamReader(System.in, "UTF8"));
+             uc.finish();
diff --git a/recipes-core/ca-certificates-java/ca-certificates-java/ca-certificates-java.hook.in b/recipes-core/ca-certificates-java/ca-certificates-java/ca-certificates-java.hook.in
new file mode 100755
index 0000000..f01fe36
--- /dev/null
+++ b/recipes-core/ca-certificates-java/ca-certificates-java/ca-certificates-java.hook.in
@@ -0,0 +1,64 @@
+#!/bin/sh -eu
+
+# As per the debian package, three cases when we can be called:
+#   1) as part of update-ca-certificates -> add / remove certs as instructed
+#   2) if first time install -> add all certs
+#   3) package update -> do nothing
+# We have no way to easily distinguish between first time install
+# and package update in OE, so the distinction between cases 2)
+# and 3) isn't perfect.
+
+self=$(basename $0)
+jvm_libdir="@@libdir_jvm@@"
+
+if [ -n "${D:-}" ] ; then
+    # called from postinst as part of image build on host
+    if [ -z "${JVM_LIBDIR:-}" ] ; then
+        # should never happen, this is supposed to be passed in
+        echo "$0: no JVM_LIBDIR specified" >&2
+        false
+    fi
+fi
+if [ -n "${JVM_LIBDIR:-}" ] ; then
+    jvm_libdir="${JVM_LIBDIR}"
+fi
+
+for JAVA in icedtea7-native/bin/java \
+            openjdk-8-native/bin/java openjdk-8/bin/java openjre-8/bin/java \
+         ; do
+    if [ -x "${jvm_libdir}/${JAVA}" ] ; then
+        JAVA="${jvm_libdir}/${JAVA}"
+        break
+    fi
+done
+
+if [ ! -x "${JAVA}" ] ; then
+    # shouldn't really happen, as we RDEPEND on java
+    echo "$0: JAVA not found" >&2
+    false
+fi
+
+if [ "${self}" = "ca-certificates-java-hook" ] ; then
+    # case 1) from above
+    # the list of (changed) files is passed via stdin
+    while read input ; do
+        echo "${input}"
+    done
+elif [ -s $D${sysconfdir}/ssl/certs/java/cacerts ] ; then
+    # we were executed explicitly (not via ca-cacertificates hook)
+    # case 3) from above
+    # do nothing, as the trustStore exists already
+    return
+else
+    # we were executed explicitly (not via ca-cacertificates hook)
+    # case 2) from above
+    # the trustStore doesn't exist yet, create it as this is
+    # a first time install (e.g. during image build)
+    find $D${sysconfdir}/ssl/certs -name '*.pem' | \
+    while read filename ; do
+        echo "+$(unknown)"
+    done
+fi | SYSROOT="${D:-}" ${JAVA} -Xmx64m \
+                              -jar ${D:-}@@datadir_java@@/@@JARFILENAME@@ \
+                              -storepass changeit
+
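Review bot: the three issues of the v1 hook remain: (1) the case 2) loop emits `echo "+$(unknown)"` instead of `echo "+${filename}"`, so a first-time install feeds the jar bare `+` lines and adds no certificates; (2) `${sysconfdir}` is not among the tokens the recipe substitutes (@@datadir_java@@, @@libdir_jvm@@, @@JARFILENAME@@), so on the target it is unset and `sh -eu` aborts at `elif [ -s $D${sysconfdir}/ssl/certs/java/cacerts ]`; (3) `return` is not valid outside a function in POSIX sh, and inside the pipeline's subshell it cannot prevent the jar from running in case 3). Removing `-x` only changes verbosity, not behaviour.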
diff --git a/recipes-core/ca-certificates-java/ca-certificates-java_20170930.bb b/recipes-core/ca-certificates-java/ca-certificates-java_20170930.bb
new file mode 100644
index 0000000..0b149d2
--- /dev/null
+++ b/recipes-core/ca-certificates-java/ca-certificates-java_20170930.bb
@@ -0,0 +1,107 @@
+SUMMARY = "Common CA certificates (JKS trustStore)"
+DESCRIPTION = "This package uses the hooks of the ca-certificates \
+package to update the cacerts JKS trustStore used for many java runtimes."
+LICENSE = "GPLv2+"
+LIC_FILES_CHKSUM = "\
+	file://debian/copyright;md5=ab0f6b6900f6564dc3e273dfa36fcc72 \
+	file://src/main/java/org/debian/security/InvalidKeystorePasswordException.java;endline=17;md5=f9150bf1ca3139a38ddb54f9e1c0eb9b \
+	file://src/main/java/org/debian/security/KeyStoreHandler.java;endline=18;md5=3fd0e26abbca2ec481cf3698431574ae \
+	file://src/main/java/org/debian/security/UnableToSaveKeystoreException.java;endline=17;md5=f9150bf1ca3139a38ddb54f9e1c0eb9b \
+	file://src/main/java/org/debian/security/UnknownInputException.java;endline=17;md5=f9150bf1ca3139a38ddb54f9e1c0eb9b \
+	file://src/main/java/org/debian/security/UpdateCertificates.java;endline=18;md5=3fd0e26abbca2ec481cf3698431574ae \
+"
+DEPENDS = "virtual/javac-native fastjar-native"
+# We can't use virtual/javac-native, because that would create a
+# keystore that can't be read on the target (as virtual/javac-native
+# usually is either too old, or plain incompatible with this)
+PACKAGE_WRITE_DEPS += "openjdk-8-native"
+
+SRC_URI = "\
+	git://anonscm.debian.org/pkg-java/ca-certificates-java.git \
+	file://0001-UpdateCertificates-handle-SYSROOT-environment-variab.patch \
+	file://${BPN}.hook.in \
+"
+
+SRCREV = "53651f7939e6f35694ee31e5ef0376f1bfce7e55"
+
+inherit java allarch
+
+S = "${WORKDIR}/git"
+B = "${WORKDIR}/build"
+
+JARFILENAME = "${BPN}.jar"
+
+python () {
+    runtime = d.getVar("PREFERRED_RPROVIDER_java2-runtime") or ""
+    if not runtime in ("openjdk-8", "openjre-8"):
+        raise bb.parse.SkipRecipe("PREFERRED_RPROVIDER_java2-runtime '%s' unsupported" % runtime)
+}
+
+do_patch_append () {
+    bb.build.exec_func('do_fix_sysconfdir', d)
+}
+
+do_fix_sysconfdir () {
+	sed -e 's|/etc/ssl/certs/java|${sysconfdir}/ssl/certs/java|g' \
+	    -i ${S}/src/main/java/org/debian/security/UpdateCertificates.java
+}
+
+do_compile () {
+	mkdir -p build # simplify in-tree builds (externalsrc)
+	javac -g \
+	    -source 1.7 -target 1.7 -encoding ISO8859-1 \
+	    -d build \
+	    -sourcepath ${S}/src/main/java \
+	    $(find ${S}/src/main/java -name '*.java' -type f)
+
+	# needs to end with two empty lines
+	cat << EOF > ${B}/manifest
+Manifest-Version: 1.0
+Main-Class: org.debian.security.UpdateCertificates
+
+EOF
+	fastjar -cfm ${JARFILENAME} ${B}/manifest -C build .
+}
+
+do_install () {
+	oe_jarinstall ${JARFILENAME}
+
+	mkdir -p ${D}${sysconfdir}/ssl/certs/java
+	install -Dm0755 ${WORKDIR}/${BPN}.hook.in ${D}${sysconfdir}/ca-certificates/update.d/${BPN}-hook
+	sed -e 's|@@datadir_java@@|${datadir_java}|' \
+	    -e 's|@@libdir_jvm@@|${libdir_jvm}|' \
+	    -e 's|@@JARFILENAME@@|${JARFILENAME}|' \
+	    -i ${D}${sysconfdir}/ca-certificates/update.d/${BPN}-hook
+
+	install -d -m0755 ${D}${sbindir}
+	ln -s ${@os.path.relpath("${sysconfdir}/ca-certificates/update.d/${BPN}-hook", "${sbindir}")} \
+	      ${D}${sbindir}/create-ca-certificates-java
+}
+
+pkg_postinst_${PN} () {
+	if [ -n "$D" ] ; then
+	    # In this case we want to use the Java in the image recipe's
+	    # native sysroot (native Java, not qemu target Java) to
+	    # generate the trustStore.
+	    # None of the supported Java versions are in PATH, though, so
+	    # we have to find a satisfactory one ourselves below $libdir_jvm.
+	    # We really need the $NATIVE_ROOT variable for that to work,
+	    # as STAGING_LIBDIR_JVM_NATIVE resolves to this recipe's native
+	    # sysroot during recipe build time, so it's of no use during
+	    # image build time.
+	    if [ -z $NATIVE_ROOT ] ; then
+		echo "$0: NATIVE_ROOT not known"
+		false
+	    fi
+	    JVM_LIBDIR=$NATIVE_ROOT${libdir_jvm}
+	fi
+	JVM_LIBDIR=$JVM_LIBDIR $D${sbindir}/create-ca-certificates-java
+}
+
+RDEPENDS_${PN} = "ca-certificates"
+RDEPENDS_${PN}_append_class-target = " java2-runtime"
+RDEPENDS_${PN}_append_class-native = " virtual/java-native"
+
+FILES_${PN} += "${datadir_java}"
+
+BBCLASSEXTEND = "native"
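Review bot: `if [ -z $NATIVE_ROOT ]` in pkg_postinst_${PN} is unquoted: when NATIVE_ROOT is empty the test degenerates to `[ -z ]`, which only happens to be true because a single non-empty argument is truthy, and a value containing whitespace breaks it; write `[ -z "$NATIVE_ROOT" ]`, send the message to stderr as the hook does, and use an explicit `exit 1` rather than relying on `false` being fatal. The comment above `PACKAGE_WRITE_DEPS += "openjdk-8-native"` still contradicts the `DEPENDS = "virtual/javac-native fastjar-native"` line before it; it should say the jar must not be run with an arbitrary virtual/java-native, compiling with virtual/javac-native being fine.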
-- 
2.16.2



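Added here as an illustration of what the hook and jar described in the v1 and v2 commit messages above produce; this is not code from this series or from Debian's ca-certificates-java. It is a minimal writer/reader for the JKS trust store, the "+path"/"-path" change lines the hook feeds the jar on stdin, and the integrity digest that the fixed "changeit" password actually provides. The alias scheme and the DER blobs are constructed assumptions.

```python
"""Minimal JKS trust-store writer/reader for trusted-certificate entries only.
Added example: the layout follows the JDK's JavaKeyStore (0xFEEDFEED, version 2,
entry count, entries, then a SHA-1 digest keyed only by the store password).
Every cacerts file uses "changeit", so that digest detects corruption but
authenticates nothing; what protects the store is that only root can write it."""
import hashlib
import hmac
import os
import struct

JKS_MAGIC = 0xFEEDFEED
JKS_VERSION = 2
TRUSTED_CERT_TAG = 2                   # tag 1 would be a private-key entry
INTEGRITY_SALT = b"Mighty Aphrodite"   # constant the JDK mixes into the digest
DIGEST_LEN = 20                        # SHA-1 output length


def _java_utf(s):
    """DataOutputStream.writeUTF: 2-byte big-endian length, then the bytes."""
    b = s.encode("utf-8")
    return struct.pack(">H", len(b)) + b

def _read_java_utf(buf, off):
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n].decode("utf-8"), off + 2 + n

def integrity_digest(password, body):
    """SHA-1(UTF-16BE(password) || salt || body), as the JDK computes it."""
    h = hashlib.sha1()
    h.update(password.encode("utf-16-be"))
    h.update(INTEGRITY_SALT)
    h.update(body)
    return h.digest()

def verifies(data, password="changeit"):
    """True if the trailing digest matches the body under this password."""
    body, digest = data[:-DIGEST_LEN], data[-DIGEST_LEN:]
    return hmac.compare_digest(digest, integrity_digest(password, body))

def write_jks(entries, password="changeit", created_ms=0):
    """Serialise [(alias, der_bytes), ...] as a JKS trust store."""
    body = struct.pack(">III", JKS_MAGIC, JKS_VERSION, len(entries))
    for alias, der in entries:
        body += struct.pack(">I", TRUSTED_CERT_TAG)
        body += _java_utf(alias)
        body += struct.pack(">Q", created_ms)      # creation date, ms since epoch
        body += _java_utf("X.509")                # certificate type
        body += struct.pack(">I", len(der)) + der
    return body + integrity_digest(password, body)

def read_jks(data, password="changeit"):
    """Parse a JKS trust store; refuse it if the digest does not verify."""
    if not verifies(data, password):
        raise ValueError("JKS integrity check failed (wrong password or tampered file)")
    body = data[:-DIGEST_LEN]
    magic, version, count = struct.unpack_from(">III", body, 0)
    if magic != JKS_MAGIC or version != JKS_VERSION:
        raise ValueError("not a version-2 JKS file")
    off, entries = 12, []
    for _ in range(count):
        (tag,) = struct.unpack_from(">I", body, off)
        off += 4
        if tag != TRUSTED_CERT_TAG:
            raise ValueError("private-key entry found; a trust store should hold none")
        alias, off = _read_java_utf(body, off)
        off += 8                                  # skip creation date
        _cert_type, off = _read_java_utf(body, off)
        (n,) = struct.unpack_from(">I", body, off)
        off += 4
        entries.append((alias, body[off:off + n]))
        off += n
    return entries

def apply_change_lines(entries, lines, load_der):
    """Apply the '+path' / '-path' lines the hook writes to the jar's stdin.
    Alias derivation (lower-cased basename) is an assumption of this example."""
    store = dict(entries)
    for line in lines:
        op, path = line[:1], line[1:].strip()
        alias = os.path.basename(path).lower()
        if op == "+":
            store[alias] = load_der(path)
        elif op == "-":
            store.pop(alias, None)
        else:
            raise ValueError("unknown change line: %r" % line)
    return sorted(store.items())

# Constructed sample input: fake DER blobs standing in for real CA certificates.
SAMPLE_DER = {
    "/etc/ssl/certs/Example_Root_CA.pem": b"\x30\x03\x02\x01\x01",
    "/etc/ssl/certs/Other_Root_CA.pem": b"\x30\x03\x02\x01\x02",
}

if __name__ == "__main__":
    # case 2) from the commit message: first-time install adds every trusted .pem
    first = apply_change_lines([], ["+" + p for p in SAMPLE_DER], SAMPLE_DER.__getitem__)
    print([alias for alias, _ in read_jks(write_jks(first))])
```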

* Re: [meta-java][PATCH 0/3] Java CA certificates updates
  2018-03-30  8:40 [meta-java][PATCH 0/3] Java CA certificates updates André Draszik
                   ` (2 preceding siblings ...)
  2018-03-30  8:40 ` [meta-java][PATCH 3/3] openjdk-8: use ca-certificates-java André Draszik
@ 2018-04-09 13:55 ` Maxin B. John
  3 siblings, 0 replies; 15+ messages in thread
From: Maxin B. John @ 2018-04-09 13:55 UTC (permalink / raw)
  To: André Draszik; +Cc: yocto

Hi,

On Fri, Mar 30, 2018 at 09:40:16AM +0100, André Draszik wrote:
> openjdk-8 and openjre-8 use a trustStore that has nothing to do with
> the system trusted CA certificates as provided by the ca-certificates
> package.
> 
> These patches fix both to use the system CA certificates instead.
> 
> They depend on the oe-core patch
>    ca-certificates: use relative symlinks from $ETCCERTSDIR
>    http://lists.openembedded.org/pipermail/openembedded-core/2018-March/149359.html
> to be merged first.

Merged to master-next now. 

Since "ca-certificates-java" relies on "PREFERRED_RPROVIDER_java2-runtime" set to
"OpenJDK-8/OpenJRE-8", we should update the usage instructions in "README" to avoid
confusion.

Thanks and Regards,
Maxin



* Re: [yocto] [meta-java][PATCH v2] ca-certificates-java: add recipe to generate trustStore
  2018-04-02  6:43   ` [meta-java][PATCH v2] " André Draszik
@ 2018-06-13  9:22     ` Richard Leitner
  2018-06-15  8:03       ` Richard Leitner
  0 siblings, 1 reply; 15+ messages in thread
From: Richard Leitner @ 2018-06-13  9:22 UTC (permalink / raw)
  To: André Draszik, openembedded-devel

Hi André,
this commit of yours breaks the build on meta-java's current
master-next branch with the following message:

ERROR: ca-certificates-java-20170930-r0 do_fetch: Fetcher failure for URL: 'git://anonscm.debian.org/pkg-java/ca-certificates-java.git'. Unable to fetch URL from any source.

Therefore it will be removed from master-next.

It would be great if you could send a fixed version with
the correct SRC_URI, which I think is:
	https://salsa.debian.org/java-team/ca-certificates-java.git

Furthermore, could you also please update it to the latest
version (20180516, if possible)?

Thank you very much!

regards;Richard.L

On 04/02/2018 08:43 AM, André Draszik wrote:
> From: André Draszik <andre.draszik@jci.com>
> 
> The OpenJDK-8 package currently comes with a trustStore
> that was generated at OpenJDK-8-native build time from
> *all* certificates available in the system, not just from
> those that are marked as trusted.
> 
> This isn't right...
> 
> So this recipe hooks into the ca-certificates package and
> (re-) creates the Java trustStore based on the
> certificates trusted by the system, whenever they are
> updated. This works both at image build time, as well as
> during runtime on the target.
> 
> It works by installing a hook into ca-certificates'
> $SYSROOT/etc/ca-certificates/update.d/ that is passed the
> added/removed certificates as arguments. That hook is then
> updating the Java trustStore and storing it in
> $SYSROOT/etc/ssl/certs/java/cacerts.
> 
> The whole idea as well as the implementation of the hook
> is borrowed from debian's ca-certificate-java package,
> version 20170930 (the latest as of this commit).
> Looking at the debian package, it appears like the same
> binary trustStore ($SYSROOT/etc/ssl/certs/java/cacerts)
> can be used by different versions of Java:
>   * OpenJDK-7, 8, 9
>   * Oracle Java 7, 8, 9
> 
> The Java sources here can be compiled by any compatible
> Java compiler, but the resulting jar file should only be
> run by one of the compatible Java versions mentioned
> above, so as to create a trustStore that can be read by
> any of the Java versions mentioned above. We try to ensure
> this using PACKAGE_WRITE_DEPS during image build time,
> and by trying to find a compatible Java version inside
> ${libdir_jvm} at runtime both during image build time and
> on the target.
> 
> Given there is nothing that we can RDEPENDS on that would
> satisfy any of the above Java versions (either JDK or JRE),
> we simply RDEPENDS on java2-runtime, and test
> PREFERRED_RPROVIDER_java2-runtime to be satisfactory.
> Given I can only test OpenJDK/OpenJRE 8 at the moment, only
> those are actually allowed at the moment, though. This can
> easily be extended upon confirmation.
> 
> Final note - as per the debian package, there are three
> cases when we can be called:
>   1) as part of update-ca-certificates -> add / remove certs as instructed
>   2) if first time install -> add all certs
>   3) package update -> do nothing
> We have no way to easily distinguish between first time install
> and package update in OE, so the distinction between cases 2)
> and 3) isn't perfect.
> 
> Signed-off-by: André Draszik <andre.draszik@jci.com>
> 
> ---
> v2:
> * Works with rm_work enabled. We can't use STAGING_LIBDIR_JVM_NATIVE
>   in pkg_postinst as that is statically resolved to this recipe's
>   native sysroot, which is of no use when building an image.
>   Use the NATIVE_ROOT variable instead
> * make the ca-certificates hook script less verbose (remove set -x)
> ---
>  ...ficates-handle-SYSROOT-environment-variab.patch |  43 +++++++++
>  .../ca-certificates-java.hook.in                   |  64 ++++++++++++
>  .../ca-certificates-java_20170930.bb               | 107 +++++++++++++++++++++
>  3 files changed, 214 insertions(+)
>  create mode 100644 recipes-core/ca-certificates-java/ca-certificates-java/0001-UpdateCertificates-handle-SYSROOT-environment-variab.patch
>  create mode 100755 recipes-core/ca-certificates-java/ca-certificates-java/ca-certificates-java.hook.in
>  create mode 100644 recipes-core/ca-certificates-java/ca-certificates-java_20170930.bb
> 
> diff --git a/recipes-core/ca-certificates-java/ca-certificates-java/0001-UpdateCertificates-handle-SYSROOT-environment-variab.patch b/recipes-core/ca-certificates-java/ca-certificates-java/0001-UpdateCertificates-handle-SYSROOT-environment-variab.patch
> new file mode 100644
> index 0000000..ca052ab
> --- /dev/null
> +++ b/recipes-core/ca-certificates-java/ca-certificates-java/0001-UpdateCertificates-handle-SYSROOT-environment-variab.patch
> @@ -0,0 +1,43 @@
> +From 70cd9999d3c139230aa05816e98cdc3e50ead713 Mon Sep 17 00:00:00 2001
> +From: =?UTF-8?q?Andr=C3=A9=20Draszik?= <andre.draszik@jci.com>
> +Date: Tue, 27 Mar 2018 16:50:39 +0100
> +Subject: [PATCH] UpdateCertificates: handle SYSROOT environment variable for
> + cacerts
> +MIME-Version: 1.0
> +Content-Type: text/plain; charset=UTF-8
> +Content-Transfer-Encoding: 8bit
> +
> +We can now pass in the sysroot, so that the trustStore
> +is written to /etc/ssl/certs/java/cacerts below $SYSROOT.
> +
> +Upstream-Status: Inappropriate [OE specific]
> +Signed-off-by: André Draszik <andre.draszik@jci.com>
> +---
> + src/main/java/org/debian/security/UpdateCertificates.java | 6 +++++-
> + 1 file changed, 5 insertions(+), 1 deletion(-)
> +
> +diff --git a/src/main/java/org/debian/security/UpdateCertificates.java b/src/main/java/org/debian/security/UpdateCertificates.java
> +index e4f8205..dba9a7b 100644
> +--- a/src/main/java/org/debian/security/UpdateCertificates.java
> ++++ b/src/main/java/org/debian/security/UpdateCertificates.java
> +@@ -40,15 +40,19 @@ public class UpdateCertificates {
> + 
> +     public static void main(String[] args) throws IOException, GeneralSecurityException {
> +         String passwordString = "changeit";
> ++        String sysroot;
> +         if (args.length == 2 && args[0].equals("-storepass")) {
> +             passwordString = args[1];
> +         } else if (args.length > 0) {
> +             System.err.println("Usage: java org.debian.security.UpdateCertificates [-storepass <password>]");
> +             System.exit(1);
> +         }
> ++        sysroot = System.getenv("SYSROOT");
> ++        if (sysroot == null)
> ++            sysroot = "";
> + 
> +         try {
> +-            UpdateCertificates uc = new UpdateCertificates("/etc/ssl/certs/java/cacerts", passwordString);
> ++            UpdateCertificates uc = new UpdateCertificates(sysroot + "/etc/ssl/certs/java/cacerts", passwordString);
> +             // Force reading of inputstream in UTF-8
> +             uc.processChanges(new InputStreamReader(System.in, "UTF8"));
> +             uc.finish();
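Review bot: the new `sysroot = System.getenv("SYSROOT")` lookup changes where the trustStore is written, but the usage text at `System.err.println("Usage: java org.debian.security.UpdateCertificates [-storepass <password>]")` is not updated to mention it; document the SYSROOT variable there so that someone running the jar by hand knows the keystore path is prefix-relative. Minor: a SYSROOT given with a trailing slash yields a `//etc/ssl/certs/java/cacerts` path, which works but is worth normalising before the concatenation.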
> diff --git a/recipes-core/ca-certificates-java/ca-certificates-java/ca-certificates-java.hook.in b/recipes-core/ca-certificates-java/ca-certificates-java/ca-certificates-java.hook.in
> new file mode 100755
> index 0000000..f01fe36
> --- /dev/null
> +++ b/recipes-core/ca-certificates-java/ca-certificates-java/ca-certificates-java.hook.in
> @@ -0,0 +1,64 @@
> +#!/bin/sh -eu
> +
> +# As per the debian package, three cases when we can be called:
> +#   1) as part of update-ca-certificates -> add / remove certs as instructed
> +#   2) if first time install -> add all certs
> +#   3) package update -> do nothing
> +# We have no way to easily distinguish between first time install
> +# and package update in OE, so the distinction between cases 2)
> +# and 3) isn't perfect.
> +
> +self=$(basename $0)
> +jvm_libdir="@@libdir_jvm@@"
> +
> +if [ -n "${D:-}" ] ; then
> +    # called from postinst as part of image build on host
> +    if [ -z "${JVM_LIBDIR:-}" ] ; then
> +        # should never happen, this is supposed to be passed in
> +        echo "$0: no JVM_LIBDIR specified" >&2
> +        false
> +    fi
> +fi
> +if [ -n "${JVM_LIBDIR:-}" ] ; then
> +    jvm_libdir="${JVM_LIBDIR}"
> +fi
> +
> +for JAVA in icedtea7-native/bin/java \
> +            openjdk-8-native/bin/java openjdk-8/bin/java openjre-8/bin/java \
> +         ; do
> +    if [ -x "${jvm_libdir}/${JAVA}" ] ; then
> +        JAVA="${jvm_libdir}/${JAVA}"
> +        break
> +    fi
> +done
> +
> +if [ ! -x "${JAVA}" ] ; then
> +    # shouldn't really happen, as we RDEPEND on java
> +    echo "$0: JAVA not found" >&2
> +    false
> +fi
> +
> +if [ "${self}" = "ca-certificates-java-hook" ] ; then
> +    # case 1) from above
> +    # the list of (changed) files is passed via stdin
> +    while read input ; do
> +        echo "${input}"
> +    done
> +elif [ -s $D${sysconfdir}/ssl/certs/java/cacerts ] ; then
> +    # we were executed explicitly (not via ca-cacertificates hook)
> +    # case 3) from above
> +    # do nothing, as the trustStore exists already
> +    return
> +else
> +    # we were executed explicitly (not via ca-cacertificates hook)
> +    # case 2) from above
> +    # the trustStore doesn't exist yet, create it as this is
> +    # a first time install (e.g. during image build)
> +    find $D${sysconfdir}/ssl/certs -name '*.pem' | \
> +    while read filename ; do
> +        echo "+$(unknown)"
> +    done
> +fi | SYSROOT="${D:-}" ${JAVA} -Xmx64m \
> +                              -jar ${D:-}@@datadir_java@@/@@JARFILENAME@@ \
> +                              -storepass changeit
> +
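Review bot: the guard `if [ -n "${D:-}" ] ; then` / `if [ -z "${JVM_LIBDIR:-}" ] ; then` / `false` makes a missing JVM_LIBDIR fatal whenever D is set, but case 1 also runs with D set during image build, when ca-certificates' own postinst calls update-ca-certificates and nothing exports JVM_LIBDIR, so the hook aborts do_rootfs with "no JVM_LIBDIR specified" (the rootfs log quoted later in this thread shows exactly that). In that situation the trustStore is regenerated anyway by this package's own pkg_postinst, so when invoked as ca-certificates-java-hook without JVM_LIBDIR the hook should print a message and exit 0 rather than `false`. Three more defects in the same hunk: the script runs under `#!/bin/sh -eu`, yet `elif [ -s $D${sysconfdir}/ssl/certs/java/cacerts ]` and `find $D${sysconfdir}/ssl/certs -name '*.pem'` reference `$D` unguarded (unset on the target) and `${sysconfdir}`, which do_install's sed never substitutes, so cases 2 and 3 die with an unbound-variable error; use `${D:-}@@sysconfdir@@` and add that placeholder to the sed. `return` is used at the top level of a pipeline, not inside a function, which is not portable across /bin/sh implementations; `:` expresses "do nothing". And `echo "+$(unknown)"` executes a command named `unknown` instead of emitting the certificate path; it should be `echo "+${filename}"`.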
> diff --git a/recipes-core/ca-certificates-java/ca-certificates-java_20170930.bb b/recipes-core/ca-certificates-java/ca-certificates-java_20170930.bb
> new file mode 100644
> index 0000000..0b149d2
> --- /dev/null
> +++ b/recipes-core/ca-certificates-java/ca-certificates-java_20170930.bb
> @@ -0,0 +1,107 @@
> +SUMMARY = "Common CA certificates (JKS trustStore)"
> +DESCRIPTION = "This package uses the hooks of the ca-certificates \
> +package to update the cacerts JKS trustStore used for many java runtimes."
> +LICENSE = "GPLv2+"
> +LIC_FILES_CHKSUM = "\
> +	file://debian/copyright;md5=ab0f6b6900f6564dc3e273dfa36fcc72 \
> +	file://src/main/java/org/debian/security/InvalidKeystorePasswordException.java;endline=17;md5=f9150bf1ca3139a38ddb54f9e1c0eb9b \
> +	file://src/main/java/org/debian/security/KeyStoreHandler.java;endline=18;md5=3fd0e26abbca2ec481cf3698431574ae \
> +	file://src/main/java/org/debian/security/UnableToSaveKeystoreException.java;endline=17;md5=f9150bf1ca3139a38ddb54f9e1c0eb9b \
> +	file://src/main/java/org/debian/security/UnknownInputException.java;endline=17;md5=f9150bf1ca3139a38ddb54f9e1c0eb9b \
> +	file://src/main/java/org/debian/security/UpdateCertificates.java;endline=18;md5=3fd0e26abbca2ec481cf3698431574ae \
> +"
> +DEPENDS = "virtual/javac-native fastjar-native"
> +# We can't use virtual/javac-native, because that would create a
> +# keystore that can't be read on the target (as virtual/javac-native
> +# usually is either too old, or plain incompatible with this)
> +PACKAGE_WRITE_DEPS += "openjdk-8-native"
> +
> +SRC_URI = "\
> +	git://anonscm.debian.org/pkg-java/ca-certificates-java.git \
> +	file://0001-UpdateCertificates-handle-SYSROOT-environment-variab.patch \
> +	file://${BPN}.hook.in \
> +"
> +
> +SRCREV = "53651f7939e6f35694ee31e5ef0376f1bfce7e55"
> +
> +inherit java allarch
> +
> +S = "${WORKDIR}/git"
> +B = "${WORKDIR}/build"
> +
> +JARFILENAME = "${BPN}.jar"
> +
> +python () {
> +    runtime = d.getVar("PREFERRED_RPROVIDER_java2-runtime") or ""
> +    if not runtime in ("openjdk-8", "openjre-8"):
> +        raise bb.parse.SkipRecipe("PREFERRED_RPROVIDER_java2-runtime '%s' unsupported" % runtime)
> +}
> +
> +do_patch_append () {
> +    bb.build.exec_func('do_fix_sysconfdir', d)
> +}
> +
> +do_fix_sysconfdir () {
> +	sed -e 's|/etc/ssl/certs/java|${sysconfdir}/ssl/certs/java|g' \
> +	    -i ${S}/src/main/java/org/debian/security/UpdateCertificates.java
> +}
> +
> +do_compile () {
> +	mkdir -p build # simplify in-tree builds (externalsrc)
> +	javac -g \
> +	    -source 1.7 -target 1.7 -encoding ISO8859-1 \
> +	    -d build \
> +	    -sourcepath ${S}/src/main/java \
> +	    $(find ${S}/src/main/java -name '*.java' -type f)
> +
> +	# needs to end with two empty lines
> +	cat << EOF > ${B}/manifest
> +Manifest-Version: 1.0
> +Main-Class: org.debian.security.UpdateCertificates
> +
> +EOF
> +	fastjar -cfm ${JARFILENAME} ${B}/manifest -C build .
> +}
> +
> +do_install () {
> +	oe_jarinstall ${JARFILENAME}
> +
> +	mkdir -p ${D}${sysconfdir}/ssl/certs/java
> +	install -Dm0755 ${WORKDIR}/${BPN}.hook.in ${D}${sysconfdir}/ca-certificates/update.d/${BPN}-hook
> +	sed -e 's|@@datadir_java@@|${datadir_java}|' \
> +	    -e 's|@@libdir_jvm@@|${libdir_jvm}|' \
> +	    -e 's|@@JARFILENAME@@|${JARFILENAME}|' \
> +	    -i ${D}${sysconfdir}/ca-certificates/update.d/${BPN}-hook
> +
> +	install -d -m0755 ${D}${sbindir}
> +	ln -s ${@os.path.relpath("${sysconfdir}/ca-certificates/update.d/${BPN}-hook", "${sbindir}")} \
> +	      ${D}${sbindir}/create-ca-certificates-java
> +}
> +
> +pkg_postinst_${PN} () {
> +	if [ -n "$D" ] ; then
> +	    # In this case we want to use the Java in the image recipe's
> +	    # native sysroot (native Java, not qemu target Java) to
> +	    # generate the trustStore.
> +	    # None of the supported Java versions are in PATH, though, so
> +	    # we have to find a satisfactory one ourselves below $libdir_jvm.
> +	    # We really need the $NATIVE_ROOT variable for that to work,
> +	    # as STAGING_LIBDIR_JVM_NATIVE resolves to this recipe's native
> +	    # sysroot during recipe build time, so it's of no use during
> +	    # image build time.
> +	    if [ -z $NATIVE_ROOT ] ; then
> +		echo "$0: NATIVE_ROOT not known"
> +		false
> +	    fi
> +	    JVM_LIBDIR=$NATIVE_ROOT${libdir_jvm}
> +	fi
> +	JVM_LIBDIR=$JVM_LIBDIR $D${sbindir}/create-ca-certificates-java
> +}
> +
> +RDEPENDS_${PN} = "ca-certificates"
> +RDEPENDS_${PN}_append_class-target = " java2-runtime"
> +RDEPENDS_${PN}_append_class-native = " virtual/java-native"
> +
> +FILES_${PN} += "${datadir_java}"
> +
> +BBCLASSEXTEND = "native"
> 
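Review bot: the comment above `PACKAGE_WRITE_DEPS += "openjdk-8-native"` says "We can't use virtual/javac-native, because that would create a keystore that can't be read on the target", but `DEPENDS = "virtual/javac-native fastjar-native"` on the line before does use it, and the compiler only builds the classes; what must be compatible is the runtime that executes the jar at package-write time, so reword the comment to say that virtual/java-native cannot be used to run the jar. Two smaller points: `if not runtime in ("openjdk-8", "openjre-8"):` is clearer as `if runtime not in (...)`, and the SRC_URI entry `git://anonscm.debian.org/pkg-java/ca-certificates-java.git` carries no `;protocol=`/`;branch=` suffix and, per the do_fetch error at the top of this reply, that host no longer serves the repository.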



* Re: [meta-java][PATCH 3/3] openjdk-8: use ca-certificates-java
  2018-03-30  8:40 ` [meta-java][PATCH 3/3] openjdk-8: use ca-certificates-java André Draszik
@ 2018-06-15  8:00   ` Richard Leitner
  2018-06-15  8:19     ` [yocto] " Richard Leitner
  0 siblings, 1 reply; 15+ messages in thread
From: Richard Leitner @ 2018-06-15  8:00 UTC (permalink / raw)
  To: André Draszik, yocto

Hi,
this commit of yours breaks the build on meta-java's current
master-next branch (when building an image containing openjre-8
or openjdk-8) with the following message:

ERROR: openjre-8-test-image-1.0-r0 do_rootfs: [log_check] openjre-8-test-image: found 1 error message in the logfile:
[log_check] E: /yocto/meta-java-test/build/tmp/work/qemuarm-poky-linux-gnueabi/openjre-8-test-image/1.0-r0/rootfs/etc/ca-certificates/update.d/ca-certificates-java-hook exited with code 1.

ERROR: openjre-8-test-image-1.0-r0 do_rootfs: Function failed: do_rootfs
ERROR: Logfile of failure stored in: /yocto/meta-java-test/build/tmp/work/qemuarm-poky-linux-gnueabi/openjre-8-test-image/1.0-r0/temp/log.do_rootfs.19892
ERROR: Task (/yocto/meta-java-test/meta-java/recipes-images/images/openjre-8-test-image.bb:do_rootfs) failed with exit code '1'


The logfile contains the following error:

Running hooks in /yocto/meta-java-test/build/tmp/work/qemuarm-poky-linux-gnueabi/openjre-8-test-image/1.0-r0/rootfs/etc/ca-certificates/update.d...
/yocto/meta-java-test/build/tmp/work/qemuarm-poky-linux-gnueabi/openjre-8-test-image/1.0-r0/rootfs/etc/ca-certificates/update.d/ca-certificates-java-hook: no JVM_LIBDIR specified
E: /yocto/meta-java-test/build/tmp/work/qemuarm-poky-linux-gnueabi/openjre-8-test-image/1.0-r0/rootfs/etc/ca-certificates/update.d/ca-certificates-java-hook exited with code 1.
done.


Therefore it will be removed from master-next.

It would be great if you could send a fixed version.

Thank you!

regards;Richard.L


On 03/30/2018 10:40 AM, André Draszik wrote:
> From: André Draszik <andre.draszik@jci.com>
> 
> The OpenJDK-8 package currently comes with a trustStore
> that was generated at OpenJDK-8-native build time from
> *all* certificates available in the system, not just from
> those that are marked as trusted.
> 
> This isn't right...
> 
> openjdk-8 and openjre-8 now RDEPENDS on (and use) the CA
> certificates as provided by the ca-certificates-java
> package just added.
> 
> This makes sure that Java now uses the same trusted CA
> certificates as the rest of the system.
> 
> Signed-off-by: André Draszik <andre.draszik@jci.com>
> ---
>  recipes-core/openjdk/openjdk-8-common.inc |  2 ++
>  recipes-core/openjdk/openjdk-8-cross.inc  | 12 +++++++++++-
>  2 files changed, 13 insertions(+), 1 deletion(-)
> 
> diff --git a/recipes-core/openjdk/openjdk-8-common.inc b/recipes-core/openjdk/openjdk-8-common.inc
> index b2020c3..c8d157e 100644
> --- a/recipes-core/openjdk/openjdk-8-common.inc
> +++ b/recipes-core/openjdk/openjdk-8-common.inc
> @@ -254,3 +254,5 @@ def version_specific_cflags(d):
>  CFLAGS_append = " ${@version_specific_cflags(d)}"
>  CXXFLAGS_append = " ${@version_specific_cflags(d)}"
>  CXX_append = " -std=gnu++98"
> +
> +RDEPENDS_${PN} = "ca-certificates-java"
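Review bot: `RDEPENDS_${PN} = "ca-certificates-java"` is a plain assignment, which silently discards any RDEPENDS_${PN} value set elsewhere in the openjdk-8 include chain or in a bbappend; use `RDEPENDS_${PN} += "ca-certificates-java"` (or an `_append`) so the new dependency is additive rather than replacing the list.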
> diff --git a/recipes-core/openjdk/openjdk-8-cross.inc b/recipes-core/openjdk/openjdk-8-cross.inc
> index d70c946..6795c92 100644
> --- a/recipes-core/openjdk/openjdk-8-cross.inc
> +++ b/recipes-core/openjdk/openjdk-8-cross.inc
> @@ -57,7 +57,6 @@ EXTRA_OECONF_append = "\
>      --with-sys-root=${STAGING_DIR_HOST} \
>      --with-tools-dir=${STAGING_DIR_NATIVE} \
>      --with-boot-jdk=${STAGING_LIBDIR_NATIVE}/jvm/openjdk-8-native \
> -    --with-cacerts-file=${STAGING_LIBDIR_NATIVE}/jvm/openjdk-8-native/jre/lib/security/cacerts \
>      \
>      --disable-precompiled-headers \
>      --disable-zip-debug-info \
> @@ -88,6 +87,17 @@ do_install_append() {
>                pack200 --repack --effort=9 --segment-limit=-1 --modification-time=latest --strip-debug "$0"'
>        fi
>      fi
> +
> +    if [ -d ${D}${JDK_HOME} ] ; then
> +      rm ${D}${JDK_HOME}/jre/lib/security/cacerts
> +      ln -s ${@os.path.relpath("${sysconfdir}/ssl/certs/java/cacerts", "${JDK_HOME}/jre/lib/security/cacerts")} \
> +            ${D}${JDK_HOME}/jre/lib/security/cacerts
> +    fi
> +    if [ -d ${D}${JRE_HOME} ] ; then
> +      rm ${D}${JRE_HOME}/lib/security/cacerts
> +      ln -s ${@os.path.relpath("${sysconfdir}/ssl/certs/java/cacerts", "${JRE_HOME}/lib/security/cacerts")} \
> +            ${D}${JRE_HOME}/lib/security/cacerts
> +    fi
>  }
>  
>  export MAKE_VERBOSE = "y"
> 
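Review bot: both `os.path.relpath(...)` calls pass the link's own path as the second argument (`"${JDK_HOME}/jre/lib/security/cacerts"` and `"${JRE_HOME}/lib/security/cacerts"`), but relpath expects the directory the link lives in, so the result carries one `..` too many; on a live target it still resolves only because `..` of `/` is `/`, and when followed inside the rootfs at image build time it points one level above ${D}. Pass the containing directory (`"${JDK_HOME}/jre/lib/security"`, `"${JRE_HOME}/lib/security"`), as the create-ca-certificates-java symlink in patch 1/3 does with `"${sbindir}"`. Also `rm ${D}${JDK_HOME}/jre/lib/security/cacerts` and the JRE counterpart lack `-f`, so do_install fails outright if the file is ever absent; `rm -f` keeps the step idempotent.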



* Re: [yocto] [meta-java][PATCH v2] ca-certificates-java: add recipe to generate trustStore
  2018-06-13  9:22     ` [yocto] " Richard Leitner
@ 2018-06-15  8:03       ` Richard Leitner
  0 siblings, 0 replies; 15+ messages in thread
From: Richard Leitner @ 2018-06-15  8:03 UTC (permalink / raw)
  To: André Draszik, openembedded-devel

Hi André,
I've sent a patch [1] for master-next which fixes this issue.
Therefore you can simply ignore the request for an updated
version of this patch.

regards;Richard.L

[1] https://patchwork.openembedded.org/patch/151727/

On 06/13/2018 11:22 AM, richard.leitner@skidata.com wrote:
> Hi André,
> this commit of yours breaks the build on meta-java's current
> master-next branch with the following message:
> 
> ERROR: ca-certificates-java-20170930-r0 do_fetch: Fetcher failure for URL: 'git://anonscm.debian.org/pkg-java/ca-certificates-java.git'. Unable to fetch URL from any source.
> 
> Therefore it will be removed from master-next.
> 
> It would be great if you could send a fixed version with
> the correct SRC_URI, which I think is:
> 	https://salsa.debian.org/java-team/ca-certificates-java.git
> 
> Furthermore, could you also please update it to the latest
> version (20180516, if possible)?
> 
> Thank you very much!
> 
> regards;Richard.L
> 
> On 04/02/2018 08:43 AM, André Draszik wrote:
>> From: André Draszik <andre.draszik@jci.com>
>>
>> The OpenJDK-8 package currently comes with a trustStore
>> that was generated at OpenJDK-8-native build time from
>> *all* certificates available in the system, not just from
>> those that are marked as trusted.
>>
>> This isn't right...
>>
>> So this recipe hooks into the ca-certificates package and
>> (re-) creates the Java trustStore based on the
>> certificates trusted by the system, whenever they are
>> updated. This works both at image build time, as well as
>> during runtime on the target.
>>
>> It works by installing a hook into ca-certificates'
>> $SYSROOT/etc/ca-certificates/update.d/ that is passed the
>> added/removed certificates as arguments. That hook is then
>> updating the Java trustStore and storing it in
>> $SYSROOT/etc/ssl/certs/java/cacerts.
>>
>> The whole idea as well as the implementation of the hook
>> is borrowed from debian's ca-certificate-java package,
>> version 20170930 (the latest as of this commit).
>> Looking at the debian package, it appears like the same
>> binary trustStore ($SYSROOT/etc/ssl/certs/java/cacerts)
>> can be used by different versions of Java:
>>   * OpenJDK-7, 8, 9
>>   * Oracle Java 7, 8, 9
>>
>> The Java sources here can be compiled by any compatible
>> Java compiler, but the resulting jar file should only be
>> run by one of the compatible Java versions mentioned
>> above, so as to create a trustStore that can be read by
>> any of the Java versions mentioned above. We try to ensure
>> this using PACKAGE_WRITE_DEPS during image build time,
>> and by trying to find a compatible Java version inside
>> ${libdir_jvm} at runtime both during image build time and
>> on the target.
>>
>> Given there is nothing that we can RDEPENDS on that would
>> satisfy any of the above Java versions (either JDK or JRE),
>> we simply RDEPENDS on java2-runtime, and test
>> PREFERRED_RPROVIDER_java2-runtime to be satisfactory.
>> Given I can only test OpenJDK/OpenJRE 8 at the moment, only
>> those are actually allowed at the moment, though. This can
>> easily be extended upon confirmation.
>>
>> Final note - as per the debian package, there are three
>> cases when we can be called:
>>   1) as part of update-ca-certificates -> add / remove certs as instructed
>>   2) if first time install -> add all certs
>>   3) package update -> do nothing
>> We have no way to easily distinguish between first time install
>> and package update in OE, so the distinction between cases 2)
>> and 3) isn't perfect.
>>
>> Signed-off-by: André Draszik <andre.draszik@jci.com>
>>
>> ---
>> v2:
>> * Works with rm_work enabled. We can't use STAGING_LIBDIR_JVM_NATIVE
>>   in pkg_postinst as that is statically resolved to this recipe's
>>   native sysroot, which is of no use when building an image.
>>   Use the NATIVE_ROOT variable instead
>> * make the ca-certificates hook script less verbose (remove set -x)



* [yocto] [meta-java][PATCH 3/3] openjdk-8: use ca-certificates-java
  2018-06-15  8:00   ` Richard Leitner
@ 2018-06-15  8:19     ` Richard Leitner
  2018-06-15  8:58       ` Maxin B. John
  2018-08-20 13:42       ` [meta-java][PATCH 3/3] openjdk-8: use ca-certificates-java (was: Re: Fwd: [yocto] [meta-java][PATCH 3/3] openjdk-8: use ca-certificates-java) André Draszik
  0 siblings, 2 replies; 15+ messages in thread
From: Richard Leitner @ 2018-06-15  8:19 UTC (permalink / raw)
  To: openembedded-devel; +Cc: Otavio Salvador

fyi, as this was posted on yocto@yoctoproject.org

@Otavio/Maxin/Henning: is it OK to just force-push to
master-next without this commit? Or should I push a
"revert" commit?

regards;Richard.L


-------- Forwarded Message --------
Subject: Re: [yocto] [meta-java][PATCH 3/3] openjdk-8: use ca-certificates-java
Date: Fri, 15 Jun 2018 10:00:38 +0200
From: Richard Leitner <richard.leitner@skidata.com>
To: André Draszik <git@andred.net>, yocto@yoctoproject.org
CC: Richard Leitner <Richard.Leitner@skidata.com>

Hi,
this commit of yours breaks the build on meta-java's current
master-next branch (when building an image containing openjre-8
or openjdk-8) with the following message:

ERROR: openjre-8-test-image-1.0-r0 do_rootfs: [log_check] openjre-8-test-image: found 1 error message in the logfile:
[log_check] E: /yocto/meta-java-test/build/tmp/work/qemuarm-poky-linux-gnueabi/openjre-8-test-image/1.0-r0/rootfs/etc/ca-certificates/update.d/ca-certificates-java-hook exited with code 1.

ERROR: openjre-8-test-image-1.0-r0 do_rootfs: Function failed: do_rootfs
ERROR: Logfile of failure stored in: /yocto/meta-java-test/build/tmp/work/qemuarm-poky-linux-gnueabi/openjre-8-test-image/1.0-r0/temp/log.do_rootfs.19892
ERROR: Task (/yocto/meta-java-test/meta-java/recipes-images/images/openjre-8-test-image.bb:do_rootfs) failed with exit code '1'


The logfile contains the following error:

Running hooks in /yocto/meta-java-test/build/tmp/work/qemuarm-poky-linux-gnueabi/openjre-8-test-image/1.0-r0/rootfs/etc/ca-certificates/update.d...
/yocto/meta-java-test/build/tmp/work/qemuarm-poky-linux-gnueabi/openjre-8-test-image/1.0-r0/rootfs/etc/ca-certificates/update.d/ca-certificates-java-hook: no JVM_LIBDIR specified
E: /yocto/meta-java-test/build/tmp/work/qemuarm-poky-linux-gnueabi/openjre-8-test-image/1.0-r0/rootfs/etc/ca-certificates/update.d/ca-certificates-java-hook exited with code 1.
done.


Therefore it will be removed from master-next.

It would be great if you could send a fixed version.

Thank you!

regards;Richard.L


On 03/30/2018 10:40 AM, André Draszik wrote:
> From: André Draszik <andre.draszik@jci.com>
> 
> The OpenJDK-8 package currently comes with a trustStore
> that was generated at OpenJDK-8-native build time from
> *all* certificates available in the system, not just from
> those that are marked as trusted.
> 
> This isn't right...
> 
> openjdk-8 and openjre-8 now RDEPENDS on (and use) the CA
> certificates as provided by the ca-certificates-java
> package just added.
> 
> This makes sure that Java now uses the same trusted CA
> certificates as the rest of the system.
> 
> Signed-off-by: André Draszik <andre.draszik@jci.com>
> ---
>  recipes-core/openjdk/openjdk-8-common.inc |  2 ++
>  recipes-core/openjdk/openjdk-8-cross.inc  | 12 +++++++++++-
>  2 files changed, 13 insertions(+), 1 deletion(-)
> 
> diff --git a/recipes-core/openjdk/openjdk-8-common.inc b/recipes-core/openjdk/openjdk-8-common.inc
> index b2020c3..c8d157e 100644
> --- a/recipes-core/openjdk/openjdk-8-common.inc
> +++ b/recipes-core/openjdk/openjdk-8-common.inc
> @@ -254,3 +254,5 @@ def version_specific_cflags(d):
>  CFLAGS_append = " ${@version_specific_cflags(d)}"
>  CXXFLAGS_append = " ${@version_specific_cflags(d)}"
>  CXX_append = " -std=gnu++98"
> +
> +RDEPENDS_${PN} = "ca-certificates-java"
> diff --git a/recipes-core/openjdk/openjdk-8-cross.inc b/recipes-core/openjdk/openjdk-8-cross.inc
> index d70c946..6795c92 100644
> --- a/recipes-core/openjdk/openjdk-8-cross.inc
> +++ b/recipes-core/openjdk/openjdk-8-cross.inc
> @@ -57,7 +57,6 @@ EXTRA_OECONF_append = "\
>      --with-sys-root=${STAGING_DIR_HOST} \
>      --with-tools-dir=${STAGING_DIR_NATIVE} \
>      --with-boot-jdk=${STAGING_LIBDIR_NATIVE}/jvm/openjdk-8-native \
> -    --with-cacerts-file=${STAGING_LIBDIR_NATIVE}/jvm/openjdk-8-native/jre/lib/security/cacerts \
>      \
>      --disable-precompiled-headers \
>      --disable-zip-debug-info \
> @@ -88,6 +87,17 @@ do_install_append() {
>                pack200 --repack --effort=9 --segment-limit=-1 --modification-time=latest --strip-debug "$0"'
>        fi
>      fi
> +
> +    if [ -d ${D}${JDK_HOME} ] ; then
> +      rm ${D}${JDK_HOME}/jre/lib/security/cacerts
> +      ln -s ${@os.path.relpath("${sysconfdir}/ssl/certs/java/cacerts", "${JDK_HOME}/jre/lib/security/cacerts")} \
> +            ${D}${JDK_HOME}/jre/lib/security/cacerts
> +    fi
> +    if [ -d ${D}${JRE_HOME} ] ; then
> +      rm ${D}${JRE_HOME}/lib/security/cacerts
> +      ln -s ${@os.path.relpath("${sysconfdir}/ssl/certs/java/cacerts", "${JRE_HOME}/lib/security/cacerts")} \
> +            ${D}${JRE_HOME}/lib/security/cacerts
> +    fi
>  }
>  
>  export MAKE_VERBOSE = "y"
> 



* Re: [yocto] [meta-java][PATCH 3/3] openjdk-8: use ca-certificates-java
  2018-06-15  8:19     ` [yocto] " Richard Leitner
@ 2018-06-15  8:58       ` Maxin B. John
  2018-06-15  9:21         ` Henning Heinold
  2018-08-20 13:42       ` [meta-java][PATCH 3/3] openjdk-8: use ca-certificates-java (was: Re: Fwd: [yocto] [meta-java][PATCH 3/3] openjdk-8: use ca-certificates-java) André Draszik
  1 sibling, 1 reply; 15+ messages in thread
From: Maxin B. John @ 2018-06-15  8:58 UTC (permalink / raw)
  To: prvs=6977bbb5e=Richard.Leitner; +Cc: openembedded-devel, Otavio Salvador

Hi Richard,

On Fri, Jun 15, 2018 at 10:19:06AM +0200, prvs=6977bbb5e=Richard.Leitner@skidata.com wrote:
> fyi, as this was posted on yocto@yoctoproject.org
> 
> @Otavio/Maxin/Henning: is it OK to just force-push to
> master-next without this commit? Or should I push a
> "revert" commit?

I think it is ok to force-push to the master-next branch 
(obviously not ok to force push to other branches).

> regards;Richard.L

Best Regards,
Maxin

> 
> -------- Forwarded Message --------
> Subject: Re: [yocto] [meta-java][PATCH 3/3] openjdk-8: use ca-certificates-java
> Date: Fri, 15 Jun 2018 10:00:38 +0200
> From: Richard Leitner <richard.leitner@skidata.com>
> To: André Draszik <git@andred.net>, yocto@yoctoproject.org
> CC: Richard Leitner <Richard.Leitner@skidata.com>
> 
> Hi,
> this commit of yours breaks the build on meta-java's current
> master-next branch (when building an image containing openjre-8
> or openjdk-8) with the following message:
> 
> ERROR: openjre-8-test-image-1.0-r0 do_rootfs: [log_check] openjre-8-test-image: found 1 error message in the logfile:
> [log_check] E: /yocto/meta-java-test/build/tmp/work/qemuarm-poky-linux-gnueabi/openjre-8-test-image/1.0-r0/rootfs/etc/ca-certificates/update.d/ca-certificates-java-hook exited with code 1.
> 
> ERROR: openjre-8-test-image-1.0-r0 do_rootfs: Function failed: do_rootfs
> ERROR: Logfile of failure stored in: /yocto/meta-java-test/build/tmp/work/qemuarm-poky-linux-gnueabi/openjre-8-test-image/1.0-r0/temp/log.do_rootfs.19892
> ERROR: Task (/yocto/meta-java-test/meta-java/recipes-images/images/openjre-8-test-image.bb:do_rootfs) failed with exit code '1'
> 
> 
> The logfile contains the following error:
> 
> Running hooks in /yocto/meta-java-test/build/tmp/work/qemuarm-poky-linux-gnueabi/openjre-8-test-image/1.0-r0/rootfs/etc/ca-certificates/update.d...
> /yocto/meta-java-test/build/tmp/work/qemuarm-poky-linux-gnueabi/openjre-8-test-image/1.0-r0/rootfs/etc/ca-certificates/update.d/ca-certificates-java-hook: no JVM_LIBDIR specified
> E: /yocto/meta-java-test/build/tmp/work/qemuarm-poky-linux-gnueabi/openjre-8-test-image/1.0-r0/rootfs/etc/ca-certificates/update.d/ca-certificates-java-hook exited with code 1.
> done.
> 
> 
> Therefore it will be removed from master-next.
> 
> It would be great if you could send a fixed version.
> 
> Thank you!
> 
> regards;Richard.L
> 
> 
> On 03/30/2018 10:40 AM, André Draszik wrote:
> > From: André Draszik <andre.draszik@jci.com>
> > 
> > The OpenJDK-8 package currently comes with a trustStore
> > that was generated at OpenJDK-8-native build time from
> > *all* certificates available in the system, not just from
> > those that are marked as trusted.
> > 
> > This isn't right...
> > 
> > openjdk-8 and openjre-8 now RDEPENDS on (and use) the CA
> > certificates as provided by the ca-certificates-java
> > package just added.
> > 
> > This makes sure that Java now uses the same trusted CA
> > certificates as the rest of the system.
> > 
> > Signed-off-by: André Draszik <andre.draszik@jci.com>
> > ---
> >  recipes-core/openjdk/openjdk-8-common.inc |  2 ++
> >  recipes-core/openjdk/openjdk-8-cross.inc  | 12 +++++++++++-
> >  2 files changed, 13 insertions(+), 1 deletion(-)
> > 
> > diff --git a/recipes-core/openjdk/openjdk-8-common.inc b/recipes-core/openjdk/openjdk-8-common.inc
> > index b2020c3..c8d157e 100644
> > --- a/recipes-core/openjdk/openjdk-8-common.inc
> > +++ b/recipes-core/openjdk/openjdk-8-common.inc
> > @@ -254,3 +254,5 @@ def version_specific_cflags(d):
> >  CFLAGS_append = " ${@version_specific_cflags(d)}"
> >  CXXFLAGS_append = " ${@version_specific_cflags(d)}"
> >  CXX_append = " -std=gnu++98"
> > +
> > +RDEPENDS_${PN} = "ca-certificates-java"
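Review bot: `RDEPENDS_${PN} = "ca-certificates-java"` is a plain assignment, so it silently overwrites any RDEPENDS_${PN} that a recipe including openjdk-8-common.inc has set before this point; use `RDEPENDS_${PN} += "ca-certificates-java"` (or an `_append`) so the dependency is added rather than replacing the list. The do_rootfs failure quoted above ("ca-certificates-java-hook: no JVM_LIBDIR specified") also suggests that a runtime dependency alone does not guarantee the hook's configuration is present when ca-certificates runs its update hooks during image creation; the commit message should say how the hook is expected to find the JVM in that case.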
> > diff --git a/recipes-core/openjdk/openjdk-8-cross.inc b/recipes-core/openjdk/openjdk-8-cross.inc
> > index d70c946..6795c92 100644
> > --- a/recipes-core/openjdk/openjdk-8-cross.inc
> > +++ b/recipes-core/openjdk/openjdk-8-cross.inc
> > @@ -57,7 +57,6 @@ EXTRA_OECONF_append = "\
> >      --with-sys-root=${STAGING_DIR_HOST} \
> >      --with-tools-dir=${STAGING_DIR_NATIVE} \
> >      --with-boot-jdk=${STAGING_LIBDIR_NATIVE}/jvm/openjdk-8-native \
> > -    --with-cacerts-file=${STAGING_LIBDIR_NATIVE}/jvm/openjdk-8-native/jre/lib/security/cacerts \
> >      \
> >      --disable-precompiled-headers \
> >      --disable-zip-debug-info \
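Review bot: dropping `--with-cacerts-file` means the cross build now falls back to whatever cacerts keystore the OpenJDK source tree provides instead of the native build's copy; that file is deleted and replaced by a symlink in the do_install_append hunk of this same patch, but the commit message should state this fallback explicitly and make clear that the build-time keystore contents are never shipped, so nobody relies on them.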
> > @@ -88,6 +87,17 @@ do_install_append() {
> >                pack200 --repack --effort=9 --segment-limit=-1 --modification-time=latest --strip-debug "$0"'
> >        fi
> >      fi
> > +
> > +    if [ -d ${D}${JDK_HOME} ] ; then
> > +      rm ${D}${JDK_HOME}/jre/lib/security/cacerts
> > +      ln -s ${@os.path.relpath("${sysconfdir}/ssl/certs/java/cacerts", "${JDK_HOME}/jre/lib/security/cacerts")} \
> > +            ${D}${JDK_HOME}/jre/lib/security/cacerts
> > +    fi
> > +    if [ -d ${D}${JRE_HOME} ] ; then
> > +      rm ${D}${JRE_HOME}/lib/security/cacerts
> > +      ln -s ${@os.path.relpath("${sysconfdir}/ssl/certs/java/cacerts", "${JRE_HOME}/lib/security/cacerts")} \
> > +            ${D}${JRE_HOME}/lib/security/cacerts
> > +    fi
> >  }
> >  
> >  export MAKE_VERBOSE = "y"
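Review bot: `os.path.relpath` treats its second argument as the start directory, but both `ln -s` calls pass the link's own path (`.../security/cacerts`), so the computed target carries one `..` too many; it only resolves because `/..` is `/` on Linux. Pass the directory containing the link instead, e.g. `os.path.relpath("${sysconfdir}/ssl/certs/java/cacerts", "${JDK_HOME}/jre/lib/security")` and the equivalent `${JRE_HOME}/lib/security` for the JRE case. The two unconditional `rm` calls should also be `rm -f`, so do_install does not abort if the file is absent in one of the two layouts.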
> > 



* Re: [yocto] [meta-java][PATCH 3/3] openjdk-8: use ca-certificates-java
  2018-06-15  8:58       ` Maxin B. John
@ 2018-06-15  9:21         ` Henning Heinold
  2018-06-15 12:49           ` Otavio Salvador
  0 siblings, 1 reply; 15+ messages in thread
From: Henning Heinold @ 2018-06-15  9:21 UTC (permalink / raw)
  To: Maxin B. John; +Cc: openembedded-devel, Otavio Salvador

On Fri, Jun 15, 2018 at 11:58:55AM +0300, Maxin B. John wrote:
> Hi Richard,
> 
> On Fri, Jun 15, 2018 at 10:19:06AM +0200, prvs=6977bbb5e=Richard.Leitner@skidata.com wrote:
> > fyi, as this was posted on yocto@yoctoproject.org
> > 
> > @Otavio/Maxin/Henning: is it OK to just force-push to
> > master-next without this commit? Or should I push a
> > "revert" commit?
> 
> I think it is ok to force-push to the master-next branch 
> (obviously not ok to force push to other branches).
> 
> > regards;Richard.L
> 
> Best Regards,
> Maxin

Hi,

I am fine with push-force in this case too.

Bye Henning



* Re: [yocto] [meta-java][PATCH 3/3] openjdk-8: use ca-certificates-java
  2018-06-15  9:21         ` Henning Heinold
@ 2018-06-15 12:49           ` Otavio Salvador
  0 siblings, 0 replies; 15+ messages in thread
From: Otavio Salvador @ 2018-06-15 12:49 UTC (permalink / raw)
  To: Henning Heinold; +Cc: openembedded-devel, Otavio Salvador

On Fri, Jun 15, 2018 at 6:21 AM, Henning Heinold
<henning@itconsulting-heinold.de> wrote:
> On Fri, Jun 15, 2018 at 11:58:55AM +0300, Maxin B. John wrote:
>> Hi Richard,
>>
>> On Fri, Jun 15, 2018 at 10:19:06AM +0200, prvs=6977bbb5e=Richard.Leitner@skidata.com wrote:
>> > fyi, as this was posted on yocto@yoctoproject.org
>> >
>> > @Otavio/Maxin/Henning: is it OK to just force-push to
>> > master-next without this commit? Or should I push a
>> > "revert" commit?
>>
>> I think it is ok to force-push to the master-next branch
>> (obviously not ok to force push to other branches).
>>
>> > regards;Richard.L
>>
>> Best Regards,
>> Maxin
>
> Hi,
>
> I am fine with push-force in this case too.
>
> Bye Henning



-- 
Otavio Salvador                             O.S. Systems
http://www.ossystems.com.br        http://code.ossystems.com.br
Mobile: +55 (53) 9 9981-7854          Mobile: +1 (347) 903-9750



* Re: [meta-java][PATCH 3/3] openjdk-8: use ca-certificates-java (was: Re: Fwd: [yocto] [meta-java][PATCH 3/3] openjdk-8: use ca-certificates-java)
  2018-06-15  8:19     ` [yocto] " Richard Leitner
  2018-06-15  8:58       ` Maxin B. John
@ 2018-08-20 13:42       ` André Draszik
  2018-08-20 13:54         ` Richard Leitner
  1 sibling, 1 reply; 15+ messages in thread
From: André Draszik @ 2018-08-20 13:42 UTC (permalink / raw)
  To: openembedded-devel

Hi Richard,

What package manager are (were) you using when that failed for you?


Thanks,
Andre'

On Fri, 2018-06-15 at 10:19 +0200, Richard Leitner wrote:
> fyi, as this was posted on yocto@yoctoproject.org
> 
> @Otavio/Maxin/Henning: is it OK to just force-push to
> master-next without this commit? Or should I push a
> "revert" commit?
> 
> regards;Richard.L
> 
> 
> -------- Forwarded Message --------
> Subject: Re: [yocto] [meta-java][PATCH 3/3] openjdk-8: use ca-certificates-java
> Date: Fri, 15 Jun 2018 10:00:38 +0200
> From: Richard Leitner <richard.leitner@skidata.com>
> To: André Draszik <git@andred.net>, yocto@yoctoproject.org
> CC: Richard Leitner <Richard.Leitner@skidata.com>
> 
> Hi,
> this commit of yours breaks the build on meta-java's current
> master-next branch (when building an image containing openjre-8
> or openjdk-8) with the following message:
> 
> ERROR: openjre-8-test-image-1.0-r0 do_rootfs: [log_check] openjre-8-test-image: found 1 error message in the logfile:
> [log_check] E: /yocto/meta-java-test/build/tmp/work/qemuarm-poky-linux-gnueabi/openjre-8-test-image/1.0-r0/rootfs/etc/ca-certificates/update.d/ca-certificates-java-hook exited with code 1.
> 
> ERROR: openjre-8-test-image-1.0-r0 do_rootfs: Function failed: do_rootfs
> ERROR: Logfile of failure stored in: /yocto/meta-java-test/build/tmp/work/qemuarm-poky-linux-gnueabi/openjre-8-test-image/1.0-r0/temp/log.do_rootfs.19892
> ERROR: Task (/yocto/meta-java-test/meta-java/recipes-images/images/openjre-8-test-image.bb:do_rootfs) failed with exit code '1'
> 
> 
> The logfile contains the following error:
> 
> Running hooks in /yocto/meta-java-test/build/tmp/work/qemuarm-poky-linux-gnueabi/openjre-8-test-image/1.0-r0/rootfs/etc/ca-certificates/update.d...
> /yocto/meta-java-test/build/tmp/work/qemuarm-poky-linux-gnueabi/openjre-8-test-image/1.0-r0/rootfs/etc/ca-certificates/update.d/ca-certificates-java-hook: no JVM_LIBDIR specified
> E: /yocto/meta-java-test/build/tmp/work/qemuarm-poky-linux-gnueabi/openjre-8-test-image/1.0-r0/rootfs/etc/ca-certificates/update.d/ca-certificates-java-hook exited with code 1.
> done.
> 
> 
> Therefore it will be removed from master-next.
> 
> It would be great if you could send a fixed version.
> 
> Thank you!
> 
> regards;Richard.L
> 
> 
> On 03/30/2018 10:40 AM, André Draszik wrote:
> > From: André Draszik <andre.draszik@jci.com>
> > 
> > The OpenJDK-8 package currently comes with a trustStore
> > that was generated at OpenJDK-8-native build time from
> > *all* certificates available in the system, not just from
> > those that are marked as trusted.
> > 
> > This isn't right...
> > 
> > openjdk-8 and openjre-8 now RDEPENDS on (and use) the CA
> > certificates as provided by the ca-certificates-java
> > package just added.
> > 
> > This makes sure that Java now uses the same trusted CA
> > certificates as the rest of the system.
> > 
> > Signed-off-by: André Draszik <andre.draszik@jci.com>
> > ---
> >  recipes-core/openjdk/openjdk-8-common.inc |  2 ++
> >  recipes-core/openjdk/openjdk-8-cross.inc  | 12 +++++++++++-
> >  2 files changed, 13 insertions(+), 1 deletion(-)
> > 
> > diff --git a/recipes-core/openjdk/openjdk-8-common.inc b/recipes-
> > core/openjdk/openjdk-8-common.inc
> > index b2020c3..c8d157e 100644
> > --- a/recipes-core/openjdk/openjdk-8-common.inc
> > +++ b/recipes-core/openjdk/openjdk-8-common.inc
> > @@ -254,3 +254,5 @@ def version_specific_cflags(d):
> >  CFLAGS_append = " ${@version_specific_cflags(d)}"
> >  CXXFLAGS_append = " ${@version_specific_cflags(d)}"
> >  CXX_append = " -std=gnu++98"
> > +
> > +RDEPENDS_${PN} = "ca-certificates-java"
> > diff --git a/recipes-core/openjdk/openjdk-8-cross.inc b/recipes-
> > core/openjdk/openjdk-8-cross.inc
> > index d70c946..6795c92 100644
> > --- a/recipes-core/openjdk/openjdk-8-cross.inc
> > +++ b/recipes-core/openjdk/openjdk-8-cross.inc
> > @@ -57,7 +57,6 @@ EXTRA_OECONF_append = "\
> >      --with-sys-root=${STAGING_DIR_HOST} \
> >      --with-tools-dir=${STAGING_DIR_NATIVE} \
> >      --with-boot-jdk=${STAGING_LIBDIR_NATIVE}/jvm/openjdk-8-native \
> > -    --with-cacerts-file=${STAGING_LIBDIR_NATIVE}/jvm/openjdk-8-
> > native/jre/lib/security/cacerts \
> >      \
> >      --disable-precompiled-headers \
> >      --disable-zip-debug-info \
> > @@ -88,6 +87,17 @@ do_install_append() {
> >                pack200 --repack --effort=9 --segment-limit=-1 --
> > modification-time=latest --strip-debug "$0"'
> >        fi
> >      fi
> > +
> > +    if [ -d ${D}${JDK_HOME} ] ; then
> > +      rm ${D}${JDK_HOME}/jre/lib/security/cacerts
> > +      ln -s ${@os.path.relpath("${sysconfdir}/ssl/certs/java/cacerts",
> > "${JDK_HOME}/jre/lib/security/cacerts")} \
> > +            ${D}${JDK_HOME}/jre/lib/security/cacerts
> > +    fi
> > +    if [ -d ${D}${JRE_HOME} ] ; then
> > +      rm ${D}${JRE_HOME}/lib/security/cacerts
> > +      ln -s ${@os.path.relpath("${sysconfdir}/ssl/certs/java/cacerts",
> > "${JRE_HOME}/lib/security/cacerts")} \
> > +            ${D}${JRE_HOME}/lib/security/cacerts
> > +    fi
> >  }
> >  
> >  export MAKE_VERBOSE = "y"
> > 




* Re: [meta-java][PATCH 3/3] openjdk-8: use ca-certificates-java (was: Re: Fwd: [yocto] [meta-java][PATCH 3/3] openjdk-8: use ca-certificates-java)
  2018-08-20 13:42       ` [meta-java][PATCH 3/3] openjdk-8: use ca-certificates-java (was: Re: Fwd: [yocto] [meta-java][PATCH 3/3] openjdk-8: use ca-certificates-java) André Draszik
@ 2018-08-20 13:54         ` Richard Leitner
  0 siblings, 0 replies; 15+ messages in thread
From: Richard Leitner @ 2018-08-20 13:54 UTC (permalink / raw)
  To: openembedded-devel

Hi André,

On 8/20/18 3:42 PM, André Draszik wrote:
> Hi Richard,
> 
> What package manager are (were) you using when that failed for you?

I'm pretty sure I used the default one (rpm)...

> 
> 
> Thanks,
> Andre'

regards;Richard.L


