Use el9 portable packages

Eduard Abdullin 2026-03-15 03:56:50 +00:00 committed by root
commit 114da8d47a
15 changed files with 905 additions and 53 deletions


@ -376,7 +376,7 @@
# Define IcedTea version used for SystemTap tapsets and desktop file
%global icedteaver 6.0.0pre00-c848b93a8598
# Define current Git revision for the FIPS support patches
%global fipsver df044414ef4
%global fipsver e55ada9353e
# Define JDK versions
%global newjavaver %{featurever}.%{interimver}.%{updatever}.%{patchver}
%global javaver %{featurever}
@ -391,7 +391,7 @@
%global top_level_dir_name %{vcstag}
%global top_level_dir_name_backup %{top_level_dir_name}-backup
%global buildver 10
%global rpmrelease 2
%global rpmrelease 3
#%%global tagsuffix %%{nil}
# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
%if %is_system_jdk
@ -643,37 +643,9 @@ Source18: TestTranslations.java
# as follows: git diff %%{vcstag} src make test > fips-25u-$(git show -s --format=%h HEAD).patch
# Diff is limited to src and make subdirectories to exclude .github changes
# Fixes currently included:
# PR3183, RH1340845: Follow system wide crypto policy
# PR3695: Allow use of system crypto policy to be disabled by the user
# RH1655466: Support RHEL FIPS mode using SunPKCS11 provider
# RH1818909: No ciphersuites availale for SSLSocket in FIPS mode
# RH1860986: Disable TLSv1.3 with the NSS-FIPS provider until PKCS#11 v3.0 support is available
# RH1915071: Always initialise JavaSecuritySystemConfiguratorAccess
# RH1929465: Improve system FIPS detection
# RH1995150: Disable non-FIPS crypto in SUN and SunEC security providers
# RH1996182: Login to the NSS software token in FIPS mode
# RH1991003: Allow plain key import unless com.redhat.fips.plainKeySupport is set to false
# RH2021263: Resolve outstanding FIPS issues
# RH2052819: Fix FIPS reliance on crypto policies
# RH2052829: Detect NSS at Runtime for FIPS detection
# RH2052070: Enable AlgorithmParameters and AlgorithmParameterGenerator services in FIPS mode
# RH2023467: Enable FIPS keys export
# RH2094027: SunEC runtime permission for FIPS
# RH2036462: sun.security.pkcs11.wrapper.PKCS11.getInstance breakage
# RH2090378: Revert to disabling system security properties and FIPS mode support together
# RH2104724: Avoid import/export of DH private keys
# RH2092507: P11Key.getEncoded does not work for DH keys in FIPS mode
# Build the systemconf library on all platforms
# RH2048582: Support PKCS#12 keystores [now part of JDK-8301553 upstream]
# RH2020290: Support TLS 1.3 in FIPS mode
# Add nss.fips.cfg support to OpenJDK tree
# RH2117972: Extend the support for NSS DBs (PKCS11) in FIPS mode
# Remove forgotten dead code from RH2020290 and RH2104724
# OJ1357: Fix issue on FIPS with a SecurityManager in place
# RH2134669: Add missing attributes when registering services in FIPS mode.
# test/jdk/sun/security/pkcs11/fips/VerifyMissingAttributes.java: fixed jtreg main class
# RH1940064: Enable XML Signature provider in FIPS mode
# RH2173781: Avoid calling C_GetInfo() too early, before cryptoki is initialized [now part of JDK-8301553 upstream]
# OPENJDK-2108: Internal __redhat_fips__ property
# OPENJDK-2123: Algorithms lockdown
# OPENJDK-4559: Red Hat Build of OpenJDK 25 should not restrict all the providers in FIPS
Patch1001: fips-%{featurever}u-%{fipsver}.patch
#############################################
@ -692,6 +664,15 @@ Patch1001: fips-%{featurever}u-%{fipsver}.patch
# JDK-8372534: Update Libpng to 1.6.51
# Integrated in 25.0.3
Patch2001: jdk8372534-libpng-1.6.51.patch
# JDK-8375063: Update Libpng to 1.6.54
# Integrated in 25.0.3
Patch2002: jdk8375063-libpng-1.6.54.patch
# JDK-8375057: Update HarfBuzz to 12.3.2
# Integrated in 25.0.3
Patch2003: jdk8375057-harfbuzz-12.3.2.patch
# JDK-8377526: Update Libpng to 1.6.55
# Integrated in 25.0.3
Patch2004: jdk8377526-libpng-1.6.55.patch
#############################################
#
@ -778,13 +759,13 @@ Provides: bundled(freetype) = 2.13.3
# Version in src/java.desktop/share/native/libsplashscreen/giflib/gif_lib.h
Provides: bundled(giflib) = 5.2.2
# Version in src/java.desktop/share/native/libharfbuzz/hb-version.h
Provides: bundled(harfbuzz) = 10.4.0
Provides: bundled(harfbuzz) = 12.3.2
# Version in src/java.desktop/share/native/liblcms/lcms2.h
Provides: bundled(lcms2) = 2.17.0
# Version in src/java.desktop/share/native/libjavajpeg/jpeglib.h
Provides: bundled(libjpeg) = 6b
# Version in src/java.desktop/share/native/libsplashscreen/libpng/png.h
Provides: bundled(libpng) = 1.6.51
Provides: bundled(libpng) = 1.6.55
# Version in src/java.base/share/native/libzip/zlib/zlib.h
Provides: bundled(zlib) = 1.3.1
# We link statically against libstdc++ to increase portability
@ -1005,8 +986,11 @@ sh %{SOURCE12} %{top_level_dir_name}
pushd %{top_level_dir_name}
# Add crypto policy and FIPS support
%patch -P1001 -p1
# Add libpng update ahead of 25.0.3
# Add libpng & harfbuzz updates ahead of 25.0.3
%patch -P2001 -p1
%patch -P2002 -p1
%patch -P2003 -p1
%patch -P2004 -p1
popd # openjdk
echo "Generating %{alt_java_name} man page"
@ -1974,6 +1958,20 @@ done
%endif
%changelog
* Tue Mar 03 2026 Andrew Hughes <gnu.andrew@redhat.com> - 1:25.0.2.0.10-3
- Update FIPS patch to e55ada9353e to include the fix for the too restrictive provider lockdown
- Fix FIPS issue list to represent the new 25u version
- Add JDK-8375063 libpng 1.6.54 ahead of 25.0.3
- Add JDK-8375057 harfbuzz 12.3.2 ahead of 25.0.3
- Add JDK-8377526 libpng 1.6.55 ahead of 25.0.3
- Bump libpng version to 1.6.55 following JDK-8375063 & JDK-8377526
- Bump harfbuzz version to 12.3.2 following JDK-8375057
- Resolves: OPENJDK-4570
- Resolves: OPENJDK-4304
- Resolves: OPENJDK-4524
- Resolves: OPENJDK-4544
- Resolves: OPENJDK-4553
* Mon Jan 12 2026 Andrew Hughes <gnu.andrew@redhat.com> - 1:25.0.2.0.10-2
- Add JDK-8372534 libpng 1.6.51 ahead of 25.0.3
- Bump libpng version to 1.6.51 following JDK-8372534
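Review bot: The trimmed comment block above `Patch1001` no longer lets a reader tell from the spec which FIPS behaviours the `e55ada9353e` patch still carries. The hunk header shows the block shrinking from 37 lines to 9, and the rendered page does not mark which entries survive, so whether items such as `RH1995150: Disable non-FIPS crypto in SUN and SunEC security providers` are still covered has to be inferred. I would add one comment line pointing at the full history, for example `# See the git log of the FIPS patch repository at %{fipsver} for the full list of fixes`, with the wording confirmed by the patch owner.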


@ -349,7 +349,7 @@
%global top_level_dir_name %{vcstag}
%global top_level_dir_name_backup %{top_level_dir_name}-backup
%global buildver 10
%global rpmrelease 3
%global rpmrelease 4
# Settings used by the portable build
%global portablerelease 3
# Portable suffix differs between RHEL and CentOS
@ -2622,9 +2622,22 @@ exit 0
%endif
%changelog
* Thu Mar 12 2026 Eduard Abdullin <eabdullin@almalinux.org> - 1:25.0.2.0.10-3.alma.1
* Sun Mar 15 2026 Eduard Abdullin <eabdullin@almalinux.org> - 1:25.0.2.0.10-4.alma.1
- Use el9 portable packages
* Thu Mar 12 2026 Andrew Hughes <gnu.andrew@redhat.com> - 1:25.0.2.0.10-4
- Add tagging scripts with signature checks and gating handling
- Update tagged versions to include 9.8.0-z, 9.9.0, 10.2-z & 10.3.
- Add gating scripts to simplify obtaining results and waiving issues
- Sync the copy of the portable specfile with the latest update
- Resolves: RHEL-155327
- Resolves: RHEL-155337
- Resolves: RHEL-155339
- Related: RHEL-155000
- Related: RHEL-146649
- Related: RHEL-148327
- Related: RHEL-148830
* Wed Mar 11 2026 Thomas Fitzsimmons <fitzsim@redhat.com> - 1:25.0.2.0.10-3
- Disable abidiff inspection in rpminspect.yaml to avoid an out-of-memory error on the CentOS test farm
- See: https://docs.testing-farm.io/Testing%20Farm/0.1/errors.html#TFE-1


@ -0,0 +1,77 @@
#!/bin/sh
# Copyright (C) 2026 Red Hat, Inc.
# Written by:
# Andrew John Hughes <gnu.andrew@redhat.com>
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as
# published by the Free Software Foundation, either version 3 of the
# License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# Check the signatures (if any) in RHEL RPM buildinfo
# This is intended to be run from the tagging scripts
# Return codes:
# - 1 - Buildinfo file not specified
# - 2 = Missing buildinfo file
# - 3 = No signatures
# - 4 = Multiple signature types found
# - 5 = PQC signature found
# - 6 = Old signature (fd431d51) found
# - 7 = Unknown signature found
BUILDINFO=${1}
NEW_SIGNATURE="release4";
OLD_SIGNATURE="fd431d51";
if test "${BUILDINFO}" = ""; then
echo "${0} <BUILDINFO>";
exit 1;
fi
if ! test -e "${BUILDINFO}" ; then
echo "${BUILDINFO} not found.";
exit 2;
fi
if cat ${BUILDINFO} | grep -q Signatures ; then
signature=$(cat ${BUILDINFO} | grep Signatures|cut -d ' ' -f 2-|uniq -c);
uniq_count=$(echo ${signature} | wc -l);
if test ${uniq_count} -gt 1; then
echo "Multiple signature types found:";
echo "${signature}";
exit 4;
fi
sig_count=$(echo ${signature} | cut -d ' ' -f 1);
sig_type=$(echo ${signature} | cut -d ' ' -f 2);
echo "${sig_count} signatures of type ${sig_type} found";
if echo "${sig_type}" | grep -q "${NEW_SIGNATURE}" ; then
echo "PQC signature found.";
exit 5;
elif echo "${sig_type}" | grep -q "${OLD_SIGNATURE}"; then
echo "Old pre-PQC signature found.";
exit 6;
else
echo "Unknown signature found.";
exit 7;
fi
else
echo "Build has no signatures.";
exit 3;
fi
# Local Variables:
# compile-command: "shellcheck check_signatures.sh"
# fill-column: 80
# indent-tabs-mode: nil
# sh-basic-offset: 4
# End:
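Review bot: The multiple-signature check cannot fire, because `${signature}` is unquoted in `uniq_count=$(echo ${signature} | wc -l)`: word splitting joins the `uniq -c` output onto one line, so `wc -l` always reports 1 and exit code 4 is unreachable. A build carrying both `fd431d51` and `release4` signatures would then be classified by whichever type is listed first. Count on the quoted value instead, `uniq_count=$(printf '%s\n' "${signature}" | wc -l);`, and put `sort` before `uniq -c` so that non-adjacent duplicates collapse. The later unquoted `echo ${signature} | cut` calls rely on the splitting to drop the leading padding and can stay. `cat ${BUILDINFO}` should be quoted, or replaced by `grep -q Signatures "${BUILDINFO}"`.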


@ -0,0 +1,63 @@
#!/bin/bash
# Copyright (C) 2026 Red Hat, Inc.
# Written by:
# Andrew John Hughes <gnu.andrew@redhat.com>
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as
# published by the Free Software Foundation, either version 3 of the
# License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# Retrieve the results of a gating test using the ID from the JSON
# retrieved by query_build_gating.sh
RESULT_ID=${1}
if test "${RESULT_ID}" = ""; then
echo "No ID specified.";
echo "${0} <RESULT_ID>";
exit 1;
fi
CURL=$(command -v curl)
JSON_TOOL=$(command -v jq)
if test "${CURL}" = ""; then
echo "curl not found";
exit 2;
fi
if test "${JSON_TOOL}" = ""; then
echo "jq not found";
exit 3;
fi
URL="https://resultsdb-api.engineering.redhat.com/api/v2.0/results/${RESULT_ID}"
JSON_OUT=$(mktemp --tmpdir out.XXXXXX.json)
CMD=("${CURL}" --silent --show-error "${URL}")
echo "${CMD[@]}"
if command "${CMD[@]}" > "${JSON_OUT}" ; then
"${JSON_TOOL}" < "${JSON_OUT}"
else
echo "Failed to obtain JSON";
exit 4;
fi
# Local Variables:
# compile-command: "shellcheck get_gating_results.sh"
# fill-column: 80
# indent-tabs-mode: nil
# sh-basic-offset: 4
# End:
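Review bot: An HTTP error from resultsdb is treated as success, because `CMD=("${CURL}" --silent --show-error "${URL}")` has no `--fail`: curl exits 0 on a 4xx/5xx response, the response body is handed to jq, and the script's exit status becomes jq's. Adding `--fail` makes the existing `exit 4` branch reachable for those cases. The same applies to the curl invocations in query_build_gating.sh and waive_issue.sh, where a rejected waiver would otherwise look like a filed one. `JSON_OUT` is also never removed; `trap 'rm -f "${JSON_OUT}"' EXIT` after the `mktemp` line would cover every exit path.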


@ -0,0 +1,94 @@
#!/bin/bash
# Copyright (C) 2026 Red Hat, Inc.
# Written by:
# Andrew John Hughes <gnu.andrew@redhat.com>
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as
# published by the Free Software Foundation, either version 3 of the
# License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# Retrieve the status of a build's progress through gating
RHEL_VER=${1}
NVR=${2}
if test "${RHEL_VER}" = ""; then
echo "No RHEL version specified.";
echo "${0} <RHEL_VER> <NVR>";
exit 1;
fi
if test "${NVR}" = ""; then
echo "No NVR specified.";
echo "${0} <RHEL_VER> <NVR>";
exit 2;
fi
CURL=$(command -v curl)
JSON_TOOL=$(command -v jq)
JSON_FILE=$(mktemp --tmpdir query.XXXXXX.json)
JSON_OUT=$(mktemp --tmpdir out.XXXXXX.json)
URL="https://greenwave.engineering.redhat.com/api/v1.0/decision"
if test "${CURL}" = ""; then
echo "curl not found";
exit 3;
fi
if test "${JSON_TOOL}" = ""; then
echo "jq not found";
exit 4;
fi
{
echo "{";
printf "\t\"decision_context\":\"osci_compose_gate\",\n";
printf "\t\"product_version\":\"rhel-%d\",\n" "${RHEL_VER}";
printf "\t\"subject_type\":\"koji_build\",\n";
printf "\t\"subject_identifier\":\"%s\",\n" "${NVR}";
printf "\t\"verbose\":false\n";
echo "}";
} > "${JSON_FILE}"
echo "Sending the following JSON...";
cat "${JSON_FILE}"
CMD=("${CURL}" --silent --show-error -X POST)
JSON_COMMAND="--json";
# Check --json is available
${CURL} ${JSON_COMMAND} 2> /dev/null
if [ $? -eq 2 ] ; then
echo "--json unsupported; falling back on --data-ascii";
CMD=("${CMD[@]}" --header Content-Type:application/json --data-ascii);
else
CMD=("${CMD[@]}" "${JSON_COMMAND}");
fi
CMD=("${CMD[@]}" "@${JSON_FILE}" "${URL}")
echo "${CMD[@]}"
if command "${CMD[@]}" > "${JSON_OUT}" ; then
"${JSON_TOOL}" < "${JSON_OUT}"
else
echo "Failed to obtain JSON";
exit 5;
fi
# Local Variables:
# compile-command: "shellcheck query_build_gating.sh"
# fill-column: 80
# indent-tabs-mode: nil
# sh-basic-offset: 4
# End:
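Review bot: The request body is assembled with `printf "\t\"subject_identifier\":\"%s\",\n" "${NVR}"`, which copies the argument into the JSON without escaping, so a quote or backslash in it yields a malformed or differently-shaped document. `%d` on `${RHEL_VER}` has a related problem: a non-numeric value prints an error and still emits `rhel-0`. Since jq is already a hard requirement of this script, it can build the object and do the escaping, as sketched below. waive_issue.sh builds its body the same way, and there the free-text `${COMMENT}` is the field most likely to contain quotes.

```shell
# … unchanged: argument checks, curl/jq lookup, mktemp …
case "${RHEL_VER}" in
    ''|*[!0-9]*) echo "RHEL version must be a number."; exit 1 ;;
esac
"${JSON_TOOL}" -n \
    --arg version "rhel-${RHEL_VER}" \
    --arg nvr "${NVR}" \
    '{decision_context: "osci_compose_gate",
      product_version: $version,
      subject_type: "koji_build",
      subject_identifier: $nvr,
      verbose: false}' > "${JSON_FILE}"
# … unchanged: echo of the request, --json probe, curl call …
```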

87
scripts/builds/tag_rhel.sh Executable file

@ -0,0 +1,87 @@
#!/bin/sh
# Copyright (C) 2026 Red Hat, Inc.
# Written by:
# Andrew John Hughes <gnu.andrew@redhat.com>
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as
# published by the Free Software Foundation, either version 3 of the
# License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# Tag public RHEL RPMs into gating for all supported streams
# This is intended to be run from tag_rhel_<ver>_(public|embargoed).sh
BUILD="${1}"
BUILDLOG="${2}"
SUFFIX="${3}"
shift 3;
SUPPORTED_VERS="$*"
CMD_SYNTAX="${0} <BUILD> <BUILDLOG> <SUFFIX> <SUPPORTED_VERS>";
GATE_SUFFIX="gate"
if test "${BUILD}" = ""; then
echo "${CMD_SYNTAX}";
exit 1;
fi
if test "${BUILDLOG}" = ""; then
echo "${CMD_SYNTAX}";
exit 2;
fi
if test "${SUPPORTED_VERS}" = ""; then
echo "${CMD_SYNTAX}";
exit 3;
fi
buildtags=$(grep "^Tag" "${BUILDLOG}" | cut -d : -f 2-)
echo "Build has tags ${buildtags}";
if [ "${SUFFIX}" = "${GATE_SUFFIX}" ] ; then
echo "Gating system can only handle one tag at a time."
echo "Script will need to be re-run for subsequent tags once previous tag has moved to -candidate."
if echo "${buildtags}" | grep -q "${GATE_SUFFIX}"; then
echo "Tag with \"-${GATE_SUFFIX}\" found. Please complete gating before re-running.";
exit 1;
fi
fi
done=0;
for ver in ${SUPPORTED_VERS}; do
vertag="rhel-${ver}";
proposedtag="${vertag}-${SUFFIX}";
echo "Checking if ${BUILD} has been added to ${vertag}...";
if echo "${buildtags}" | grep -q "${vertag}" ; then
echo "${BUILD} has been tagged into ${proposedtag}";
else
if [ "${SUFFIX}" = "${GATE_SUFFIX}" ] && [ "${done}" -eq 1 ]; then
echo "Already added a tag. Need to tag ${proposedtag} in a future run.";
else
echo "Tagging ${BUILD} into ${proposedtag}";
brew tag-build --nowait "${proposedtag}" "${BUILD}";
done=1;
fi
fi
done
if [ "${done}" -eq 1 ]; then
brew watch-task --mine;
else
echo "Nothing to do.";
fi
# Local Variables:
# compile-command: "shellcheck tag_rhel.sh"
# fill-column: 80
# indent-tabs-mode: nil
# sh-basic-offset: 4
# End:
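Review bot: The membership test `echo "${buildtags}" | grep -q "${vertag}"` is an unanchored regex match, so the dots in a version act as wildcards and `rhel-10.3` would also be satisfied by a tag beginning `rhel-10.3-z`, if such a tag exists; the build is then reported as already tagged and that stream is skipped. At minimum use a fixed-string match, `grep -qF -- "${vertag}"`, and preferably compare against the exact tag names the stream can carry. The message printed on a match names `${proposedtag}` although only `${vertag}` was checked, which is misleading when the existing tag has a different suffix. Separately, `shift 3` runs before the argument checks, so under a strict POSIX sh (dash, for example) a call with fewer than three arguments may abort in `shift` rather than print `${CMD_SYNTAX}`.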


@ -0,0 +1,67 @@
#!/bin/sh
# Copyright (C) 2026 Red Hat, Inc.
# Written by:
# Andrew John Hughes <gnu.andrew@redhat.com>
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as
# published by the Free Software Foundation, either version 3 of the
# License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# Tag newer PQC embargoed RHEL 10 RPMs into supported z-streams
BUILD=${1}
if test "${BUILD}" = ""; then
echo "${0} <BUILD>";
exit 1;
fi
BUILDLOG=$(mktemp --tmpdir "temp-${BUILD}-buildinfo-XXX")
SUPPORTED_VERS="10.2-z 10.1-z"
WORKING_DIR=$(dirname "${0}")
EMBARGOED_SUFFIX="nocompose-candidate"
echo "Obtaining buildinfo for ${BUILD}...";
brew buildinfo "${BUILD}" 2>&1 | tee "${BUILDLOG}" > /dev/null
echo "Checking signatures for ${BUILD}...";
"${WORKING_DIR}"/check_signatures.sh "${BUILDLOG}"
# Return codes:
# - 1 - Buildinfo file not specified
# - 2 = Missing buildinfo file
# - 3 = No signatures
# - 4 = Multiple signature types found
# - 5 = PQC signature found
# - 6 = Old signature (fd431d51) found
# - 7 = Unknown signature found
ret=$?;
if [ "${ret}" -eq 6 ] ; then
echo "Build has old signatures which should not be the case for OpenJDK 25";
exit 2;
elif ! { [ "${ret}" -eq 6 ] || [ "${ret}" -eq 3 ] ; } ; then
echo "Signature check failed.";
exit 3;
fi
echo "Tagging embargoed build for ${SUPPORTED_VERS}...";
"${WORKING_DIR}"/tag_rhel.sh "${BUILD}" "${BUILDLOG}" "${EMBARGOED_SUFFIX}" "${SUPPORTED_VERS}"
rm -f "${BUILDLOG}"
# Local Variables:
# compile-command: "shellcheck tag_rhel_10_embargoed_pqc.sh"
# fill-column: 80
# indent-tabs-mode: nil
# sh-basic-offset: 4
# End:
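Review bot: The `-eq 6` test inside `elif ! { [ "${ret}" -eq 6 ] || [ "${ret}" -eq 3 ] ; }` is dead, because the preceding `if` already exits on 6; in practice only return code 3 (no signatures) gets past this block and a PQC-signed build (5) is rejected with "Signature check failed.". The public variants test `-eq 5` at the same place and the header comment says this script tags PQC builds, so this looks like a copy error; if so the line should read `elif ! { [ "${ret}" -eq 5 ] || [ "${ret}" -eq 3 ] ; } ; then`. If rejecting signed embargoed builds is intended, drop the dead `-eq 6` and say so in a comment. tag_rhel_9_embargoed_pqc.sh has the identical line.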


@ -0,0 +1,67 @@
#!/bin/sh
# Copyright (C) 2026 Red Hat, Inc.
# Written by:
# Andrew John Hughes <gnu.andrew@redhat.com>
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as
# published by the Free Software Foundation, either version 3 of the
# License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# Tag newer PQC public RHEL 10 RPMs into gating for all supported streams
BUILD=${1}
if test "${BUILD}" = ""; then
echo "${0} <BUILD>";
exit 1;
fi
BUILDLOG=$(mktemp --tmpdir "temp-${BUILD}-buildinfo-XXX")
SUPPORTED_VERS="10.3 10.2-z 10.1-z"
WORKING_DIR=$(dirname "${0}")
GATE_SUFFIX="gate"
echo "Obtaining buildinfo for ${BUILD}...";
brew buildinfo "${BUILD}" 2>&1 | tee "${BUILDLOG}" > /dev/null
echo "Checking signatures for ${BUILD}...";
"${WORKING_DIR}"/check_signatures.sh "${BUILDLOG}"
# Return codes:
# - 1 - Buildinfo file not specified
# - 2 = Missing buildinfo file
# - 3 = No signatures
# - 4 = Multiple signature types found
# - 5 = PQC signature found
# - 6 = Old signature (fd431d51) found
# - 7 = Unknown signature found
ret=$?;
if [ "${ret}" -eq 6 ] ; then
echo "Build has old signatures which should not be the case for OpenJDK 25";
exit 2;
elif ! { [ "${ret}" -eq 5 ] || [ "${ret}" -eq 3 ] ; } ; then
echo "Signature check failed.";
exit 3;
fi
echo "Tagging build into gating for ${SUPPORTED_VERS}...";
"${WORKING_DIR}"/tag_rhel.sh "${BUILD}" "${BUILDLOG}" "${GATE_SUFFIX}" "${SUPPORTED_VERS}"
rm -f "${BUILDLOG}"
# Local Variables:
# compile-command: "shellcheck tag_rhel_10_public_pqc.sh"
# fill-column: 80
# indent-tabs-mode: nil
# sh-basic-offset: 4
# End:
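Review bot: A failed `brew buildinfo` is indistinguishable from an unsigned build here, because `brew buildinfo "${BUILD}" 2>&1 | tee "${BUILDLOG}" > /dev/null` discards brew's exit status and check_signatures.sh returns 3 for any file without a `Signatures` line; return code 3 is then accepted and the script goes on to tag. Checking the command directly closes that gap: `brew buildinfo "${BUILD}" > "${BUILDLOG}" 2>&1 || { echo "brew buildinfo failed."; rm -f "${BUILDLOG}"; exit 4; }`. The early `exit 2` and `exit 3` paths also leave `${BUILDLOG}` behind, since `rm -f` is only reached on success. The same lines appear in tag_rhel_10_embargoed_pqc.sh, tag_rhel_9_embargoed_pqc.sh and tag_rhel_9_public_pqc.sh.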


@ -0,0 +1,67 @@
#!/bin/sh
# Copyright (C) 2026 Red Hat, Inc.
# Written by:
# Andrew John Hughes <gnu.andrew@redhat.com>
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as
# published by the Free Software Foundation, either version 3 of the
# License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# Tag newer PQC embargoed RHEL 9 RPMs into supported z-streams
BUILD=${1}
if test "${BUILD}" = ""; then
echo "${0} <BUILD>";
exit 1;
fi
BUILDLOG=$(mktemp --tmpdir "temp-${BUILD}-buildinfo-XXX")
SUPPORTED_VERS="9.8.0-z 9.7.0-z"
WORKING_DIR=$(dirname "${0}")
EMBARGOED_SUFFIX="nocompose-candidate"
echo "Obtaining buildinfo for ${BUILD}...";
brew buildinfo "${BUILD}" 2>&1 | tee "${BUILDLOG}" > /dev/null
echo "Checking signatures for ${BUILD}...";
"${WORKING_DIR}"/check_signatures.sh "${BUILDLOG}"
# Return codes:
# - 1 - Buildinfo file not specified
# - 2 = Missing buildinfo file
# - 3 = No signatures
# - 4 = Multiple signature types found
# - 5 = PQC signature found
# - 6 = Old signature (fd431d51) found
# - 7 = Unknown signature found
ret=$?;
if [ "${ret}" -eq 6 ] ; then
echo "Build has old signatures which should not be the case for OpenJDK 25";
exit 2;
elif ! { [ "${ret}" -eq 6 ] || [ "${ret}" -eq 3 ] ; } ; then
echo "Signature check failed.";
exit 3;
fi
echo "Tagging embargoed build for ${SUPPORTED_VERS}...";
"${WORKING_DIR}"/tag_rhel.sh "${BUILD}" "${BUILDLOG}" "${EMBARGOED_SUFFIX}" "${SUPPORTED_VERS}"
rm -f "${BUILDLOG}"
# Local Variables:
# compile-command: "shellcheck tag_rhel_9_embargoed_pqc.sh"
# fill-column: 80
# indent-tabs-mode: nil
# sh-basic-offset: 4
# End:


@ -0,0 +1,67 @@
#!/bin/sh
# Copyright (C) 2026 Red Hat, Inc.
# Written by:
# Andrew John Hughes <gnu.andrew@redhat.com>
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as
# published by the Free Software Foundation, either version 3 of the
# License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# Tag newer PQC public RHEL 9 RPMs into gating for all supported streams
BUILD=${1}
if test "${BUILD}" = ""; then
echo "${0} <BUILD>";
exit 1;
fi
BUILDLOG=$(mktemp --tmpdir "temp-${BUILD}-buildinfo-XXX")
SUPPORTED_VERS="9.9.0 9.8.0-z 9.7.0-z"
WORKING_DIR=$(dirname "${0}")
GATE_SUFFIX="gate"
echo "Obtaining buildinfo for ${BUILD}...";
brew buildinfo "${BUILD}" 2>&1 | tee "${BUILDLOG}" > /dev/null
echo "Checking signatures for ${BUILD}...";
"${WORKING_DIR}"/check_signatures.sh "${BUILDLOG}"
# Return codes:
# - 1 - Buildinfo file not specified
# - 2 = Missing buildinfo file
# - 3 = No signatures
# - 4 = Multiple signature types found
# - 5 = PQC signature found
# - 6 = Old signature (fd431d51) found
# - 7 = Unknown signature found
ret=$?;
if [ "${ret}" -eq 6 ] ; then
echo "Build has old signatures which should not be the case for OpenJDK 25";
exit 2;
elif ! { [ "${ret}" -eq 5 ] || [ "${ret}" -eq 3 ] ; } ; then
echo "Signature check failed.";
exit 3;
fi
echo "Tagging build into gating for ${SUPPORTED_VERS}...";
"${WORKING_DIR}"/tag_rhel.sh "${BUILD}" "${BUILDLOG}" "${GATE_SUFFIX}" "${SUPPORTED_VERS}"
rm -f "${BUILDLOG}"
# Local Variables:
# compile-command: "shellcheck tag_rhel_9_public_pqc.sh"
# fill-column: 80
# indent-tabs-mode: nil
# sh-basic-offset: 4
# End:

132
scripts/builds/waive_issue.sh Executable file

@ -0,0 +1,132 @@
#!/bin/bash
# Copyright (C) 2026 Red Hat, Inc.
# Written by:
# Andrew John Hughes <gnu.andrew@redhat.com>
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as
# published by the Free Software Foundation, either version 3 of the
# License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# Waive a gating issue
RHEL_VER=${1}
NVR=${2}
TESTCASE=${3}
COMMENT=${4}
CURL=$(command -v curl)
JSON_TOOL=$(command -v json_verify)
JSON_FORMAT=$(command -v jq)
JSON_FILE=$(mktemp --tmpdir waive.XXXXXX.json)
HEADER_FILE=$(mktemp --tmpdir waive.XXXXXX.headers)
JSON_OUT=$(mktemp --tmpdir out.XXXXXX.json)
CACERT=/etc/ssl/certs/2022-IT-Root-CA.pem
CACERT_DIR=$(dirname ${CACERT})
URL="https://waiverdb.engineering.redhat.com/api/v1.0/waivers/"
if test -z "${JSON_TOOL}" -o ! -x "${JSON_TOOL}" ; then
echo "JSON verifier not found. Skipping verification.";
SKIP_JSON=1;
else
SKIP_JSON=0;
fi
if test "x${RHEL_VER}" = "x"; then
echo "No RHEL version specified.";
echo "${0} <RHEL_VER> <NVR> <TESTCASE> <COMMENT>";
exit 1;
fi
if test "x${NVR}" = "x"; then
echo "No NVR specified.";
echo "${0} <RHEL_VER> <NVR> <TESTCASE> <COMMENT>";
exit 2;
fi
if test "x${TESTCASE}" = "x"; then
echo "No testcase specified.";
echo "${0} <RHEL_VER> <NVR> <TESTCASE> <COMMENT>";
exit 3;
fi
if test "x${COMMENT}" = "x"; then
COMMENT="Gating broken";
echo "Setting COMMENT to default of '${COMMENT}'"
fi
if test "${CURL}" = ""; then
echo "curl not found";
exit 4;
fi
if test "${JSON_FORMAT}" = ""; then
echo "jq not found";
exit 5;
fi
{
echo "{";
printf "\t\"subject_type\":\"brew-build\",\n";
printf "\t\"subject_identifier\":\"%s\",\n" "${NVR}";
printf "\t\"testcase\":\"%s\",\n" "${TESTCASE}";
printf "\t\"waived\":true,\n";
printf "\t\"product_version\":\"rhel-%d\",\n" "${RHEL_VER}"
printf "\t\"comment\":\"%s\"\n" "${COMMENT}";
echo "}"
} > "${JSON_FILE}"
if [ "${SKIP_JSON}" -eq 0 ] ; then
"${JSON_TOOL}" < "${JSON_FILE}" || exit 6;
fi
CMD=("${CURL}" --silent --show-error --capath "${CACERT_DIR}" --negotiate -u :)
JSON_COMMAND="--json";
# Check --json is available
${CURL} ${JSON_COMMAND} 2> /dev/null
if [ $? -eq 2 ] ; then
echo "--json unsupported; falling back on --data-binary";
{
echo "Content-Type: application/json";
echo "Accept: application/json";
} > "${HEADER_FILE}"
echo "Header file:";
cat "${HEADER_FILE}"
CMD=("${CMD[@]}" --header "@${HEADER_FILE}" --data-binary);
else
CMD=("${CMD[@]}" "${JSON_COMMAND}");
fi
CMD=("${CMD[@]}" "@${JSON_FILE}" "${URL}")
echo "Sending the following JSON...";
cat "${JSON_FILE}"
echo "${CMD[@]}"
if command "${CMD[@]}" > "${JSON_OUT}" ; then
"${JSON_FORMAT}" < "${JSON_OUT}"
else
echo "Failed to file waiver";
exit 7;
fi
rm -v "${JSON_FILE}"
rm -v "${HEADER_FILE}"
# Local Variables:
# compile-command: "shellcheck waive_issue.sh"
# fill-column: 80
# indent-tabs-mode: nil
# sh-basic-offset: 4
# End:
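Review bot: `CACERT` names a specific root certificate, but only its directory reaches curl via `--capath "${CACERT_DIR}"`, so curl is pointed at every certificate in `/etc/ssl/certs` rather than at that one CA, and a missing `2022-IT-Root-CA.pem` goes unnoticed. If the intent is to trust that root for waiverdb, `--cacert "${CACERT}"` states it directly and fails early when the file is absent. `$(dirname ${CACERT})` should be quoted in either case. Since this call authenticates with `--negotiate -u :` and changes gating state, `JSON_OUT` and, on the `exit 6` and `exit 7` paths, `JSON_FILE` and `HEADER_FILE` should be removed by an `EXIT` trap rather than left in the temp directory.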


@ -1,6 +1,6 @@
#!/bin/sh
# Copyright (C) 2024 Red Hat, Inc.
# Copyright (C) 2026 Red Hat, Inc.
# Written by:
# Andrew John Hughes <gnu.andrew@redhat.com>
#
@ -17,26 +17,29 @@
# You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# Builds the RPM on RHEL 8
# Waive the leapp gating test which never seems to work
NVR=${1}
USER=${2}
RHEL_VER=${1}
NVR=${2}
if test "${NVR}" = ""; then
echo "${0} <NVR> <USER>";
WORKING_DIR=$(dirname "${0}")
if test "x${RHEL_VER}" = "x"; then
echo "No RHEL version specified.";
echo "${0} <RHEL_VER> <NVR>";
exit 1;
fi
if test "${USER}" = ""; then
echo "${0} <NVR> <USER>";
if test "x${NVR}" = "x"; then
echo "No NVR specified.";
echo "${0} <RHEL_VER> <NVR>";
exit 2;
fi
METADATA="{\"osci\": {\"upstream_nvr\": \"${NVR}\", \"upstream_owner_name\": \"${USER}\"}, \"rhel-target\": \"latest\"}"
rhpkg -v build --target=java-openjdk-rhel-8-build --custom-user-metadata "${METADATA}"
"${WORKING_DIR}"/waive_issue.sh "${RHEL_VER}" "${NVR}" leapp.brew-build.upgrade.distro "AWOL"
# Local Variables:
# compile-command: "shellcheck build_rhel_8.sh"
# compile-command: "shellcheck waive_leapp_issue.sh"
# fill-column: 80
# indent-tabs-mode: nil
# sh-basic-offset: 4


@ -0,0 +1,53 @@
#!/bin/sh
# Copyright (C) 2026 Red Hat, Inc.
# Written by:
# Andrew John Hughes <gnu.andrew@redhat.com>
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as
# published by the Free Software Foundation, either version 3 of the
# License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# Waive a rpminspect gating issue
RHEL_VER=${1}
NVR=${2}
COMMENT=${3}
WORKING_DIR=$(dirname "${0}")
if test "x${RHEL_VER}" = "x"; then
echo "No RHEL version specified.";
echo "${0} <RHEL_VER> <NVR> <COMMENT>";
exit 1;
fi
if test "x${NVR}" = "x"; then
echo "No NVR specified.";
echo "${0} <RHEL_VER> <NVR> <COMMENT>";
exit 2;
fi
if test "${COMMENT}" = ""; then
echo "No comment specified.";
echo "${0} <RHEL_VER> <NVR> <COMMENT>";
exit 3;
fi
"${WORKING_DIR}"/waive_issue.sh "${RHEL_VER}" "${NVR}" osci.brew-build.rpminspect.static-analysis "${COMMENT}"
# Local Variables:
# compile-command: "shellcheck waive_rpminspect.sh"
# fill-column: 80
# indent-tabs-mode: nil
# sh-basic-offset: 4
# End:


@ -0,0 +1,46 @@
#!/bin/sh
# Copyright (C) 2026 Red Hat, Inc.
# Written by:
# Andrew John Hughes <gnu.andrew@redhat.com>
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as
# published by the Free Software Foundation, either version 3 of the
# License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# Waive the recurring rpminspect gating issues
# Should be resolved by RHELPLAN-102267
RHEL_VER=${1}
NVR=${2}
if test "x${RHEL_VER}" = "x"; then
echo "No RHEL version specified.";
echo "${0} <RHEL_VER> <NVR>";
exit 1;
fi
if test "x${NVR}" = "x"; then
echo "No NVR specified.";
echo "${0} <RHEL_VER> <NVR>";
exit 2;
fi
"${WORKING_DIR}"/waive_rpminspect.sh "${RHEL_VER}" "${NVR}" \
"Usual failures we waived through rpmdiff; slowdebug unoptimised, RPATH and IPv4 functions"
# Local Variables:
# compile-command: "shellcheck waive_usual_rpminspect.sh"
# fill-column: 80
# indent-tabs-mode: nil
# sh-basic-offset: 4
# End:
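Review bot: `WORKING_DIR` is never assigned in this script, so `"${WORKING_DIR}"/waive_rpminspect.sh` expands to `/waive_rpminspect.sh` unless the caller's environment happens to define the variable, and the call either fails or runs whatever lives at that path. The sibling wrappers set it with `WORKING_DIR=$(dirname "${0}")` before the argument checks; the same line is needed here after `NVR=${2}`.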


@ -1,6 +1,6 @@
#!/bin/sh
# Copyright (C) 2024 Red Hat, Inc.
# Copyright (C) 2026 Red Hat, Inc.
# Written by:
# Andrew John Hughes <gnu.andrew@redhat.com>
#
@ -17,12 +17,30 @@
# You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# Builds the portable on RHEL 7
# Waive the usual tier0 gating issue
# Should be resolved by OPENJDK-4517
rhpkg -v build --target=java-openjdk-rhel-7-build --skip-nvr-check
RHEL_VER=${1}
NVR=${2}
WORKING_DIR=$(dirname "${0}")
if test "x${RHEL_VER}" = "x"; then
echo "No RHEL version specified.";
echo "${0} <RHEL_VER> <NVR>";
exit 1;
fi
if test "x${NVR}" = "x"; then
echo "No NVR specified.";
echo "${0} <RHEL_VER> <NVR>";
exit 2;
fi
"${WORKING_DIR}"/waive_issue.sh "${RHEL_VER}" "${NVR}" osci.brew-build.tier0.functional "Test unable to parse spec file"
# Local Variables:
# compile-command: "shellcheck build_rhel_7_portable_build.sh"
# compile-command: "shellcheck waive_usual_tier0.sh"
# fill-column: 80
# indent-tabs-mode: nil
# sh-basic-offset: 4