From 68b316d15ba71717609fb8ff2a63d51253deaedc Mon Sep 17 00:00:00 2001 From: Andrew Hughes Date: Tue, 25 Nov 2025 15:30:30 +0000 Subject: [PATCH 1/4] Add tagging scripts with signature checks and gating handling Resolves: RHEL-147634 --- java-25-openjdk.spec | 6 +- scripts/builds/build_rhel_7_portable_build.sh | 29 ------- scripts/builds/build_rhel_8.sh | 43 --------- scripts/builds/check_signatures.sh | 77 ++++++++++++++++ scripts/builds/tag_rhel.sh | 87 +++++++++++++++++++ scripts/builds/tag_rhel_10_embargoed_pqc.sh | 67 ++++++++++++++ scripts/builds/tag_rhel_10_public_pqc.sh | 67 ++++++++++++++ scripts/builds/tag_rhel_9_embargoed_pqc.sh | 67 ++++++++++++++ scripts/builds/tag_rhel_9_public_pqc.sh | 67 ++++++++++++++ 9 files changed, 437 insertions(+), 73 deletions(-) delete mode 100755 scripts/builds/build_rhel_7_portable_build.sh delete mode 100755 scripts/builds/build_rhel_8.sh create mode 100755 scripts/builds/check_signatures.sh create mode 100755 scripts/builds/tag_rhel.sh create mode 100755 scripts/builds/tag_rhel_10_embargoed_pqc.sh create mode 100755 scripts/builds/tag_rhel_10_public_pqc.sh create mode 100755 scripts/builds/tag_rhel_9_embargoed_pqc.sh create mode 100755 scripts/builds/tag_rhel_9_public_pqc.sh diff --git a/java-25-openjdk.spec b/java-25-openjdk.spec index d8992ba..c7cba2a 100644 --- a/java-25-openjdk.spec +++ b/java-25-openjdk.spec @@ -349,7 +349,7 @@ %global top_level_dir_name %{vcstag} %global top_level_dir_name_backup %{top_level_dir_name}-backup %global buildver 10 -%global rpmrelease 3 +%global rpmrelease 4 # Settings used by the portable build %global portablerelease 3 # Portable suffix differs between RHEL and CentOS 
@@ -2614,6 +2614,10 @@ exit 0 %endif %changelog +* Thu Mar 12 2026 Andrew Hughes - 1:25.0.2.0.10-4 +- Add tagging scripts with signature checks and gating handling +- Resolves: RHEL-155327 + * Wed Mar 11 2026 Thomas Fitzsimmons - 1:25.0.2.0.10-3 - Disable abidiff inspection in rpminspect.yaml to avoid an out-of-memory error on the CentOS test farm - See: https://docs.testing-farm.io/Testing%20Farm/0.1/errors.html#TFE-1 diff --git a/scripts/builds/build_rhel_7_portable_build.sh b/scripts/builds/build_rhel_7_portable_build.sh deleted file mode 100755 index 0cf02d0..0000000 --- a/scripts/builds/build_rhel_7_portable_build.sh +++ /dev/null @@ -1,29 +0,0 @@ -#!/bin/sh - -# Copyright (C) 2024 Red Hat, Inc. -# Written by: -# Andrew John Hughes -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU Affero General Public License as -# published by the Free Software Foundation, either version 3 of the -# License, or (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU Affero General Public License for more details. -# -# You should have received a copy of the GNU Affero General Public License -# along with this program. If not, see . - -# Builds the portable on RHEL 7 - -rhpkg -v build --target=java-openjdk-rhel-7-build --skip-nvr-check - -# Local Variables: -# compile-command: "shellcheck build_rhel_7_portable_build.sh" -# fill-column: 80 -# indent-tabs-mode: nil -# sh-basic-offset: 4 -# End: diff --git a/scripts/builds/build_rhel_8.sh b/scripts/builds/build_rhel_8.sh deleted file mode 100755 index c1ea948..0000000 --- a/scripts/builds/build_rhel_8.sh +++ /dev/null 
@@ -1,43 +0,0 @@ -#!/bin/sh - -# Copyright (C) 2024 Red Hat, Inc. -# Written by: -# Andrew John Hughes -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU Affero General Public License as -# published by the Free Software Foundation, either version 3 of the -# License, or (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU Affero General Public License for more details. -# -# You should have received a copy of the GNU Affero General Public License -# along with this program. If not, see . - -# Builds the RPM on RHEL 8 - -NVR=${1} -USER=${2} - -if test "${NVR}" = ""; then - echo "${0} "; - exit 1; -fi - -if test "${USER}" = ""; then - echo "${0} "; - exit 2; -fi - -METADATA="{\"osci\": {\"upstream_nvr\": \"${NVR}\", \"upstream_owner_name\": \"${USER}\"}, \"rhel-target\": \"latest\"}" -rhpkg -v build --target=java-openjdk-rhel-8-build --custom-user-metadata "${METADATA}" - -# Local Variables: -# compile-command: "shellcheck build_rhel_8.sh" -# fill-column: 80 -# indent-tabs-mode: nil -# sh-basic-offset: 4 -# End: diff --git a/scripts/builds/check_signatures.sh b/scripts/builds/check_signatures.sh new file mode 100755 index 0000000..815a97c --- /dev/null +++ b/scripts/builds/check_signatures.sh 
@@ -0,0 +1,77 @@ +#!/bin/sh + +# Copyright (C) 2026 Red Hat, Inc. +# Written by: +# Andrew John Hughes +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as +# published by the Free Software Foundation, either version 3 of the +# License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU Affero General Public License for more details. +# +# You should have received a copy of the GNU Affero General Public License +# along with this program. If not, see . + +# Check the signatures (if any) in RHEL RPM buildinfo +# This is intended to be run from the tagging scripts + +# Return codes: +# - 1 - Buildinfo file not specified +# - 2 = Missing buildinfo file +# - 3 = No signatures +# - 4 = Multiple signature types found +# - 5 = PQC signature found +# - 6 = Old signature (fd431d51) found +# - 7 = Unknown signature found + +BUILDINFO=${1} +NEW_SIGNATURE="release4"; +OLD_SIGNATURE="fd431d51"; + +if test "${BUILDINFO}" = ""; then + echo "${0} "; + exit 1; +fi + +if ! 
test -e "${BUILDINFO}" ; then + echo "${BUILDINFO} not found."; + exit 2; +fi + +if cat ${BUILDINFO} | grep -q Signatures ; then + signature=$(cat ${BUILDINFO} | grep Signatures|cut -d ' ' -f 2-|uniq -c); + uniq_count=$(echo ${signature} | wc -l); + if test ${uniq_count} -gt 1; then + echo "Multiple signature types found:"; + echo "${signature}"; + exit 4; + fi + sig_count=$(echo ${signature} | cut -d ' ' -f 1); + sig_type=$(echo ${signature} | cut -d ' ' -f 2); + echo "${sig_count} signatures of type ${sig_type} found"; + if echo "${sig_type}" | grep -q "${NEW_SIGNATURE}" ; then + echo "PQC signature found."; + exit 5; + elif echo "${sig_type}" | grep -q "${OLD_SIGNATURE}"; then + echo "Old pre-PQC signature found."; + exit 6; + else + echo "Unknown signature found."; + exit 7; + fi +else + echo "Build has no signatures."; + exit 3; +fi + +# Local Variables: +# compile-command: "shellcheck check_signatures.sh" +# fill-column: 80 +# indent-tabs-mode: nil +# sh-basic-offset: 4 +# End: diff --git a/scripts/builds/tag_rhel.sh b/scripts/builds/tag_rhel.sh new file mode 100755 index 0000000..7b733d8 --- /dev/null +++ b/scripts/builds/tag_rhel.sh 
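Review bot: The multiple-signature check in check_signatures.sh can never trigger, because `uniq_count=$(echo ${signature} | wc -l)` expands `${signature}` unquoted, so the newlines from `uniq -c` are folded into spaces and `wc -l` always prints 1. A build whose buildinfo lists more than one signature type is then classified by whichever type comes first, and exit 4 is never returned to the tagging scripts. Counting with the value quoted, `uniq_count=$(printf '%s\n' "${signature}" | wc -l)`, restores the check, and putting `sort` ahead of `uniq -c` makes it hold when the types are interleaved rather than adjacent. The two `cat ${BUILDINFO} | grep` calls also leave the path unquoted; `grep -q Signatures "${BUILDINFO}"` avoids that.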
@@ -0,0 +1,87 @@ +#!/bin/sh + +# Copyright (C) 2026 Red Hat, Inc. +# Written by: +# Andrew John Hughes +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as +# published by the Free Software Foundation, either version 3 of the +# License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU Affero General Public License for more details. +# +# You should have received a copy of the GNU Affero General Public License +# along with this program. If not, see . + +# Tag public RHEL RPMs into gating for all supported streams +# This is intended to be run from tag_rhel__(public|embargoed).sh + +BUILD="${1}" +BUILDLOG="${2}" +SUFFIX="${3}" +shift 3; +SUPPORTED_VERS="$*" + +CMD_SYNTAX="${0} "; +GATE_SUFFIX="gate" + +if test "${BUILD}" = ""; then + echo "${CMD_SYNTAX}"; + exit 1; +fi + +if test "${BUILDLOG}" = ""; then + echo "${CMD_SYNTAX}"; + exit 2; +fi + +if test "${SUPPORTED_VERS}" = ""; then + echo "${CMD_SYNTAX}"; + exit 3; +fi + +buildtags=$(grep "^Tag" "${BUILDLOG}" | cut -d : -f 2-) +echo "Build has tags ${buildtags}"; + +if [ "${SUFFIX}" = "${GATE_SUFFIX}" ] ; then + echo "Gating system can only handle one tag at a time." + echo "Script will need to be re-run for subsequent tags once previous tag has moved to -candidate." + if echo "${buildtags}" | grep -q "${GATE_SUFFIX}"; then + echo "Tag with \"-${GATE_SUFFIX}\" found. 
Please complete gating before re-running."; + exit 1; + fi +fi + +done=0; +for ver in ${SUPPORTED_VERS}; do + vertag="rhel-${ver}"; + proposedtag="${vertag}-${SUFFIX}"; + echo "Checking if ${BUILD} has been added to ${vertag}..."; + if echo "${buildtags}" | grep -q "${vertag}" ; then + echo "${BUILD} has been tagged into ${proposedtag}"; + else + if [ "${SUFFIX}" = "${GATE_SUFFIX}" ] && [ "${done}" -eq 1 ]; then + echo "Already added a tag. Need to tag ${proposedtag} in a future run."; + else + echo "Tagging ${BUILD} into ${proposedtag}"; + brew tag-build --nowait "${proposedtag}" "${BUILD}"; + done=1; + fi + fi +done +if [ "${done}" -eq 1 ]; then + brew watch-task --mine; +else + echo "Nothing to do."; +fi + +# Local Variables: +# compile-command: "shellcheck tag_rhel.sh" +# fill-column: 80 +# indent-tabs-mode: nil +# sh-basic-offset: 4 +# End: diff --git a/scripts/builds/tag_rhel_10_embargoed_pqc.sh b/scripts/builds/tag_rhel_10_embargoed_pqc.sh new file mode 100755 index 0000000..63a1a2d --- /dev/null +++ b/scripts/builds/tag_rhel_10_embargoed_pqc.sh 
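Review bot: `shift 3` in tag_rhel.sh runs before any argument is validated, so the three usage checks below it do not protect against a short argument list. With fewer than three arguments the shift fails; depending on the shell, the script either stops without printing the usage line or carries on with nothing shifted, in which case `SUPPORTED_VERS="$*"` still holds the build and log names and the loop would build tag names from them. `SUFFIX` is also never checked for being empty, which would yield a proposed tag ending in `-`. A guard placed ahead of the shift covers all of these: `if [ "$#" -lt 4 ]; then echo "usage: ${0} BUILD BUILDLOG SUFFIX VERSION..." >&2; exit 1; fi`.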
@@ -0,0 +1,67 @@ +#!/bin/sh + +# Copyright (C) 2026 Red Hat, Inc. +# Written by: +# Andrew John Hughes +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as +# published by the Free Software Foundation, either version 3 of the +# License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU Affero General Public License for more details. +# +# You should have received a copy of the GNU Affero General Public License +# along with this program. If not, see . + +# Tag newer PQC embargoed RHEL 10 RPMs into supported z-streams + +BUILD=${1} + +if test "${BUILD}" = ""; then + echo "${0} "; + exit 1; +fi + +BUILDLOG=$(mktemp --tmpdir "temp-${BUILD}-buildinfo-XXX") +SUPPORTED_VERS="10.1-z" +WORKING_DIR=$(dirname "${0}") +EMBARGOED_SUFFIX="nocompose-candidate" + +echo "Obtaining buildinfo for ${BUILD}..."; +brew buildinfo "${BUILD}" 2>&1 | tee "${BUILDLOG}" > /dev/null + +echo "Checking signatures for ${BUILD}..."; +"${WORKING_DIR}"/check_signatures.sh "${BUILDLOG}" + +# Return codes: +# - 1 - Buildinfo file not specified +# - 2 = Missing buildinfo file +# - 3 = No signatures +# - 4 = Multiple signature types found +# - 5 = PQC signature found +# - 6 = Old signature (fd431d51) found +# - 7 = Unknown signature found +ret=$?; +if [ "${ret}" -eq 6 ] ; then + echo "Build has old signatures which should not be the case for OpenJDK 25"; + exit 2; +elif ! 
{ [ "${ret}" -eq 6 ] || [ "${ret}" -eq 3 ] ; } ; then + echo "Signature check failed."; + exit 3; +fi + +echo "Tagging embargoed build for ${SUPPORTED_VERS}..."; +"${WORKING_DIR}"/tag_rhel.sh "${BUILD}" "${BUILDLOG}" "${EMBARGOED_SUFFIX}" "${SUPPORTED_VERS}" + +rm -f "${BUILDLOG}" + +# Local Variables: +# compile-command: "shellcheck tag_rhel_10_embargoed_pqc.sh" +# fill-column: 80 +# indent-tabs-mode: nil +# sh-basic-offset: 4 +# End: diff --git a/scripts/builds/tag_rhel_10_public_pqc.sh b/scripts/builds/tag_rhel_10_public_pqc.sh new file mode 100755 index 0000000..5f4a3c4 --- /dev/null +++ b/scripts/builds/tag_rhel_10_public_pqc.sh 
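Review bot: The signature gate fails open when `brew buildinfo` itself fails. The pipeline `brew buildinfo "${BUILD}" 2>&1 | tee "${BUILDLOG}" > /dev/null` discards brew's exit status and writes its error text into the log; check_signatures.sh then finds no `Signatures` line and exits 3, and 3 is an accepted status, so the script goes on to tag. The same sequence is in tag_rhel_10_public_pqc.sh, tag_rhel_9_embargoed_pqc.sh and tag_rhel_9_public_pqc.sh. Assuming brew returns a non-zero status on failure, testing it directly keeps a lookup error from being read as an unsigned build: `if ! brew buildinfo "${BUILD}" > "${BUILDLOG}" 2>&1; then echo "brew buildinfo failed" >&2; exit 4; fi`.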
@@ -0,0 +1,67 @@ +#!/bin/sh + +# Copyright (C) 2026 Red Hat, Inc. +# Written by: +# Andrew John Hughes +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as +# published by the Free Software Foundation, either version 3 of the +# License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU Affero General Public License for more details. +# +# You should have received a copy of the GNU Affero General Public License +# along with this program. If not, see . + +# Tag newer PQC public RHEL 10 RPMs into gating for all supported streams + +BUILD=${1} + +if test "${BUILD}" = ""; then + echo "${0} "; + exit 1; +fi + +BUILDLOG=$(mktemp --tmpdir "temp-${BUILD}-buildinfo-XXX") +SUPPORTED_VERS="10.2 10.1-z" +WORKING_DIR=$(dirname "${0}") +GATE_SUFFIX="gate" + +echo "Obtaining buildinfo for ${BUILD}..."; +brew buildinfo "${BUILD}" 2>&1 | tee "${BUILDLOG}" > /dev/null + +echo "Checking signatures for ${BUILD}..."; +"${WORKING_DIR}"/check_signatures.sh "${BUILDLOG}" + +# Return codes: +# - 1 - Buildinfo file not specified +# - 2 = Missing buildinfo file +# - 3 = No signatures +# - 4 = Multiple signature types found +# - 5 = PQC signature found +# - 6 = Old signature (fd431d51) found +# - 7 = Unknown signature found +ret=$?; +if [ "${ret}" -eq 6 ] ; then + echo "Build has old signatures which should not be the case for OpenJDK 25"; + exit 2; +elif ! 
{ [ "${ret}" -eq 5 ] || [ "${ret}" -eq 3 ] ; } ; then + echo "Signature check failed."; + exit 3; +fi + +echo "Tagging build into gating for ${SUPPORTED_VERS}..."; +"${WORKING_DIR}"/tag_rhel.sh "${BUILD}" "${BUILDLOG}" "${GATE_SUFFIX}" "${SUPPORTED_VERS}" + +rm -f "${BUILDLOG}" + +# Local Variables: +# compile-command: "shellcheck tag_rhel_10_public_pqc.sh" +# fill-column: 80 +# indent-tabs-mode: nil +# sh-basic-offset: 4 +# End: diff --git a/scripts/builds/tag_rhel_9_embargoed_pqc.sh b/scripts/builds/tag_rhel_9_embargoed_pqc.sh new file mode 100755 index 0000000..dfa79dd --- /dev/null +++ b/scripts/builds/tag_rhel_9_embargoed_pqc.sh 
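Review bot: The temporary buildinfo file is removed only on the success path; the `exit 2` and `exit 3` branches after the signature check leave it in the temp directory, and the other three tag_rhel_*_pqc.sh scripts do the same. Registering the cleanup right after the `mktemp` line, `trap 'rm -f "${BUILDLOG}"' EXIT`, covers every exit path and makes the final `rm -f` unnecessary. The `mktemp` result is also unchecked, so a `${BUILD}` value the template cannot accept (one containing `/`, for instance) leaves `BUILDLOG` empty; `BUILDLOG=$(mktemp --tmpdir "temp-${BUILD}-buildinfo-XXX") || exit 1` would stop there.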
@@ -0,0 +1,67 @@ +#!/bin/sh + +# Copyright (C) 2026 Red Hat, Inc. +# Written by: +# Andrew John Hughes +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as +# published by the Free Software Foundation, either version 3 of the +# License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU Affero General Public License for more details. +# +# You should have received a copy of the GNU Affero General Public License +# along with this program. If not, see . + +# Tag newer PQC embargoed RHEL 9 RPMs into supported z-streams + +BUILD=${1} + +if test "${BUILD}" = ""; then + echo "${0} "; + exit 1; +fi + +BUILDLOG=$(mktemp --tmpdir "temp-${BUILD}-buildinfo-XXX") +SUPPORTED_VERS="9.7.0-z" +WORKING_DIR=$(dirname "${0}") +EMBARGOED_SUFFIX="nocompose-candidate" + +echo "Obtaining buildinfo for ${BUILD}..."; +brew buildinfo "${BUILD}" 2>&1 | tee "${BUILDLOG}" > /dev/null + +echo "Checking signatures for ${BUILD}..."; +"${WORKING_DIR}"/check_signatures.sh "${BUILDLOG}" + +# Return codes: +# - 1 - Buildinfo file not specified +# - 2 = Missing buildinfo file +# - 3 = No signatures +# - 4 = Multiple signature types found +# - 5 = PQC signature found +# - 6 = Old signature (fd431d51) found +# - 7 = Unknown signature found +ret=$?; +if [ "${ret}" -eq 6 ] ; then + echo "Build has old signatures which should not be the case for OpenJDK 25"; + exit 2; +elif ! 
{ [ "${ret}" -eq 6 ] || [ "${ret}" -eq 3 ] ; } ; then + echo "Signature check failed."; + exit 3; +fi + +echo "Tagging embargoed build for ${SUPPORTED_VERS}..."; +"${WORKING_DIR}"/tag_rhel.sh "${BUILD}" "${BUILDLOG}" "${EMBARGOED_SUFFIX}" "${SUPPORTED_VERS}" + +rm -f "${BUILDLOG}" + +# Local Variables: +# compile-command: "shellcheck tag_rhel_9_embargoed_pqc.sh" +# fill-column: 80 +# indent-tabs-mode: nil +# sh-basic-offset: 4 +# End: diff --git a/scripts/builds/tag_rhel_9_public_pqc.sh b/scripts/builds/tag_rhel_9_public_pqc.sh new file mode 100755 index 0000000..748ab69 --- /dev/null +++ b/scripts/builds/tag_rhel_9_public_pqc.sh 
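Review bot: In the `elif`, `[ "${ret}" -eq 6 ]` can never be true because the preceding `if` has already exited on 6, so the only status this script accepts is 3 (no signatures) and a PQC-signed build (status 5) is rejected with "Signature check failed". The public scripts test `-eq 5` in the same position, which suggests the 6 here may be a copy slip; tag_rhel_10_embargoed_pqc.sh carries the identical condition. If embargoed builds are meant to be unsigned only, `elif [ "${ret}" -ne 3 ]; then` says so directly; if PQC-signed builds should pass, the first test should read `[ "${ret}" -eq 5 ]`. A one-line comment above the check stating which of the two is intended would settle it for the next reader.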
@@ -0,0 +1,67 @@ +#!/bin/sh + +# Copyright (C) 2026 Red Hat, Inc. +# Written by: +# Andrew John Hughes +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as +# published by the Free Software Foundation, either version 3 of the +# License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU Affero General Public License for more details. +# +# You should have received a copy of the GNU Affero General Public License +# along with this program. If not, see . + +# Tag newer PQC public RHEL 9 RPMs into gating for all supported streams + +BUILD=${1} + +if test "${BUILD}" = ""; then + echo "${0} "; + exit 1; +fi + +BUILDLOG=$(mktemp --tmpdir "temp-${BUILD}-buildinfo-XXX") +SUPPORTED_VERS="9.8.0 9.7.0-z" +WORKING_DIR=$(dirname "${0}") +GATE_SUFFIX="gate" + +echo "Obtaining buildinfo for ${BUILD}..."; +brew buildinfo "${BUILD}" 2>&1 | tee "${BUILDLOG}" > /dev/null + +echo "Checking signatures for ${BUILD}..."; +"${WORKING_DIR}"/check_signatures.sh "${BUILDLOG}" + +# Return codes: +# - 1 - Buildinfo file not specified +# - 2 = Missing buildinfo file +# - 3 = No signatures +# - 4 = Multiple signature types found +# - 5 = PQC signature found +# - 6 = Old signature (fd431d51) found +# - 7 = Unknown signature found +ret=$?; +if [ "${ret}" -eq 6 ] ; then + echo "Build has old signatures which should not be the case for OpenJDK 25"; + exit 2; +elif ! 
{ [ "${ret}" -eq 5 ] || [ "${ret}" -eq 3 ] ; } ; then + echo "Signature check failed."; + exit 3; +fi + +echo "Tagging build into gating for ${SUPPORTED_VERS}..."; +"${WORKING_DIR}"/tag_rhel.sh "${BUILD}" "${BUILDLOG}" "${GATE_SUFFIX}" "${SUPPORTED_VERS}" + +rm -f "${BUILDLOG}" + +# Local Variables: +# compile-command: "shellcheck tag_rhel_9_public_pqc.sh" +# fill-column: 80 +# indent-tabs-mode: nil +# sh-basic-offset: 4 +# End: From fde787d90e420d4ff7baf07123f8020250279f12 Mon Sep 17 00:00:00 2001 From: Andrew Hughes Date: Thu, 12 Mar 2026 02:11:01 +0000 Subject: [PATCH 2/4] Update tagged versions to include 9.8.0-z, 9.9.0, 10.2-z & 10.3. Resolves: RHEL-155337 --- java-25-openjdk.spec | 2 ++ scripts/builds/tag_rhel_10_embargoed_pqc.sh | 2 +- scripts/builds/tag_rhel_10_public_pqc.sh | 2 +- scripts/builds/tag_rhel_9_embargoed_pqc.sh | 2 +- scripts/builds/tag_rhel_9_public_pqc.sh | 2 +- 5 files changed, 6 insertions(+), 4 deletions(-) diff --git a/java-25-openjdk.spec b/java-25-openjdk.spec index c7cba2a..2f2f480 100644 --- a/java-25-openjdk.spec +++ b/java-25-openjdk.spec @@ -2616,7 +2616,9 @@ exit 0 %changelog * Thu Mar 12 2026 Andrew Hughes - 1:25.0.2.0.10-4 - Add tagging scripts with signature checks and gating handling +- Update tagged versions to include 9.8.0-z, 9.9.0, 10.2-z & 10.3. - Resolves: RHEL-155327 +- Resolves: RHEL-155337 * Wed Mar 11 2026 Thomas Fitzsimmons - 1:25.0.2.0.10-3 - Disable abidiff inspection in rpminspect.yaml to avoid an out-of-memory error on the CentOS test farm diff --git a/scripts/builds/tag_rhel_10_embargoed_pqc.sh b/scripts/builds/tag_rhel_10_embargoed_pqc.sh index 63a1a2d..3fe9fae 100755 --- a/scripts/builds/tag_rhel_10_embargoed_pqc.sh +++ b/scripts/builds/tag_rhel_10_embargoed_pqc.sh @@ -27,7 +27,7 @@ if test "${BUILD}" = ""; then fi BUILDLOG=$(mktemp --tmpdir "temp-${BUILD}-buildinfo-XXX") -SUPPORTED_VERS="10.1-z" +SUPPORTED_VERS="10.2-z 10.1-z" WORKING_DIR=$(dirname "${0}") EMBARGOED_SUFFIX="nocompose-candidate" 
diff --git a/scripts/builds/tag_rhel_10_public_pqc.sh b/scripts/builds/tag_rhel_10_public_pqc.sh index 5f4a3c4..be996ca 100755 --- a/scripts/builds/tag_rhel_10_public_pqc.sh +++ b/scripts/builds/tag_rhel_10_public_pqc.sh @@ -27,7 +27,7 @@ if test "${BUILD}" = ""; then fi BUILDLOG=$(mktemp --tmpdir "temp-${BUILD}-buildinfo-XXX") -SUPPORTED_VERS="10.2 10.1-z" +SUPPORTED_VERS="10.3 10.2-z 10.1-z" WORKING_DIR=$(dirname "${0}") GATE_SUFFIX="gate" diff --git a/scripts/builds/tag_rhel_9_embargoed_pqc.sh b/scripts/builds/tag_rhel_9_embargoed_pqc.sh index dfa79dd..59668d5 100755 --- a/scripts/builds/tag_rhel_9_embargoed_pqc.sh +++ b/scripts/builds/tag_rhel_9_embargoed_pqc.sh @@ -27,7 +27,7 @@ if test "${BUILD}" = ""; then fi BUILDLOG=$(mktemp --tmpdir "temp-${BUILD}-buildinfo-XXX") -SUPPORTED_VERS="9.7.0-z" +SUPPORTED_VERS="9.8.0-z 9.7.0-z" WORKING_DIR=$(dirname "${0}") EMBARGOED_SUFFIX="nocompose-candidate" diff --git a/scripts/builds/tag_rhel_9_public_pqc.sh b/scripts/builds/tag_rhel_9_public_pqc.sh index 748ab69..8afe106 100755 --- a/scripts/builds/tag_rhel_9_public_pqc.sh +++ b/scripts/builds/tag_rhel_9_public_pqc.sh @@ -27,7 +27,7 @@ if test "${BUILD}" = ""; then fi BUILDLOG=$(mktemp --tmpdir "temp-${BUILD}-buildinfo-XXX") -SUPPORTED_VERS="9.8.0 9.7.0-z" +SUPPORTED_VERS="9.9.0 9.8.0-z 9.7.0-z" WORKING_DIR=$(dirname "${0}") GATE_SUFFIX="gate" From a95cdd67f44b36e62b1372736a0d665465451ae2 Mon Sep 17 00:00:00 2001 
From: Andrew Hughes Date: Fri, 20 Feb 2026 16:02:43 +0000 Subject: [PATCH 3/4] Add gating scripts to simplify obtaining results and waiving issues Resolves: RHEL-155339 --- java-25-openjdk.spec | 2 + scripts/builds/get_gating_results.sh | 63 +++++++++++ scripts/builds/query_build_gating.sh | 94 ++++++++++++++++ scripts/builds/waive_issue.sh | 132 +++++++++++++++++++++++ scripts/builds/waive_leapp_issue.sh | 46 ++++++++ scripts/builds/waive_rpminspect.sh | 53 +++++++++ scripts/builds/waive_usual_rpminspect.sh | 46 ++++++++ scripts/builds/waive_usual_tier0.sh | 47 ++++++++ 8 files changed, 483 insertions(+) create mode 100755 scripts/builds/get_gating_results.sh create mode 100755 scripts/builds/query_build_gating.sh create mode 100755 scripts/builds/waive_issue.sh create mode 100755 scripts/builds/waive_leapp_issue.sh create mode 100755 scripts/builds/waive_rpminspect.sh create mode 100755 scripts/builds/waive_usual_rpminspect.sh create mode 100755 scripts/builds/waive_usual_tier0.sh diff --git a/java-25-openjdk.spec b/java-25-openjdk.spec index 2f2f480..050765b 100644 --- a/java-25-openjdk.spec +++ b/java-25-openjdk.spec @@ -2617,8 +2617,10 @@ exit 0 * Thu Mar 12 2026 Andrew Hughes - 1:25.0.2.0.10-4 - Add tagging scripts with signature checks and gating handling - Update tagged versions to include 9.8.0-z, 9.9.0, 10.2-z & 10.3. +- Add gating scripts to simplify obtaining results and waiving issues - Resolves: RHEL-155327 - Resolves: RHEL-155337 +- Resolves: RHEL-155339 * Wed Mar 11 2026 Thomas Fitzsimmons - 1:25.0.2.0.10-3 - Disable abidiff inspection in rpminspect.yaml to avoid an out-of-memory error on the CentOS test farm diff --git a/scripts/builds/get_gating_results.sh b/scripts/builds/get_gating_results.sh new file mode 100755 index 0000000..82458d6 --- /dev/null +++ b/scripts/builds/get_gating_results.sh 
@@ -0,0 +1,63 @@ +#!/bin/bash + +# Copyright (C) 2026 Red Hat, Inc. +# Written by: +# Andrew John Hughes +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as +# published by the Free Software Foundation, either version 3 of the +# License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU Affero General Public License for more details. +# +# You should have received a copy of the GNU Affero General Public License +# along with this program. If not, see . + +# Retrieve the results of a gating test using the ID from the JSON +# retrieved by query_build_gating.sh + +RESULT_ID=${1} + +if test "${RESULT_ID}" = ""; then + echo "No ID specified."; + echo "${0} "; + exit 1; +fi + +CURL=$(command -v curl) +JSON_TOOL=$(command -v jq) + +if test "${CURL}" = ""; then + echo "curl not found"; + exit 2; +fi + +if test "${JSON_TOOL}" = ""; then + echo "jq not found"; + exit 3; +fi + +URL="https://resultsdb-api.engineering.redhat.com/api/v2.0/results/${RESULT_ID}" +JSON_OUT=$(mktemp --tmpdir out.XXXXXX.json) + +CMD=("${CURL}" --silent --show-error "${URL}") + +echo "${CMD[@]}" + +if command "${CMD[@]}" > "${JSON_OUT}" ; then + "${JSON_TOOL}" < "${JSON_OUT}" +else + echo "Failed to obtain JSON"; + exit 4; +fi + +# Local Variables: +# compile-command: "shellcheck get_gating_results.sh" +# fill-column: 80 +# indent-tabs-mode: nil +# sh-basic-offset: 4 +# End: diff --git a/scripts/builds/query_build_gating.sh b/scripts/builds/query_build_gating.sh new file mode 100755 index 0000000..f83f849 --- /dev/null +++ b/scripts/builds/query_build_gating.sh 
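Review bot: `curl` is invoked in get_gating_results.sh without `--fail`, so an HTTP error response still exits 0 and its body is handed to `jq`; the "Failed to obtain JSON" branch is reached only on transport errors. Adding the flag, `CMD=("${CURL}" --silent --show-error --fail "${URL}")`, makes a 4xx/5xx answer take the error branch. `RESULT_ID` is placed into the URL unchecked; if result IDs are numeric, which the hunk does not show, a guard such as `case "${RESULT_ID}" in *[!0-9]*) echo "Invalid ID"; exit 1;; esac` would reject anything else. The `JSON_OUT` temp file is never removed on either path.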
@@ -0,0 +1,94 @@ +#!/bin/bash + +# Copyright (C) 2026 Red Hat, Inc. +# Written by: +# Andrew John Hughes +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as +# published by the Free Software Foundation, either version 3 of the +# License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU Affero General Public License for more details. +# +# You should have received a copy of the GNU Affero General Public License +# along with this program. If not, see . + +# Retrieve the status of a build's progress through gating + +RHEL_VER=${1} +NVR=${2} + +if test "${RHEL_VER}" = ""; then + echo "No RHEL version specified."; + echo "${0} "; + exit 1; +fi + +if test "${NVR}" = ""; then + echo "No NVR specified."; + echo "${0} "; + exit 2; +fi + +CURL=$(command -v curl) +JSON_TOOL=$(command -v jq) +JSON_FILE=$(mktemp --tmpdir query.XXXXXX.json) +JSON_OUT=$(mktemp --tmpdir out.XXXXXX.json) +URL="https://greenwave.engineering.redhat.com/api/v1.0/decision" + +if test "${CURL}" = ""; then + echo "curl not found"; + exit 3; +fi + +if test "${JSON_TOOL}" = ""; then + echo "jq not found"; + exit 4; +fi + +{ + echo "{"; + printf "\t\"decision_context\":\"osci_compose_gate\",\n"; + printf "\t\"product_version\":\"rhel-%d\",\n" "${RHEL_VER}"; + printf "\t\"subject_type\":\"koji_build\",\n"; + printf "\t\"subject_identifier\":\"%s\",\n" "${NVR}"; + printf "\t\"verbose\":false\n"; + echo "}"; +} > "${JSON_FILE}" + +echo "Sending the following JSON..."; +cat "${JSON_FILE}" + +CMD=("${CURL}" --silent --show-error -X POST) + +JSON_COMMAND="--json"; +# Check --json is available +${CURL} ${JSON_COMMAND} 2> /dev/null +if [ $? 
-eq 2 ] ; then + echo "--json unsupported; falling back on --data-ascii"; + CMD=("${CMD[@]}" --header Content-Type:application/json --data-ascii); +else + CMD=("${CMD[@]}" "${JSON_COMMAND}"); +fi + +CMD=("${CMD[@]}" "@${JSON_FILE}" "${URL}") + +echo "${CMD[@]}" + +if command "${CMD[@]}" > "${JSON_OUT}" ; then + "${JSON_TOOL}" < "${JSON_OUT}" +else + echo "Failed to obtain JSON"; + exit 5; +fi + +# Local Variables: +# compile-command: "shellcheck query_build_gating.sh" +# fill-column: 80 +# indent-tabs-mode: nil +# sh-basic-offset: 4 +# End: diff --git a/scripts/builds/waive_issue.sh b/scripts/builds/waive_issue.sh new file mode 100755 index 0000000..71fd299 --- /dev/null +++ b/scripts/builds/waive_issue.sh 
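Review bot: The request body in query_build_gating.sh is assembled with `printf`, and `${NVR}` goes into the `subject_identifier` field without any JSON escaping, so a value containing `"` or `\` produces a malformed or differently shaped document. waive_issue.sh builds its body the same way, and there the free-text `${COMMENT}` is affected as well. Since `jq` is already a hard requirement of this script, it can generate the document with correct escaping, as sketched below; note that this drops the `%d` coercion of `${RHEL_VER}`, so a numeric check on that argument would be worth adding alongside. Separately, the `--json` probe runs curl with the option but no argument, which I would expect to exit 2 even on a curl that supports `--json`, so the fallback may always be taken; worth confirming.

```shell
# … unchanged: argument checks, curl/jq lookup, mktemp calls …
"${JSON_TOOL}" -n \
    --arg version "rhel-${RHEL_VER}" \
    --arg nvr "${NVR}" \
    '{
        decision_context: "osci_compose_gate",
        product_version: $version,
        subject_type: "koji_build",
        subject_identifier: $nvr,
        verbose: false
    }' > "${JSON_FILE}"
# … unchanged: echo of the JSON, curl invocation …
```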
@@ -0,0 +1,132 @@ +#!/bin/bash + +# Copyright (C) 2026 Red Hat, Inc. +# Written by: +# Andrew John Hughes +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as +# published by the Free Software Foundation, either version 3 of the +# License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU Affero General Public License for more details. +# +# You should have received a copy of the GNU Affero General Public License +# along with this program. If not, see . + +# Waive a gating issue + +RHEL_VER=${1} +NVR=${2} +TESTCASE=${3} +COMMENT=${4} + +CURL=$(command -v curl) +JSON_TOOL=$(command -v json_verify) +JSON_FORMAT=$(command -v jq) +JSON_FILE=$(mktemp --tmpdir waive.XXXXXX.json) +HEADER_FILE=$(mktemp --tmpdir waive.XXXXXX.headers) +JSON_OUT=$(mktemp --tmpdir out.XXXXXX.json) + +CACERT=/etc/ssl/certs/2022-IT-Root-CA.pem +CACERT_DIR=$(dirname ${CACERT}) +URL="https://waiverdb.engineering.redhat.com/api/v1.0/waivers/" + +if test -z "${JSON_TOOL}" -o ! -x "${JSON_TOOL}" ; then + echo "JSON verifier not found. 
Skipping verification."; + SKIP_JSON=1; +else + SKIP_JSON=0; +fi + +if test "x${RHEL_VER}" = "x"; then + echo "No RHEL version specified."; + echo "${0} "; + exit 1; +fi + +if test "x${NVR}" = "x"; then + echo "No NVR specified."; + echo "${0} "; + exit 2; +fi + +if test "x${TESTCASE}" = "x"; then + echo "No testcase specified."; + echo "${0} "; + exit 3; +fi + +if test "x${COMMENT}" = "x"; then + COMMENT="Gating broken"; + echo "Setting COMMENT to default of '${COMMENT}'" +fi + +if test "${CURL}" = ""; then + echo "curl not found"; + exit 4; +fi + +if test "${JSON_FORMAT}" = ""; then + echo "jq not found"; + exit 5; +fi + +{ + echo "{"; + printf "\t\"subject_type\":\"brew-build\",\n"; + printf "\t\"subject_identifier\":\"%s\",\n" "${NVR}"; + printf "\t\"testcase\":\"%s\",\n" "${TESTCASE}"; + printf "\t\"waived\":true,\n"; + printf "\t\"product_version\":\"rhel-%d\",\n" "${RHEL_VER}" + printf "\t\"comment\":\"%s\"\n" "${COMMENT}"; + echo "}" +} > "${JSON_FILE}" + +if [ "${SKIP_JSON}" -eq 0 ] ; then + "${JSON_TOOL}" < "${JSON_FILE}" || exit 6; +fi + +CMD=("${CURL}" --silent --show-error --capath "${CACERT_DIR}" --negotiate -u :) + +JSON_COMMAND="--json"; +# Check --json is available +${CURL} ${JSON_COMMAND} 2> /dev/null +if [ $? 
-eq 2 ] ; then + echo "--json unsupported; falling back on --data-binary"; + { + echo "Content-Type: application/json"; + echo "Accept: application/json"; + } > "${HEADER_FILE}" + echo "Header file:"; + cat "${HEADER_FILE}" + CMD=("${CMD[@]}" --header "@${HEADER_FILE}" --data-binary); +else + CMD=("${CMD[@]}" "${JSON_COMMAND}"); +fi +CMD=("${CMD[@]}" "@${JSON_FILE}" "${URL}") + +echo "Sending the following JSON..."; +cat "${JSON_FILE}" + +echo "${CMD[@]}" + +if command "${CMD[@]}" > "${JSON_OUT}" ; then + "${JSON_FORMAT}" < "${JSON_OUT}" +else + echo "Failed to file waiver"; + exit 7; +fi + +rm -v "${JSON_FILE}" +rm -v "${HEADER_FILE}" + +# Local Variables: +# compile-command: "shellcheck waive_issue.sh" +# fill-column: 80 +# indent-tabs-mode: nil +# sh-basic-offset: 4 +# End: diff --git a/scripts/builds/waive_leapp_issue.sh b/scripts/builds/waive_leapp_issue.sh new file mode 100755 index 0000000..2dc3e71 --- /dev/null +++ b/scripts/builds/waive_leapp_issue.sh 
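Review bot: `CACERT` names a specific root certificate in waive_issue.sh, but only its directory is passed to curl (`--capath "${CACERT_DIR}"`), so the request that carries the `--negotiate -u :` credentials trusts whatever CA certificates that directory provides rather than the one named. If pinning to that root is the intent, `--cacert "${CACERT}"` does it: `CMD=("${CURL}" --silent --show-error --cacert "${CACERT}" --negotiate -u :)`. The `dirname ${CACERT}` call is also unquoted. On cleanup, `JSON_OUT` is never removed and the `exit 6` and `exit 7` paths leave all three temp files behind; `trap 'rm -f "${JSON_FILE}" "${HEADER_FILE}" "${JSON_OUT}"' EXIT` after the `mktemp` calls would cover them.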
@@ -0,0 +1,46 @@ +#!/bin/sh + +# Copyright (C) 2026 Red Hat, Inc. +# Written by: +# Andrew John Hughes +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as +# published by the Free Software Foundation, either version 3 of the +# License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU Affero General Public License for more details. +# +# You should have received a copy of the GNU Affero General Public License +# along with this program. If not, see . + +# Waive the leapp gating test which never seems to work + +RHEL_VER=${1} +NVR=${2} + +WORKING_DIR=$(dirname "${0}") + +if test "x${RHEL_VER}" = "x"; then + echo "No RHEL version specified."; + echo "${0} "; + exit 1; +fi + +if test "x${NVR}" = "x"; then + echo "No NVR specified."; + echo "${0} "; + exit 2; +fi + +"${WORKING_DIR}"/waive_issue.sh "${RHEL_VER}" "${NVR}" leapp.brew-build.upgrade.distro "AWOL" + +# Local Variables: +# compile-command: "shellcheck waive_leapp_issue.sh" +# fill-column: 80 +# indent-tabs-mode: nil +# sh-basic-offset: 4 +# End: diff --git a/scripts/builds/waive_rpminspect.sh b/scripts/builds/waive_rpminspect.sh new file mode 100755 index 0000000..453b892 --- /dev/null +++ b/scripts/builds/waive_rpminspect.sh 
@@ -0,0 +1,53 @@
+#!/bin/sh
+
+# Copyright (C) 2026 Red Hat, Inc.
+# Written by:
+# Andrew John Hughes
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as
+# published by the Free Software Foundation, either version 3 of the
+# License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program. If not, see .
+
+# Waive a rpminspect gating issue
+
+RHEL_VER=${1}
+NVR=${2}
+COMMENT=${3}
+
+WORKING_DIR=$(dirname "${0}")
+
+if test "x${RHEL_VER}" = "x"; then
+ echo "No RHEL version specified.";
+ echo "${0} ";
+ exit 1;
+fi
+
+if test "x${NVR}" = "x"; then
+ echo "No NVR specified.";
+ echo "${0} ";
+ exit 2;
+fi
+
+if test "${COMMENT}" = ""; then
+ echo "No comment specified.";
+ echo "${0} ";
+ exit 3;
+fi
+
+"${WORKING_DIR}"/waive_issue.sh "${RHEL_VER}" "${NVR}" osci.brew-build.rpminspect.static-analysis "${COMMENT}"
+
+# Local Variables:
+# compile-command: "shellcheck waive_rpminspect.sh"
+# fill-column: 80
+# indent-tabs-mode: nil
+# sh-basic-offset: 4
+# End:
diff --git a/scripts/builds/waive_usual_rpminspect.sh b/scripts/builds/waive_usual_rpminspect.sh
new file mode 100755
index 0000000..5b4f26d
--- /dev/null
+++ b/scripts/builds/waive_usual_rpminspect.sh
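Review bot: `COMMENT` is forwarded to waive_issue.sh as free text on the last line, and nothing here constrains what it may contain. Only the tail of waive_issue.sh is visible on this page (it posts a JSON file), so this is inferred: if that file is assembled by plain string interpolation, a comment containing `"` or `\` would produce malformed or altered JSON. Either state the restriction in the header, e.g. `# COMMENT must not contain double quotes or backslashes`, or have waive_issue.sh build the payload with a JSON-aware tool. The empty check also uses `test "${COMMENT}" = ""` where the two checks above it use the `x` prefix form; one style would read better.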
@@ -0,0 +1,46 @@
+#!/bin/sh
+
+# Copyright (C) 2026 Red Hat, Inc.
+# Written by:
+# Andrew John Hughes
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as
+# published by the Free Software Foundation, either version 3 of the
+# License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program. If not, see .
+
+# Waive the recurring rpminspect gating issues
+# Should be resolved by RHELPLAN-102267
+
+RHEL_VER=${1}
+NVR=${2}
+
+if test "x${RHEL_VER}" = "x"; then
+ echo "No RHEL version specified.";
+ echo "${0} ";
+ exit 1;
+fi
+
+if test "x${NVR}" = "x"; then
+ echo "No NVR specified.";
+ echo "${0} ";
+ exit 2;
+fi
+
+"${WORKING_DIR}"/waive_rpminspect.sh "${RHEL_VER}" "${NVR}" \
+ "Usual failures we waived through rpmdiff; slowdebug unoptimised, RPATH and IPv4 functions"
+
+# Local Variables:
+# compile-command: "shellcheck waive_usual_rpminspect.sh"
+# fill-column: 80
+# indent-tabs-mode: nil
+# sh-basic-offset: 4
+# End:
diff --git a/scripts/builds/waive_usual_tier0.sh b/scripts/builds/waive_usual_tier0.sh
new file mode 100755
index 0000000..6e06564
--- /dev/null
+++ b/scripts/builds/waive_usual_tier0.sh
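Review bot: `WORKING_DIR` is never assigned in this script, unlike waive_leapp_issue.sh, waive_rpminspect.sh and waive_usual_tier0.sh, so the last command expands to `/waive_rpminspect.sh` unless the variable happens to be set in the caller's environment. The script then either fails with a not-found error or runs whatever the inherited value points at, which a tool that files gating waivers should not depend on. Add `WORKING_DIR=$(dirname "${0}")` after the `NVR=${2}` assignment, as the sibling scripts do.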
@@ -0,0 +1,47 @@
+#!/bin/sh
+
+# Copyright (C) 2026 Red Hat, Inc.
+# Written by:
+# Andrew John Hughes
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as
+# published by the Free Software Foundation, either version 3 of the
+# License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program. If not, see .
+
+# Waive the usual tier0 gating issue
+# Should be resolved by OPENJDK-4517
+
+RHEL_VER=${1}
+NVR=${2}
+
+WORKING_DIR=$(dirname "${0}")
+
+if test "x${RHEL_VER}" = "x"; then
+ echo "No RHEL version specified.";
+ echo "${0} ";
+ exit 1;
+fi
+
+if test "x${NVR}" = "x"; then
+ echo "No NVR specified.";
+ echo "${0} ";
+ exit 2;
+fi
+
+"${WORKING_DIR}"/waive_issue.sh "${RHEL_VER}" "${NVR}" osci.brew-build.tier0.functional "Test unable to parse spec file"
+
+# Local Variables:
+# compile-command: "shellcheck waive_usual_tier0.sh"
+# fill-column: 80
+# indent-tabs-mode: nil
+# sh-basic-offset: 4
+# End:
From be99dd1d42605dfe5a7f1c03d30b8cf38d72dbde Mon Sep 17 00:00:00 2001
From: Andrew Hughes
Date: Thu, 12 Mar 2026 02:28:03 +0000
Subject: [PATCH 4/4] Sync the copy of the portable specfile with the latest update
Related: RHEL-155000
Related: RHEL-146649
Related: RHEL-148327
Related: RHEL-148830
---
java-25-openjdk-portable.specfile | 70 +++++++++++++++----------------
java-25-openjdk.spec | 5 +++
2 files changed, 39 insertions(+), 36 deletions(-)
diff --git a/java-25-openjdk-portable.specfile b/java-25-openjdk-portable.specfile
index f45ab50..f09dfe0 100644
--- a/java-25-openjdk-portable.specfile
+++ b/java-25-openjdk-portable.specfile
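Review bot: The waiver reason `"Test unable to parse spec file"` on the last command omits the tracker that the header comment cites, so the record stored with the waiver cannot be traced back to OPENJDK-4517 once it is read apart from this script. Putting the key in the reason keeps the gate override auditable: `"Test unable to parse spec file (OPENJDK-4517)"`. waive_usual_rpminspect.sh has the same gap with RHELPLAN-102267.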
@@ -376,7 +376,7 @@ # Define IcedTea version used for SystemTap tapsets and desktop file %global icedteaver 6.0.0pre00-c848b93a8598 # Define current Git revision for the FIPS support patches -%global fipsver df044414ef4 +%global fipsver e55ada9353e # Define JDK versions %global newjavaver %{featurever}.%{interimver}.%{updatever}.%{patchver} %global javaver %{featurever} @@ -391,7 +391,7 @@ %global top_level_dir_name %{vcstag} %global top_level_dir_name_backup %{top_level_dir_name}-backup %global buildver 10 -%global rpmrelease 2 +%global rpmrelease 3 #%%global tagsuffix %%{nil} # Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit %if %is_system_jdk 
@@ -643,37 +643,9 @@ Source18: TestTranslations.java # as follows: git diff %%{vcstag} src make test > fips-25u-$(git show -s --format=%h HEAD).patch # Diff is limited to src and make subdirectories to exclude .github changes # Fixes currently included: -# PR3183, RH1340845: Follow system wide crypto policy -# PR3695: Allow use of system crypto policy to be disabled by the user -# RH1655466: Support RHEL FIPS mode using SunPKCS11 provider -# RH1818909: No ciphersuites availale for SSLSocket in FIPS mode -# RH1860986: Disable TLSv1.3 with the NSS-FIPS provider until PKCS#11 v3.0 support is available -# RH1915071: Always initialise JavaSecuritySystemConfiguratorAccess -# RH1929465: Improve system FIPS detection -# RH1995150: Disable non-FIPS crypto in SUN and SunEC security providers -# RH1996182: Login to the NSS software token in FIPS mode -# RH1991003: Allow plain key import unless com.redhat.fips.plainKeySupport is set to false -# RH2021263: Resolve outstanding FIPS issues -# RH2052819: Fix FIPS reliance on crypto policies -# RH2052829: Detect NSS at Runtime for FIPS detection -# RH2052070: Enable AlgorithmParameters and AlgorithmParameterGenerator services in FIPS mode -# RH2023467: Enable FIPS keys export -# RH2094027: SunEC runtime permission for FIPS -# RH2036462: sun.security.pkcs11.wrapper.PKCS11.getInstance breakage -# RH2090378: Revert to disabling system security properties and FIPS mode support together -# RH2104724: Avoid import/export of DH private keys -# RH2092507: P11Key.getEncoded does not work for DH keys in FIPS mode -# Build the systemconf library on all platforms -# RH2048582: Support PKCS#12 keystores [now part of JDK-8301553 upstream] -# RH2020290: Support TLS 1.3 in FIPS mode -# Add nss.fips.cfg support to OpenJDK tree -# RH2117972: Extend the support for NSS DBs (PKCS11) in FIPS mode -# Remove forgotten dead code from RH2020290 and RH2104724 -# OJ1357: Fix issue on FIPS with a SecurityManager in place -# RH2134669: Add missing attributes 
when registering services in FIPS mode. -# test/jdk/sun/security/pkcs11/fips/VerifyMissingAttributes.java: fixed jtreg main class -# RH1940064: Enable XML Signature provider in FIPS mode -# RH2173781: Avoid calling C_GetInfo() too early, before cryptoki is initialized [now part of JDK-8301553 upstream] +# OPENJDK-2108: Internal __redhat_fips__ property +# OPENJDK-2123: Algorithms lockdown +# OPENJDK-4559: Red Hat Build of OpenJDK 25 should not restrict all the providers in FIPS Patch1001: fips-%{featurever}u-%{fipsver}.patch ############################################# @@ -692,6 +664,15 @@ Patch1001: fips-%{featurever}u-%{fipsver}.patch # JDK-8372534: Update Libpng to 1.6.51 # Integrated in 25.0.3 Patch2001: jdk8372534-libpng-1.6.51.patch +# JDK-8375063: Update Libpng to 1.6.54 +# Integrated in 25.0.3 +Patch2002: jdk8375063-libpng-1.6.54.patch +# JDK-8375057: Update HarfBuzz to 12.3.2 +# Integrated in 25.0.3 +Patch2003: jdk8375057-harfbuzz-12.3.2.patch +# JDK-8377526: Update Libpng to 1.6.55 +# Integrated in 25.0.3 +Patch2004: jdk8377526-libpng-1.6.55.patch ############################################# # @@ -778,13 +759,13 @@ Provides: bundled(freetype) = 2.13.3 # Version in src/java.desktop/share/native/libsplashscreen/giflib/gif_lib.h Provides: bundled(giflib) = 5.2.2 # Version in src/java.desktop/share/native/libharfbuzz/hb-version.h -Provides: bundled(harfbuzz) = 10.4.0 +Provides: bundled(harfbuzz) = 12.3.2 # Version in src/java.desktop/share/native/liblcms/lcms2.h Provides: bundled(lcms2) = 2.17.0 # Version in src/java.desktop/share/native/libjavajpeg/jpeglib.h Provides: bundled(libjpeg) = 6b # Version in src/java.desktop/share/native/libsplashscreen/libpng/png.h -Provides: bundled(libpng) = 1.6.51 +Provides: bundled(libpng) = 1.6.55 # Version in src/java.base/share/native/libzip/zlib/zlib.h Provides: bundled(zlib) = 1.3.1 # We link statically against libstdc++ to increase portability 
@@ -1005,8 +986,11 @@ sh %{SOURCE12} %{top_level_dir_name} pushd %{top_level_dir_name} # Add crypto policy and FIPS support %patch -P1001 -p1 -# Add libpng update ahead of 25.0.3 +# Add libpng & harfbuzz updates ahead of 25.0.3 %patch -P2001 -p1 +%patch -P2002 -p1 +%patch -P2003 -p1 +%patch -P2004 -p1 popd # openjdk echo "Generating %{alt_java_name} man page" @@ -1974,6 +1958,20 @@ done %endif %changelog +* Tue Mar 03 2026 Andrew Hughes - 1:25.0.2.0.10-3 +- Update FIPS patch to e55ada9353e to include the fix for the too restrictive provider lockdown +- Fix FIPS issue list to represent the new 25u version +- Add JDK-8375063 libpng 1.6.54 ahead of 25.0.3 +- Add JDK-8375057 harfbuzz 12.3.2 ahead of 25.0.3 +- Add JDK-8377526 libpng 1.6.55 ahead of 25.0.3 +- Bump libpng version to 1.6.55 following JDK-8375063 & JDK-8377526 +- Bump harfbuzz version to 12.3.2 following JDK-8375057 +- Resolves: OPENJDK-4570 +- Resolves: OPENJDK-4304 +- Resolves: OPENJDK-4524 +- Resolves: OPENJDK-4544 +- Resolves: OPENJDK-4553 + * Mon Jan 12 2026 Andrew Hughes - 1:25.0.2.0.10-2 - Add JDK-8372534 libpng 1.6.51 ahead of 25.0.3 - Bump libpng version to 1.6.51 following JDK-8372534 diff --git a/java-25-openjdk.spec b/java-25-openjdk.spec index 050765b..4947566 100644 --- a/java-25-openjdk.spec +++ b/java-25-openjdk.spec @@ -2618,9 +2618,14 @@ exit 0 - Add tagging scripts with signature checks and gating handling - Update tagged versions to include 9.8.0-z, 9.9.0, 10.2-z & 10.3. - Add gating scripts to simplify obtaining results and waiving issues +- Sync the copy of the portable specfile with the latest update - Resolves: RHEL-155327 - Resolves: RHEL-155337 - Resolves: RHEL-155339 +- Related: RHEL-155000 +- Related: RHEL-146649 +- Related: RHEL-148327 +- Related: RHEL-148830 * Wed Mar 11 2026 Thomas Fitzsimmons - 1:25.0.2.0.10-3 - Disable abidiff inspection in rpminspect.yaml to avoid an out-of-memory error on the CentOS test farm