
2 Commits

Author SHA1 Message Date
eabdullin
6c2ab26cd7 Exclude %{bootjdkpkg}-portable-devel%{?bootdebugpkg:-%{bootdebugpkg}} from BR for bootstrap build 2025-10-08 18:55:39 +03:00
eabdullin
91dc9761a6 Portable 2025-10-07 14:50:13 +03:00
28 changed files with 161 additions and 43080 deletions

7
.gitignore vendored

@ -39,10 +39,3 @@
/openjdk-21.0.8+8-ea.tar.xz
/openjdk-21.0.8+9.tar.xz
/openjdk-22.0.2+9.tar.xz
/openjdk-23.0.2+7.tar.xz
/openjdk-24.0.2+12.tar.xz
/openjdk-25+36.tar.xz
/openjdk-25.0.1+8.tar.xz
/nssadapter-0.1.0.tar.xz
/openjdk-25.0.2+10.tar.xz
/nssadapter-0.1.1.tar.xz

942
NEWS

File diff suppressed because it is too large Load Diff


@ -21,32 +21,15 @@ import java.security.Security;
import java.util.Properties;
public class TestSecurityProperties {
private static final String JAVA_HOME = System.getProperty("java.home");
// JDK 11
private static final String JDK_PROPS_FILE_JDK_11 = JAVA_HOME + "/conf/security/java.security";
private static final String JDK_PROPS_FILE_JDK_11 = System.getProperty("java.home") + "/conf/security/java.security";
// JDK 8
private static final String JDK_PROPS_FILE_JDK_8 = JAVA_HOME + "/lib/security/java.security";
// JDK 25
// Omit fips.properties files since they are not relevant to this test.
// Omit JAVA_HOME + "/conf/security/redhat/crypto-policies.properties" which simply includes
// true/crypto-policies.properties in case redhat.crypto-policies is left undefined.
private static final String[] JDK_PROPS_FILES_JDK_25_ENABLED = {
JAVA_HOME + "/conf/security/redhat/true/crypto-policies.properties",
"/etc/crypto-policies/back-ends/java.config"
};
private static final String[] JDK_PROPS_FILES_JDK_25_DISABLED = {
JAVA_HOME + "/conf/security/redhat/false/crypto-policies.properties"
};
private static final String JDK_PROPS_FILE_JDK_8 = System.getProperty("java.home") + "/lib/security/java.security";
private static final String POLICY_FILE = "/etc/crypto-policies/back-ends/java.config";
private static final String MSG_PREFIX = "DEBUG: ";
private static final String javaVersion = System.getProperty("java.version");
// float for java 1.8
private static final float JAVA_FEATURE = Float.parseFloat(System.getProperty("java.specification.version"));
public static void main(String[] args) {
if (args.length == 0) {
System.err.println("TestSecurityProperties <true|false>");
@ -57,24 +40,18 @@ public class TestSecurityProperties {
boolean enabled = Boolean.valueOf(args[0]);
System.out.println(MSG_PREFIX + "System security properties enabled: " + enabled);
Properties jdkProps = new Properties();
loadProperties(jdkProps, enabled);
loadProperties(jdkProps);
if (enabled) {
loadPolicy(jdkProps);
}
for (Object key : jdkProps.keySet()) {
String sKey = (String) key;
if (JAVA_FEATURE >= 25 && sKey.equals("include")) {
// Avoid the following exception on 25: IllegalArgumentException: Key 'include' is
// reserved and cannot be used as a Security property name. Hard-code the includes
// in JDK_PROPS_FILES_JDK_25_ENABLED and JDK_PROPS_FILES_JDK_25_DISABLED instead.
continue;
}
for (Object key: jdkProps.keySet()) {
String sKey = (String)key;
System.out.println(MSG_PREFIX + "Checking " + sKey);
String securityVal = Security.getProperty(sKey);
String jdkSecVal = jdkProps.getProperty(sKey);
if (!jdkSecVal.equals(securityVal)) {
String msg = "Expected value '" + jdkSecVal + "' for key '" +
sKey + "'" + " but got value '" + securityVal + "'";
sKey + "'" + " but got value '" + securityVal + "'";
throw new RuntimeException("Test failed! " + msg);
} else {
System.out.println(MSG_PREFIX + sKey + " = " + jdkSecVal + " as expected.");
@ -83,26 +60,17 @@ public class TestSecurityProperties {
System.out.println("TestSecurityProperties PASSED!");
}
private static void loadPropertiesFile(Properties props, String propsFile) {
try (FileInputStream fin = new FileInputStream(propsFile)) {
props.load(fin);
} catch (Exception e) {
throw new RuntimeException("Test failed!", e);
}
}
private static void loadProperties(Properties props, boolean enabled) {
private static void loadProperties(Properties props) {
String javaVersion = System.getProperty("java.version");
System.out.println(MSG_PREFIX + "Java version is " + javaVersion);
String propsFile = JDK_PROPS_FILE_JDK_11;
if (javaVersion.startsWith("1.8.0")) {
propsFile = JDK_PROPS_FILE_JDK_8;
}
loadPropertiesFile(props, propsFile);
if (JAVA_FEATURE >= 25) {
for (String file : enabled ? JDK_PROPS_FILES_JDK_25_ENABLED : JDK_PROPS_FILES_JDK_25_DISABLED) {
System.out.println(MSG_PREFIX + "Loading " + file);
loadPropertiesFile(props, file);
}
try (FileInputStream fin = new FileInputStream(propsFile)) {
props.load(fin);
} catch (Exception e) {
throw new RuntimeException("Test failed!", e);
}
}
@ -115,17 +83,3 @@ public class TestSecurityProperties {
}
}
/*
* Local Variables:
* compile-command: "\
* /usr/lib/jvm/java-25-openjdk/bin/javac TestSecurityProperties.java \
* && (/usr/lib/jvm/java-25-openjdk/bin/java TestSecurityProperties false ; [[ $? == 1 ]]) \
* && (/usr/lib/jvm/java-25-openjdk/bin/java -Dredhat.crypto-policies=true TestSecurityProperties false ; [[ $? == 1 ]]) \
* && (/usr/lib/jvm/java-25-openjdk/bin/java -Dredhat.crypto-policies=false TestSecurityProperties true ; [[ $? == 1 ]]) \
* && /usr/lib/jvm/java-25-openjdk/bin/java TestSecurityProperties true \
* && /usr/lib/jvm/java-25-openjdk/bin/java -Dredhat.crypto-policies=true TestSecurityProperties true \
* && /usr/lib/jvm/java-25-openjdk/bin/java -Dredhat.crypto-policies=false TestSecurityProperties false" \
* fill-column: 124
* End:
*/
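Review bot: The key loop in `main` on the new side calls `Security.getProperty(sKey)` for every key loaded from java.security, and the guard that skipped the `include` key is gone. The removed comment records that a 25-level JDK rejects that key with an IllegalArgumentException, so if this test is run against a java.security that carries an `include` directive it would abort rather than report a mismatch; a version-independent guard such as `if ("include".equals(sKey)) { continue; }` at the top of the loop would avoid that. Separately, when `enabled` is false only the keys present in java.security are compared, so a property defined solely in `/etc/crypto-policies/back-ends/java.config` would presumably go unnoticed if the system policy were still being applied; a comment stating that limit, or an explicit negative check, would make the disabled case trustworthy. `main` and `loadPolicy` are only partly visible in these hunks.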


@ -52,9 +52,9 @@ public class TestTranslations {
map.put(Locale.FRANCE, new String[] { "heure normale des Rocheuses", "UTC\u221207:00", "MST",
"heure d\u2019\u00e9t\u00e9 des Rocheuses", "UTC\u221206:00", "MST",
"heure des Rocheuses", "UTC\u221207:00", "MST"});
map.put(Locale.GERMANY, new String[] { "Rocky-Mountains-Normalzeit", "GMT-07:00", "MST",
"Rocky-Mountains-Sommerzeit", "GMT-06:00", "MST",
"Rocky-Mountains-Zeit", "GMT-07:00", "MST"});
map.put(Locale.GERMANY, new String[] { "Rocky-Mountain-Normalzeit", "GMT-07:00", "MST",
"Rocky-Mountain-Sommerzeit", "GMT-06:00", "MST",
"Rocky-Mountain-Zeit", "GMT-07:00", "MST"});
CIUDAD_JUAREZ = Collections.unmodifiableMap(map);
}


@ -1,168 +0,0 @@
#!/bin/bash
#
# Create Red Hat OpenJDK security properties directory hierarchy.
#
# Copyright (C) 2025 IBM Corporation. All rights reserved.
#
# Written by:
# Francisco Ferrari Bihurriet <fferrari@redhat.com>
# Thomas Fitzsimmons <fitzsim@redhat.com>
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as
# published by the Free Software Foundation, either version 3 of the
# License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
# Usage:
#
# bash create-redhat-properties-files.bash <target directory> <nssadapter path>
#
# Example usage in spec file:
#
# bash -x create-redhat-properties-files.bash ${installdir}/conf/security \
# %{_libdir}/%{sdkdir -- ${suffix}}/libnssadapter.so
#
# When you make changes to the file set here, also update the %files
# section in the spec file, and the JDK_PROPS_FILES_JDK_25 variables
# in TestSecurityProperties.java.
[[ $# == 2 ]] || exit 1
SECURITY="${1}"
NSSADAPTER="${2}"
VENDOR="${SECURITY}"/redhat
install --directory --mode=755 "${VENDOR}"
install --directory --mode=755 "${VENDOR}"/true
install --directory --mode=755 "${VENDOR}"/false
# /usr/lib/jvm/java-25-openjdk/conf/security/redhat/SunPKCS11-FIPS.cfg
install --mode 644 /dev/stdin "${VENDOR}"/SunPKCS11-FIPS.cfg <<EOF
name = FIPS
library = ${NSSADAPTER}
slot = 3
nssUseSecmod = false
attributes(*,CKO_SECRET_KEY,*)={ CKA_SIGN=true CKA_ENCRYPT=true }
EOF
# /usr/lib/jvm/java-25-openjdk/conf/security/redhat/false/crypto-policies.properties
install --mode 644 /dev/stdin "${VENDOR}"/false/crypto-policies.properties <<'EOF'
# Empty on purpose, for ${redhat.crypto-policies}=false
EOF
# /usr/lib/jvm/java-25-openjdk/conf/security/redhat/true/crypto-policies.properties
install --mode 644 /dev/stdin "${VENDOR}"/true/crypto-policies.properties <<'EOF'
#
# Apply the system-wide crypto policy
#
include /etc/crypto-policies/back-ends/java.config
#
# Apply the FIPS-specific security properties, if needed
#
include ../${__redhat_fips__}/fips.properties
EOF
# /usr/lib/jvm/java-25-openjdk/conf/security/redhat/crypto-policies.properties
install --mode 644 /dev/stdin "${VENDOR}"/crypto-policies.properties <<'EOF'
#
# Default choice for the crypto-policies setup
#
include true/crypto-policies.properties
EOF
# /usr/lib/jvm/java-25-openjdk/conf/security/redhat/false/fips.properties
install --mode 644 /dev/stdin "${VENDOR}"/false/fips.properties <<'EOF'
# Empty on purpose, for when FIPS is disabled.
EOF
# /usr/lib/jvm/java-25-openjdk/conf/security/redhat/true/fips.properties
install --mode 644 /dev/stdin "${VENDOR}"/true/fips.properties <<'EOF'
#
# Enable the downstream-patch RedHatFIPSFilter code
#
__redhat_fips_filter__=true
#
# FIPS mode Security Providers List
#
security.provider.1=SunPKCS11 ${java.home}/conf/security/redhat/SunPKCS11-FIPS.cfg
security.provider.2=SUN
security.provider.3=SunEC
security.provider.4=SunJSSE
security.provider.5=SunJCE
security.provider.6=SunRsaSign
security.provider.7=XMLDSig
security.provider.8=
# ^ empty on purpose, to finish the Providers List
#
# FIPS mode default keystore type
#
keystore.type=pkcs12
EOF
# Make sure java.security exists before appending
test -e "${SECURITY}"/java.security || ( echo "${SECURITY}/java.security not found" && false )
cat >> "${SECURITY}"/java.security <<'EOF'
#
# System-wide crypto-policies and FIPS setup
#
# The following crypto-policies setup automatically detects when the system
# is in FIPS mode and configures OpenJDK accordingly. If OpenJDK needs to
# ignore the system and disable its FIPS setup, just disable the usage of
# the system crypto-policies, by any of the methods described below.
#
# The redhat.crypto-policies system property is a boolean switch that
# controls the usage on a per-run basis. For example, pass
# -Dredhat.crypto-policies=false to disable the system crypto-policies.
#
# This setup consists of the following files in $JAVA_HOME/conf/security:
#
# 'redhat/false/crypto-policies.properties' (policies usage disabled file)
# Empty file, applied when the boolean switch is passed as false.
#
# 'redhat/true/crypto-policies.properties' (policies usage enabled file)
# Performs the crypto-policies and FIPS setup, applied when the boolean
# switch is passed as true.
#
# 'redhat/crypto-policies.properties' (policies usage default file)
# Determines the default choice by including one of the previous files,
# applied when the boolean switch is not passed.
# The system crypto-policies usage is enabled by default:
# include true/crypto-policies.properties
#
# To enable or disable the usage of the crypto-policies on a per-deployment
# basis, edit the policies usage default file, changing the included file.
# For example, execute the following command to persistently disable the
# crypto-policies:
# sed -i s/true/false/ $JAVA_HOME/conf/security/redhat/crypto-policies.properties
# Applications can still override this on a per-run basis, for example by
# passing -Dredhat.crypto-policies=true.
#
# To disable the redhat.crypto-policies boolean switch, modify the following
# include directive as follows. Replace ${redhat.crypto-policies} by true to
# force-apply the system crypto-policies:
# include redhat/true/crypto-policies.properties
# Remove or comment out the include directive to force-disable the setup:
# #include redhat/${redhat.crypto-policies}/crypto-policies.properties
#
include redhat/${redhat.crypto-policies}/crypto-policies.properties
# ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
# WARNING: anything placed after this include directive will apply on top
# of the described setup. Adding properties below this section is strongly
# discouraged, as it poses a risk of overriding the system crypto-policies
# or invalidating the FIPS deployment.
EOF
# Local Variables:
# compile-command: "shellcheck create-redhat-properties-files.bash"
# End:


@ -1,87 +0,0 @@
diff --git a/src/java.base/share/classes/java/security/Provider.java b/src/java.base/share/classes/java/security/Provider.java
index de2845fb550..60eeab678ca 100644
--- a/src/java.base/share/classes/java/security/Provider.java
+++ b/src/java.base/share/classes/java/security/Provider.java
@@ -1203,6 +1203,34 @@ public Service getService(String type, String algorithm) {
return serviceSet;
}
+ /* vvvvvvvvvvvvvvvvvvvvvvvvvvvvv FIPS PATCH vvvvvvvvvvvvvvvvvvvvvvvvvvvvv */
+ private static final class RedHatFIPSFilter {
+ static final boolean IS_ON = Boolean.parseBoolean(
+ Security.getProperty("__redhat_fips_filter__"));
+ private static final Map<String, Set<String>> ALLOW_LIST = Map.of(
+ "SUN", Set.of(
+ "AlgorithmParameterGenerator",
+ "AlgorithmParameters", "CertificateFactory",
+ "CertPathBuilder", "CertPathValidator", "CertStore",
+ "Configuration", "KeyStore"),
+ "SunEC", Set.of(
+ "AlgorithmParameters", "KeyFactory"),
+ "SunJCE", Set.of(
+ "AlgorithmParameters",
+ "AlgorithmParameterGenerator", "KeyFactory",
+ "SecretKeyFactory"),
+ "SunRsaSign", Set.of(
+ "KeyFactory", "AlgorithmParameters")
+ );
+
+ static boolean isAllowed(String provName, String serviceType) {
+ Set<String> allowedServiceTypes = ALLOW_LIST.get(provName);
+ return allowedServiceTypes == null ||
+ allowedServiceTypes.contains(serviceType);
+ }
+ }
+ /* ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ FIPS PATCH ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ */
+
/**
* Add a service. If a service of the same type with the same algorithm
* name exists, and it was added using {@link #putService putService()},
@@ -1231,6 +1259,15 @@ protected void putService(Service s) {
("service.getProvider() must match this Provider object");
}
String type = s.getType();
+ /* vvvvvvvvvvvvvvvvvvvvvvvvvvv FIPS PATCH vvvvvvvvvvvvvvvvvvvvvvvvvvv */
+ if (RedHatFIPSFilter.IS_ON && !RedHatFIPSFilter.isAllowed(name, type)) {
+ if (debug != null) {
+ debug.println("The previous " + name + ".putService() call " +
+ "was skipped by " + RedHatFIPSFilter.class.getName());
+ }
+ return;
+ }
+ /* ^^^^^^^^^^^^^^^^^^^^^^^^^^^ FIPS PATCH ^^^^^^^^^^^^^^^^^^^^^^^^^^^ */
String algorithm = s.getAlgorithm();
ServiceKey key = new ServiceKey(type, algorithm, true);
implRemoveService(serviceMap.get(key));
diff --git a/src/java.base/share/classes/java/security/Security.java b/src/java.base/share/classes/java/security/Security.java
index 6969fe8a8e1..4501d5971c4 100644
--- a/src/java.base/share/classes/java/security/Security.java
+++ b/src/java.base/share/classes/java/security/Security.java
@@ -323,7 +323,27 @@ public Properties getInitialProperties() {
}
private static void initialize() {
+ /* vvvvvvvvvvvvvvvvvvvvvvvvvvv FIPS PATCH vvvvvvvvvvvvvvvvvvvvvvvvvvv */
+ /* This 'include'-directives-only magic property is an internal */
+ /* implementation detail that could (and probably will!) change. */
+ /* Red Hat customers should NOT rely on this for their own use. */
+ String fipsKernelFlag = "/proc/sys/crypto/fips_enabled";
+ boolean fipsModeOn;
+ try (InputStream is = new java.io.FileInputStream(fipsKernelFlag)) {
+ fipsModeOn = is.read() == '1';
+ } catch (IOException ioe) {
+ fipsModeOn = false;
+ if (sdebug != null) {
+ sdebug.println("Failed to read FIPS kernel file: " + ioe);
+ }
+ }
+ String fipsMagicPropName = "__redhat_fips__";
+ System.setProperty(fipsMagicPropName, "" + fipsModeOn);
+ /* ^^^^^^^^^^^^^^^^^^^^^^^^^^^ FIPS PATCH ^^^^^^^^^^^^^^^^^^^^^^^^^^^ */
SecPropLoader.loadAll();
+ /* vvvvvvvvvvvvvvvvvvvvvvvvvvv FIPS PATCH vvvvvvvvvvvvvvvvvvvvvvvvvvv */
+ System.clearProperty(fipsMagicPropName);
+ /* ^^^^^^^^^^^^^^^^^^^^^^^^^^^ FIPS PATCH ^^^^^^^^^^^^^^^^^^^^^^^^^^^ */
initialSecurityProperties = (Properties) props.clone();
if (sdebug != null) {
for (String key : props.stringPropertyNames()) {


@ -226,7 +226,7 @@
# other targets since this target is configured to use in-tree
# AWT dependencies: lcms, libjpeg, libpng, libharfbuzz, giflib
# and possibly others
%global static_libs_target static-libs-graal-image
%global static_libs_target static-libs-image
%else
%global static_libs_target %{nil}
%endif
@ -247,13 +247,6 @@
%global dtsversion 10
%endif
# Check if pandoc is available to generate docs (including man pages)
%if 0%{?rhel} == 8
%global pandoc_available 1
%else
%global pandoc_available 0
%endif
# Filter out flags from the optflags macro that cause problems with the OpenJDK build
# We filter out -O flags so that the optimization of HotSpot is not lowered from O3 to O2
# We filter out -Wall which will otherwise cause HotSpot to produce hundreds of thousands of warnings (100+mb logs)
@ -334,7 +327,8 @@
%endif
# New Version-String scheme-style defines
%global featurever 25
%global featurever 22
%global fakefeaturever 25
%global interimver 0
%global updatever 2
%global patchver 0
@ -351,6 +345,21 @@
%global lts_designator ""
%global lts_designator_zip ""
%endif
# JDK to use for bootstrapping
%global bootjdkpkg java-%{fakefeaturever}-openjdk
%ifarch %{fastdebug_arches}
%global bootdebugpkg fastdebug
%endif
%global bootjdkzip %{_jvmdir}/%{bootjdkpkg}-*.portable%{?bootdebugpkg:.%{bootdebugpkg}}.jdk.%{_arch}.tar.xz
%global bootjdk %{_builddir}/%{bootjdkpkg}.boot
# Define whether to use the bootstrap JDK directly or with a fresh libjvm.so
# This will only work where the bootstrap JDK is the same major version
# as the JDK being built
%if %{with fresh_libjvm} && %{buildjdkver} == %{featurever}
%global build_hotspot_first 1
%else
%global build_hotspot_first 0
%endif
# Define vendor information used by OpenJDK
%global oj_vendor Red Hat, Inc.
@ -376,10 +385,11 @@
# Define IcedTea version used for SystemTap tapsets and desktop file
%global icedteaver 6.0.0pre00-c848b93a8598
# Define current Git revision for the FIPS support patches
%global fipsver e55ada9353e
%global fipsver 9203d50836c
# Define JDK versions
%global newjavaver %{featurever}.%{interimver}.%{updatever}.%{patchver}
%global javaver %{featurever}
# Force 25 until we are actually ready to build that JDK version
%global javaver %{fakefeaturever}
# Strip up to 6 trailing zeros in newjavaver, as the JDK does, to get the correct version used in filenames
%global filever %(svn=%{newjavaver}; for i in 1 2 3 4 5 6 ; do svn=${svn%%.0} ; done; echo ${svn})
# The tag used to create the OpenJDK tarball
@ -390,8 +400,8 @@
%global origin_nice OpenJDK
%global top_level_dir_name %{vcstag}
%global top_level_dir_name_backup %{top_level_dir_name}-backup
%global buildver 10
%global rpmrelease 3
%global buildver 9
%global rpmrelease 2
#%%global tagsuffix %%{nil}
# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
%if %is_system_jdk
@ -426,16 +436,16 @@
%endif
# parametrized macros are order-sensitive
%global compatiblename java-%{featurever}-%{origin}
%global compatiblename java-%{fakefeaturever}-%{origin}
%global fullversion %{compatiblename}-%{version}-%{release}
# images directories from upstream build
%global jdkimage jdk
%global static_libs_image static-libs-graal
%global static_libs_image static-libs
# output dir stub
%define buildoutputdir() %{expand:build/jdk%{featurever}.build%{?1}}
%define installoutputdir() %{expand:install/jdk%{featurever}.install%{?1}}
%define buildoutputdir() %{expand:build/jdk%{fakefeaturever}.build%{?1}}
%define installoutputdir() %{expand:install/jdk%{fakefeaturever}.install%{?1}}
%global altjavaoutputdir install/altjava.install
%define packageoutputdir() %{expand:packages/jdk%{featurever}.packages%{?1}}
%define packageoutputdir() %{expand:packages/jdk%{fakefeaturever}.packages%{?1}}
# we can copy the javadoc to not arched dir, or make it not noarch
%define uniquejavadocdir() %{expand:%{fullversion}.%{_arch}%{?1}}
# main id and dir of this jdk
@ -458,22 +468,6 @@
%define miscportablename() %(echo %{uniquesuffix ""} | sed "s;el%{rhel}\\(_[0-9]\\)*;portable.misc;g")
%define miscportablearchive() %{miscportablename}.tar.xz
# JDK to use for bootstrapping
%global bootjdkpkg java-%{featurever}-%{origin}
%ifarch %{fastdebug_arches}
%global bootdebugpkg fastdebug
%endif
%global bootjdkzip %{_jvmdir}/%{bootjdkpkg}-*.portable%{?bootdebugpkg:.%{bootdebugpkg}}.jdk.%{_arch}.tar.xz
%global bootjdk %{_builddir}/%{uniquesuffix -- ""}/%{bootjdkpkg}.boot
# Define whether to use the bootstrap JDK directly or with a fresh libjvm.so
# This will only work where the bootstrap JDK is the same major version
# as the JDK being built
%if %{with fresh_libjvm} && %{buildjdkver} == %{featurever}
%global build_hotspot_first 1
%else
%global build_hotspot_first 0
%endif
#################################################################
# fix for https://bugzilla.redhat.com/show_bug.cgi?id=1111349
# https://bugzilla.redhat.com/show_bug.cgi?id=1590796#c14
@ -603,7 +597,7 @@ Source0: https://openjdk-sources.osci.io/openjdk%{featurever}/open%{vcstag}%{ea_
# Use 'icedtea_sync.sh' to update the following
# They are based on code contained in the IcedTea project (6.x).
# Systemtap tapsets. Zipped up to keep it small.
Source8: tapsets-icedtea-%{icedteaver}.tar.xz
Source8: tapsets-icedtea-%%{icedteaver}.tar.xz
# Desktop files. Adapted from IcedTea
# Disabled in portables
@ -640,13 +634,41 @@ Source18: TestTranslations.java
############################################
# Crypto policy and FIPS support patches
# Patch is generated from the fips-25u tree at https://github.com/rh-openjdk/jdk/tree/fips-25u
# as follows: git diff %%{vcstag} src make test > fips-25u-$(git show -s --format=%h HEAD).patch
# as follows: git diff %%{vcstag} src make test > fips-21u-$(git show -s --format=%h HEAD).patch
# Diff is limited to src and make subdirectories to exclude .github changes
# Fixes currently included:
# OPENJDK-2108: Internal __redhat_fips__ property
# OPENJDK-2123: Algorithms lockdown
# OPENJDK-4559: Red Hat Build of OpenJDK 25 should not restrict all the providers in FIPS
Patch1001: fips-%{featurever}u-%{fipsver}.patch
# PR3183, RH1340845: Follow system wide crypto policy
# PR3695: Allow use of system crypto policy to be disabled by the user
# RH1655466: Support RHEL FIPS mode using SunPKCS11 provider
# RH1818909: No ciphersuites availale for SSLSocket in FIPS mode
# RH1860986: Disable TLSv1.3 with the NSS-FIPS provider until PKCS#11 v3.0 support is available
# RH1915071: Always initialise JavaSecuritySystemConfiguratorAccess
# RH1929465: Improve system FIPS detection
# RH1995150: Disable non-FIPS crypto in SUN and SunEC security providers
# RH1996182: Login to the NSS software token in FIPS mode
# RH1991003: Allow plain key import unless com.redhat.fips.plainKeySupport is set to false
# RH2021263: Resolve outstanding FIPS issues
# RH2052819: Fix FIPS reliance on crypto policies
# RH2052829: Detect NSS at Runtime for FIPS detection
# RH2052070: Enable AlgorithmParameters and AlgorithmParameterGenerator services in FIPS mode
# RH2023467: Enable FIPS keys export
# RH2094027: SunEC runtime permission for FIPS
# RH2036462: sun.security.pkcs11.wrapper.PKCS11.getInstance breakage
# RH2090378: Revert to disabling system security properties and FIPS mode support together
# RH2104724: Avoid import/export of DH private keys
# RH2092507: P11Key.getEncoded does not work for DH keys in FIPS mode
# Build the systemconf library on all platforms
# RH2048582: Support PKCS#12 keystores [now part of JDK-8301553 upstream]
# RH2020290: Support TLS 1.3 in FIPS mode
# Add nss.fips.cfg support to OpenJDK tree
# RH2117972: Extend the support for NSS DBs (PKCS11) in FIPS mode
# Remove forgotten dead code from RH2020290 and RH2104724
# OJ1357: Fix issue on FIPS with a SecurityManager in place
# RH2134669: Add missing attributes when registering services in FIPS mode.
# test/jdk/sun/security/pkcs11/fips/VerifyMissingAttributes.java: fixed jtreg main class
# RH1940064: Enable XML Signature provider in FIPS mode
# RH2173781: Avoid calling C_GetInfo() too early, before cryptoki is initialized [now part of JDK-8301553 upstream]
# Disabled until 25: Patch1001: fips-%{featurever}u-%{fipsver}.patch
#############################################
#
@ -661,18 +683,8 @@ Patch1001: fips-%{featurever}u-%{fipsver}.patch
# OpenJDK patches which missed last update
#
#############################################
# JDK-8372534: Update Libpng to 1.6.51
# Integrated in 25.0.3
Patch2001: jdk8372534-libpng-1.6.51.patch
# JDK-8375063: Update Libpng to 1.6.54
# Integrated in 25.0.3
Patch2002: jdk8375063-libpng-1.6.54.patch
# JDK-8375057: Update HarfBuzz to 12.3.2
# Integrated in 25.0.3
Patch2003: jdk8375057-harfbuzz-12.3.2.patch
# JDK-8377526: Update Libpng to 1.6.55
# Integrated in 25.0.3
Patch2004: jdk8377526-libpng-1.6.55.patch
# Currently empty
#############################################
#
@ -726,14 +738,13 @@ BuildRequires: zip
BuildRequires: tar
BuildRequires: unzip
BuildRequires: javapackages-filesystem
BuildRequires: %{bootjdkpkg}-portable-devel%{?bootdebugpkg:-%{bootdebugpkg}} >= %{buildjdkver}
# Zero-assembler build requirement
%ifarch %{zero_arches}
BuildRequires: libffi-devel
%endif
# Full documentation build requirements
# pandoc is only available on RHEL/CentOS 8
%if %{pandoc_available}
%if 0%{?rhel} == 8
BuildRequires: graphviz
BuildRequires: pandoc
%endif
@ -759,13 +770,13 @@ Provides: bundled(freetype) = 2.13.3
# Version in src/java.desktop/share/native/libsplashscreen/giflib/gif_lib.h
Provides: bundled(giflib) = 5.2.2
# Version in src/java.desktop/share/native/libharfbuzz/hb-version.h
Provides: bundled(harfbuzz) = 12.3.2
Provides: bundled(harfbuzz) = 10.4.0
# Version in src/java.desktop/share/native/liblcms/lcms2.h
Provides: bundled(lcms2) = 2.17.0
# Version in src/java.desktop/share/native/libjavajpeg/jpeglib.h
Provides: bundled(libjpeg) = 6b
# Version in src/java.desktop/share/native/libsplashscreen/libpng/png.h
Provides: bundled(libpng) = 1.6.55
Provides: bundled(libpng) = 1.6.47
# Version in src/java.base/share/native/libzip/zlib/zlib.h
Provides: bundled(zlib) = 1.3.1
# We link statically against libstdc++ to increase portability
@ -985,20 +996,10 @@ sh %{SOURCE12} %{top_level_dir_name}
# rpmbuild.
pushd %{top_level_dir_name}
# Add crypto policy and FIPS support
%patch -P1001 -p1
# Add libpng & harfbuzz updates ahead of 25.0.3
%patch -P2001 -p1
%patch -P2002 -p1
%patch -P2003 -p1
%patch -P2004 -p1
# Disabled until 25
#%patch -P1001 -p1
popd # openjdk
echo "Generating %{alt_java_name} man page"
altjavamanpage=%{top_level_dir_name}/src/java.base/share/man/%{alt_java_name}.md
altjavatext="Hardened java binary recommended for launching untrusted code from the Web e.g. javaws"
sed -r -e 's|([^/.])java([^./])|\1alt-java\2|g' %{top_level_dir_name}/src/java.base/share/man/java.md | \
sed -e 's|JAVA(|ALT-JAVA(|' | \
sed -e "s|java - launch a Java application|alt-java - ${altjavatext}|" >> ${altjavamanpage}
# The OpenJDK version file includes the current
# upstream version information. For some reason,
@ -1064,7 +1065,7 @@ pushd %{_jvmdir}
sha256sum --check %{bootjdkzip}.sha256sum
popd
tar -xJf %{bootjdkzip}
mv java-%{featurever}-openjdk-%{buildjdkver}* %{bootjdk}
mv java-%{fakefeaturever}-openjdk-%{featurever}* %{bootjdk}
# Print release information
echo "Installed boot JDK:"
cat %{bootjdk}/release
@ -1359,7 +1360,6 @@ function installjdk() {
# legacy-jre-image target does not install any man pages for the JRE
# We copy the jdk man directory and then remove pages for binaries that
# don't exist in the JRE
%if %{pandoc_available}
cp -a ${jdkimagepath}/man ${jreimagepath}
for manpage in $(find ${jreimagepath}/man -name '*.1'); do
filename=$(basename ${manpage});
@ -1369,7 +1369,6 @@ function installjdk() {
rm -f ${manpage};
fi;
done
%endif
for imagepath in ${jdkimagepath} ${jreimagepath} ${unstripped}; do
@ -1520,7 +1519,7 @@ function packagejdk() {
%if %{with_systemtap}
cp -a ${tapsetdir}* ${miscname}
%endif
cp -av ${altjavadir}/%{alt_java_name} ${miscname}
cp -av ${altjavadir}/%{alt_java_name}{,.1} ${miscname}
createtar ${miscname} ${miscarchive}
genchecksum ${miscarchive}
fi
@ -1561,6 +1560,10 @@ function packagejdk() {
echo "Building %{SOURCE11}"
mkdir -p %{altjavaoutputdir}
LD_LIBRARY_PATH="${LIBPATH}" ${GCC} ${EXTRA_CFLAGS} -o %{altjavaoutputdir}/%{alt_java_name} %{SOURCE11}
echo "Generating %{alt_java_name} man page"
altjavamanpage=%{altjavaoutputdir}/%{alt_java_name}.1
echo "Hardened java binary recommended for launching untrusted code from the Web e.g. javaws" > ${altjavamanpage}
cat %{top_level_dir_name}/src/java.base/share/man/java.1 >> ${altjavamanpage}
echo "Building %{newjavaver}-%{buildver}, pre=%{ea_designator}, opt=%{lts_designator}"
@ -1710,23 +1713,18 @@ $JAVA_HOME/bin/java -XX:+UnlockExperimentalVMOptions -XX:+UseShenandoahGC -versi
$JAVA_HOME/bin/java -Djava.locale.providers=CLDR $(echo $(basename %{SOURCE18})|sed "s|\.java||") CLDR
%endif
# Check blocked.certs is valid (OPENJDK-4362)
jtreg_test=$(pwd)/%{top_level_dir_name}/test/jdk/sun/security/lib/CheckBlockedCerts.java
jtreg_dir=$(dirname ${jtreg_test})
$JAVA_HOME/bin/java --add-exports java.base/sun.security.util=ALL-UNNAMED -Dtest.src=${jtreg_dir} ${jtreg_test}
# Check src.zip has all sources. See RHBZ#1130490
unzip -l $JAVA_HOME/lib/src.zip | grep 'sun.misc.Unsafe'
# Check class files include useful debugging information
$JAVA_HOME/bin/javap -c -l java.lang.Object | grep "Compiled from"
$JAVA_HOME/bin/javap -c -l java.lang.Object | grep LineNumberTable
$JAVA_HOME/bin/javap -c -l java.lang.Object | grep LocalVariableTable
$JAVA_HOME/bin/javap -l java.lang.Object | grep "Compiled from"
$JAVA_HOME/bin/javap -l java.lang.Object | grep LineNumberTable
$JAVA_HOME/bin/javap -l java.lang.Object | grep LocalVariableTable
# Check generated class files include useful debugging information
$JAVA_HOME/bin/javap -c -l java.nio.ByteBuffer | grep "Compiled from"
$JAVA_HOME/bin/javap -c -l java.nio.ByteBuffer | grep LineNumberTable
$JAVA_HOME/bin/javap -c -l java.nio.ByteBuffer | grep LocalVariableTable
$JAVA_HOME/bin/javap -l java.nio.ByteBuffer | grep "Compiled from"
$JAVA_HOME/bin/javap -l java.nio.ByteBuffer | grep LineNumberTable
$JAVA_HOME/bin/javap -l java.nio.ByteBuffer | grep LocalVariableTable
%else
@ -1958,77 +1956,6 @@ done
%endif
%changelog
* Tue Mar 03 2026 Andrew Hughes <gnu.andrew@redhat.com> - 1:25.0.2.0.10-3
- Update FIPS patch to e55ada9353e to include the fix for the too restrictive provider lockdown
- Fix FIPS issue list to represent the new 25u version
- Add JDK-8375063 libpng 1.6.54 ahead of 25.0.3
- Add JDK-8375057 harfbuzz 12.3.2 ahead of 25.0.3
- Add JDK-8377526 libpng 1.6.55 ahead of 25.0.3
- Bump libpng version to 1.6.55 following JDK-8375063 & JDK-8377526
- Bump harfbuzz version to 12.3.2 following JDK-8375057
- Resolves: OPENJDK-4570
- Resolves: OPENJDK-4304
- Resolves: OPENJDK-4524
- Resolves: OPENJDK-4544
- Resolves: OPENJDK-4553
* Mon Jan 12 2026 Andrew Hughes <gnu.andrew@redhat.com> - 1:25.0.2.0.10-2
- Add JDK-8372534 libpng 1.6.51 ahead of 25.0.3
- Bump libpng version to 1.6.51 following JDK-8372534
- Add CVEs for 25.0.2 to NEWS
- Correct version and date for this upcoming release in NEWS
- Related: OPENJDK-4359
* Mon Jan 12 2026 Andrew Hughes <gnu.andrew@redhat.com> - 1:25.0.2.0.10-1
- Update to jdk-25.0.2+10 (GA)
- Update release notes to 25.0.2+10
- Add test to ensure blocked.certs is valid (OPENJDK-4362)
- ** This tarball is embargoed until 2026-01-20 @ 1pm PT. **
- Resolves: OPENJDK-4359
- Resolves: OPENJDK-4362
* Tue Dec 02 2025 Severin Gehwolf <sgehwolf@redhat.com> - 1:25.0.1.0.8-2
- Switch from static-libs-image to static-libs-graal-image to avoid large unneeded libjvm.a
- Resolves: OPENJDK-4197
* Tue Dec 02 2025 Andrew Hughes <gnu.andrew@redhat.com> - 1:25.0.1.0.8-2
- Incorporate new FIPS patch for 25u
- Resolves: OPENJDK-4184
* Mon Nov 10 2025 Andrew Hughes <gnu.andrew@redhat.com> - 1:25.0.1.0.8-1
- Update to jdk-25.0.1+8 (GA)
- Update release notes to 25.0.1+8
- Related: RHELBU-3203
* Mon Nov 10 2025 Andrew Hughes <gnu.andrew@redhat.com> - 1:25.0.0.0.36-2
- Drop fakefeaturever and rebuild with ourselves now we have reached OpenJDK 25
- Related: RHELBU-3203
* Sun Nov 09 2025 Andrew Hughes <gnu.andrew@redhat.com> - 1:25.0.0.0.36-1
- Update to jdk-25.0.0+36 (GA)
- Update release notes with features of JDK 25
- Mention finalisation JEP for features finalised in JDK 22, 23 & 24
- Resolves: RHELBU-3203
* Wed Nov 05 2025 Andrew Hughes <gnu.andrew@redhat.com> - 1:24.0.2.0.12-1
- Update to jdk-24.0.2+12 (GA)
- Update release notes with features of JDK 24
- Generate alt-java.md during prep following removal of pre-generated man pages in JDK-8344056
- Introduce pandoc_available global for conditional handling of both pandoc dependency and manpages
- Adjust TestTranslations.java with updated German translations from CLDR 46 (JDK-8333582) (Mountain->Mountains)
- Run javap with the disassembled code (-c) option now required for -l by JDK-8345145
- Related: RHELBU-3203
* Sat Oct 25 2025 Andrew Hughes <gnu.andrew@redhat.com> - 1:23.0.2.0.7-1
- Update to jdk-23.0.2+7 (GA)
- Update release notes with features of JDK 23
- Switch buildjdkver to featurever + 1
- Use buildjdkver in the path to the extracted bootstrap JDK
- Move bootstrap declarations later so they can use variables like uniquesuffix
- Fix bootjdk so it uses our build subdirectory created in setup (_builddir only gives the top-level BUILD)
- Fix double '%' in specification of IcedTea sources
- Related: RHELBU-3203
* Mon Sep 22 2025 Andrew Hughes <gnu.andrew@redhat.com> - 1:22.0.2.0.9-2
- Build using ourselves rather than the system JDK as java-25-openjdk is unavailable on older systems
- Switch buildjdkver back to featurever temporarily for this rebuild


1
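--- a/java-25-openjdk.spec
+++ b/java-25-openjdk.spec
@@ -0,0 +1 @@
+java-25-openjdk-portable.specfile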





@ -1,248 +0,0 @@
commit b64f9e043d63b113682ea395e5bd8df2a26327ef
Author: Sergey Bylokhov <serb@openjdk.org>
AuthorDate: Mon Mar 2 18:56:22 2026 +0000
Commit: Sergey Bylokhov <serb@openjdk.org>
CommitDate: Mon Mar 2 18:56:22 2026 +0000
8377526: Update Libpng to 1.6.55
Backport-of: fd74232d5dc4c6bfbcddb82e1b2621289aa2f65a
diff --git a/src/java.desktop/share/legal/libpng.md b/src/java.desktop/share/legal/libpng.md
index 80d12248ec4..a2ffcca1974 100644
--- a/src/java.desktop/share/legal/libpng.md
+++ b/src/java.desktop/share/legal/libpng.md
@@ -1,4 +1,4 @@
-## libpng v1.6.54
+## libpng v1.6.55
### libpng License
<pre>
@@ -170,6 +170,7 @@ ### AUTHORS File Information
* Guy Eric Schalnat
* James Yu
* John Bowler
+ * Joshua Inscoe
* Kevin Bracey
* Lucas Chollet
* Magnus Holmgren
diff --git a/src/java.desktop/share/native/libsplashscreen/libpng/CHANGES b/src/java.desktop/share/native/libsplashscreen/libpng/CHANGES
index 3bb1baecd23..af9fcff6eb3 100644
--- a/src/java.desktop/share/native/libsplashscreen/libpng/CHANGES
+++ b/src/java.desktop/share/native/libsplashscreen/libpng/CHANGES
@@ -5988,7 +5988,7 @@ Version 1.6.32rc01 [August 18, 2017]
Version 1.6.32rc02 [August 22, 2017]
Added contrib/oss-fuzz directory which contains files used by the oss-fuzz
- project (https://github.com/google/oss-fuzz/tree/master/projects/libpng).
+ project <https://github.com/google/oss-fuzz/tree/master/projects/libpng>.
Version 1.6.32 [August 24, 2017]
No changes.
@@ -6323,15 +6323,21 @@ Version 1.6.53 [December 5, 2025]
Version 1.6.54 [January 12, 2026]
Fixed CVE-2026-22695 (medium severity):
- Heap buffer over-read in `png_image_read_direct_scaled.
+ Heap buffer over-read in `png_image_read_direct_scaled`.
(Reported and fixed by Petr Simecek.)
Fixed CVE-2026-22801 (medium severity):
Integer truncation causing heap buffer over-read in `png_image_write_*`.
Implemented various improvements in oss-fuzz.
(Contributed by Philippe Antoine.)
+Version 1.6.55 [February 9, 2026]
+ Fixed CVE-2026-25646 (high severity):
+ Heap buffer overflow in `png_set_quantize`.
+ (Reported and fixed by Joshua Inscoe.)
+ Resolved an oss-fuzz build issue involving nalloc.
+ (Contributed by Philippe Antoine.)
Send comments/corrections/commendations to png-mng-implement at lists.sf.net.
Subscription is required; visit
-https://lists.sourceforge.net/lists/listinfo/png-mng-implement
+<https://lists.sourceforge.net/lists/listinfo/png-mng-implement>
to subscribe.
diff --git a/src/java.desktop/share/native/libsplashscreen/libpng/README b/src/java.desktop/share/native/libsplashscreen/libpng/README
index 63d1376edf7..6e0d1e33137 100644
--- a/src/java.desktop/share/native/libsplashscreen/libpng/README
+++ b/src/java.desktop/share/native/libsplashscreen/libpng/README
@@ -1,4 +1,4 @@
-README for libpng version 1.6.54
+README for libpng version 1.6.55
================================
See the note about version numbers near the top of `png.h`.
@@ -24,14 +24,14 @@ for more things than just PNG files. You can use zlib as a drop-in
replacement for `fread()` and `fwrite()`, if you are so inclined.
zlib should be available at the same place that libpng is, or at
-https://zlib.net .
+<https://zlib.net>.
You may also want a copy of the PNG specification. It is available
as an RFC, a W3C Recommendation, and an ISO/IEC Standard. You can find
-these at http://www.libpng.org/pub/png/pngdocs.html .
+these at <http://www.libpng.org/pub/png/pngdocs.html>.
-This code is currently being archived at https://libpng.sourceforge.io
-in the download area, and at http://libpng.download/src .
+This code is currently being archived at <https://libpng.sourceforge.io>
+in the download area, and at <http://libpng.download/src>.
This release, based in a large way on Glenn's, Guy's and Andreas'
earlier work, was created and will be supported by myself and the PNG
@@ -39,12 +39,12 @@ development group.
Send comments, corrections and commendations to `png-mng-implement`
at `lists.sourceforge.net`. (Subscription is required; visit
-https://lists.sourceforge.net/lists/listinfo/png-mng-implement
+<https://lists.sourceforge.net/lists/listinfo/png-mng-implement>
to subscribe.)
Send general questions about the PNG specification to `png-mng-misc`
at `lists.sourceforge.net`. (Subscription is required; visit
-https://lists.sourceforge.net/lists/listinfo/png-mng-misc
+<https://lists.sourceforge.net/lists/listinfo/png-mng-misc>
to subscribe.)
Historical notes
diff --git a/src/java.desktop/share/native/libsplashscreen/libpng/png.c b/src/java.desktop/share/native/libsplashscreen/libpng/png.c
index 5636b4a754e..955fda8dd7e 100644
--- a/src/java.desktop/share/native/libsplashscreen/libpng/png.c
+++ b/src/java.desktop/share/native/libsplashscreen/libpng/png.c
@@ -42,7 +42,7 @@
#include "pngpriv.h"
/* Generate a compiler error if there is an old png.h in the search path. */
-typedef png_libpng_version_1_6_54 Your_png_h_is_not_version_1_6_54;
+typedef png_libpng_version_1_6_55 Your_png_h_is_not_version_1_6_55;
/* Sanity check the chunks definitions - PNG_KNOWN_CHUNKS from pngpriv.h and the
* corresponding macro definitions. This causes a compile time failure if
@@ -849,7 +849,7 @@ png_get_copyright(png_const_structrp png_ptr)
return PNG_STRING_COPYRIGHT
#else
return PNG_STRING_NEWLINE \
- "libpng version 1.6.54" PNG_STRING_NEWLINE \
+ "libpng version 1.6.55" PNG_STRING_NEWLINE \
"Copyright (c) 2018-2026 Cosmin Truta" PNG_STRING_NEWLINE \
"Copyright (c) 1998-2002,2004,2006-2018 Glenn Randers-Pehrson" \
PNG_STRING_NEWLINE \
diff --git a/src/java.desktop/share/native/libsplashscreen/libpng/png.h b/src/java.desktop/share/native/libsplashscreen/libpng/png.h
index ab8876a9626..e95c0444399 100644
--- a/src/java.desktop/share/native/libsplashscreen/libpng/png.h
+++ b/src/java.desktop/share/native/libsplashscreen/libpng/png.h
@@ -29,7 +29,7 @@
* However, the following notice accompanied the original version of this
* file and, per its terms, should not be removed:
*
- * libpng version 1.6.54
+ * libpng version 1.6.55
*
* Copyright (c) 2018-2026 Cosmin Truta
* Copyright (c) 1998-2002,2004,2006-2018 Glenn Randers-Pehrson
@@ -43,7 +43,7 @@
* libpng versions 0.89, June 1996, through 0.96, May 1997: Andreas Dilger
* libpng versions 0.97, January 1998, through 1.6.35, July 2018:
* Glenn Randers-Pehrson
- * libpng versions 1.6.36, December 2018, through 1.6.54, January 2026:
+ * libpng versions 1.6.36, December 2018, through 1.6.55, February 2026:
* Cosmin Truta
* See also "Contributing Authors", below.
*/
@@ -267,7 +267,7 @@
* ...
* 1.5.30 15 10530 15.so.15.30[.0]
* ...
- * 1.6.54 16 10654 16.so.16.54[.0]
+ * 1.6.55 16 10655 16.so.16.55[.0]
*
* Henceforth the source version will match the shared-library major and
* minor numbers; the shared-library major version number will be used for
@@ -303,7 +303,7 @@
*/
/* Version information for png.h - this should match the version in png.c */
-#define PNG_LIBPNG_VER_STRING "1.6.54"
+#define PNG_LIBPNG_VER_STRING "1.6.55"
#define PNG_HEADER_VERSION_STRING " libpng version " PNG_LIBPNG_VER_STRING "\n"
/* The versions of shared library builds should stay in sync, going forward */
@@ -314,7 +314,7 @@
/* These should match the first 3 components of PNG_LIBPNG_VER_STRING: */
#define PNG_LIBPNG_VER_MAJOR 1
#define PNG_LIBPNG_VER_MINOR 6
-#define PNG_LIBPNG_VER_RELEASE 54
+#define PNG_LIBPNG_VER_RELEASE 55
/* This should be zero for a public release, or non-zero for a
* development version.
@@ -345,7 +345,7 @@
* From version 1.0.1 it is:
* XXYYZZ, where XX=major, YY=minor, ZZ=release
*/
-#define PNG_LIBPNG_VER 10654 /* 1.6.54 */
+#define PNG_LIBPNG_VER 10655 /* 1.6.55 */
/* Library configuration: these options cannot be changed after
* the library has been built.
@@ -455,7 +455,7 @@ extern "C" {
/* This triggers a compiler error in png.c, if png.c and png.h
* do not agree upon the version number.
*/
-typedef char *png_libpng_version_1_6_54;
+typedef char *png_libpng_version_1_6_55;
/* Basic control structions. Read libpng-manual.txt or libpng.3 for more info.
*
diff --git a/src/java.desktop/share/native/libsplashscreen/libpng/pngconf.h b/src/java.desktop/share/native/libsplashscreen/libpng/pngconf.h
index 959c604edbc..b957f8b5061 100644
--- a/src/java.desktop/share/native/libsplashscreen/libpng/pngconf.h
+++ b/src/java.desktop/share/native/libsplashscreen/libpng/pngconf.h
@@ -29,7 +29,7 @@
* However, the following notice accompanied the original version of this
* file and, per its terms, should not be removed:
*
- * libpng version 1.6.54
+ * libpng version 1.6.55
*
* Copyright (c) 2018-2026 Cosmin Truta
* Copyright (c) 1998-2002,2004,2006-2016,2018 Glenn Randers-Pehrson
diff --git a/src/java.desktop/share/native/libsplashscreen/libpng/pnglibconf.h b/src/java.desktop/share/native/libsplashscreen/libpng/pnglibconf.h
index b413b510acf..ae1ab462072 100644
--- a/src/java.desktop/share/native/libsplashscreen/libpng/pnglibconf.h
+++ b/src/java.desktop/share/native/libsplashscreen/libpng/pnglibconf.h
@@ -31,7 +31,7 @@
* However, the following notice accompanied the original version of this
* file and, per its terms, should not be removed:
*/
-/* libpng version 1.6.54 */
+/* libpng version 1.6.55 */
/* Copyright (c) 2018-2026 Cosmin Truta */
/* Copyright (c) 1998-2002,2004,2006-2018 Glenn Randers-Pehrson */
diff --git a/src/java.desktop/share/native/libsplashscreen/libpng/pngrtran.c b/src/java.desktop/share/native/libsplashscreen/libpng/pngrtran.c
index 7680fe64828..fcce80da1cb 100644
--- a/src/java.desktop/share/native/libsplashscreen/libpng/pngrtran.c
+++ b/src/java.desktop/share/native/libsplashscreen/libpng/pngrtran.c
@@ -29,7 +29,7 @@
* However, the following notice accompanied the original version of this
* file and, per its terms, should not be removed:
*
- * Copyright (c) 2018-2025 Cosmin Truta
+ * Copyright (c) 2018-2026 Cosmin Truta
* Copyright (c) 1998-2002,2004,2006-2018 Glenn Randers-Pehrson
* Copyright (c) 1996-1997 Andreas Dilger
* Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc.
@@ -737,8 +737,8 @@ png_set_quantize(png_structrp png_ptr, png_colorp palette,
break;
t->next = hash[d];
- t->left = (png_byte)i;
- t->right = (png_byte)j;
+ t->left = png_ptr->palette_to_index[i];
+ t->right = png_ptr->palette_to_index[j];
hash[d] = t;
}
}


@ -1,4 +1,3 @@
---
inspections:
javabytecode: off
abidiff: off


@ -1,6 +1,6 @@
#!/bin/sh
# Copyright (C) 2026 Red Hat, Inc.
# Copyright (C) 2024 Red Hat, Inc.
# Written by:
# Andrew John Hughes <gnu.andrew@redhat.com>
#
@ -17,30 +17,12 @@
# You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# Waive the usual tier0 gating issue
# Should be resolved by OPENJDK-4517
# Builds the portable on RHEL 7
RHEL_VER=${1}
NVR=${2}
WORKING_DIR=$(dirname "${0}")
if test "x${RHEL_VER}" = "x"; then
echo "No RHEL version specified.";
echo "${0} <RHEL_VER> <NVR>";
exit 1;
fi
if test "x${NVR}" = "x"; then
echo "No NVR specified.";
echo "${0} <RHEL_VER> <NVR>";
exit 2;
fi
"${WORKING_DIR}"/waive_issue.sh "${RHEL_VER}" "${NVR}" osci.brew-build.tier0.functional "Test unable to parse spec file"
rhpkg -v build --target=java-openjdk-rhel-7-build --skip-nvr-check
# Local Variables:
# compile-command: "shellcheck waive_usual_tier0.sh"
# compile-command: "shellcheck build_rhel_7_portable_build.sh"
# fill-column: 80
# indent-tabs-mode: nil
# sh-basic-offset: 4
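Review bot: The `rhpkg -v build --target=java-openjdk-rhel-7-build --skip-nvr-check` line bypasses the NVR check without saying why. This assumes the line is on the new side, as the `build_rhel_7_portable_build.sh` compile-command suggests; the +/- markers are lost in this rendering. `--skip-nvr-check` turns off the client-side check that this NVR has not already been built, so a one-line comment above the command would tell the next maintainer whether the bypass is still needed, e.g. `# --skip-nvr-check: <why the NVR check must be bypassed for the portable build>`.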


@ -1,6 +1,6 @@
#!/bin/sh
# Copyright (C) 2026 Red Hat, Inc.
# Copyright (C) 2024 Red Hat, Inc.
# Written by:
# Andrew John Hughes <gnu.andrew@redhat.com>
#
@ -17,29 +17,26 @@
# You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# Waive the leapp gating test which never seems to work
# Builds the RPM on RHEL 8
RHEL_VER=${1}
NVR=${2}
NVR=${1}
USER=${2}
WORKING_DIR=$(dirname "${0}")
if test "x${RHEL_VER}" = "x"; then
echo "No RHEL version specified.";
echo "${0} <RHEL_VER> <NVR>";
if test "${NVR}" = ""; then
echo "${0} <NVR> <USER>";
exit 1;
fi
if test "x${NVR}" = "x"; then
echo "No NVR specified.";
echo "${0} <RHEL_VER> <NVR>";
if test "${USER}" = ""; then
echo "${0} <NVR> <USER>";
exit 2;
fi
"${WORKING_DIR}"/waive_issue.sh "${RHEL_VER}" "${NVR}" leapp.brew-build.upgrade.distro "AWOL"
METADATA="{\"osci\": {\"upstream_nvr\": \"${NVR}\", \"upstream_owner_name\": \"${USER}\"}, \"rhel-target\": \"latest\"}"
rhpkg -v build --target=java-openjdk-rhel-8-build --custom-user-metadata "${METADATA}"
# Local Variables:
# compile-command: "shellcheck waive_leapp_issue.sh"
# compile-command: "shellcheck build_rhel_8.sh"
# fill-column: 80
# indent-tabs-mode: nil
# sh-basic-offset: 4
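Review bot: `METADATA` is built by pasting `${NVR}` and `${USER}` straight into a JSON string, so a double quote or backslash in either argument produces malformed or altered metadata for `--custom-user-metadata`. This assumes the `METADATA=` and `rhpkg -v build --target=java-openjdk-rhel-8-build` lines are on the new side, as the `build_rhel_8.sh` compile-command suggests; the +/- markers are lost in this rendering. If jq is available on the build host, it keeps the values as data: `METADATA=$(jq -cn --arg nvr "${NVR}" --arg owner "${OWNER}" '{osci: {upstream_nvr: $nvr, upstream_owner_name: $owner}, "rhel-target": "latest"}')`. Separately, `USER=${2}` reuses the name of the login-name environment variable, which is normally exported, so the value rhpkg inherits changes too; `OWNER=${2}` avoids that.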


@ -1,77 +0,0 @@
#!/bin/sh
# Copyright (C) 2026 Red Hat, Inc.
# Written by:
# Andrew John Hughes <gnu.andrew@redhat.com>
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as
# published by the Free Software Foundation, either version 3 of the
# License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# Check the signatures (if any) in RHEL RPM buildinfo
# This is intended to be run from the tagging scripts
# Return codes:
# - 1 - Buildinfo file not specified
# - 2 = Missing buildinfo file
# - 3 = No signatures
# - 4 = Multiple signature types found
# - 5 = PQC signature found
# - 6 = Old signature (fd431d51) found
# - 7 = Unknown signature found
BUILDINFO=${1}
NEW_SIGNATURE="release4";
OLD_SIGNATURE="fd431d51";
if test "${BUILDINFO}" = ""; then
echo "${0} <BUILDINFO>";
exit 1;
fi
if ! test -e "${BUILDINFO}" ; then
echo "${BUILDINFO} not found.";
exit 2;
fi
if cat ${BUILDINFO} | grep -q Signatures ; then
signature=$(cat ${BUILDINFO} | grep Signatures|cut -d ' ' -f 2-|uniq -c);
uniq_count=$(echo ${signature} | wc -l);
if test ${uniq_count} -gt 1; then
echo "Multiple signature types found:";
echo "${signature}";
exit 4;
fi
sig_count=$(echo ${signature} | cut -d ' ' -f 1);
sig_type=$(echo ${signature} | cut -d ' ' -f 2);
echo "${sig_count} signatures of type ${sig_type} found";
if echo "${sig_type}" | grep -q "${NEW_SIGNATURE}" ; then
echo "PQC signature found.";
exit 5;
elif echo "${sig_type}" | grep -q "${OLD_SIGNATURE}"; then
echo "Old pre-PQC signature found.";
exit 6;
else
echo "Unknown signature found.";
exit 7;
fi
else
echo "Build has no signatures.";
exit 3;
fi
# Local Variables:
# compile-command: "shellcheck check_signatures.sh"
# fill-column: 80
# indent-tabs-mode: nil
# sh-basic-offset: 4
# End:


@ -1,63 +0,0 @@
#!/bin/bash
# Copyright (C) 2026 Red Hat, Inc.
# Written by:
# Andrew John Hughes <gnu.andrew@redhat.com>
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as
# published by the Free Software Foundation, either version 3 of the
# License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# Retrieve the results of a gating test using the ID from the JSON
# retrieved by query_build_gating.sh
RESULT_ID=${1}
if test "${RESULT_ID}" = ""; then
echo "No ID specified.";
echo "${0} <RESULT_ID>";
exit 1;
fi
CURL=$(command -v curl)
JSON_TOOL=$(command -v jq)
if test "${CURL}" = ""; then
echo "curl not found";
exit 2;
fi
if test "${JSON_TOOL}" = ""; then
echo "jq not found";
exit 3;
fi
URL="https://resultsdb-api.engineering.redhat.com/api/v2.0/results/${RESULT_ID}"
JSON_OUT=$(mktemp --tmpdir out.XXXXXX.json)
CMD=("${CURL}" --silent --show-error "${URL}")
echo "${CMD[@]}"
if command "${CMD[@]}" > "${JSON_OUT}" ; then
"${JSON_TOOL}" < "${JSON_OUT}"
else
echo "Failed to obtain JSON";
exit 4;
fi
# Local Variables:
# compile-command: "shellcheck get_gating_results.sh"
# fill-column: 80
# indent-tabs-mode: nil
# sh-basic-offset: 4
# End:


@ -1,94 +0,0 @@
#!/bin/bash
# Copyright (C) 2026 Red Hat, Inc.
# Written by:
# Andrew John Hughes <gnu.andrew@redhat.com>
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as
# published by the Free Software Foundation, either version 3 of the
# License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# Retrieve the status of a build's progress through gating
RHEL_VER=${1}
NVR=${2}
if test "${RHEL_VER}" = ""; then
echo "No RHEL version specified.";
echo "${0} <RHEL_VER> <NVR>";
exit 1;
fi
if test "${NVR}" = ""; then
echo "No NVR specified.";
echo "${0} <RHEL_VER> <NVR>";
exit 2;
fi
CURL=$(command -v curl)
JSON_TOOL=$(command -v jq)
JSON_FILE=$(mktemp --tmpdir query.XXXXXX.json)
JSON_OUT=$(mktemp --tmpdir out.XXXXXX.json)
URL="https://greenwave.engineering.redhat.com/api/v1.0/decision"
if test "${CURL}" = ""; then
echo "curl not found";
exit 3;
fi
if test "${JSON_TOOL}" = ""; then
echo "jq not found";
exit 4;
fi
{
echo "{";
printf "\t\"decision_context\":\"osci_compose_gate\",\n";
printf "\t\"product_version\":\"rhel-%d\",\n" "${RHEL_VER}";
printf "\t\"subject_type\":\"koji_build\",\n";
printf "\t\"subject_identifier\":\"%s\",\n" "${NVR}";
printf "\t\"verbose\":false\n";
echo "}";
} > "${JSON_FILE}"
echo "Sending the following JSON...";
cat "${JSON_FILE}"
CMD=("${CURL}" --silent --show-error -X POST)
JSON_COMMAND="--json";
# Check --json is available
${CURL} ${JSON_COMMAND} 2> /dev/null
if [ $? -eq 2 ] ; then
echo "--json unsupported; falling back on --data-ascii";
CMD=("${CMD[@]}" --header Content-Type:application/json --data-ascii);
else
CMD=("${CMD[@]}" "${JSON_COMMAND}");
fi
CMD=("${CMD[@]}" "@${JSON_FILE}" "${URL}")
echo "${CMD[@]}"
if command "${CMD[@]}" > "${JSON_OUT}" ; then
"${JSON_TOOL}" < "${JSON_OUT}"
else
echo "Failed to obtain JSON";
exit 5;
fi
# Local Variables:
# compile-command: "shellcheck query_build_gating.sh"
# fill-column: 80
# indent-tabs-mode: nil
# sh-basic-offset: 4
# End:


@ -1,87 +0,0 @@
#!/bin/sh
# Copyright (C) 2026 Red Hat, Inc.
# Written by:
# Andrew John Hughes <gnu.andrew@redhat.com>
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as
# published by the Free Software Foundation, either version 3 of the
# License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# Tag public RHEL RPMs into gating for all supported streams
# This is intended to be run from tag_rhel_<ver>_(public|embargoed).sh
BUILD="${1}"
BUILDLOG="${2}"
SUFFIX="${3}"
shift 3;
SUPPORTED_VERS="$*"
CMD_SYNTAX="${0} <BUILD> <BUILDLOG> <SUFFIX> <SUPPORTED_VERS>";
GATE_SUFFIX="gate"
if test "${BUILD}" = ""; then
echo "${CMD_SYNTAX}";
exit 1;
fi
if test "${BUILDLOG}" = ""; then
echo "${CMD_SYNTAX}";
exit 2;
fi
if test "${SUPPORTED_VERS}" = ""; then
echo "${CMD_SYNTAX}";
exit 3;
fi
buildtags=$(grep "^Tag" "${BUILDLOG}" | cut -d : -f 2-)
echo "Build has tags ${buildtags}";
if [ "${SUFFIX}" = "${GATE_SUFFIX}" ] ; then
echo "Gating system can only handle one tag at a time."
echo "Script will need to be re-run for subsequent tags once previous tag has moved to -candidate."
if echo "${buildtags}" | grep -q "${GATE_SUFFIX}"; then
echo "Tag with \"-${GATE_SUFFIX}\" found. Please complete gating before re-running.";
exit 1;
fi
fi
done=0;
for ver in ${SUPPORTED_VERS}; do
vertag="rhel-${ver}";
proposedtag="${vertag}-${SUFFIX}";
echo "Checking if ${BUILD} has been added to ${vertag}...";
if echo "${buildtags}" | grep -q "${vertag}" ; then
echo "${BUILD} has been tagged into ${proposedtag}";
else
if [ "${SUFFIX}" = "${GATE_SUFFIX}" ] && [ "${done}" -eq 1 ]; then
echo "Already added a tag. Need to tag ${proposedtag} in a future run.";
else
echo "Tagging ${BUILD} into ${proposedtag}";
brew tag-build --nowait "${proposedtag}" "${BUILD}";
done=1;
fi
fi
done
if [ "${done}" -eq 1 ]; then
brew watch-task --mine;
else
echo "Nothing to do.";
fi
# Local Variables:
# compile-command: "shellcheck tag_rhel.sh"
# fill-column: 80
# indent-tabs-mode: nil
# sh-basic-offset: 4
# End:


@ -1,67 +0,0 @@
#!/bin/sh
# Copyright (C) 2026 Red Hat, Inc.
# Written by:
# Andrew John Hughes <gnu.andrew@redhat.com>
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as
# published by the Free Software Foundation, either version 3 of the
# License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# Tag newer PQC embargoed RHEL 10 RPMs into supported z-streams
BUILD=${1}
if test "${BUILD}" = ""; then
echo "${0} <BUILD>";
exit 1;
fi
BUILDLOG=$(mktemp --tmpdir "temp-${BUILD}-buildinfo-XXX")
SUPPORTED_VERS="10.2-z 10.1-z"
WORKING_DIR=$(dirname "${0}")
EMBARGOED_SUFFIX="nocompose-candidate"
echo "Obtaining buildinfo for ${BUILD}...";
brew buildinfo "${BUILD}" 2>&1 | tee "${BUILDLOG}" > /dev/null
echo "Checking signatures for ${BUILD}...";
"${WORKING_DIR}"/check_signatures.sh "${BUILDLOG}"
# Return codes:
# - 1 - Buildinfo file not specified
# - 2 = Missing buildinfo file
# - 3 = No signatures
# - 4 = Multiple signature types found
# - 5 = PQC signature found
# - 6 = Old signature (fd431d51) found
# - 7 = Unknown signature found
ret=$?;
if [ "${ret}" -eq 6 ] ; then
echo "Build has old signatures which should not be the case for OpenJDK 25";
exit 2;
elif ! { [ "${ret}" -eq 6 ] || [ "${ret}" -eq 3 ] ; } ; then
echo "Signature check failed.";
exit 3;
fi
echo "Tagging embargoed build for ${SUPPORTED_VERS}...";
"${WORKING_DIR}"/tag_rhel.sh "${BUILD}" "${BUILDLOG}" "${EMBARGOED_SUFFIX}" "${SUPPORTED_VERS}"
rm -f "${BUILDLOG}"
# Local Variables:
# compile-command: "shellcheck tag_rhel_10_embargoed_pqc.sh"
# fill-column: 80
# indent-tabs-mode: nil
# sh-basic-offset: 4
# End:


@ -1,67 +0,0 @@
#!/bin/sh
# Copyright (C) 2026 Red Hat, Inc.
# Written by:
# Andrew John Hughes <gnu.andrew@redhat.com>
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as
# published by the Free Software Foundation, either version 3 of the
# License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# Tag newer PQC public RHEL 10 RPMs into gating for all supported streams
BUILD=${1}
if test "${BUILD}" = ""; then
echo "${0} <BUILD>";
exit 1;
fi
BUILDLOG=$(mktemp --tmpdir "temp-${BUILD}-buildinfo-XXX")
SUPPORTED_VERS="10.3 10.2-z 10.1-z"
WORKING_DIR=$(dirname "${0}")
GATE_SUFFIX="gate"
echo "Obtaining buildinfo for ${BUILD}...";
brew buildinfo "${BUILD}" 2>&1 | tee "${BUILDLOG}" > /dev/null
echo "Checking signatures for ${BUILD}...";
"${WORKING_DIR}"/check_signatures.sh "${BUILDLOG}"
# Return codes:
# - 1 - Buildinfo file not specified
# - 2 = Missing buildinfo file
# - 3 = No signatures
# - 4 = Multiple signature types found
# - 5 = PQC signature found
# - 6 = Old signature (fd431d51) found
# - 7 = Unknown signature found
ret=$?;
if [ "${ret}" -eq 6 ] ; then
echo "Build has old signatures which should not be the case for OpenJDK 25";
exit 2;
elif ! { [ "${ret}" -eq 5 ] || [ "${ret}" -eq 3 ] ; } ; then
echo "Signature check failed.";
exit 3;
fi
echo "Tagging build into gating for ${SUPPORTED_VERS}...";
"${WORKING_DIR}"/tag_rhel.sh "${BUILD}" "${BUILDLOG}" "${GATE_SUFFIX}" "${SUPPORTED_VERS}"
rm -f "${BUILDLOG}"
# Local Variables:
# compile-command: "shellcheck tag_rhel_10_public_pqc.sh"
# fill-column: 80
# indent-tabs-mode: nil
# sh-basic-offset: 4
# End:


@ -1,67 +0,0 @@
#!/bin/sh
# Copyright (C) 2026 Red Hat, Inc.
# Written by:
# Andrew John Hughes <gnu.andrew@redhat.com>
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as
# published by the Free Software Foundation, either version 3 of the
# License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# Tag newer PQC embargoed RHEL 9 RPMs into supported z-streams
BUILD=${1}
if test "${BUILD}" = ""; then
echo "${0} <BUILD>";
exit 1;
fi
BUILDLOG=$(mktemp --tmpdir "temp-${BUILD}-buildinfo-XXX")
SUPPORTED_VERS="9.8.0-z 9.7.0-z"
WORKING_DIR=$(dirname "${0}")
EMBARGOED_SUFFIX="nocompose-candidate"
echo "Obtaining buildinfo for ${BUILD}...";
brew buildinfo "${BUILD}" 2>&1 | tee "${BUILDLOG}" > /dev/null
echo "Checking signatures for ${BUILD}...";
"${WORKING_DIR}"/check_signatures.sh "${BUILDLOG}"
# Return codes:
# - 1 - Buildinfo file not specified
# - 2 = Missing buildinfo file
# - 3 = No signatures
# - 4 = Multiple signature types found
# - 5 = PQC signature found
# - 6 = Old signature (fd431d51) found
# - 7 = Unknown signature found
ret=$?;
if [ "${ret}" -eq 6 ] ; then
echo "Build has old signatures which should not be the case for OpenJDK 25";
exit 2;
elif ! { [ "${ret}" -eq 6 ] || [ "${ret}" -eq 3 ] ; } ; then
echo "Signature check failed.";
exit 3;
fi
echo "Tagging embargoed build for ${SUPPORTED_VERS}...";
"${WORKING_DIR}"/tag_rhel.sh "${BUILD}" "${BUILDLOG}" "${EMBARGOED_SUFFIX}" "${SUPPORTED_VERS}"
rm -f "${BUILDLOG}"
# Local Variables:
# compile-command: "shellcheck tag_rhel_9_embargoed_pqc.sh"
# fill-column: 80
# indent-tabs-mode: nil
# sh-basic-offset: 4
# End:


@ -1,67 +0,0 @@
#!/bin/sh
# Copyright (C) 2026 Red Hat, Inc.
# Written by:
# Andrew John Hughes <gnu.andrew@redhat.com>
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as
# published by the Free Software Foundation, either version 3 of the
# License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# Tag newer PQC public RHEL 9 RPMs into gating for all supported streams
BUILD=${1}
if test "${BUILD}" = ""; then
echo "${0} <BUILD>";
exit 1;
fi
BUILDLOG=$(mktemp --tmpdir "temp-${BUILD}-buildinfo-XXX")
SUPPORTED_VERS="9.9.0 9.8.0-z 9.7.0-z"
WORKING_DIR=$(dirname "${0}")
GATE_SUFFIX="gate"
echo "Obtaining buildinfo for ${BUILD}...";
brew buildinfo "${BUILD}" 2>&1 | tee "${BUILDLOG}" > /dev/null
echo "Checking signatures for ${BUILD}...";
"${WORKING_DIR}"/check_signatures.sh "${BUILDLOG}"
# Return codes:
# - 1 - Buildinfo file not specified
# - 2 = Missing buildinfo file
# - 3 = No signatures
# - 4 = Multiple signature types found
# - 5 = PQC signature found
# - 6 = Old signature (fd431d51) found
# - 7 = Unknown signature found
ret=$?;
if [ "${ret}" -eq 6 ] ; then
echo "Build has old signatures which should not be the case for OpenJDK 25";
exit 2;
elif ! { [ "${ret}" -eq 5 ] || [ "${ret}" -eq 3 ] ; } ; then
echo "Signature check failed.";
exit 3;
fi
echo "Tagging build into gating for ${SUPPORTED_VERS}...";
"${WORKING_DIR}"/tag_rhel.sh "${BUILD}" "${BUILDLOG}" "${GATE_SUFFIX}" "${SUPPORTED_VERS}"
rm -f "${BUILDLOG}"
# Local Variables:
# compile-command: "shellcheck tag_rhel_9_public_pqc.sh"
# fill-column: 80
# indent-tabs-mode: nil
# sh-basic-offset: 4
# End:


@ -1,132 +0,0 @@
#!/bin/bash
# Copyright (C) 2026 Red Hat, Inc.
# Written by:
# Andrew John Hughes <gnu.andrew@redhat.com>
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as
# published by the Free Software Foundation, either version 3 of the
# License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# Waive a gating issue
RHEL_VER=${1}
NVR=${2}
TESTCASE=${3}
COMMENT=${4}
CURL=$(command -v curl)
JSON_TOOL=$(command -v json_verify)
JSON_FORMAT=$(command -v jq)
JSON_FILE=$(mktemp --tmpdir waive.XXXXXX.json)
HEADER_FILE=$(mktemp --tmpdir waive.XXXXXX.headers)
JSON_OUT=$(mktemp --tmpdir out.XXXXXX.json)
CACERT=/etc/ssl/certs/2022-IT-Root-CA.pem
CACERT_DIR=$(dirname ${CACERT})
URL="https://waiverdb.engineering.redhat.com/api/v1.0/waivers/"
if test -z "${JSON_TOOL}" -o ! -x "${JSON_TOOL}" ; then
echo "JSON verifier not found. Skipping verification.";
SKIP_JSON=1;
else
SKIP_JSON=0;
fi
if test "x${RHEL_VER}" = "x"; then
echo "No RHEL version specified.";
echo "${0} <RHEL_VER> <NVR> <TESTCASE> <COMMENT>";
exit 1;
fi
if test "x${NVR}" = "x"; then
echo "No NVR specified.";
echo "${0} <RHEL_VER> <NVR> <TESTCASE> <COMMENT>";
exit 2;
fi
if test "x${TESTCASE}" = "x"; then
echo "No testcase specified.";
echo "${0} <RHEL_VER> <NVR> <TESTCASE> <COMMENT>";
exit 3;
fi
if test "x${COMMENT}" = "x"; then
COMMENT="Gating broken";
echo "Setting COMMENT to default of '${COMMENT}'"
fi
if test "${CURL}" = ""; then
echo "curl not found";
exit 4;
fi
if test "${JSON_FORMAT}" = ""; then
echo "jq not found";
exit 5;
fi
{
echo "{";
printf "\t\"subject_type\":\"brew-build\",\n";
printf "\t\"subject_identifier\":\"%s\",\n" "${NVR}";
printf "\t\"testcase\":\"%s\",\n" "${TESTCASE}";
printf "\t\"waived\":true,\n";
printf "\t\"product_version\":\"rhel-%d\",\n" "${RHEL_VER}"
printf "\t\"comment\":\"%s\"\n" "${COMMENT}";
echo "}"
} > "${JSON_FILE}"
if [ "${SKIP_JSON}" -eq 0 ] ; then
"${JSON_TOOL}" < "${JSON_FILE}" || exit 6;
fi
CMD=("${CURL}" --silent --show-error --capath "${CACERT_DIR}" --negotiate -u :)
JSON_COMMAND="--json";
# Check --json is available
${CURL} ${JSON_COMMAND} 2> /dev/null
if [ $? -eq 2 ] ; then
echo "--json unsupported; falling back on --data-binary";
{
echo "Content-Type: application/json";
echo "Accept: application/json";
} > "${HEADER_FILE}"
echo "Header file:";
cat "${HEADER_FILE}"
CMD=("${CMD[@]}" --header "@${HEADER_FILE}" --data-binary);
else
CMD=("${CMD[@]}" "${JSON_COMMAND}");
fi
CMD=("${CMD[@]}" "@${JSON_FILE}" "${URL}")
echo "Sending the following JSON...";
cat "${JSON_FILE}"
echo "${CMD[@]}"
if command "${CMD[@]}" > "${JSON_OUT}" ; then
"${JSON_FORMAT}" < "${JSON_OUT}"
else
echo "Failed to file waiver";
exit 7;
fi
rm -v "${JSON_FILE}"
rm -v "${HEADER_FILE}"
# Local Variables:
# compile-command: "shellcheck waive_issue.sh"
# fill-column: 80
# indent-tabs-mode: nil
# sh-basic-offset: 4
# End:


@ -1,53 +0,0 @@
#!/bin/sh
# Copyright (C) 2026 Red Hat, Inc.
# Written by:
# Andrew John Hughes <gnu.andrew@redhat.com>
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as
# published by the Free Software Foundation, either version 3 of the
# License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# Waive a rpminspect gating issue
RHEL_VER=${1}
NVR=${2}
COMMENT=${3}
WORKING_DIR=$(dirname "${0}")
if test "x${RHEL_VER}" = "x"; then
echo "No RHEL version specified.";
echo "${0} <RHEL_VER> <NVR> <COMMENT>";
exit 1;
fi
if test "x${NVR}" = "x"; then
echo "No NVR specified.";
echo "${0} <RHEL_VER> <NVR> <COMMENT>";
exit 2;
fi
if test "${COMMENT}" = ""; then
echo "No comment specified.";
echo "${0} <RHEL_VER> <NVR> <COMMENT>";
exit 3;
fi
"${WORKING_DIR}"/waive_issue.sh "${RHEL_VER}" "${NVR}" osci.brew-build.rpminspect.static-analysis "${COMMENT}"
# Local Variables:
# compile-command: "shellcheck waive_rpminspect.sh"
# fill-column: 80
# indent-tabs-mode: nil
# sh-basic-offset: 4
# End:


@ -1,46 +0,0 @@
#!/bin/sh
# Copyright (C) 2026 Red Hat, Inc.
# Written by:
# Andrew John Hughes <gnu.andrew@redhat.com>
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as
# published by the Free Software Foundation, either version 3 of the
# License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# Waive the recurring rpminspect gating issues
# Should be resolved by RHELPLAN-102267
RHEL_VER=${1}
NVR=${2}
if test "x${RHEL_VER}" = "x"; then
echo "No RHEL version specified.";
echo "${0} <RHEL_VER> <NVR>";
exit 1;
fi
if test "x${NVR}" = "x"; then
echo "No NVR specified.";
echo "${0} <RHEL_VER> <NVR>";
exit 2;
fi
"${WORKING_DIR}"/waive_rpminspect.sh "${RHEL_VER}" "${NVR}" \
"Usual failures we waived through rpmdiff; slowdebug unoptimised, RPATH and IPv4 functions"
# Local Variables:
# compile-command: "shellcheck waive_usual_rpminspect.sh"
# fill-column: 80
# indent-tabs-mode: nil
# sh-basic-offset: 4
# End:


@ -98,7 +98,7 @@ else
echo "No apparent backouts.";
fi
printf "\nChecking for bundled library updates...";
if grep -iE ':( \(tz\))? (update|upgrade).*(freetype|gif|harfbuzz|lcms|jpeg|png|timezone|zlib)' "${TMPDIR}/fixes" > "${TMPDIR}/bundles"; then
if grep -iE ':( \(tz\))? update.*(freetype|gif|harfbuzz|lcms|jpeg|png|timezone|zlib)' "${TMPDIR}/fixes" > "${TMPDIR}/bundles"; then
printf "found.\nWARNING: Review the following with respect to bundled provides:\n";
cat "${TMPDIR}/bundles";
echo "Compare the output of $(dirname "${0}")/get_bundle_versions.sh with the RPM using the JDK source tree"
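Review bot: The two `grep -iE` lines in this hunk differ only in `(update|upgrade)` versus `update`, and the rendered page has lost the +/- markers. If the second line is the new side, fix titles worded "Upgrade ..." no longer land in `${TMPDIR}/bundles`, so the bundled-provides warning is silently skipped for them. Version bumps of the bundled freetype, zlib, png and similar libraries often carry security fixes, so a missed bump leaves the RPM's declared bundled versions stale for vulnerability tracking. I would keep the alternation `(update|upgrade)` in the pattern, and add a comment above the `grep` such as `# match both "Update" and "Upgrade" titles; upstream uses both wordings`. The `if` block opened by this line continues past the end of the hunk.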


@ -1,3 +1,2 @@
SHA512 (tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz) = 97d026212363b3c83f6a04100ad7f6fdde833d16579717f8756e2b8c2eb70e144a41a330cb9ccde9c3badd37a2d54fdf4650a950ec21d8b686d545ecb2a64d30
SHA512 (openjdk-25.0.2+10.tar.xz) = 238580373693cb0221f8678df1b1c838b9ae6fc8311c2ece496908444bee640315cba8a3e439866b647021f471b96f011aad35eb3e7ae2369a19d9489c6ddb2d
SHA512 (nssadapter-0.1.1.tar.xz) = 2b4675cfbfa2ccb6c9a4870a4b58ae555267f5b8c9bdb0cf37b075483e6e9ea929561c05070453cf0d67b0b029de5408274555bf2ff50e9533219e898b2717f9
SHA512 (openjdk-22.0.2+9.tar.xz) = 960746381f56cb516a2298f75dbf877554b59e73752dc29b040b8629b153174d2ea2f612d3479b511aaac293e4d336c798a58fd1ba4d2b9d5933899f64d04313