Build cacerts during build from Mozilla's list, take 2 #2113
Conversation
🟢 PR TESTER RESULT 🟢✅ All pipelines passed! ✅ |
karianna
added
the
enhancement
|
@aahlenst What's the situation with this - are you looking to move it forward again now that the October releases have shipped? Are there any blockers? |
|
As I said, we need the tests first. Tests are there, but not integrated. Waiting for Shelley and myself to work this out. Do not expect any movement from my side before late next week. |
|
@aahlenst small merge conflict now as well |
|
Now that adoptium/aqa-tests#2049 has landed, this is safe to merge as soon as the releases are done and the tests were successful. adoptium/aqa-tests#1963 (comment) demonstrates that the test detect a broken trust store. |
The cacerts trust store provided by OpenJDK lacks a few common certificates (see adoptium/adoptium-support#13). We reached out to OpenJDK, but there was little interest to change the state of affairs (see https://mail.openjdk.java.net/pipermail/jdk-dev/2020-May/004305.html). Consequently, the AdoptOpenJDK TSC decided to replace the bundled trust store with the root CA certificates included in Mozilla Firefox. Mozilla runs a trusted root CA program and is used by, amongst others, most Linux distributions. Running our own root CA program was not an option (too much work, difficult). But we leave the option open to include CA certificates on a case-by-case basis. If anyone wants to build with the stock OpenJDK certificates, pass `--custom-cacerts false`. The list of CA certificates is not downloaded on demand but stored in the repository. This prevents intermittent download failures and makes it easier to inspect what certificates we have bundled with a certain release. Changes are also clearly visible in the revision history. This is also the reason that the cacerts file is built from source during the JDK build. The downside is that the list of certificates needs to be regularly updated. The cacerts trust store is built with keytool from the boot JDK to ensure that it is compatible with the built JDK version.
|
run tests |
🟠 PR TESTER RESULT 🟠❎ Some pipelines failed or the job was aborted! ❎ |
One annoying network issue on a mac machine (unrelated to this PR) |
Generates the CA certificate bundle at build time from Mozilla's list of trusted CA certificates.
For context see adoptium/adoptium-support#13. TSC approval is recorded in adoptium/adoptium-support#13 (comment).
There was a previous attempt that failed (#2033, #2083) because I forgot to lock the keystore format to JKS/SUN 🤦. Adding tests to ensure that everything works is being tracked in adoptium/aqa-tests#1963. Ideally, we wait for the tests to appear before merging this one.