From: André Draszik <andre.draszik@...>

The OpenJDK-8 package currently comes with a trustStore
that was generated at OpenJDK-8-native build time from
*all* certificates available in the system, not just from
those that are marked as trusted.

This isn't right...

openjdk-8 and openjre-8 now RDEPENDS on (and use) the CA
certificates as provided by the ca-certificates-java
package just added.

This makes sure that Java now uses the same trusted CA
certificates as the rest of the system.

Signed-off-by: André Draszik <andre.draszik@...>
---
recipes-core/openjdk/openjdk-8-common.inc | 2 ++
recipes-core/openjdk/openjdk-8-cross.inc | 12 +++++++++++-
2 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/recipes-core/openjdk/openjdk-8-common.inc b/recipes-core/openjdk/openjdk-8-common.inc
index b2020c3..c8d157e 100644
--- a/recipes-core/openjdk/openjdk-8-common.inc
+++ b/recipes-core/openjdk/openjdk-8-common.inc
@@ -254,3 +254,5 @@ def version_specific_cflags(d):
CFLAGS_append = " ${@version_specific_cflags(d)}"
CXXFLAGS_append = " ${@version_specific_cflags(d)}"
CXX_append = " -std=gnu++98"
+
+RDEPENDS_${PN} = "ca-certificates-java"
diff --git a/recipes-core/openjdk/openjdk-8-cross.inc b/recipes-core/openjdk/openjdk-8-cross.inc
index d70c946..6795c92 100644
--- a/recipes-core/openjdk/openjdk-8-cross.inc
+++ b/recipes-core/openjdk/openjdk-8-cross.inc
@@ -57,7 +57,6 @@ EXTRA_OECONF_append = "\
--with-sys-root=${STAGING_DIR_HOST} \
--with-tools-dir=${STAGING_DIR_NATIVE} \
--with-boot-jdk=${STAGING_LIBDIR_NATIVE}/jvm/openjdk-8-native \
- --with-cacerts-file=${STAGING_LIBDIR_NATIVE}/jvm/openjdk-8-native/jre/lib/security/cacerts \
\
--disable-precompiled-headers \
--disable-zip-debug-info \
@@ -88,6 +87,17 @@ do_install_append() {
pack200 --repack --effort=9 --segment-limit=-1 --modification-time=latest --strip-debug "$0"'
fi
fi
+
+ if [ -d ${D}${JDK_HOME} ] ; then
+ rm ${D}${JDK_HOME}/jre/lib/security/cacerts
+ ln -s ${@os.path.relpath("${sysconfdir}/ssl/certs/java/cacerts", "${JDK_HOME}/jre/lib/security/cacerts")} \
+ ${D}${JDK_HOME}/jre/lib/security/cacerts
+ fi
+ if [ -d ${D}${JRE_HOME} ] ; then
+ rm ${D}${JRE_HOME}/lib/security/cacerts
+ ln -s ${@os.path.relpath("${sysconfdir}/ssl/certs/java/cacerts", "${JRE_HOME}/lib/security/cacerts")} \
+ ${D}${JRE_HOME}/lib/security/cacerts
+ fi
}

export MAKE_VERBOSE = "y"
--
2.16.2

Hi,
this commit of yours breaks the build on meta-java's current
mater-next branch (when building an image containing openjre-8
or openjdk-8) with following message:

ERROR: openjre-8-test-image-1.0-r0 do_rootfs: [log_check] openjre-8-test-image: found 1 error message in the logfile:
[log_check] E: /yocto/meta-java-test/build/tmp/work/qemuarm-poky-linux-gnueabi/openjre-8-test-image/1.0-r0/rootfs/etc/ca-certificates/update.d/ca-certificates-java-hook exited with code 1.

ERROR: openjre-8-test-image-1.0-r0 do_rootfs: Function failed: do_rootfs
ERROR: Logfile of failure stored in: /yocto/meta-java-test/build/tmp/work/qemuarm-poky-linux-gnueabi/openjre-8-test-image/1.0-r0/temp/log.do_rootfs.19892
ERROR: Task (/yocto/meta-java-test/meta-java/recipes-images/images/openjre-8-test-image.bb:do_rootfs) failed with exit code '1'


The logfile contains following error:

Running hooks in /yocto/meta-java-test/build/tmp/work/qemuarm-poky-linux-gnueabi/openjre-8-test-image/1.0-r0/rootfs/etc/ca-certificates/update.d...
/yocto/meta-java-test/build/tmp/work/qemuarm-poky-linux-gnueabi/openjre-8-test-image/1.0-r0/rootfs/etc/ca-certificates/update.d/ca-certificates-java-hook: no JVM_LIBDIR specified
E: /yocto/meta-java-test/build/tmp/work/qemuarm-poky-linux-gnueabi/openjre-8-test-image/1.0-r0/rootfs/etc/ca-certificates/update.d/ca-certificates-java-hook exited with code 1.
done.


Therefore it will be removed from master-next.

It would be great if you could send an fixed version.

Thank you!

regards;Richard.L