Hi, On Tue, 2025-05-20 at 14:12 +0200, Armin Schrenk wrote: > Hi all, > > I need to build the JDK due to a strict security environment. The > build system is Ubuntu 22.04 x64 6.8.0 kernel inside a VM. > > I read about JEP 493 (https://openjdk.org/jeps/493) and used the > option "--enable-linkable-runtime". My configure command is: > configure \ > --with-conf-name=coffeelibs-openjdk-24 \ > --with-boot-jdk=/path/to/jdk23 \ > --with-version-pre= \ > --with-version-string="24.0.1+9" \ > --with-version-opt=coffeelibs \ > --with-native-debug-symbols=none \ > --enable-linkable-runtime > > The jlink tool of this JDK is used later on. But when i try to build > a minial jre with "coffeelibs-openjdk-24/bin/jlink --output runtime - > -module-path "coffeelibs-openjdk-24/jmods" --add-modules java.base", > it throws the "... has been modified" error mentioned in the JEP, > not for cacerts or other config files, **but binaries (e.g. java or > lib/libextnet.so ).** > > Does anyone know where the problem is?
When that error happens it means the sha512sum of the binary/library in the installation (without JMODs) differs from the binary/library that was present when the linkable runtime was being generated at JDK build time (which uses the JMOD's version of the binary/library to generate the SHA 512 sum for that file and includes it in the jdk.jlink module as a resource file). This can happen for a number of reasons. For example some sort of post- processing is being done by the operating system/build tool (e.g. dpkg) after the JDK has been built. You need to figure out what kind of processing happens and why. If you can prevent that from happening a link from the run-time image should work. Aside: You seem to be using --module-path when generating a runtime from the run-time image (and pointing it to a directory which doesn't find the JMODs; otherwise a JMOD-based link would be performed). That seems confusing. Add `--verbose` and you'll see what "source" for JDK modules the JDK is using when running jlink. Thanks, Severin