Hi,

On Tue, 2025-05-20 at 14:12 +0200, Armin Schrenk wrote: 
> Hi all,
> 
> I need to build the JDK due to a strict security environment. The
> build system is Ubuntu 22.04 x64 6.8.0 kernel inside a VM.
> 
> I read about JEP 493 (https://openjdk.org/jeps/493) and used the
> option "--enable-linkable-runtime". My configure command is:
>  configure \
>      --with-conf-name=coffeelibs-openjdk-24 \
>      --with-boot-jdk=/path/to/jdk23 \
>      --with-version-pre= \
>      --with-version-string="24.0.1+9" \
>      --with-version-opt=coffeelibs \
>      --with-native-debug-symbols=none \
>      --enable-linkable-runtime
> 
> The jlink tool of this JDK is used later on. But when I try to build
> a minimal jre with "coffeelibs-openjdk-24/bin/jlink --output runtime
> --module-path "coffeelibs-openjdk-24/jmods" --add-modules java.base",
> it throws the "... has been modified" error mentioned in the JEP,
> not for cacerts or other config files, **but binaries (e.g. java or
> lib/libextnet.so).**
> 
> Does anyone know where the problem is?

When that error happens it means the sha512sum of the binary/library in
the installation (without JMODs) differs from the binary/library that
was present when the linkable runtime was being generated at JDK build
time (which uses the JMOD's version of the binary/library to generate
the SHA 512 sum for that file and includes it in the jdk.jlink module
as a resource file).

This can happen for a number of reasons. For example, some sort of
post-processing is being done by the operating system/build tool (e.g.
dpkg) after the JDK has been built. You need to figure out what kind of
processing happens and why. If you can prevent that from happening, a
link from the run-time image should work.

Aside: You seem to be using --module-path when generating a runtime
from the run-time image (and pointing it to a directory which doesn't
find the JMODs; otherwise a JMOD-based link would be performed). That
seems confusing. Add `--verbose` and you'll see what "source" for JDK
modules the JDK is using when running jlink.

Thanks,
Severin
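
The comparison described in the reply above, as an added example that is not part of the original thread and not JDK code: it lists the files under bin/ and lib/ whose SHA-512 in the installed image differs from the copy shipped in a JMOD. It assumes the build's JMOD file is still available and has been unpacked with `jmod extract`, that the unpacked bin/ and lib/ sections map to the same paths in the image, and that `sha512sum` is installed; the function names and all paths are hypothetical.

```shell
#!/bin/sh
# Added example: find image files that no longer match their JMOD copy.
# Assumed preparation (placeholder paths):
#   jmod extract --dir /path/to/extracted /path/to/jmods/java.base.jmod
#   modified_files /path/to/extracted /path/to/jdk-image

sha512_of() {
    # Print only the hex digest of one file.
    sha512sum "$1" | cut -d ' ' -f 1
}

modified_files() {
    extracted=$1   # directory produced by `jmod extract`
    image=$2       # root of the JDK image that jlink runs from
    for section in bin lib; do
        [ -d "$extracted/$section" ] || continue
        # Walk every regular file the JMOD ships in this section.
        find "$extracted/$section" -type f | sort | while IFS= read -r src; do
            rel=${src#"$extracted"/}
            dst=$image/$rel
            if [ ! -f "$dst" ]; then
                printf 'MISSING  %s\n' "$rel"
            elif [ "$(sha512_of "$src")" != "$(sha512_of "$dst")" ]; then
                printf 'MODIFIED %s\n' "$rel"
            fi
        done
    done
}
```

Running `file` or `ls -l` on each reported path in both trees is a quick way to see what kind of post-processing changed it.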
