fix timezone

GoogleContainerTools · Nov 30, 2023 · a74d1fb · a74d1fb
1 parent af39150
commit a74d1fb
Show file tree

Hide file tree

Showing 5 changed files with 21 additions and 256 deletions.
diff --git a/.bazelrc b/.bazelrc
@@ -10,6 +10,10 @@ common --enable_bzlmod
 # https://bazelbuild.slack.com/archives/C014RARENH0/p1691158021917459?thread_ts=1691156601.420349&cid=C014RARENH0
 common --check_direct_dependencies=off
 
+
+# Use a hermetic Java version
+build --java_runtime_version=remotejdk_17
+
 # Load any settings specific to the current user.
 # .bazelrc.user should appear in .gitignore so that settings are not shared with team members
 # This needs to be last statement in this

diff --git a/distroless/private/java_keystore.bzl b/distroless/private/java_keystore.bzl
@@ -7,17 +7,17 @@ _DOC = """Create a java keystore (database) of cryptographic keys, X.509 certifi
 Currently only public  X.509 are supported as part of the PUBLIC API contract.
 """
 
-def _find_keytool(java_runtime):
-    for f in java_runtime.files.to_list():
+def _find_keytool(java):
+    for f in java.java_runtime.files.to_list():
         if f.basename == "keytool":
             return f
     fail("java toolchain does not contain `keytool`.")
 
 def _java_keystore_impl(ctx):
-    jdk = ctx.toolchains["@bazel_tools//tools/jdk:runtime_toolchain_type"]
+    jdk = ctx.toolchains["@bazel_tools//tools/jdk:toolchain_type"]
     coreutils = ctx.toolchains["@aspect_bazel_lib//lib:coreutils_toolchain_type"]
     bsdtar = ctx.toolchains[tar_lib.TOOLCHAIN_TYPE]
-    keytool = _find_keytool(jdk.java_runtime)
+    keytool = _find_keytool(jdk.java)
 
     jks = ctx.actions.declare_file(ctx.attr.name + ".jks")
 
@@ -70,7 +70,7 @@ java_keystore = rule(
     implementation = _java_keystore_impl,
     toolchains = [
         tar_lib.TOOLCHAIN_TYPE,
-        "@bazel_tools//tools/jdk:runtime_toolchain_type",
+        "@bazel_tools//tools/jdk:toolchain_type",
         "@aspect_bazel_lib//lib:coreutils_toolchain_type",
     ],
 )
diff --git a/distroless/tests/asserts.bzl b/distroless/tests/asserts.bzl
@@ -44,7 +44,7 @@ def assert_jks_listing(name, actual, expected):
         cmd = """
 BINS=($(locations @rules_java//toolchains:current_java_runtime))
 KEYTOOL=$$(dirname $${BINS[1]})/keytool
-$$KEYTOOL -list -v -keystore $(location %s) -storepass changeit > $@
+TZ="UTC" $$KEYTOOL -list -keystore $(location %s) -storepass changeit > $@
 """ % actual,
     )
 

diff --git a/examples/java_keystore/BUILD.bazel b/examples/java_keystore/BUILD.bazel
@@ -32,6 +32,6 @@ assert_tar_listing(
 ./etc/ssl time=1672560000.0 mode=755 gid=0 uid=0 type=dir
 ./etc/ssl/certs time=1672560000.0 mode=755 gid=0 uid=0 type=dir
 ./etc/ssl/certs/java time=1672560000.0 mode=755 gid=0 uid=0 type=dir
-./etc/ssl/certs/java/cacerts nlink=0 time=1672560000.0 mode=755 gid=0 uid=0 type=file size=6230 cksum=2439835119 sha1digest=525ab823d4735763050000c0d85d00b401f6ce7f
+./etc/ssl/certs/java/cacerts nlink=0 time=1672560000.0 mode=755 gid=0 uid=0 type=file size=6230 cksum=1520748722 sha1digest=fa7c324a0b750e87dd8c8631be005184fb46e915
 """,
 )
diff --git a/examples/java_keystore/expected.jks.output b/examples/java_keystore/expected.jks.output
@@ -3,252 +3,13 @@ Keystore provider: SUN
 
 Your keystore contains 5 entries
 
-Alias name: /c=us/o=amazon/cn=amazonrootca1
-Creation date: Nov. 17, 2023
-Entry type: trustedCertEntry
-
-Owner: CN=Amazon Root CA 1, O=Amazon, C=US
-Issuer: CN=Amazon Root CA 1, O=Amazon, C=US
-Serial number: 66c9fcf99bf8c0a39e2f0788a43e696365bca
-Valid from: Mon May 25 17:00:00 PDT 2015 until: Sat Jan 16 16:00:00 PST 2038
-Certificate fingerprints:
-	 SHA1: 8D:A7:F9:65:EC:5E:FC:37:91:0F:1C:6E:59:FD:C1:CC:6A:6E:DE:16
-	 SHA256: 8E:CD:E6:88:4F:3D:87:B1:12:5B:A3:1A:C3:FC:B1:3D:70:16:DE:7F:57:CC:90:4F:E1:CB:97:C6:AE:98:19:6E
-Signature algorithm name: SHA256withRSA
-Subject Public Key Algorithm: 2048-bit RSA key
-Version: 3
-
-Extensions: 
-
-#1: ObjectId: 2.5.29.19 Criticality=true
-BasicConstraints:[
-  CA:true
-  PathLen: no limit
-]
-
-#2: ObjectId: 2.5.29.15 Criticality=true
-KeyUsage [
-  DigitalSignature
-  Key_CertSign
-  Crl_Sign
-]
-
-#3: ObjectId: 2.5.29.14 Criticality=false
-SubjectKeyIdentifier [
-KeyIdentifier [
-0000: 84 18 CC 85 34 EC BC 0C   94 94 2E 08 59 9C C7 B2  ....4.......Y...
-0010: 10 4E 0A 08                                        .N..
-]
-]
-
-
-
-*******************************************
-*******************************************
-
-
-Alias name: /c=us/o=digicertinc/ou=www.digicert.com/cn=digicertassuredidrootca
-Creation date: Nov. 17, 2023
-Entry type: trustedCertEntry
-
-Owner: CN=DigiCert Assured ID Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
-Issuer: CN=DigiCert Assured ID Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
-Serial number: ce7e0e517d846fe8fe560fc1bf03039
-Valid from: Thu Nov 09 16:00:00 PST 2006 until: Sun Nov 09 16:00:00 PST 2031
-Certificate fingerprints:
-	 SHA1: 05:63:B8:63:0D:62:D7:5A:BB:C8:AB:1E:4B:DF:B5:A8:99:B2:4D:43
-	 SHA256: 3E:90:99:B5:01:5E:8F:48:6C:00:BC:EA:9D:11:1E:E7:21:FA:BA:35:5A:89:BC:F1:DF:69:56:1E:3D:C6:32:5C
-Signature algorithm name: SHA1withRSA
-Subject Public Key Algorithm: 2048-bit RSA key
-Version: 3
-
-Extensions: 
-
-#1: ObjectId: 2.5.29.35 Criticality=false
-AuthorityKeyIdentifier [
-KeyIdentifier [
-0000: 45 EB A2 AF F4 92 CB 82   31 2D 51 8B A7 A7 21 9D  E.......1-Q...!.
-0010: F3 6D C8 0F                                        .m..
-]
-]
-
-#2: ObjectId: 2.5.29.19 Criticality=true
-BasicConstraints:[
-  CA:true
-  PathLen: no limit
-]
-
-#3: ObjectId: 2.5.29.15 Criticality=true
-KeyUsage [
-  DigitalSignature
-  Key_CertSign
-  Crl_Sign
-]
-
-#4: ObjectId: 2.5.29.14 Criticality=false
-SubjectKeyIdentifier [
-KeyIdentifier [
-0000: 45 EB A2 AF F4 92 CB 82   31 2D 51 8B A7 A7 21 9D  E.......1-Q...!.
-0010: F3 6D C8 0F                                        .m..
-]
-]
-
-
-
-*******************************************
-*******************************************
-
-
-Alias name: /c=us/o=verisign,inc./ou=verisigntrustnetwork/ou=(c)2008verisign,inc.-forauthorizeduseonly/cn=verisignuniversalrootcertificationauthority
-Creation date: Nov. 17, 2023
-Entry type: trustedCertEntry
-
-Owner: CN=VeriSign Universal Root Certification Authority, OU="(c) 2008 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
-Issuer: CN=VeriSign Universal Root Certification Authority, OU="(c) 2008 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
-Serial number: 401ac46421b31321030ebbe4121ac51d
-Valid from: Tue Apr 01 17:00:00 PDT 2008 until: Tue Dec 01 15:59:59 PST 2037
-Certificate fingerprints:
-	 SHA1: 36:79:CA:35:66:87:72:30:4D:30:A5:FB:87:3B:0F:A7:7B:B7:0D:54
-	 SHA256: 23:99:56:11:27:A5:71:25:DE:8C:EF:EA:61:0D:DF:2F:A0:78:B5:C8:06:7F:4E:82:82:90:BF:B8:60:E8:4B:3C
-Signature algorithm name: SHA256withRSA
-Subject Public Key Algorithm: 2048-bit RSA key
-Version: 3
-
-Extensions: 
-
-#1: ObjectId: 1.3.6.1.5.5.7.1.12 Criticality=false
-0000: 30 5F A1 5D A0 5B 30 59   30 57 30 55 16 09 69 6D  0_.].[0Y0W0U..im
-0010: 61 67 65 2F 67 69 66 30   21 30 1F 30 07 06 05 2B  age/gif0!0.0...+
-0020: 0E 03 02 1A 04 14 8F E5   D3 1A 86 AC 8D 8E 6B C3  ..............k.
-0030: CF 80 6A D4 48 18 2C 7B   19 2E 30 25 16 23 68 74  ..j.H.,...0%.#ht
-0040: 74 70 3A 2F 2F 6C 6F 67   6F 2E 76 65 72 69 73 69  tp://logo.verisi
-0050: 67 6E 2E 63 6F 6D 2F 76   73 6C 6F 67 6F 2E 67 69  gn.com/vslogo.gi
-0060: 66                                                 f
-
-
-#2: ObjectId: 2.5.29.19 Criticality=true
-BasicConstraints:[
-  CA:true
-  PathLen: no limit
-]
-
-#3: ObjectId: 2.5.29.15 Criticality=true
-KeyUsage [
-  Key_CertSign
-  Crl_Sign
-]
-
-#4: ObjectId: 2.5.29.14 Criticality=false
-SubjectKeyIdentifier [
-KeyIdentifier [
-0000: B6 77 FA 69 48 47 9F 53   12 D5 C2 EA 07 32 76 07  .w.iHG.S.....2v.
-0010: D1 97 07 19                                        ....
-]
-]
-
-
-
-*******************************************
-*******************************************
-
-
-Alias name: /ou=globalsignrootca-r2/o=globalsign/cn=globalsign
-Creation date: Nov. 17, 2023
-Entry type: trustedCertEntry
-
-Owner: CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2
-Issuer: CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2
-Serial number: 400000000010f8626e60d
-Valid from: Fri Dec 15 00:00:00 PST 2006 until: Wed Dec 15 00:00:00 PST 2021
-Certificate fingerprints:
-	 SHA1: 75:E0:AB:B6:13:85:12:27:1C:04:F8:5F:DD:DE:38:E4:B7:24:2E:FE
-	 SHA256: CA:42:DD:41:74:5F:D0:B8:1E:B9:02:36:2C:F9:D8:BF:71:9D:A1:BD:1B:1E:FC:94:6F:5B:4C:99:F4:2C:1B:9E
-Signature algorithm name: SHA1withRSA
-Subject Public Key Algorithm: 2048-bit RSA key
-Version: 3
-
-Extensions: 
-
-#1: ObjectId: 2.5.29.35 Criticality=false
-AuthorityKeyIdentifier [
-KeyIdentifier [
-0000: 9B E2 07 57 67 1C 1E C0   6A 06 DE 59 B4 9A 2D DF  ...Wg...j..Y..-.
-0010: DC 19 86 2E                                        ....
-]
-]
-
-#2: ObjectId: 2.5.29.19 Criticality=true
-BasicConstraints:[
-  CA:true
-  PathLen: no limit
-]
-
-#3: ObjectId: 2.5.29.31 Criticality=false
-CRLDistributionPoints [
-  [DistributionPoint:
-     [URIName: http://crl.globalsign.net/root-r2.crl]
-]]
-
-#4: ObjectId: 2.5.29.15 Criticality=true
-KeyUsage [
-  Key_CertSign
-  Crl_Sign
-]
-
-#5: ObjectId: 2.5.29.14 Criticality=false
-SubjectKeyIdentifier [
-KeyIdentifier [
-0000: 9B E2 07 57 67 1C 1E C0   6A 06 DE 59 B4 9A 2D DF  ...Wg...j..Y..-.
-0010: DC 19 86 2E                                        ....
-]
-]
-
-
-
-*******************************************
-*******************************************
-
-
-Alias name: /ou=globalsignrootca-r3/o=globalsign/cn=globalsign
-Creation date: Nov. 17, 2023
-Entry type: trustedCertEntry
-
-Owner: CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R3
-Issuer: CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R3
-Serial number: 4000000000121585308a2
-Valid from: Wed Mar 18 03:00:00 PDT 2009 until: Sun Mar 18 03:00:00 PDT 2029
-Certificate fingerprints:
-	 SHA1: D6:9B:56:11:48:F0:1C:77:C5:45:78:C1:09:26:DF:5B:85:69:76:AD
-	 SHA256: CB:B5:22:D7:B7:F1:27:AD:6A:01:13:86:5B:DF:1C:D4:10:2E:7D:07:59:AF:63:5A:7C:F4:72:0D:C9:63:C5:3B
-Signature algorithm name: SHA256withRSA
-Subject Public Key Algorithm: 2048-bit RSA key
-Version: 3
-
-Extensions: 
-
-#1: ObjectId: 2.5.29.19 Criticality=true
-BasicConstraints:[
-  CA:true
-  PathLen: no limit
-]
-
-#2: ObjectId: 2.5.29.15 Criticality=true
-KeyUsage [
-  Key_CertSign
-  Crl_Sign
-]
-
-#3: ObjectId: 2.5.29.14 Criticality=false
-SubjectKeyIdentifier [
-KeyIdentifier [
-0000: 8F F0 4B 7F A8 2E 45 24   AE 4D 50 FA 63 9A 8B DE  ..K...E$.MP.c...
-0010: E2 DD 1B BC                                        ....
-]
-]
-
-
-
-*******************************************
-*******************************************
-
-
+/c=us/o=amazon/cn=amazonrootca1, Nov. 30, 2023, trustedCertEntry, 
+Certificate fingerprint (SHA-256): 8E:CD:E6:88:4F:3D:87:B1:12:5B:A3:1A:C3:FC:B1:3D:70:16:DE:7F:57:CC:90:4F:E1:CB:97:C6:AE:98:19:6E
+/c=us/o=digicertinc/ou=www.digicert.com/cn=digicertassuredidrootca, Nov. 30, 2023, trustedCertEntry, 
+Certificate fingerprint (SHA-256): 3E:90:99:B5:01:5E:8F:48:6C:00:BC:EA:9D:11:1E:E7:21:FA:BA:35:5A:89:BC:F1:DF:69:56:1E:3D:C6:32:5C
+/c=us/o=verisign,inc./ou=verisigntrustnetwork/ou=(c)2008verisign,inc.-forauthorizeduseonly/cn=verisignuniversalrootcertificationauthority, Nov. 30, 2023, trustedCertEntry, 
+Certificate fingerprint (SHA-256): 23:99:56:11:27:A5:71:25:DE:8C:EF:EA:61:0D:DF:2F:A0:78:B5:C8:06:7F:4E:82:82:90:BF:B8:60:E8:4B:3C
+/ou=globalsignrootca-r2/o=globalsign/cn=globalsign, Nov. 30, 2023, trustedCertEntry, 
+Certificate fingerprint (SHA-256): CA:42:DD:41:74:5F:D0:B8:1E:B9:02:36:2C:F9:D8:BF:71:9D:A1:BD:1B:1E:FC:94:6F:5B:4C:99:F4:2C:1B:9E
+/ou=globalsignrootca-r3/o=globalsign/cn=globalsign, Nov. 30, 2023, trustedCertEntry, 
+Certificate fingerprint (SHA-256): CB:B5:22:D7:B7:F1:27:AD:6A:01:13:86:5B:DF:1C:D4:10:2E:7D:07:59:AF:63:5A:7C:F4:72:0D:C9:63:C5:3B