
Binaries could be signed by GnuPG and/or X509 #138

Open
bmarwell opened this issue Aug 13, 2021 · 5 comments
@bmarwell (Contributor) commented Aug 13, 2021

Is your feature request related to a problem? Please describe.

Currently, all files have checksums.
To see what I mean, consider this API call:
https://api.adoptium.net/v3/assets/version/8.0.302%2B8?architecture=x64&heap_size=normal&image_type=jdk&jvm_impl=hotspot&lts=true&os=linux&page=0&page_size=10&project=jdk&release_type=ga&sort_method=DEFAULT&sort_order=DESC&vendor=adoptium


```json
[
    {
        "binaries": [
            {
                "architecture": "x64",
                "download_count": 16509,
                "heap_size": "normal",
                "image_type": "jdk",
                "jvm_impl": "hotspot",
                "os": "linux",
                "package": {
                    "checksum": "cc13f274becf9dd5517b6be583632819dfd4dd81e524b5c1b4f406bdaf0e063a",
                    "checksum_link": "https://github.com/adoptium/temurin8-binaries/releases/download/jdk8u302-b08/OpenJDK8U-jdk_x64_linux_hotspot_8u302b08.tar.gz.sha256.txt",
                    "download_count": 16509,
                    "link": "https://github.com/adoptium/temurin8-binaries/releases/download/jdk8u302-b08/OpenJDK8U-jdk_x64_linux_hotspot_8u302b08.tar.gz",
                    "metadata_link": "https://github.com/adoptium/temurin8-binaries/releases/download/jdk8u302-b08/OpenJDK8U-jdk_x64_linux_hotspot_8u302b08.tar.gz.json",
                    "name": "OpenJDK8U-jdk_x64_linux_hotspot_8u302b08.tar.gz",
                    "size": 102954777
                },
                "project": "jdk",
                "scm_ref": "jdk8u302-b08",
                "updated_at": "2021-07-29T19:22:53Z"
            }
        ],
        "download_count": 30952,
        "id": "MDc6UmVsZWFzZTQ3MDAwOTkx.ZZ5uD1yix/X1Qg==",
        "release_link": "https://github.com/adoptium/temurin8-binaries/releases/tag/jdk8u302-b08",
        "release_name": "jdk8u302-b08",
        "release_type": "ga",
        "timestamp": "2021-07-29T19:22:38Z",
        "updated_at": "2021-07-29T19:22:38Z",
        "vendor": "adoptium",
        "version_data": {
            "build": 8,
            "major": 8,
            "minor": 0,
            "openjdk_version": "1.8.0_302-b08",
            "security": 302,
            "semver": "8.0.302+8"
        }
    }
]
```

Describe the solution you'd like

Like Maven artefacts, the builds should have GnuPG and/or X509 signatures.
There would also be the need for a file with all the signatures if using PGP, e.g. like so:
https://github.com/mojohaus/mojohaus.github.io/blob/441259e6a034798b390dbea54e9c5ce4b04af30e/src/site/resources/KEYS

For X509, users would need a trusted PKI.

Describe alternatives you've considered

None. Authenticity and correct transfer are currently only done via TLS. However, an attacker could forge the checksum as well if he gained access to the artifact storage.

Additional context

It would be nice to set up a policy (and a check!) that marketplace releases also must have a signature.

@bmarwell bmarwell added the enhancement New feature or request label Aug 13, 2021
@johnoliver (Contributor):

To some extent this is already supported as the upstream builds do sign their binaries, for instance if you look at:

https://api.adoptopenjdk.net/v3/assets/version/%5B11%2C12%5D?vendor=openjdk

You can see that binaries also have a signature_link that links to the gpg signature for the binary. If temurin created signature files and added them to its releases, we could add those in the API too. This would however be a question for the temurin build rather than the API.
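The two checks discussed in this thread (the checksum every binary already has, and the `signature_link` that signed upstream binaries expose), as an added example that is not part of this issue, of the Adoptium API or of the Temurin build: it reads an API response of the shape quoted above, verifies an archive's SHA-256 against the published checksum, and lists every binary that carries no `signature_link`, which is the "policy (and a check!)" the issue asks for. The response data is constructed for the example (the second binary and all `example.invalid` URLs are hypothetical, as are the function names); only the field names come from the thread.

```python
"""Release verification helper. Added example, not Adoptium/Temurin code.

Assumptions (not stated in the issue): the API response has the shape quoted
in the issue, and a signed binary exposes a ``signature_link`` beside its
``checksum_link``, as johnoliver's comment describes for upstream builds.
"""
import hashlib
import hmac
import json

# Constructed API response: one release with two binaries. The first mirrors
# the issue's own JSON (checksum only); the second is a hypothetical signed
# binary. All example.invalid URLs are placeholders.
SAMPLE_API_RESPONSE = json.dumps([
    {
        "release_name": "jdk8u302-b08",
        "binaries": [
            {
                "os": "linux",
                "architecture": "x64",
                "package": {
                    "name": "OpenJDK8U-jdk_x64_linux_hotspot_8u302b08.tar.gz",
                    "checksum": "cc13f274becf9dd5517b6be583632819dfd4dd81e524b5c1b4f406bdaf0e063a",
                    "checksum_link": "https://example.invalid/OpenJDK8U-jdk_x64_linux_hotspot_8u302b08.tar.gz.sha256.txt",
                    "link": "https://example.invalid/OpenJDK8U-jdk_x64_linux_hotspot_8u302b08.tar.gz",
                },
            },
            {
                "os": "linux",
                "architecture": "aarch64",
                "package": {
                    "name": "example-signed-jdk.tar.gz",  # constructed
                    # SHA-256 of the constructed archive body b"abc"
                    "checksum": "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad",
                    "checksum_link": "https://example.invalid/example-signed-jdk.tar.gz.sha256.txt",
                    "link": "https://example.invalid/example-signed-jdk.tar.gz",
                    "signature_link": "https://example.invalid/example-signed-jdk.tar.gz.sig",
                },
            },
        ],
    }
])


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of an in-memory archive (real downloads would stream chunks)."""
    return hashlib.sha256(data).hexdigest()


def checksum_matches(data: bytes, expected_hex: str) -> bool:
    """Compare the computed digest with the published one without short-circuiting.

    This only proves the bytes match what the artifact host publishes; an
    attacker who controls that host can rewrite both (the issue's point).
    """
    return hmac.compare_digest(sha256_hex(data), expected_hex.strip().lower())


def unsigned_packages(api_json: str) -> list[str]:
    """Policy check: every binary in the response must expose a signature_link.

    Returns the package names that offer only a checksum, so a release gate can
    refuse them. The detached signature is later verified against a key that
    was obtained out of band (for example from a KEYS file), not from the host.
    """
    missing = []
    for release in json.loads(api_json):
        for binary in release.get("binaries", []):
            package = binary.get("package", {})
            if not package.get("signature_link"):
                missing.append(package.get("name", "<unnamed>"))
    return missing


if __name__ == "__main__":
    # Constructed archive body standing in for the signed aarch64 download.
    archive = b"abc"
    signed = json.loads(SAMPLE_API_RESPONSE)[0]["binaries"][1]["package"]
    print("checksum ok:", checksum_matches(archive, signed["checksum"]))
    print("checksum ok after tampering:", checksum_matches(archive + b"!", signed["checksum"]))
    print("binaries without a signature:", unsigned_packages(SAMPLE_API_RESPONSE))
```

The signature itself is still checked with the tooling the thread names: import the project's KEYS file with `gpg --import KEYS` and then run `gpg --verify <archive>.sig <archive>`. The value of `unsigned_packages` is that it turns the issue's policy into something a release pipeline can fail on, while `checksum_matches` shows the limit of the status quo: a checksum published next to the archive catches a corrupted transfer, but not a host that serves a replaced archive together with a matching checksum.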

@bmarwell (Contributor, Author):

> https://api.adoptopenjdk.net/v3/assets/version/%5B11%2C12%5D?vendor=openjdk

Thanks, missed the asset link

> If temurin created signature files and added them to its releases, we could add those in the API too.

Not just temurin, I hope :)

> This would however be a question for the temurin build rather than the API.

I wish it could be forced upon the binaries.
What to do next?

@sxa (Member) commented Aug 18, 2021

See also this request in the build repo: adoptium/temurin-build#1275

@bmarwell (Contributor, Author):

IBM releases are already signed: https://github.com/ibmruntimes/semeru17-binaries/releases/tag/jdk-17.0.3%2B7_openj9-0.32.0.

I don't need signatures for other runtimes atm, but I can leave it open if anyone else is interested.

@sxa sxa self-assigned this Jun 24, 2022
@sophia-guo:

Believe it can be closed.
