provide (gpg ?) signed releases #1275

Closed
altiOnGithub opened this issue Sep 12, 2019 · 10 comments
Labels
- enhancement: Issues that enhance the code or documentation of the repo in any way
- important: High priority issues that are not buildbreakers but may still require more attention than others
- question: Issues that are queries about the code base or potential problems that have been spotted
- windows: Issues that affect or relate to the WINDOWS OS

Comments

@altiOnGithub

Please provide code-signed releases. (Checksums are good but not enough.)

Currently only the following releases are signed:

However, all .zip and .tar.gz releases which are provided via https://adoptopenjdk.net only have a checksum next to them, but no (gpg ?) signature is provided.
Or am I missing anything?
So currently we can check for integrity but not for authenticity.

Please provide signed releases on https://adoptopenjdk.net

Thank you!
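The integrity-versus-authenticity point above, as an added example that is not part of the issue or of the Adoptium project: a throwaway key signs a constructed stand-in archive, and the consumer-side checks show that a recomputed checksum still passes while the detached signature does not. Key name, fingerprint pinning and file names are assumptions for illustration; the verification also pins the signer's fingerprint, since gpg --verify alone exits 0 for any key in the keyring.

```shell
# Added example, not code from the Adoptium issue or project: a throwaway key and a
# constructed archive show why a checksum proves integrity only. All names are made up.
set -eu

# Publisher side: stand-in archive, SHA-256 checksum file, detached armoured signature.
make_signed_release() {   # $1 = fresh release directory
    export GNUPGHOME="$1/keyring"; mkdir -p -m 700 "$GNUPGHOME"
    printf 'constructed stand-in for a JDK tarball\n' > "$1/release.tar.gz"
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Example Release Key <release@example.invalid>' default default 0
    ( cd "$1" && sha256sum release.tar.gz > release.tar.gz.sha256.txt )
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' --armor \
        --detach-sign --output "$1/release.tar.gz.sig" "$1/release.tar.gz"
}

# Signing-key fingerprint; a consumer takes this from vendor docs, not the download server.
signing_fingerprint() {
    gpg --batch --with-colons --list-keys | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Consumer check 1, integrity: does the archive match the published checksum?
verify_checksum() {       # $1 = release directory
    ( cd "$1" && sha256sum --check --status release.tar.gz.sha256.txt )
}

# Consumer check 2, authenticity: valid signature AND made by the expected key.
# "gpg --verify" exits 0 for any valid signature from any key in the keyring, so
# the VALIDSIG status line is matched against the pinned fingerprint instead.
verify_signature() {      # $1 = release directory, $2 = expected fingerprint
    gpg --batch --status-fd 1 --verify "$1/release.tar.gz.sig" "$1/release.tar.gz" 2>/dev/null \
        | grep -q "^\[GNUPG:\] VALIDSIG $2 "
}

# The failure mode the issue describes: a modified archive shipped together with a
# recomputed checksum. Integrity still passes; only the signature reveals it.
tamper_release() {        # $1 = release directory
    printf 'modified content\n' >> "$1/release.tar.gz"
    ( cd "$1" && sha256sum release.tar.gz > release.tar.gz.sha256.txt )
}

demo() {
    dir="$(mktemp -d)"; make_signed_release "$dir"; fpr="$(signing_fingerprint)"
    verify_checksum "$dir"         && echo "original: checksum OK"
    verify_signature "$dir" "$fpr" && echo "original: signature OK"
    tamper_release "$dir"
    verify_checksum "$dir"         && echo "tampered: checksum still OK"
    verify_signature "$dir" "$fpr" || echo "tampered: signature FAILS"
}

if command -v gpg >/dev/null 2>&1 && command -v sha256sum >/dev/null 2>&1; then demo
else echo "gpg and sha256sum are required for the demo" >&2; fi
```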

@karianna karianna added the bug Issues that are problems in the code as reported by the community label Sep 14, 2019
@karianna karianna added this to the September 2019 milestone Sep 14, 2019
@karianna karianna removed this from the September 2019 milestone Sep 14, 2019
@aahlenst aahlenst added enhancement Issues that enhance the code or documentation of the repo in any way and removed bug Issues that are problems in the code as reported by the community labels Aug 29, 2020
@andrew-m-leonard andrew-m-leonard self-assigned this Oct 21, 2020
@andrew-m-leonard (Contributor)

I will have a look into this.
Numerous enterprises will only consume binaries that are digitally verifiable, e.g. via PGP/GPG.
Red Hat OpenJDK jdk8/11 upstream binaries have PGP signatures, for example.
e.g.: https://mail.openjdk.java.net/pipermail/jdk8u-dev/2020-October/012817.html

@tellison tellison added the TSC-Agenda Issues that have been flagged as inclusions for a future TSC meeting label Nov 5, 2020
@tellison (Contributor)

tellison commented Nov 5, 2020

Flag for TSC discussion too.

@aahlenst (Contributor)

@andrew-m-leonard Do you still plan to work on it? Would be really useful.

@andrew-m-leonard andrew-m-leonard removed their assignment Feb 17, 2021
@andrew-m-leonard (Contributor)

@aahlenst not at the moment, so I've un-assigned myself, thanks.

@aahlenst aahlenst removed the TSC-Agenda Issues that have been flagged as inclusions for a future TSC meeting label Feb 26, 2021
@aahlenst (Contributor)

Why this is important (apart from the immediate security benefits): It allows mirroring our binaries and consuming them from 3rd party servers. This is also required as part of our move to Eclipse. The challenge here is where to sign and how. Having key material on the build machines is undesirable. Signing on the Jenkins master might be doable, but there only seems to be a plug-in for Maven. Using an Eclipse signing service would probably be best, but those are only accessible from selected machines controlled by the Eclipse Foundation.

@M-Davies M-Davies added the important High priority issues that are not buildbreakers but may still require more attention than others label Feb 26, 2021
@andrew-m-leonard andrew-m-leonard self-assigned this Apr 7, 2021
@bmarwell

Related: require sigs in API: adoptium/api.adoptium.net#138

@github-actions github-actions bot added question Issues that are queries about the code base or potential problems that have been spotted windows Issues that affect or relate to the WINDOWS OS labels Aug 18, 2021
@jerboaa (Contributor)

jerboaa commented Jan 27, 2022

@gdams @tellison I think it would be useful to get this implemented. The question I have is: does Eclipse support GPG-signing tarballs/zips? If so, the obvious GPG key would be the one from the Eclipse Foundation. Then OpenJDK update stream leads could sign their public key.

@sxa sxa self-assigned this Feb 22, 2022
@sxa (Member)

sxa commented Jun 24, 2022

@bmarwell

IBM releases are already signed: https://github.com/ibmruntimes/semeru17-binaries/releases/tag/jdk-17.0.3%2B7_openj9-0.32.0.

@sxa (Member)

sxa commented Aug 10, 2022

Done, and the blog post is available at https://blog.adoptium.net/2022/07/gpg-signed-releases/

@sxa sxa closed this as completed Aug 10, 2022
Repository owner moved this from In Progress to Done in Secure Software Development Activities Aug 10, 2022
Repository owner moved this from In Progress to Done in Adoptium August 2022 Plan Aug 10, 2022