
Binaries could be signed by GnuPG and/or X509

Open bmarwell opened this issue 4 years ago • 5 comments

Is your feature request related to a problem? Please describe.

Currently, all files have checksums. To see what I mean, consider this API call: https://api.adoptium.net/v3/assets/version/8.0.302%2B8?architecture=x64&heap_size=normal&image_type=jdk&jvm_impl=hotspot&lts=true&os=linux&page=0&page_size=10&project=jdk&release_type=ga&sort_method=DEFAULT&sort_order=DESC&vendor=adoptium

```json
[
    {
        "binaries": [
            {
                "architecture": "x64",
                "download_count": 16509,
                "heap_size": "normal",
                "image_type": "jdk",
                "jvm_impl": "hotspot",
                "os": "linux",
                "package": {
                    "checksum": "cc13f274becf9dd5517b6be583632819dfd4dd81e524b5c1b4f406bdaf0e063a",
                    "checksum_link": "https://github.com/adoptium/temurin8-binaries/releases/download/jdk8u302-b08/OpenJDK8U-jdk_x64_linux_hotspot_8u302b08.tar.gz.sha256.txt",
                    "download_count": 16509,
                    "link": "https://github.com/adoptium/temurin8-binaries/releases/download/jdk8u302-b08/OpenJDK8U-jdk_x64_linux_hotspot_8u302b08.tar.gz",
                    "metadata_link": "https://github.com/adoptium/temurin8-binaries/releases/download/jdk8u302-b08/OpenJDK8U-jdk_x64_linux_hotspot_8u302b08.tar.gz.json",
                    "name": "OpenJDK8U-jdk_x64_linux_hotspot_8u302b08.tar.gz",
                    "size": 102954777
                },
                "project": "jdk",
                "scm_ref": "jdk8u302-b08",
                "updated_at": "2021-07-29T19:22:53Z"
            }
        ],
        "download_count": 30952,
        "id": "MDc6UmVsZWFzZTQ3MDAwOTkx.ZZ5uD1yix/X1Qg==",
        "release_link": "https://github.com/adoptium/temurin8-binaries/releases/tag/jdk8u302-b08",
        "release_name": "jdk8u302-b08",
        "release_type": "ga",
        "timestamp": "2021-07-29T19:22:38Z",
        "updated_at": "2021-07-29T19:22:38Z",
        "vendor": "adoptium",
        "version_data": {
            "build": 8,
            "major": 8,
            "minor": 0,
            "openjdk_version": "1.8.0_302-b08",
            "security": 302,
            "semver": "8.0.302+8"
        }
    }
]
```

Describe the solution you'd like

Like Maven artefacts, the builds should have GnuPG and/or X509 signatures. There would also be a need for a file containing all the signing keys if using PGP, e.g. like so: https://github.com/mojohaus/mojohaus.github.io/blob/441259e6a034798b390dbea54e9c5ce4b04af30e/src/site/resources/KEYS

For X509, users would need a trusted PKI.

Describe alternatives you've considered

None. Authenticity and correct transfer are currently only done via TLS. However, an attacker could forge the checksum as well if he gained access to the artifact storage.

Additional context

It would be nice to set up a policy (and a check!) that marketplace releases also must have a signature.

bmarwell avatar Aug 13 '21 11:08 bmarwell

To some extent this is already supported as the upstream builds do sign their binaries, for instance if you look at:

https://api.adoptopenjdk.net/v3/assets/version/%5B11%2C12%5D?vendor=openjdk

You can see that binaries also have a signature_link that links to the gpg signature for the binary. If temurin created signature files and added them to its releases, we could add those in the API too. This would however be a question for the temurin build rather than the API.

johnoliver avatar Aug 16 '21 20:08 johnoliver
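As an added illustration of the gap discussed above (not code from this thread or from the Adoptium project), the following Python cross-checks a downloaded archive against the `checksum` field, the `.sha256.txt` file behind `checksum_link`, and reports whether a `signature_link` is present at all. All inputs are constructed; the field names follow the JSON quoted in the issue.

```python
"""Check a downloaded JDK archive against Adoptium API package metadata.
Added example, not code from this thread or the Adoptium project; all
inputs are constructed, field names follow the JSON quoted above."""
import hashlib
import json

# Constructed stand-in for the archive bytes a client downloaded.
ARCHIVE_NAME = "OpenJDK8U-jdk_x64_linux_hotspot_8u302b08.tar.gz"
ARCHIVE_BYTES = b"not a real tarball, just sample bytes for the example\n"
EXPECTED_SHA256 = hashlib.sha256(ARCHIVE_BYTES).hexdigest()

# Constructed package record with the /v3/assets field names; no
# "signature_link", as for Temurin entries when the issue was filed.
PACKAGE_JSON = json.dumps({
    "checksum": EXPECTED_SHA256,
    "checksum_link": "https://example.invalid/" + ARCHIVE_NAME + ".sha256.txt",
    "link": "https://example.invalid/" + ARCHIVE_NAME,
    "name": ARCHIVE_NAME,
})
# Constructed body of the .sha256.txt file (sha256sum output format).
SHA256_TXT = EXPECTED_SHA256 + "  " + ARCHIVE_NAME + "\n"


def parse_sha256_txt(text):
    """Parse 'HEX  filename' lines as written by sha256sum."""
    entries = {}
    for line in text.splitlines():
        parts = line.split(maxsplit=1)
        if len(parts) == 2 and len(parts[0]) == 64:
            entries[parts[1].lstrip("*")] = parts[0].lower()
    return entries


def verify_package(package_json, sha256_txt, archive):
    """Cross-check archive bytes against the API checksum and checksum file.

    A match proves the download was intact, not that it is authentic: an
    attacker with write access to the release storage could replace the
    archive and the checksum file together, which is why the issue asks
    for a detached signature (and the API for a signature_link).
    """
    pkg = json.loads(package_json)
    actual = hashlib.sha256(archive).hexdigest()
    from_file = parse_sha256_txt(sha256_txt).get(pkg["name"])
    return {
        "api_checksum_matches": actual == pkg["checksum"].lower(),
        "checksum_file_matches": actual == from_file,
        "signature_available": bool(pkg.get("signature_link")),
    }
```

Only when `signature_available` is true can a client go on to verify the detached signature against a trusted key, which the checksum alone never provides.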

> https://api.adoptopenjdk.net/v3/assets/version/%5B11%2C12%5D?vendor=openjdk

Thanks, missed the asset link

> If temurin created signature files and added them to its releases, we could add those in the API too.

Not just temurin, I hope :)

> This would however be a question for the temurin build rather than the API.

I wish it could be forced upon the binaries. What to do next?

bmarwell avatar Aug 16 '21 22:08 bmarwell

See also this request in the build repo: https://github.com/adoptium/temurin-build/issues/1275

sxa avatar Aug 18 '21 11:08 sxa

IBM releases are already signed: https://github.com/ibmruntimes/semeru17-binaries/releases/tag/jdk-17.0.3%2B7_openj9-0.32.0.

I don't need signatures for other runtimes atm, but I can leave it open if anyone else is interested.

bmarwell avatar Jun 24 '22 11:06 bmarwell

Believe it can be closed.

sophia-guo avatar Jun 05 '23 21:06 sophia-guo