temurin-build
Investigate how to make the build more secure when downloading/installing tools during the build
We have checkFingerprint(), which uses a checksum to verify certain tools we download onto the build machine (e.g. freemarker, alsa).
But we also have code, e.g. in build-farm/platform-specific-configurations/*.sh, that directly downloads the JDK from the API server.
It is difficult to use a checksum to verify these binaries because of nightly builds.
There might be more places where we are using "curl / wget" to do similar things.
This ticket is to investigate, from a security perspective, how we can make our builds more stable and secure.
Just noting for easier reference, the download from the API server is here at the moment: https://github.com/adoptium/temurin-build/blob/master/build-farm/platform-specific-configurations/linux.sh#L155
ref: https://blog.adoptium.net/2022/07/gpg-signed-releases/
Looks like only alsa is remaining, and that is covered by a checksum to detect tampering; however, https://www.alsa-project.org/files/pub/lib/ provides GPG signatures, so we should use those (key ID A6E59C91), subject to fixing the GPG problems on Windows and macOS. Interestingly, the downloadFile function now ONLY seems to be used for ALSA, so perhaps we should revisit whether it is needed.
Note that freetype is also downloaded on the fly for some versions (e.g. Windows JDK8) but that is coming from a git clone of a specific SHA.
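To illustrate the two verification steps discussed in this thread (the checksum check that checkFingerprint() performs for tools such as alsa, and the GPG signature check proposed above), here is an added example of a POSIX shell download-and-verify routine. It is not code from temurin-build; the function names (verify_sha256, verify_gpg, fetch_and_verify), the idea of pinning the signer's full fingerprint rather than a short key ID, and the keyring path are assumptions for the example.

```shell
#!/bin/sh
# Added example, not temurin-build code: verify a downloaded artifact
# against a pinned SHA-256 and, optionally, against a detached GPG
# signature made by a key whose full fingerprint is pinned in the script.
set -eu

# verify_sha256 FILE EXPECTED_HEX
# Returns 0 when the file's SHA-256 matches EXPECTED_HEX, 1 otherwise.
# Falls back to shasum for platforms without coreutils (e.g. macOS).
verify_sha256() {
    file=$1
    expected=$2
    if command -v sha256sum >/dev/null 2>&1; then
        actual=$(sha256sum "$file" | cut -d' ' -f1)
    else
        actual=$(shasum -a 256 "$file" | cut -d' ' -f1)
    fi
    [ "$actual" = "$expected" ]
}

# verify_gpg FILE SIG PINNED_FPR KEYRING
# Returns 0 only if the detached signature validates AND the signing
# key's full fingerprint equals PINNED_FPR (hypothetical 40-hex value
# supplied by the caller). --status-fd gives machine-readable output;
# the VALIDSIG line carries the full fingerprint, so we compare against
# that rather than trusting a short key ID, which can collide.
verify_gpg() {
    file=$1; sig=$2; pinned=$3; keyring=$4
    status=$(gpg --batch --no-default-keyring --keyring "$keyring" \
                 --status-fd 1 --verify "$sig" "$file" 2>/dev/null) || return 1
    printf '%s\n' "$status" | grep -q "^\[GNUPG:\] VALIDSIG $pinned "
}

# fetch_and_verify URL EXPECTED_SHA256
# Downloads to a temp file and prints its path only if the checksum
# matches; a mismatch deletes the file so nothing unverified is installed.
# --proto '=https' and --tlsv1.2 refuse plaintext or downgraded fetches.
fetch_and_verify() {
    url=$1; expected=$2
    tmp=$(mktemp)
    curl -fsSL --proto '=https' --tlsv1.2 -o "$tmp" "$url"
    if verify_sha256 "$tmp" "$expected"; then
        printf '%s\n' "$tmp"
    else
        rm -f "$tmp"
        echo "checksum mismatch for $url" >&2
        return 1
    fi
}
```

The expected checksum and the pinned fingerprint are meant to live in the committed build script next to the download URL, so a compromised mirror cannot replace both the artifact and the value it is checked against. For a nightly JDK download from the API server, where no fixed checksum exists, the GPG route is the applicable one: the signature file is fetched alongside the binary and checked with verify_gpg against the release-signing fingerprint.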
Also, this has been done in https://github.com/adoptium/temurin-build/pull/3351 and removed (since it's not used) on AIX+Solaris at https://github.com/adoptium/temurin-build/pull/3358. Closing.