provide (gpg ?) signed releases

[altiOnGithub]

Please provided code-signed releases. (checksums are good but not enough)

Currently only the following releases are signed:

• windows MSI (from 'London Jamocha Community CIC')
• deb and rpm via jfrog.io repository (https://adoptopenjdk.jfrog.io/adoptopenjdk/api/gpg/key/public)

However, all .zip and .tar.gz releases which are provided via https://adoptopenjdk.net only have a checksum next to them, but no (gpg ?) signature is provided.
Or do I miss anything?
So currently we can check for integrity but not for authenticity.

Please provided signed releases on https://adoptopenjdk.net

Thank you!

[andrew-m-leonard]

I will have a look into this.
Numerous Enterprises will only consume binaries that are digitally verifiable, eg.via pgp/gpg.
Red Hat OpenJDK jdk8/11 upstream binaries have pgp signatures for example.
eg: https://mail.openjdk.java.net/pipermail/jdk8u-dev/2020-October/012817.html

[tellison]

Flag for TSC discussion too.

[aahlenst]

@andrew-m-leonard Do you still plan to work on it? Would be really useful.

[andrew-m-leonard]

@aahlenst not at the moment, so i've un-assigned myself thanks

[aahlenst]

Why this is important (apart from the immediate security benefits): It allows mirroring our binaries and consuming them from 3rd party servers. This is also required as part of our move to Eclipse. The challenge here is where to sign and how. Having key material on the build machines is undesirable. Signing on the Jenkins master might be doable, but there only seems to be a plug-in for Maven. Using an Eclipse signing service would probably be best, but those are only accessible from selected machines controlled by the Eclipse Foundation.

[bmarwell]

Related: require sigs in API: adoptium/api.adoptium.net#138

[jerboaa]

@gdams @tellison I think it would be useful to get implemented. The question I have is does Eclipse support gpg signing tarballs/zips? If so the obvious gpg key would be the one from Eclipse Foundation. Then OpenJDK update stream leads could sign their public key.

[sxa]

This is now progressing with an intention to have something usable for the July releases:

• Implement GPG signing of the binary build artifacts ci-jenkins-pipelines#320
• Move GPG signing to after installer generation so installers are signed too ci-jenkins-pipelines#337
• Publish GPG signature files github-release-scripts#88
• Add support for Temurin GPG signature retrieval api.adoptium.net#464

[bmarwell]

IBM releases are already signed: https://github.com/ibmruntimes/semeru17-binaries/releases/tag/jdk-17.0.3%2B7_openj9-0.32.0.

[sxa]

Done and blog post is available at https://blog.adoptium.net/2022/07/gpg-signed-releases/