Binaries could be signed by GnuPG and/or X509

bmarwell commented 3 years ago

Is your feature request related to a problem? Please describe.

Currently, all files have checksums. To see what I mean, consider this API call: https://api.adoptium.net/v3/assets/version/8.0.302%2B8?architecture=x64&heap_size=normal&image_type=jdk&jvm_impl=hotspot&lts=true&os=linux&page=0&page_size=10&project=jdk&release_type=ga&sort_method=DEFAULT&sort_order=DESC&vendor=adoptium


[
    {
        "binaries": [
            {
                "architecture": "x64",
                "download_count": 16509,
                "heap_size": "normal",
                "image_type": "jdk",
                "jvm_impl": "hotspot",
                "os": "linux",
                "package": {
                    "checksum": "cc13f274becf9dd5517b6be583632819dfd4dd81e524b5c1b4f406bdaf0e063a",
                    "checksum_link": "https://github.com/adoptium/temurin8-binaries/releases/download/jdk8u302-b08/OpenJDK8U-jdk_x64_linux_hotspot_8u302b08.tar.gz.sha256.txt",
                    "download_count": 16509,
                    "link": "https://github.com/adoptium/temurin8-binaries/releases/download/jdk8u302-b08/OpenJDK8U-jdk_x64_linux_hotspot_8u302b08.tar.gz",
                    "metadata_link": "https://github.com/adoptium/temurin8-binaries/releases/download/jdk8u302-b08/OpenJDK8U-jdk_x64_linux_hotspot_8u302b08.tar.gz.json",
                    "name": "OpenJDK8U-jdk_x64_linux_hotspot_8u302b08.tar.gz",
                    "size": 102954777
                },
                "project": "jdk",
                "scm_ref": "jdk8u302-b08",
                "updated_at": "2021-07-29T19:22:53Z"
            }
        ],
        "download_count": 30952,
        "id": "MDc6UmVsZWFzZTQ3MDAwOTkx.ZZ5uD1yix/X1Qg==",
        "release_link": "https://github.com/adoptium/temurin8-binaries/releases/tag/jdk8u302-b08",
        "release_name": "jdk8u302-b08",
        "release_type": "ga",
        "timestamp": "2021-07-29T19:22:38Z",
        "updated_at": "2021-07-29T19:22:38Z",
        "vendor": "adoptium",
        "version_data": {
            "build": 8,
            "major": 8,
            "minor": 0,
            "openjdk_version": "1.8.0_302-b08",
            "security": 302,
            "semver": "8.0.302+8"
        }
    }
]

Describe the solution you'd like

Like maven artefacts, the builds should have GnuPG and/or X509 signatures. There would also be the need of a file with all the signatures if using PGP, e.g. like so: https://github.com/mojohaus/mojohaus.github.io/blob/441259e6a034798b390dbea54e9c5ce4b04af30e/src/site/resources/KEYS

For X509, users would need a trusted PKI.

Describe alternatives you've considered

None. Authenticity and correct transfer are currently only done via TLS. However, an attacker could forge the checksum as well if he gained access to the artifact storage.

Additional context

It would be nice to set up a policy (and a check!) that marketplace releases also must have a signature.

johnoliver commented 3 years ago

To some extent this is already supported as the upstream builds do sign their binaries, for instance if you look at:

https://api.adoptopenjdk.net/v3/assets/version/%5B11%2C12%5D?vendor=openjdk

You can see that binaries also have a signature_link that links to the gpg signature for the binary. If temurin created signature files and added them to its releases, we could add those in the API too. This would however be a question for the temurin build rather than the API.

bmarwell commented 3 years ago