From 0440c07891f9a4698066b89c051a1e22c49272cf Mon Sep 17 00:00:00 2001 From: Andrew Leonard <31470007+andrew-m-leonard@users.noreply.github.com> Date: Fri, 9 Aug 2024 15:58:17 +0100 Subject: [PATCH] Blog and documentation for performing "3rd Party Reproducible Verification Builds" (#2949) * Add reproducible build process doc Signed-off-by: Andrew Leonard * Add reproducible build process doc Signed-off-by: Andrew Leonard * Add reproducible build process doc Signed-off-by: Andrew Leonard * Add reproducible build process doc Signed-off-by: Andrew Leonard * Add reproducible build process doc Signed-off-by: Andrew Leonard * Add reproducible build process doc Signed-off-by: Andrew Leonard * Add reproducible build process doc Signed-off-by: Andrew Leonard * Add reproducible build process doc Signed-off-by: Andrew Leonard * Add reproducible build process doc Signed-off-by: Andrew Leonard * Update repro blog Signed-off-by: Andrew Leonard * Update repro blog Signed-off-by: Andrew Leonard * Repro x86_64 doc Signed-off-by: Andrew Leonard * Repro x86_64 doc Signed-off-by: Andrew Leonard * Repro x86_64 doc Signed-off-by: Andrew Leonard * Repro x86_64 doc Signed-off-by: Andrew Leonard * Repro x86_64 doc Signed-off-by: Andrew Leonard * Reproducible verification build blog Signed-off-by: Andrew Leonard * Reproducible verification build blog Signed-off-by: Andrew Leonard * Reproducible verification build blog Signed-off-by: Andrew Leonard * Reproducible verification build blog Signed-off-by: Andrew Leonard * Reproducible verification build blog Signed-off-by: Andrew Leonard * Reproducible verification build blog Signed-off-by: Andrew Leonard * Reproducible verification build blog Signed-off-by: Andrew Leonard * Reproducible verification build blog Signed-off-by: Andrew Leonard * Reproducible verification build blog Signed-off-by: Andrew Leonard * Reproducible verification build blog Signed-off-by: Andrew Leonard * Reproducible verification build blog 
Signed-off-by: Andrew Leonard * Reproducible verification build blog Signed-off-by: Andrew Leonard * Reproducible verification build blog Signed-off-by: Andrew Leonard * Reproducible verification build blog Signed-off-by: Andrew Leonard * Reproducible verification build blog Signed-off-by: Andrew Leonard * Reproducible verification build blog Signed-off-by: Andrew Leonard * Reproducible verification build blog Signed-off-by: Andrew Leonard * Reproducible verification build blog Signed-off-by: Andrew Leonard * Reproducible verification build blog Signed-off-by: Andrew Leonard * Reproducible verification build blog Signed-off-by: Andrew Leonard * Reproducible verification build blog Signed-off-by: Andrew Leonard * Reproducible verification build blog Signed-off-by: Andrew Leonard * Reproducible verification build blog Signed-off-by: Andrew Leonard * Reproducible verification build blog Signed-off-by: Andrew Leonard * Reproducible verification build blog Signed-off-by: Andrew Leonard * Reproducible verification build blog Signed-off-by: Andrew Leonard * Reproducible verification build blog Signed-off-by: Andrew Leonard * Reproducible verification build blog Signed-off-by: Andrew Leonard * Reproducible verification build blog Signed-off-by: Andrew Leonard * Reproducible verification build blog Signed-off-by: Andrew Leonard * Reproducible verification build blog Signed-off-by: Andrew Leonard * Reproducible verification build blog Signed-off-by: Andrew Leonard * Reproducible verification build blog Signed-off-by: Andrew Leonard * Reproducible verification build blog Signed-off-by: Andrew Leonard * Reproducible verification build blog Signed-off-by: Andrew Leonard * Reproducible verification build blog Signed-off-by: Andrew Leonard * Reproducible verification build blog Signed-off-by: Andrew Leonard * Reproducible verification build blog Signed-off-by: Andrew Leonard * Reproducible verification build blog 
Signed-off-by: Andrew Leonard
* Reproducible verification build blog
Signed-off-by: Andrew Leonard
* Reproducible verification build blog
Signed-off-by: Andrew Leonard
* Reproducible verification build blog
Signed-off-by: Andrew Leonard
---------
Signed-off-by: Andrew Leonard
---
 .../index.adoc | 17 ++
 .../reproduce-linux-aarch64/index.adoc | 286 ++++++++++++++++++
 .../reproduce-linux-x64/index.adoc | 286 ++++++++++++++++++
 .../reproduce-windows-x64/index.adoc | 258 ++++++++++++++++
 .../index.md | 69 +++++
 .../__snapshots__/docs.test.tsx.snap | 6 +
 src/pages/docs.tsx | 3 +-
 7 files changed, 924 insertions(+), 1 deletion(-)
 create mode 100644 content/asciidoc-pages/docs/reproducible-verification-builds/index.adoc
 create mode 100644 content/asciidoc-pages/docs/reproducible-verification-builds/reproduce-linux-aarch64/index.adoc
 create mode 100644 content/asciidoc-pages/docs/reproducible-verification-builds/reproduce-linux-x64/index.adoc
 create mode 100644 content/asciidoc-pages/docs/reproducible-verification-builds/reproduce-windows-x64/index.adoc
 create mode 100644 content/blog/adoptium-reproducible-verification-builds/index.md
diff --git a/content/asciidoc-pages/docs/reproducible-verification-builds/index.adoc b/content/asciidoc-pages/docs/reproducible-verification-builds/index.adoc
new file mode 100644
index 000000000..1c44cc85f
--- /dev/null
+++ b/content/asciidoc-pages/docs/reproducible-verification-builds/index.adoc
@@ -0,0 +1,17 @@
+= Third Party Reproducible Verification Build Instructions
+:description: Instructions for independently reproducing an Eclipse Temurin release as part of a reproducible verification build
+:keywords: Reproducible Builds SLSA Security Supply Chain
+:orgname: Eclipse Adoptium
+:lang: en
+:page-authors: andrew-m-leonard
+
+To perform your own reproducible verification build of an Eclipse Temurin JDK 21+ official release, we have prepared a set of instructions for each platform that will guide you through the process of re-building the selected JDK 21+ Eclipse Temurin builds from upstream OpenJDK community source and with your own securely built toolchains and dependencies.
+
+Select your required platform instructions for the Eclipse Temurin release you wish to reproduce:
+
+- link:/docs/reproducible-verification-builds/reproduce-linux-x64[JDK 21+ Linux x64]
+- link:/docs/reproducible-verification-builds/reproduce-linux-aarch64[JDK 21+ Linux aarch64]
+- link:/docs/reproducible-verification-builds/reproduce-windows-x64[JDK 21+ Windows x64]
+
+link:/blog/2024/08/adoptium-reproducible-verification-builds[Eclipse Temurin Reproducible Verification Builds for Secure Supply Chain Validation]
+
diff --git a/content/asciidoc-pages/docs/reproducible-verification-builds/reproduce-linux-aarch64/index.adoc b/content/asciidoc-pages/docs/reproducible-verification-builds/reproduce-linux-aarch64/index.adoc
new file mode 100644
index 000000000..dd39abb96
--- /dev/null
+++ b/content/asciidoc-pages/docs/reproducible-verification-builds/reproduce-linux-aarch64/index.adoc
@@ -0,0 +1,286 @@
+= Temurin Reproducible Verification Build on Linux aarch64
+:description: Temurin Reproducible Verification Build on Linux aarch64
+:keywords: Reproducible Builds Secure Supply Chain
+:orgname: Eclipse Adoptium
+:lang: en
+:page-authors: andrew-m-leonard
+
+The following instructions detail the process of rebuilding identically from "source" in a secure build environment, a reproducible build for a given Eclipse Temurin release on the Linux aarch64 platform. The process is performed in a secure manner, using only the upstream sources and securely verified build tooling, so as to provide a mechanism to securely verify the given Eclipse Temurin release binary. This verification then helps determine the security of the supply chains used to build the Eclipse Temurin official release binaries.
+
+The procedure consists of the following steps:
+
+- Build environment setup
+- Build the gcc DevKit from "source" identical to the one used by Eclipse Adoptium
+- Determine the OpenJDK make configuration arguments matching the Eclipse Temurin options
+- Build the local Eclipse Temurin JDK
+- Compare the secure local Eclipse Temurin re-build to the official Eclipse Temurin binary
+
+== Linux aarch64 reproducible verification build procedure
+
+. Build Environment
++
+To re-build identically Eclipse Temurin on Linux aarch64, a suitable Centos or RHEL, of version 7 or 8, is required.
+
+. Install EPEL Tools
++
+Centos7/8:
++
+[source,]
+----
+yum install epel-release
+----
++
+RHEL7:
++
+[source,]
+----
+yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
+----
++
+RHEL8:
++
+[source,]
+----
+yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
+----
+
+. Install Build Tools
++
+[source,]
+----
+yum install -y tar git patch gcc gcc-c++ wget bison texinfo lbzip2 zip unzip glibc glibc-devel libgcc
+yum install -y autoconf systemtap systemtap-sdt-devel
+----
+
+. GNU make version >= 4 ?
++
+GNU make must be at least version 4, in order to build the gcc DevKit.
++
+Check the GNU make version
++
+[source,]
+----
+make --version
+----
++
+If not at least version 4, then download and build GNU make 4.3 as follows:
++
+[source,]
+----
+curl -O -L https://ftp.gnu.org/gnu/make/make-4.3.tar.gz
+curl -O -L https://ftp.gnu.org/gnu/make/make-4.3.tar.gz.sig
+# Verify download:
+gpg --keyserver keyserver.ubuntu.com --recv-keys 6D4EEB02AD834703510B117680CB727A20C79BB2
+# Reference: https://lists.gnu.org/archive/html/bug-make/2016-12/msg00002.html
+gpg --verify make-4.3.tar.gz.sig make-4.3.tar.gz
+# Check for “Good signature”
+# Build
+tar -xf make-4.3.tar.gz
+(cd make-4.3 && ./configure --prefix=/usr/local && make clean && make && make install)
+ln -s /usr/local/bin/make /usr/local/bin/gmake
+----
+
+. Set Timezone to UTC
++
+For identical builds, the build timezone must be UTC to ensure exact binary build output
++
+[source,]
+----
+timedatectl set-timezone UTC
+----
+
+. Download Adoptium DevKit Toolchain make script files
++
+In order to securely and identically build a gcc DevKit Toolchain, securely download the following scripts from the Eclipse Adoptium repository. These scripts
+and patches enable the DevKit make process to build with a Centos sysroot and also enables GPG verified downloading of the Centos RPMs for additional integrity checking.
++
+[source,]
+----
+curl -L -O https://raw.githubusercontent.com/adoptium/ci-jenkins-pipelines/master/pipelines/build/devkit/make_devkit.sh
+curl -L -O https://raw.githubusercontent.com/adoptium/ci-jenkins-pipelines/master/pipelines/build/devkit/Tools.gmk.patch
+curl -L -O https://raw.githubusercontent.com/adoptium/ci-jenkins-pipelines/master/pipelines/build/devkit/binutils-2.39.patch
+----
+
+. Build the gcc DevKit Toolchain from source
++
+[source,]
+----
+bash ./make_devkit.sh jdk21u aarch64 Centos 7.6.1810
+----
++
+The built "DevKit path" will be in folder jdk21u/build/devkit/result/aarch64-linux-gnu-to-aarch64-linux-gnu
++
+Set LD_LIBRARY_PATH to locate the newly built DevKit libraries
++
+[source,]
+----
+ export LD_LIBRARY_PATH=/lib64:/lib
+----
+
+. Download SBOM of Eclipse Temurin build to be verified
++
+For example, to download the SBOM and SBOM-metadata for release jdk-21.0.4+7
++
+[source,]
+----
+curl -L -O https://github.com/adoptium/temurin21-binaries/releases/download/jdk-21.0.4%2B7/OpenJDK21U-sbom_aarch64_linux_hotspot_21.0.4_7.json
+curl -L -O https://github.com/adoptium/temurin21-binaries/releases/download/jdk-21.0.4%2B7/OpenJDK21U-sbom_aarch64_linux_hotspot_21.0.4_7-metadata.json
+----
+
+. Determine upstream OpenJDK source tag to be built
++
+Open the SBOM json file and determine the "SCM Ref" the release was built from
++
+[source,]
+----
+ {
+ "name" : "SCM Ref",
+ "value" : "jdk-21.0.4+7_adopt"
+ },
+----
++
+The upstream OpenJDK tag is this value without the "_adopt", eg. "jdk-21.0.4+7"
+
+. Download a suitable Boot JDK
++
+To build Temurin you need a suitable Boot JDK, open the SBOM json file and determine the version used to build the release
++
+[source,]
+----
+ {
+ "name" : "BOOTJDK",
+ "version" : "20.0.2+9"
+ },
+----
++
+Securely download and verify the required version from the https://github.com/adoptium/temurin-binaries/releases
++
+[source,]
+----
+# Download JDK tar.gz
+curl -L -O https://github.com/adoptium/temurin20-binaries/releases/download/jdk-20.0.2%2B9/OpenJDK20U-jdk_aarch64_linux_hotspot_20.0.2_9.tar.gz
+# Download GPG sig file to verify
+curl -L -O https://github.com/adoptium/temurin20-binaries/releases/download/jdk-20.0.2%2B9/OpenJDK20U-jdk_aarch64_linux_hotspot_20.0.2_9.tar.gz.sig
+# Verify JDK using Adoptium GPG key
+gpg --keyserver keyserver.ubuntu.com --recv-keys 3B04D753C9050D9A5D343F39843C48A565F8F04B
+echo -e "5\ny\n" | gpg --batch --command-fd 0 --expert --edit-key 3B04D753C9050D9A5D343F39843C48A565F8F04B trust;
+gpg --verify OpenJDK20U-jdk_aarch64_linux_hotspot_20.0.2_9.tar.gz.sig OpenJDK20U-jdk_aarch64_linux_hotspot_20.0.2_9.tar.gz
+----
++
+Ensure "Good signature from Adoptium GPG Key (DEB/RPM Signing Key)"
++
+Unpack into a suitable folder
++
+[source,]
+----
+tar -xf OpenJDK20U-jdk_aarch64_linux_hotspot_20.0.2_9.tar.gz
+----
++
+Add to PATH environment
++
+[source,]
+----
+export PATH=/bin:$PATH
+----
+
+. Clone required upstream OpenJDK source
++
+Replace jdk21u with the upstream release being built
++
+[source,]
+----
+git clone https://github.com/openjdk/jdk21u.git jdk21u_bld
+# Checkout required tag to build
+(cd jdk21u_bld && git checkout )
+----
+
+. Create a local build directory
++
+[source,]
+----
+mkdir openjdk_build
+----
+
+. Configure build
++
+Determine and edit the "configure args" to match your local environment
++
+.. Determine the configure arguments for this build
++
+Use the following grep to find the required configure arguments from the SBOM-metadata.json
++
+[source,]
+----
+grep "using configure arguments" | sed -n -e "s/^.*using configure arguments '\(.*\)'\..*/\1/p"
+----
+.. Replace -–with-devkit=, with path to the local built gcc DevKit "/jdk21u/build/devkit/result/aarch64-linux-gnu-to-aarch64-linux-gnu".
+.. Remove -–with-cacerts-src=, as Temurin is built with Mozilla CA certs, whereas the local build will use the standard OpenJDK CA certs.
+.. Replace -–with-boot-jdk=, with the path to your local un-tared boot jdk from above.
++
+Configure from the "openjdk_build" directory
++
+[source,]
+----
+cd openjdk_build
+bash ../jdk21u_bld/configure
+----
+
+. Build Temurin
++
+[source,]
+----
+make images
+----
+
+. Remove built image output that is not relevant to the reproducible build comparison
++
+.. “cacerts” : Temurin builds with it’s own list of Mozilla CA certificates (needs removing from lib/security and java.base/lib/security)
+.. “release” : “release” text description file differs due to different build OS environment and Temurin additional metadata
+.. “demo” : Temurin does not ship the “demo” example files
+.. “debuginfo” : Temurin JDK tarball does not contain debuginfo
++
+[source,]
+----
+rm -f images/jdk/lib/security/cacerts
+rm -f images/jdk/release
+rm -rf images/jdk/demo
+find "images/jdk" -type f -name "*.debuginfo" -delete
+(mkdir images/jdk/jmods/java.base_expanded && jmod extract --dir images/jdk/jmods/java.base_expanded images/jdk/jmods/java.base.jmod && rm -f images/jdk/jmods/java.base.jmod)
+rm -f images/jdk/jmods/java.base_expanded/lib/security/cacerts
+# Change back to root directory
+cd ..
+----
+
+. Download offical Eclipse Temurin release for "Verification"
++
+Download and unpack the Temurin JDK to be verified:
++
+[source,]
+----
+curl -L -o temurin-linux-aarch64-jdk-21.0.4+7.tar.gz https://api.adoptium.net/v3/binary/version/jdk-21.0.4+7/linux/aarch64/jdk/hotspot/normal/adoptium
+tar -xf temurin-linux-aarch64-jdk-21.0.4+7.tar.gz
+----
+
+. Remove the same non-relevant files
++
+[source,]
+----
+rm -f jdk-21.0.4+7/lib/security/cacerts
+rm -f jdk-21.0.4+7/release
+rm -f jdk-21.0.4+7/NOTICE
+(mkdir jdk-21.0.4+7/jmods/java.base_expanded && jmod extract --dir jdk-21.0.4+7/jmods/java.base_expanded jdk-21.0.4+7/jmods/java.base.jmod && rm -f jdk-21.0.4+7/jmods/java.base.jmod)
+rm -f jdk-21.0.4+7/jmods/java.base_expanded/lib/security/cacerts
+----
+
+. Verify the local secure re-build is identical to the official Eclipse Temurin binary
++
+Compare the two images
++
+[source,]
+----
+diff -r openjdk_build/images/jdk jdk-21.0.4+7
+----
++
+For a successful verification there should be no differences.
+
+
diff --git a/content/asciidoc-pages/docs/reproducible-verification-builds/reproduce-linux-x64/index.adoc b/content/asciidoc-pages/docs/reproducible-verification-builds/reproduce-linux-x64/index.adoc
new file mode 100644
index 000000000..f9721bff7
--- /dev/null
+++ b/content/asciidoc-pages/docs/reproducible-verification-builds/reproduce-linux-x64/index.adoc
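Review bot: The three `curl -L -O https://raw.githubusercontent.com/adoptium/ci-jenkins-pipelines/master/pipelines/build/devkit/...` lines fetch the DevKit build script and the binutils/Tools.gmk patches from the mutable `master` branch with no commit pin, checksum or signature, so the toolchain the page calls "securely built" is defined by whatever is on that branch on the day the reader runs it, and a later change there silently alters the reproduction. Pin the ref and tell the reader where it comes from, e.g. `curl -L -O https://raw.githubusercontent.com/adoptium/ci-jenkins-pipelines/<commit-sha>/pipelines/build/devkit/make_devkit.sh`, with a sentence naming the commit (or the SBOM field, if one records it) that the release was built with. A caveat worth adding at the Boot JDK step: the rebuild is bootstrapped from an Adoptium-published Temurin 20 binary, so a GPG-valid but compromised boot JDK sits inside the trust base of this verification; readers wanting an independent trust root could try a same-version boot JDK from another source, noting whether the final image still matches. Several placeholders also appear to have been lost in the rendered text (`git checkout )`, `grep "using configure arguments"` with no file argument, `export PATH=/bin:$PATH`), which is worth confirming against the source before publishing.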
@@ -0,0 +1,286 @@
+= Temurin Reproducible Verification Build on Linux x64
+:description: Temurin Reproducible Verification Build on Linux x64
+:keywords: Reproducible Builds Secure Supply Chain
+:orgname: Eclipse Adoptium
+:lang: en
+:page-authors: andrew-m-leonard
+
+The following instructions detail the process of rebuilding identically from "source" in a secure build environment, a reproducible build for a given Eclipse Temurin release on the Linux x64 platform. The process is performed in a secure manner, using only the upstream sources and securely verified build tooling, so as to provide a mechanism to securely verify the given Eclipse Temurin release binary. This verification then helps determine the security of the supply chains used to build the Eclipse Temurin official release binaries.
+
+The procedure consists of the following steps:
+
+- Build environment setup
+- Build the gcc DevKit from "source" identical to the one used by Eclipse Adoptium
+- Determine the OpenJDK make configuration arguments matching the Eclipse Temurin options
+- Build the local Eclipse Temurin JDK
+- Compare the secure local Eclipse Temurin re-build to the official Eclipse Temurin binary
+
+== Linux x64 reproducible verification build procedure
+
+. Build Environment
++
+To re-build identically Eclipse Temurin on Linux x64, a suitable Centos or RHEL, of version 7 or 8, is required.
+
+. Install EPEL Tools
++
+Centos7/8:
++
+[source,]
+----
+yum install epel-release
+----
++
+RHEL7:
++
+[source,]
+----
+yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
+----
++
+RHEL8:
++
+[source,]
+----
+yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
+----
+
+. Install Build Tools
++
+[source,]
+----
+yum install -y tar git patch gcc gcc-c++ wget bison texinfo lbzip2 zip unzip glibc.x86_64 glibc-devel.x86_64 glibc.i686 glibc-devel.i686 libgcc.i686
+yum install -y autoconf systemtap systemtap-sdt-devel
+----
+
+. GNU make version >= 4 ?
++
+GNU make must be at least version 4, in order to build the gcc DevKit.
++
+Check the GNU make version
++
+[source,]
+----
+make --version
+----
++
+If not at least version 4, then download and build GNU make 4.3 as follows:
++
+[source,]
+----
+curl -O -L https://ftp.gnu.org/gnu/make/make-4.3.tar.gz
+curl -O -L https://ftp.gnu.org/gnu/make/make-4.3.tar.gz.sig
+# Verify download:
+gpg --keyserver keyserver.ubuntu.com --recv-keys 6D4EEB02AD834703510B117680CB727A20C79BB2
+# Reference: https://lists.gnu.org/archive/html/bug-make/2016-12/msg00002.html
+gpg --verify make-4.3.tar.gz.sig make-4.3.tar.gz
+# Check for “Good signature”
+# Build
+tar -xf make-4.3.tar.gz
+(cd make-4.3 && ./configure --prefix=/usr/local && make clean && make && make install)
+ln -s /usr/local/bin/make /usr/local/bin/gmake
+----
+
+. Set Timezone to UTC
++
+For identical builds, the build timezone must be UTC to ensure exact binary build output
++
+[source,]
+----
+timedatectl set-timezone UTC
+----
+
+. Download Adoptium DevKit Toolchain make script files
++
+In order to securely and identically build a gcc DevKit Toolchain, securely download the following scripts from the Eclipse Adoptium repository. These scripts
+and patches enable the DevKit make process to build with a Centos sysroot and also enables GPG verified downloading of the Centos RPMs for additional integrity checking.
++
+[source,]
+----
+curl -L -O https://raw.githubusercontent.com/adoptium/ci-jenkins-pipelines/master/pipelines/build/devkit/make_devkit.sh
+curl -L -O https://raw.githubusercontent.com/adoptium/ci-jenkins-pipelines/master/pipelines/build/devkit/Tools.gmk.patch
+curl -L -O https://raw.githubusercontent.com/adoptium/ci-jenkins-pipelines/master/pipelines/build/devkit/binutils-2.39.patch
+----
+
+. Build the gcc DevKit Toolchain from source
++
+[source,]
+----
+bash ./make_devkit.sh jdk21u x86_64 Centos 7.9.2009
+----
++
+The built "DevKit path" will be in folder jdk21u/build/devkit/result/x86_64-linux-gnu-to-x86_64-linux-gnu
++
+Set LD_LIBRARY_PATH to locate the newly built DevKit libraries
++
+[source,]
+----
+ export LD_LIBRARY_PATH=/lib64:/lib
+----
+
+. Download SBOM of Eclipse Temurin build to be verified
++
+For example, to download the SBOM and SBOM-metadata for release jdk-21.0.4+7
++
+[source,]
+----
+curl -L -O https://github.com/adoptium/temurin21-binaries/releases/download/jdk-21.0.4%2B7/OpenJDK21U-sbom_x64_linux_hotspot_21.0.4_7.json
+curl -L -O https://github.com/adoptium/temurin21-binaries/releases/download/jdk-21.0.4%2B7/OpenJDK21U-sbom_x64_linux_hotspot_21.0.4_7-metadata.json
+----
+
+. Determine upstream OpenJDK source tag to be built
++
+Open the SBOM json file and determine the "SCM Ref" the release was built from
++
+[source,]
+----
+ {
+ "name" : "SCM Ref",
+ "value" : "jdk-21.0.4+7_adopt"
+ },
+----
++
+The upstream OpenJDK tag is this value without the "_adopt", eg. "jdk-21.0.4+7"
+
+. Download a suitable Boot JDK
++
+To build Temurin you need a suitable Boot JDK, open the SBOM json file and determine the version used to build the release
++
+[source,]
+----
+ {
+ "name" : "BOOTJDK",
+ "version" : "20.0.2+9"
+ },
+----
++
+Securely download and verify the required version from the https://github.com/adoptium/temurin-binaries/releases
++
+[source,]
+----
+# Download JDK tar.gz
+curl -L -O https://github.com/adoptium/temurin20-binaries/releases/download/jdk-20.0.2%2B9/OpenJDK20U-jdk_x64_linux_hotspot_20.0.2_9.tar.gz
+# Download GPG sig file to verify
+curl -L -O https://github.com/adoptium/temurin20-binaries/releases/download/jdk-20.0.2%2B9/OpenJDK20U-jdk_x64_linux_hotspot_20.0.2_9.tar.gz.sig
+# Verify JDK using Adoptium GPG key
+gpg --keyserver keyserver.ubuntu.com --recv-keys 3B04D753C9050D9A5D343F39843C48A565F8F04B
+echo -e "5\ny\n" | gpg --batch --command-fd 0 --expert --edit-key 3B04D753C9050D9A5D343F39843C48A565F8F04B trust;
+gpg --verify OpenJDK20U-jdk_x64_linux_hotspot_20.0.2_9.tar.gz.sig OpenJDK20U-jdk_x64_linux_hotspot_20.0.2_9.tar.gz
+----
++
+Ensure "Good signature from Adoptium GPG Key (DEB/RPM Signing Key)"
++
+Unpack into a suitable folder
++
+[source,]
+----
+tar -xf OpenJDK20U-jdk_x64_linux_hotspot_20.0.2_9.tar.gz
+----
++
+Add to PATH environment
++
+[source,]
+----
+export PATH=/bin:$PATH
+----
+
+. Clone required upstream OpenJDK source
++
+Replace jdk21u with the upstream release being built
++
+[source,]
+----
+git clone https://github.com/openjdk/jdk21u.git jdk21u_bld
+# Checkout required tag to build
+(cd jdk21u_bld && git checkout )
+----
+
+. Create a local build directory
++
+[source,]
+----
+mkdir openjdk_build
+----
+
+. Configure build
++
+Determine and edit the "configure args" to match your local environment
++
+.. Determine the configure arguments for this build
++
+Use the following grep to find the required configure arguments from the SBOM-metadata.json
++
+[source,]
+----
+grep "using configure arguments" | sed -n -e "s/^.*using configure arguments '\(.*\)'\..*/\1/p"
+----
+.. Replace -–with-devkit=, with path to the local built gcc DevKit "/jdk21u/build/devkit/result/x86_64-linux-gnu-to-x86_64-linux-gnu".
+.. Remove -–with-cacerts-src=, as Temurin is built with Mozilla CA certs, whereas the local build will use the standard OpenJDK CA certs.
+.. Replace -–with-boot-jdk=, with the path to your local un-tared boot jdk from above.
++
+Configure from the "openjdk_build" directory
++
+[source,]
+----
+cd openjdk_build
+bash ../jdk21u_bld/configure
+----
+
+. Build Temurin
++
+[source,]
+----
+make images
+----
+
+. Remove built image output that is not relevant to the reproducible build comparison
++
+.. “cacerts” : Temurin builds with it’s own list of Mozilla CA certificates (needs removing from lib/security and java.base/lib/security)
+.. “release” : “release” text description file differs due to different build OS environment and Temurin additional metadata
+.. “demo” : Temurin does not ship the “demo” example files
+.. “debuginfo” : Temurin JDK tarball does not contain debuginfo
++
+[source,]
+----
+rm -f images/jdk/lib/security/cacerts
+rm -f images/jdk/release
+rm -rf images/jdk/demo
+find "images/jdk" -type f -name "*.debuginfo" -delete
+(mkdir images/jdk/jmods/java.base_expanded && jmod extract --dir images/jdk/jmods/java.base_expanded images/jdk/jmods/java.base.jmod && rm -f images/jdk/jmods/java.base.jmod)
+rm -f images/jdk/jmods/java.base_expanded/lib/security/cacerts
+# Change back to root directory
+cd ..
+----
+
+. Download offical Eclipse Temurin release for "Verification"
++
+Download and unpack the Temurin JDK to be verified:
++
+[source,]
+----
+curl -L -o temurin-linux-x64-jdk-21.0.4+7.tar.gz https://api.adoptium.net/v3/binary/version/jdk-21.0.4+7/linux/x64/jdk/hotspot/normal/adoptium
+tar -xf temurin-linux-x64-jdk-21.0.4+7.tar.gz
+----
+
+. Remove the same non-relevant files
++
+[source,]
+----
+rm -f jdk-21.0.4+7/lib/security/cacerts
+rm -f jdk-21.0.4+7/release
+rm -f jdk-21.0.4+7/NOTICE
+(mkdir jdk-21.0.4+7/jmods/java.base_expanded && jmod extract --dir jdk-21.0.4+7/jmods/java.base_expanded jdk-21.0.4+7/jmods/java.base.jmod && rm -f jdk-21.0.4+7/jmods/java.base.jmod)
+rm -f jdk-21.0.4+7/jmods/java.base_expanded/lib/security/cacerts
+----
+
+. Verify the local secure re-build is identical to the official Eclipse Temurin binary
++
+Compare the two images
++
+[source,]
+----
+diff -r openjdk_build/images/jdk jdk-21.0.4+7
+----
++
+For a successful verification there should be no differences.
+
+
diff --git a/content/asciidoc-pages/docs/reproducible-verification-builds/reproduce-windows-x64/index.adoc b/content/asciidoc-pages/docs/reproducible-verification-builds/reproduce-windows-x64/index.adoc
new file mode 100644
index 000000000..f757dadb1
--- /dev/null
+++ b/content/asciidoc-pages/docs/reproducible-verification-builds/reproduce-windows-x64/index.adoc
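Review bot: The release being verified is fetched with `curl -L -o temurin-linux-x64-jdk-21.0.4+7.tar.gz https://api.adoptium.net/...` and never signature- or checksum-checked, whereas the boot JDK earlier on the same page is GPG-verified; the target should get the same treatment (download the matching `.tar.gz.sig` from the temurin21-binaries release and `gpg --verify` it, or compare its sha256 against the SBOM) so a clean `diff -r` is tied to the binary Adoptium actually published rather than to whatever the redirect returned. Because both `cacerts` copies plus `release` and `NOTICE` are deleted before the comparison, the Mozilla CA bundle Temurin ships is explicitly outside what this procedure attests; a sentence saying so next to the "no differences" statement, with a pointer to how the `--with-cacerts-src` input can be checked separately, would stop readers taking the result as full coverage. `diff -r` also compares content only, so a changed file mode or a redirected symlink would still pass; suggesting readers additionally compare `find <dir> -printf '%m %y %p %l\n' | sort` output from both trees (where their find supports it), and check the diff exit status when scripting, closes that gap.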
@@ -0,0 +1,258 @@ += Temurin Reproducible Verification Build on Windows x64 +:description: Temurin Reproducible Verification Build on Windows x64 +:keywords: Reproducible Builds Secure Supply Chain +:orgname: Eclipse Adoptium +:lang: en +:page-authors: andrew-m-leonard + +The following instructions detail the process of rebuilding identically from "source" in a secure build environment, a reproducible build for a given Eclipse Temurin release on the Windows x64 platform. The process is performed in a secure manner, using only the upstream sources and official Microsoft Visual Studio build tooling, so as to provide a mechanism to securely verify the given Eclipse Temurin release binary. This verification then helps determine the security of the supply chains used to build the Eclipse Temurin official release binaries. + +The procedure consists of the following steps: + +- Build environment setup +- Install the required version of Microsoft Visual Studio Builds Tools edition for the C/C++ compiler +- Determine the OpenJDK make configuration arguments matching the Eclipse Temurin options +- Build the local Eclipse Temurin JDK +- Compare the secure local Eclipse Temurin re-build to the official Eclipse Temurin binary, using the Adoptium temurin-build comparison script that adjusts for comparing against "signed" native executables + +== Windows x64 reproducible verification build procedure + +. Build Environment ++ +To re-build identically Eclipse Temurin on Windows x64, a suitable Windows build environment with the exact same required Microsoft Visual Studio Build Tools is required, and it is necessary to remove any previous existing potential conflicting versions. ++ +Ensure any previous Microsoft Visual Studio components are uninstalled using Windows Settings->"Add or remove programs", including: ++ +- Visual Studio 20xx ... +- Microsoft C++ Redistributables +- Microsoft Visual Studio Installer +- Windows Software Development Kit +- Windows SDK Addon + +. 
Ensure Windows system Time zone is UTC to ensure an identical build ++ +Set the Windows "Time zone" to UTC, by checking the Windows Settings->"Time & Language" -> "Date & time" -> "Time zone" value. + +. Re-boot the Windows machine after uninstalling any programs or changing the Time Zone. + +. Install the required version of Microsoft Visual Studio ++ +Install Microsoft Visual Studio VS2022 “Build Tools” edition version 17.7.3 which contains version 19.37.32822 of the C/C++ compiler: ++ +- Download and execute: https://download.visualstudio.microsoft.com/download/pr/1d66edfe-3c83-476b-bf05-e8901c62ba7f/bac71effb5a23d7cd1a81e5f628a0c8dcb7e8a07e0aa7077c853ed84a862dceb/vs_BuildTools.exe +- Select “Workloads” - “Desktop development with C++” +- “Install” + +. Install required build dependencies: ++ +Install Cygwin with required dependencies to build OpenJDK: ++ +[source,] +---- +curl -L -O https://cygwin.com/setup-x86_64.exe +curl -l -O https://cygwin.com/setup-x86_64.exe.sig +# Verify download: Import "Cygwin " GPG key +gpg --keyserver keyserver.ubuntu.com --recv-keys 1A698DE9E2E56300 +gpg --verify setup-x86_64.exe.sig setup-x86_64.exe +# Check for “Good signature” +---- ++ +Assuming setup-x86_64.exe is secure and GPG verify reports "Good signature", then install Cygwin: ++ +[source,] +---- +setup-x86_64.exe --packages autoconf,automake,bsdtar,cmake,cpio,curl,gcc-core,git,gnupg,grep,jq,libtool,make,mingw64-x86_64-gcc-core,perl,rsync,unzip,wget,zip --download --local-install --delete-orphans --site https://mirrors.kernel.org/sourceware/cygwin/ --local-package-dir C:\cygwin_packages --root C:\cygwin64 +---- + +. Start a Cygwin terminal windows to perform the build from within ++ +Double click the "Cygwin Terminal" desktop icon to open a new Cygwin terminal running the bash shell + +. 
Determine required build configuration for reproducing the target Eclipse Temurin release ++ +For the required Eclipse Temurin release version, download the SBOM and SBOM-metadata from the official Adoptium release binaries repository, eg.for jdk-21.0.4+7: ++ +[source,] +---- +curl -L -O https://github.com/adoptium/temurin21-binaries/releases/download/jdk-21.0.4%2B7/OpenJDK21U-sbom_x64_windows_hotspot_21.0.4_7.json +curl -L -O https://github.com/adoptium/temurin21-binaries/releases/download/jdk-21.0.4%2B7/OpenJDK21U-sbom_x64_windows_hotspot_21.0.4_7-metadata.json +---- + +. Determine upstream OpenJDK source tag to be built ++ +Open the SBOM json file and determine the "SCM Ref" the release was built from ++ +[source,] +---- + { + "name" : "SCM Ref", + "value" : "jdk-21.0.4+7_adopt" + }, +---- ++ +The upstream OpenJDK tag is this value without the "_adopt", eg. "jdk-21.0.4+7" + +. Download a suitable Boot JDK ++ +To build Temurin you need a suitable Boot JDK, open the SBOM json file and determine the version used to build the release ++ +[source,] +---- + { + "name" : "BOOTJDK", + "version" : "20.0.2+9" + }, +---- ++ +Securely download and verify the required version from the https://github.com/adoptium/temurin-binaries/releases ++ +[source,] +---- +# Download JDK zip +curl -L -O https://github.com/adoptium/temurin20-binaries/releases/download/jdk-20.0.2%2B9/OpenJDK20U-jdk_x64_windows_hotspot_20.0.2_9.zip +# Download GPG sig file to verify +curl -L -O https://github.com/adoptium/temurin20-binaries/releases/download/jdk-20.0.2%2B9/OpenJDK20U-jdk_x64_windows_hotspot_20.0.2_9.zip.sig +# Verify JDK using Adoptium GPG key +gpg --keyserver keyserver.ubuntu.com --recv-keys 3B04D753C9050D9A5D343F39843C48A565F8F04B +echo -e "5\ny\n" | gpg --batch --command-fd 0 --expert --edit-key 3B04D753C9050D9A5D343F39843C48A565F8F04B trust; +gpg --verify OpenJDK20U-jdk_x64_windows_hotspot_20.0.2_9.zip.sig OpenJDK20U-jdk_x64_windows_hotspot_20.0.2_9.zip +---- ++ +Ensure "Good signature 
from Adoptium GPG Key (DEB/RPM Signing Key)"
++
+Unzip into a suitable folder
++
+[source,]
+----
+unzip OpenJDK20U-jdk_x64_windows_hotspot_20.0.2_9.zip
+----
++
+Add to the PATH environment, so that java and javac tooling are available to scripts used later in these instructions.
++
+[source,]
+----
+export PATH=/bin:$PATH
+----
+
+. Clone required upstream OpenJDK source
++
+Replace jdk21u with the upstream release being built
++
+[source,]
+----
+git clone https://github.com/openjdk/jdk21u.git
+# Checkout required tag to build
+(cd jdk21u && git checkout )
+----
+
+. Create a specific local build directory
++
+Note: This is required ONLY for jdk-21.0.4+7 due to a reproducible build issue (https://github.com/adoptium/temurin-build/issues/3790). For later versions this is unnecessary.
++
+Create the following exact local build directory for the build, the path must match this for the build to be identically reproducible.
++
+[source,]
+----
+mkdir -p C:/workspace/openjdk-build/workspace/build/openjdkbuild
+----
+
+. Configure build
++
+Determine and edit the "configure args" to match your local environment
++
+.. Determine the configure arguments for this build
++
+Use the following grep to find the required configure arguments from the SBOM-metadata.json
++
+[source,]
+----
+grep "using configure arguments" | sed -n -e "s/^.*using configure arguments '\(.*\)'\..*/\1/p"
+----
+.. Remove -–with-cacerts-src=, as Temurin is built with Mozilla CA certs, whereas the local build will use the standard OpenJDK CA certs.
+.. Update --with-ucrt-dll-dir=, to ensure it matches location on your local machine, specify:
++
+[source,]
+----
+--with-ucrt-dll-dir='C:/Program Files (x86)/Windows Kits/10/Redist/10.0.22621.0/ucrt/DLLs/x64'
+----
+.. Replace -–with-boot-jdk=, with the path to your local unzipped boot jdk from above. 
++
+Configure from the "C:/workspace/openjdk-build/workspace/build/openjdkbuild" directory
++
+[source,]
+----
+cd C:/workspace/openjdk-build/workspace/build/openjdkbuild
+bash ~/jdk21u/configure
+----
+
+. Build Temurin
++
+[source,]
+----
+make images
+----
++
+The built image will be available under directory: /cygdrive/c/workspace/openjdk-build/workspace/build/openjdkbuild/images/jdk
+
+. Download offical Eclipse Temurin release to be verified
++
+Download and unpack the Temurin JDK to be verified:
++
+[source,]
+----
+curl -L -o temurin-windows-x64-jdk-21.0.4+7.zip https://api.adoptium.net/v3/binary/version/jdk-21.0.4+7/windows/x64/jdk/hotspot/normal/adoptium
+unzip temurin-windows-x64-jdk-21.0.4+7.zip
+----
+
+. Download and setup the Adoptium temurin-build reproducible build comparison tooling for Windows
++
+Due to the Temurin “signing signatures” of the Windows .exe/dll’s, processing is necessary to remove the unique digital signatures using the Windows signtool.exe tool. To aid this process and perform the comparison the Adoptium temurin-build tooling provides a reproducible compare script.
++
+Perform the following steps to clone and setup your environment to run the temurin-build reproducible compare script:
++
+- git clone https://github.com/adoptium/temurin-build.git
+- cd temurin-build/tooling
+- Compile BinRepl.java:
++
+[source,]
+----
+javac src/java/temurin/tools/BinRepl.java
+----
+- Find “signtool.exe” and add to PATH, eg:
++
+[source,]
+----
+export PATH=/cygdrive/c/progra~2/wi3cf2~1/10/bin/10.0.22621.0/x64:$PATH
+----
+- Find “dumpbin.exe” and add to PATH, eg:
++
+[source,]
+----
+export PATH=/cygdrive/c/progra~2/micros~2/2022/BuildTools/VC/Tools/MSVC/14.37.32822/bin/Hostx64/x64:$PATH
+----
+- cd reproducible
+- Set CLASSPATH to find the compiled BinRepl.class, eg.
++
+[source,]
+----
+export CLASSPATH=../src/java
+----
+
+. 
Verify the local secure re-build is identical to the official Eclipse Temurin binary
++
+Compare the local re-build to the Eclipse Temurin official JDK. This script involves unpacking the jmod's and removing all the unique Temurin signing "Signatures", this process takes a while to complete (roughly 30 minutes):
++
+[source,]
+----
+bash ./repro_compare.sh temurin ~/jdk-21.0.4+7 openjdk /cygdrive/c/workspace/openjdk-build/workspace/build/openjdkbuild/images/jdk CYGWIN
+----
++
+For a successful verification the script should report a reproducible result of 100%.
++
+[source,]
+----
+Comparing /home/user/jdk-21.0.4+7 with /cygdrive/c/workspace/openjdk-build/workspace/build/openjdkbuild/images/jdk ... output to file: reprotest.diff
+Number of differences: 0
+ReproduciblePercent = 100 %
+----
+
diff --git a/content/blog/adoptium-reproducible-verification-builds/index.md b/content/blog/adoptium-reproducible-verification-builds/index.md
new file mode 100644
index 000000000..38a3d60a4
--- /dev/null
+++ b/content/blog/adoptium-reproducible-verification-builds/index.md
@@ -0,0 +1,69 @@
+---
+title: Eclipse Temurin Reproducible Verification Builds for Secure Supply Chain Validation
+date: "2024-08-09T12:00:00+00:00"
+author: andrewleonard
+description: Eclipse Temurin JDK 21+ builds are fully reproducible. This blog explains how
+ third-party users can perform an independent secure verification of an Eclipse Temurin build to
+ validate the integrity of the supply chain, and why you would want to do this.
+tags:
+ - temurin
+---
+
+### What is a third-party Reproducible Verification Build?
+
+A third-party reproducible verification build is a re-build of an official software product release, built purely from upstream sources and
+securely obtained and verified tooling, in a secure and well defined build environment. Its purpose is to help maintain trust in the supply chain
+by providing a mechanism for independent verification of the software integrity of the official releases. The trust of the supply chain is very
+important from the perspective of ensuring no vulnerabilities or malware affect the released software.
+
+An important aspect for performing an
+independent reproducible build is the security and source of the build environment. The upstream product sources, build scripts and toolchain
+must be original securely obtained sources, and any system binaries must be securely verified by signatures. Once completed, a byte-for-byte identical
+comparison with the official software product release binaries will then validate to a very high degree the security of the supply chain used and that the official
+release binary is secure and has not been tampered with.
+
+### Eclipse Temurin JDK 21+ now "Fully Reproducible"
+
+In my previous blog [Reproducible Builds at Eclipse Adoptium](https://adoptium.net/blog/2022/06/adoptium-reproducible-builds/), I explained
+how the Adoptium community has been working to achieve fully "Reproducible Builds" for the Eclipse Temurin JDK 21+ releases,
+and how that helps provide better secure supply chain validation, and improved build pipeline quality and script verification.
+Eclipse Temurin JDK 21+ releases are now fully reproducible for the platforms x64 Linux, aarch64 Linux, x64 Windows, x64 Mac and aarch64 Mac,
+and we have introduced new [Eclipse AQAvit](https://projects.eclipse.org/projects/adoptium.aqavit) reproducible comparison tests for reproducibility.
+
+### Using a "GCC DevKit" to build Eclipse Temurin
+
+Up until recently Eclipse Temurin Linux builds were compiled using a custom Adoptium build of GCC from source, which due to its unique
+source build nature, would mean in order for a third-party to identically re-build, then the very same Adoptium GCC
+[compilers](https://ci.adoptium.net/userContent/gcc/) would need to be downloaded. This then presents a potential toolchain vulnerability
+in relying on the very same GCC compiler binary. As of Eclipse Temurin JDK 21.0.3, the Adoptium build scripts and pipelines for the Linux
+GCC build platforms, have been upgraded to use an "GCC DevKit". This defines an absolute definition of a GCC toolchain,
+the GCC and dependency source versions, the sysroot used, and how it is exactly built. Eclipse Adoptium publishes the DevKits that are
+used to in the repository [https://github.com/adoptium/devkit-binaries/releases](https://github.com/adoptium/devkit-binaries/releases).
+Due to the way the DevKit is defined, a third-party can re-build the exact same toolchain purely from GPG-verified sources and GPG-verified sysroot RPMs.
+This independent build of the GCC toolchain allows another secure level of validation of the supply chain used to build the compiler,
+subsequently used to build the Eclipse Temurin binaries.
+
+## Independently fully reproducible Eclipse Temurin
+
+Combining the use of the "GCC DevKit", the well defined Eclipse Temurin reproducible build pipeline and the generated Software Bill
+of Materials (SBOM), allows a documented and independent method for third-parties to perform a reproducible build.
+By comparing the independently built binary with the official Eclipse Temurin release, any discrepancies or tampering can be detected,
+ensuring that the release has been securely and correctly built. These third-party reproducible builds help maintain trust in the supply chain
+by providing a mechanism for independent verification of software integrity of the Eclipse Temurin release binaries.
+
+## How to perform a third-party reproducible verification build
+
+To perform your own reproducible verification build of an Eclipse Temurin JDK 21+ official release, we have prepared a set of instructions
+for each platform that will guide you through the process of rebuilding the selected JDK 21+ Eclipse Temurin builds from upstream
+OpenJDK community sources and with your own securely built toolchains and dependencies.
+
+- [JDK 21+ Linux x64](/docs/reproducible-verification-builds/reproduce-linux-x64)
+- [JDK 21+ Linux aarch64](/docs/reproducible-verification-builds/reproduce-linux-aarch64)
+- [JDK 21+ Windows x64](/docs/reproducible-verification-builds/reproduce-windows-x64)
+
+### Summary
+
+Today's Enterprise Software needs to be more secure and safe from vulnerability attacks than ever before. Providing methods
+for ensuring the security of the supply chain and ways of demonstrating the quality of the products delivered are essential.
+The ability to perform secure verification using a third-party Eclipse Temurin reproducible build greatly extends the security
+and confidence in the supply chains used by the Eclipse Adoptium community.
diff --git a/src/pages/__tests__/__snapshots__/docs.test.tsx.snap b/src/pages/__tests__/__snapshots__/docs.test.tsx.snap
index b061bb26d..7166ee3cf 100644
--- a/src/pages/__tests__/__snapshots__/docs.test.tsx.snap
+++ b/src/pages/__tests__/__snapshots__/docs.test.tsx.snap
@@ -601,6 +601,12 @@ exports[`Docs page > renders correctly 1`] = `
 /> + + docs.reproducible.verification.builds + 
diff --git a/src/pages/docs.tsx b/src/pages/docs.tsx
index 4bccbbba1..584b3a449 100644
--- a/src/pages/docs.tsx
+++ b/src/pages/docs.tsx
@@ -79,7 +79,8 @@ const DocumentationPage = ({ data }) => {
 { name: t('docs.secure.software.pratices', 'Secure Software Practices'), link: '/docs/secure-software' },
 { name: t('docs.slsa.secure.supply.chain', 'SLSA Secure Supply Chain'), link: '/docs/slsa' },
 { name: t('docs.vulnerability.reporting', 'Vulnerability Reporting'), link: 'https://github.com/adoptium/adoptium/security/policy' },
- { name: t('docs.temurin.security.case.study', 'Temurin Security Case Study'), link: 'https://outreach.eclipse.foundation/adoptium-temurin-supply-chain-security?utm_campaign=Temurin%20Case%20Study&utm_source=website&utm_medium=adoptium%20docs' }
+ { name: t('docs.temurin.security.case.study', 'Temurin Security Case Study'), link: 'https://outreach.eclipse.foundation/adoptium-temurin-supply-chain-security?utm_campaign=Temurin%20Case%20Study&utm_source=website&utm_medium=adoptium%20docs' },
+ { name: t('docs.reproducible.verification.builds', 'Reproducible Verification Builds'), link: '/docs/reproducible-verification-builds' }
 ]} />