Blog and documentation for performing "3rd Party Reproducible Verific…

…ation Builds" (#2949) * Add reproducible build process doc Signed-off-by: Andrew Leonard <anleonar@redhat.com> * Add reproducible build process doc Signed-off-by: Andrew Leonard <anleonar@redhat.com> * Add reproducible build process doc Signed-off-by: Andrew Leonard <anleonar@redhat.com> * Add reproducible build process doc Signed-off-by: Andrew Leonard <anleonar@redhat.com> * Add reproducible build process doc Signed-off-by: Andrew Leonard <anleonar@redhat.com> * Add reproducible build process doc Signed-off-by: Andrew Leonard <anleonar@redhat.com> * Add reproducible build process doc Signed-off-by: Andrew Leonard <anleonar@redhat.com> * Add reproducible build process doc Signed-off-by: Andrew Leonard <anleonar@redhat.com> * Add reproducible build process doc Signed-off-by: Andrew Leonard <anleonar@redhat.com> * Update repro blog Signed-off-by: Andrew Leonard <anleonar@redhat.com> * Update repro blog Signed-off-by: Andrew Leonard <anleonar@redhat.com> * Repro x86_64 doc Signed-off-by: Andrew Leonard <anleonar@redhat.com> * Repro x86_64 doc Signed-off-by: Andrew Leonard <anleonar@redhat.com> * Repro x86_64 doc Signed-off-by: Andrew Leonard <anleonar@redhat.com> * Repro x86_64 doc Signed-off-by: Andrew Leonard <anleonar@redhat.com> * Repro x86_64 doc Signed-off-by: Andrew Leonard <anleonar@redhat.com> * Reproducible verification build blog Signed-off-by: Andrew Leonard <anleonar@redhat.com> * Reproducible verification build blog Signed-off-by: Andrew Leonard <anleonar@redhat.com> * Reproducible verification build blog Signed-off-by: Andrew Leonard <anleonar@redhat.com> * Reproducible verification build blog Signed-off-by: Andrew Leonard <anleonar@redhat.com> * Reproducible verification build blog Signed-off-by: Andrew Leonard <anleonar@redhat.com> * Reproducible verification build blog Signed-off-by: Andrew Leonard <anleonar@redhat.com> * Reproducible verification build blog Signed-off-by: Andrew Leonard <anleonar@redhat.com> * Reproducible verification build blog Signed-off-by: Andrew Leonard <anleonar@redhat.com> * Reproducible verification build blog Signed-off-by: Andrew Leonard <anleonar@redhat.com> * Reproducible verification build blog Signed-off-by: Andrew Leonard <anleonar@redhat.com> * Reproducible verification build blog Signed-off-by: Andrew Leonard <anleonar@redhat.com> * Reproducible verification build blog Signed-off-by: Andrew Leonard <anleonar@redhat.com> * Reproducible verification build blog Signed-off-by: Andrew Leonard <anleonar@redhat.com> * Reproducible verification build blog Signed-off-by: Andrew Leonard <anleonar@redhat.com> * Reproducible verification build blog Signed-off-by: Andrew Leonard <anleonar@redhat.com> * Reproducible verification build blog Signed-off-by: Andrew Leonard <anleonar@redhat.com> * Reproducible verification build blog Signed-off-by: Andrew Leonard <anleonar@redhat.com> * Reproducible verification build blog Signed-off-by: Andrew Leonard <anleonar@redhat.com> * Reproducible verification build blog Signed-off-by: Andrew Leonard <anleonar@redhat.com> * Reproducible verification build blog Signed-off-by: Andrew Leonard <anleonar@redhat.com> * Reproducible verification build blog Signed-off-by: Andrew Leonard <anleonar@redhat.com> * Reproducible verification build blog Signed-off-by: Andrew Leonard <anleonar@redhat.com> * Reproducible verification build blog Signed-off-by: Andrew Leonard <anleonar@redhat.com> * Reproducible verification build blog Signed-off-by: Andrew Leonard <anleonar@redhat.com> * Reproducible verification build blog Signed-off-by: Andrew Leonard <anleonar@redhat.com> * Reproducible verification build blog Signed-off-by: Andrew Leonard <anleonar@redhat.com> * Reproducible verification build blog Signed-off-by: Andrew Leonard <anleonar@redhat.com> * Reproducible verification build blog Signed-off-by: Andrew Leonard <anleonar@redhat.com> * Reproducible verification build blog Signed-off-by: Andrew Leonard <anleonar@redhat.com> * Reproducible verification build blog Signed-off-by: Andrew Leonard <anleonar@redhat.com> * Reproducible verification build blog Signed-off-by: Andrew Leonard <anleonar@redhat.com> * Reproducible verification build blog Signed-off-by: Andrew Leonard <anleonar@redhat.com> * Reproducible verification build blog Signed-off-by: Andrew Leonard <anleonar@redhat.com> * Reproducible verification build blog Signed-off-by: Andrew Leonard <anleonar@redhat.com> * Reproducible verification build blog Signed-off-by: Andrew Leonard <anleonar@redhat.com> * Reproducible verification build blog Signed-off-by: Andrew Leonard <anleonar@redhat.com> * Reproducible verification build blog Signed-off-by: Andrew Leonard <anleonar@redhat.com> * Reproducible verification build blog Signed-off-by: Andrew Leonard <anleonar@redhat.com> * Reproducible verification build blog Signed-off-by: Andrew Leonard <anleonar@redhat.com> * Reproducible verification build blog Signed-off-by: Andrew Leonard <anleonar@redhat.com> * Reproducible verification build blog Signed-off-by: Andrew Leonard <anleonar@redhat.com> * Reproducible verification build blog Signed-off-by: Andrew Leonard <anleonar@redhat.com> --------- Signed-off-by: Andrew Leonard <anleonar@redhat.com>
adoptium · Aug 9, 2024 · 0440c07 · 0440c07
1 parent 1a54e98
commit 0440c07
Show file tree

Hide file tree

Showing 7 changed files with 924 additions and 1 deletion.
diff --git a/content/asciidoc-pages/docs/reproducible-verification-builds/index.adoc b/content/asciidoc-pages/docs/reproducible-verification-builds/index.adoc
@@ -0,0 +1,17 @@
+= Third Party Reproducible Verification Build Instructions
+:description: Instructions for independently reproducing an Eclipse Temurin release as part of a reproducible verification build
+:keywords: Reproducible Builds SLSA Security Supply Chain
+:orgname: Eclipse Adoptium
+:lang: en
+:page-authors: andrew-m-leonard
+
+To perform your own reproducible verification build of an Eclipse Temurin JDK 21+ official release, we have prepared a set of instructions for each platform that will guide you through the process of re-building the selected JDK 21+ Eclipse Temurin builds from upstream OpenJDK community source and with your own securely built toolchains and dependencies.
+
+Select your required platform instructions for the Eclipse Temurin release you wish to reproduce:
+
+- link:/docs/reproducible-verification-builds/reproduce-linux-x64[JDK 21+ Linux x64]
+- link:/docs/reproducible-verification-builds/reproduce-linux-aarch64[JDK 21+ Linux aarch64]
+- link:/docs/reproducible-verification-builds/reproduce-windows-x64[JDK 21+ Windows x64]
+
+link:/blog/2024/08/adoptium-reproducible-verification-builds[Eclipse Temurin Reproducible Verification Builds for Secure Supply Chain Validation]
+
diff --git a/...-pages/docs/reproducible-verification-builds/reproduce-linux-aarch64/index.adoc b/...-pages/docs/reproducible-verification-builds/reproduce-linux-aarch64/index.adoc
@@ -0,0 +1,286 @@
+= Temurin Reproducible Verification Build on Linux aarch64
+:description: Temurin Reproducible Verification Build on Linux aarch64
+:keywords: Reproducible Builds Secure Supply Chain
+:orgname: Eclipse Adoptium
+:lang: en
+:page-authors: andrew-m-leonard
+
+The following instructions detail the process of rebuilding identically from "source" in a secure build environment, a reproducible build for a given Eclipse Temurin release on the Linux aarch64 platform. The process is performed in a secure manner, using only the upstream sources and securely verified build tooling, so as to provide a mechanism to securely verify the given Eclipse Temurin release binary. This verification then helps determine the security of the supply chains used to build the Eclipse Temurin official release binaries.
+
+The procedure consists of the following steps:
+
+- Build environment setup
+- Build the gcc DevKit from "source" identical to the one used by Eclipse Adoptium
+- Determine the OpenJDK make configuration arguments matching the Eclipse Temurin options
+- Build the local Eclipse Temurin JDK
+- Compare the secure local Eclipse Temurin re-build to the official Eclipse Temurin binary
+
+== Linux aarch64 reproducible verification build procedure
+
+. Build Environment
++
+To re-build identically Eclipse Temurin on Linux aarch64, a suitable Centos or RHEL, of version 7 or 8, is required.
+
+. Install EPEL Tools
++
+Centos7/8:
++
+[source,]
+----
+yum install epel-release
+----
++
+RHEL7:
++
+[source,]
+----
+yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
+----
++
+RHEL8:
++
+[source,]
+----
+yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
+----
+
+. Install Build Tools
++
+[source,]
+----
+yum install -y tar git patch gcc gcc-c++ wget bison texinfo lbzip2 zip unzip glibc glibc-devel libgcc
+yum install -y autoconf systemtap systemtap-sdt-devel
+----
+
+. GNU make version >= 4 ?
++
+GNU make must be at least version 4, in order to build the gcc DevKit.
++
+Check the GNU make version
++
+[source,]
+----
+make --version
+----
++
+If not at least version 4, then download and build GNU make 4.3 as follows:
++
+[source,]
+----
+curl -O -L https://ftp.gnu.org/gnu/make/make-4.3.tar.gz
+curl -O -L https://ftp.gnu.org/gnu/make/make-4.3.tar.gz.sig
+# Verify download:
+gpg --keyserver keyserver.ubuntu.com --recv-keys 6D4EEB02AD834703510B117680CB727A20C79BB2
+# Reference: https://lists.gnu.org/archive/html/bug-make/2016-12/msg00002.html
+gpg --verify make-4.3.tar.gz.sig make-4.3.tar.gz
+# Check for “Good signature”
+# Build
+tar -xf make-4.3.tar.gz
+(cd make-4.3 && ./configure --prefix=/usr/local && make clean && make && make install)
+ln -s /usr/local/bin/make /usr/local/bin/gmake
+----
+
+. Set Timezone to UTC
++
+For identical builds, the build timezone must be UTC to ensure exact binary build output
++
+[source,]
+----
+timedatectl set-timezone UTC
+----
+
+. Download Adoptium DevKit Toolchain make script files
++
+In order to securely and identically build a gcc DevKit Toolchain, securely download the following scripts from the Eclipse Adoptium repository. These scripts
+and patches enable the DevKit make process to build with a Centos sysroot and also enables GPG verified downloading of the Centos RPMs for additional integrity checking.
++
+[source,]
+----
+curl -L -O https://raw.githubusercontent.com/adoptium/ci-jenkins-pipelines/master/pipelines/build/devkit/make_devkit.sh
+curl -L -O https://raw.githubusercontent.com/adoptium/ci-jenkins-pipelines/master/pipelines/build/devkit/Tools.gmk.patch
+curl -L -O https://raw.githubusercontent.com/adoptium/ci-jenkins-pipelines/master/pipelines/build/devkit/binutils-2.39.patch
+----
+
+. Build the gcc DevKit Toolchain from source
++
+[source,]
+----
+bash ./make_devkit.sh jdk21u aarch64 Centos 7.6.1810
+----
++
+The built "DevKit path" will be in folder jdk21u/build/devkit/result/aarch64-linux-gnu-to-aarch64-linux-gnu
++
+Set LD_LIBRARY_PATH to locate the newly built DevKit libraries
++
+[source,]
+----
+        export LD_LIBRARY_PATH=<DevKit path>/lib64:<DevKit path>/lib
+----
+
+. Download SBOM of Eclipse Temurin build to be verified
++
+For example, to download the SBOM and SBOM-metadata for release jdk-21.0.4+7
++
+[source,]
+----
+curl -L -O https://github.com/adoptium/temurin21-binaries/releases/download/jdk-21.0.4%2B7/OpenJDK21U-sbom_aarch64_linux_hotspot_21.0.4_7.json
+curl -L -O https://github.com/adoptium/temurin21-binaries/releases/download/jdk-21.0.4%2B7/OpenJDK21U-sbom_aarch64_linux_hotspot_21.0.4_7-metadata.json
+----
+
+. Determine upstream OpenJDK source tag to be built
++
+Open the SBOM json file and determine the "SCM Ref" the release was built from
++
+[source,]
+----
+        {
+          "name" : "SCM Ref",
+          "value" : "jdk-21.0.4+7_adopt"
+        },
+----
++
+The upstream OpenJDK tag is this value without the "_adopt", eg. "jdk-21.0.4+7"
+
+. Download a suitable Boot JDK
++
+To build Temurin you need a suitable Boot JDK, open the SBOM json file and determine the version used to build the release
++
+[source,]
+----
+      {
+        "name" : "BOOTJDK",
+        "version" : "20.0.2+9"
+      },
+----
++
+Securely download and verify the required version from the https://github.com/adoptium/temurin<NN>-binaries/releases
++
+[source,]
+----
+# Download JDK tar.gz
+curl -L -O https://github.com/adoptium/temurin20-binaries/releases/download/jdk-20.0.2%2B9/OpenJDK20U-jdk_aarch64_linux_hotspot_20.0.2_9.tar.gz
+# Download GPG sig file to verify
+curl -L -O https://github.com/adoptium/temurin20-binaries/releases/download/jdk-20.0.2%2B9/OpenJDK20U-jdk_aarch64_linux_hotspot_20.0.2_9.tar.gz.sig
+# Verify JDK using Adoptium GPG key
+gpg --keyserver keyserver.ubuntu.com --recv-keys 3B04D753C9050D9A5D343F39843C48A565F8F04B
+echo -e "5\ny\n" |  gpg --batch --command-fd 0 --expert --edit-key 3B04D753C9050D9A5D343F39843C48A565F8F04B trust;
+gpg --verify OpenJDK20U-jdk_aarch64_linux_hotspot_20.0.2_9.tar.gz.sig OpenJDK20U-jdk_aarch64_linux_hotspot_20.0.2_9.tar.gz
+----
++
+Ensure "Good signature from Adoptium GPG Key (DEB/RPM Signing Key)"
++
+Unpack into a suitable folder
++
+[source,]
+----
+tar -xf OpenJDK20U-jdk_aarch64_linux_hotspot_20.0.2_9.tar.gz
+----
++
+Add to PATH environment
++
+[source,]
+----
+export PATH=<bootjdk>/bin:$PATH
+----
+
+. Clone required upstream OpenJDK source
++
+Replace jdk21u with the upstream release being built
++
+[source,]
+----
+git clone https://github.com/openjdk/jdk21u.git jdk21u_bld
+# Checkout required tag to build
+(cd jdk21u_bld && git checkout <OpenJDK tag to build>)
+----
+
+. Create a local build directory
++
+[source,]
+----
+mkdir openjdk_build
+----
+
+. Configure build
++
+Determine and edit the "configure args" to match your local environment
++
+.. Determine the configure arguments for this build
++
+Use the following grep to find the required configure arguments from the SBOM-metadata.json
++
+[source,]
+----
+grep "using configure arguments" <SBOM-metadata.json> | sed -n -e "s/^.*using configure arguments '\(.*\)'\..*/\1/p"
+----
+.. Replace -–with-devkit=<path>, with path to the local built gcc DevKit "<path>/jdk21u/build/devkit/result/aarch64-linux-gnu-to-aarch64-linux-gnu".
+.. Remove -–with-cacerts-src=<path>, as Temurin is built with Mozilla CA certs, whereas the local build will use the standard OpenJDK CA certs.
+.. Replace -–with-boot-jdk=<path>, with the path to your local un-tared boot jdk from above.
++
+Configure from the "openjdk_build" directory
++
+[source,]
+----
+cd openjdk_build
+bash ../jdk21u_bld/configure <edited configure args>
+----
+
+. Build Temurin
++
+[source,]
+----
+make images
+----
+
+. Remove built image output that is not relevant to the reproducible build comparison
++
+.. “cacerts” : Temurin builds with it’s own list of Mozilla CA certificates (needs removing from lib/security and java.base/lib/security)
+.. “release” : “release” text description file differs due to different build OS environment and Temurin additional metadata
+.. “demo” : Temurin does not ship the “demo” example files
+.. “debuginfo” : Temurin JDK tarball does not contain debuginfo
++
+[source,]
+----
+rm -f images/jdk/lib/security/cacerts
+rm -f images/jdk/release
+rm -rf images/jdk/demo
+find "images/jdk" -type f -name "*.debuginfo" -delete
+(mkdir images/jdk/jmods/java.base_expanded && jmod extract --dir images/jdk/jmods/java.base_expanded images/jdk/jmods/java.base.jmod && rm -f images/jdk/jmods/java.base.jmod)
+rm -f images/jdk/jmods/java.base_expanded/lib/security/cacerts
+# Change back to root directory
+cd ..
+----
+
+. Download offical Eclipse Temurin release for "Verification"
++
+Download and unpack the Temurin JDK to be verified:
++
+[source,]
+----
+curl -L -o temurin-linux-aarch64-jdk-21.0.4+7.tar.gz https://api.adoptium.net/v3/binary/version/jdk-21.0.4+7/linux/aarch64/jdk/hotspot/normal/adoptium
+tar -xf temurin-linux-aarch64-jdk-21.0.4+7.tar.gz
+----
+
+. Remove the same non-relevant files
++
+[source,]
+----
+rm -f jdk-21.0.4+7/lib/security/cacerts
+rm -f jdk-21.0.4+7/release
+rm -f jdk-21.0.4+7/NOTICE
+(mkdir jdk-21.0.4+7/jmods/java.base_expanded && jmod extract --dir jdk-21.0.4+7/jmods/java.base_expanded jdk-21.0.4+7/jmods/java.base.jmod && rm -f jdk-21.0.4+7/jmods/java.base.jmod)
+rm -f jdk-21.0.4+7/jmods/java.base_expanded/lib/security/cacerts
+----
+
+. Verify the local secure re-build is identical to the official Eclipse Temurin binary
++
+Compare the two images
++
+[source,]
+----
+diff -r openjdk_build/images/jdk jdk-21.0.4+7
+----
++
+For a successful verification there should be no differences.
+
+