This repository has been archived by the owner on Oct 14, 2021. It is now read-only.

Please sign archives #372

Closed
bmarwell opened this issue Mar 15, 2021 · 1 comment
Labels
duplicate This issue or pull request already exists enhancement New feature or request

@bmarwell
Contributor

Is your feature request related to a problem? Please describe.

No, this is independent of any problems or other issues.

Describe the solution you'd like

Consider the assets like this: https://api.adoptopenjdk.net/v3/assets/version/jdk8u282-b08?architecture=x64&heap_size=normal&image_type=jdk&jvm_impl=openj9&lts=true&os=linux&page=0&page_size=10&project=jdk&release_type=ga&sort_method=DEFAULT&sort_order=DESC&vendor=adoptopenjdk

You will receive some package and version data in the binary section, e.g.:

"package": {
  "checksum": "ef10c776dccdff02da6222002a3c023c1cc47d50dd1f6f81314da3d1fe28d13e",
  "checksum_link": "https://github.com/AdoptOpenJDK/openjdk8-binaries/releases/download/jdk8u282-b08_openj9-0.24.0/OpenJDK8U-jdk_x64_linux_openj9_8u282b08_openj9-0.24.0.tar.gz.sha256.txt",
  "download_count": 32687,
  "link": "https://github.com/AdoptOpenJDK/openjdk8-binaries/releases/download/jdk8u282-b08_openj9-0.24.0/OpenJDK8U-jdk_x64_linux_openj9_8u282b08_openj9-0.24.0.tar.gz",
  "metadata_link": "https://github.com/AdoptOpenJDK/openjdk8-binaries/releases/download/jdk8u282-b08_openj9-0.24.0/OpenJDK8U-jdk_x64_linux_openj9_8u282b08_openj9-0.24.0.tar.gz.json",
  "name": "OpenJDK8U-jdk_x64_linux_openj9_8u282b08_openj9-0.24.0.tar.gz",
  "size": 114086789
}

I would like to see a signature_link field containing a GnuPG detached armored signature. E.g.

"package": {
  "signature_link": "https://github.com/AdoptOpenJDK/openjdk8-binaries/releases/download/jdk8u282-b08_openj9-0.24.0/OpenJDK8U-jdk_x64_linux_openj9_8u282b08_openj9-0.24.0.tar.gz.asc"
}

Describe alternatives you've considered

sha256sums are nice for checking for download errors, but they do not prove the authenticity once downloaded.

Additional context

An automated sig is sufficient (for me) as long as the key does not change frequently.

@bmarwell bmarwell added the enhancement New feature or request label Mar 15, 2021
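
An added example (not part of the original issue and not AdoptOpenJDK code) of the client-side check the requested `signature_link` would enable: the checksum comparison alongside a detached-signature check that pins the signing key's fingerprint. The fingerprint, the sample status lines and the file paths are constructed placeholders; the `gpg` options and status keywords are standard GnuPG.

```python
import hashlib
import hmac
import subprocess

# Constructed placeholder: primary-key fingerprint obtained out of band.
PINNED_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"

# Constructed sample of `gpg --status-fd 1 --verify` output for a good signature.
SAMPLE_STATUS = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 89ABCDEF01234567 Release Key <releases@example.invalid>\n"
    "[GNUPG:] VALIDSIG " + PINNED_FPR + " 2021-03-15 1615766400 0 4 0 1 8 00 "
    + PINNED_FPR + "\n"
)


def sha256_matches(data: bytes, expected_hex: str) -> bool:
    """Integrity only: the checksum file sits beside the archive on the same host."""
    digest = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(digest, expected_hex.strip().lower())


def signed_by_pinned_key(status_output: str, pinned_fpr: str = PINNED_FPR) -> bool:
    """Accept only a VALIDSIG whose primary-key fingerprint (last field) is pinned."""
    valid = False
    for line in status_output.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()[1:]
        if not fields:
            continue
        if fields[0] in {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}:
            return False  # fail closed on a bad, unverifiable, expired or revoked result
        if fields[0] == "VALIDSIG" and fields[-1].upper() == pinned_fpr.upper():
            valid = True
    return valid


def verify_archive(archive: str, signature: str, keyring: str) -> bool:
    """Check a detached .asc against a dedicated keyring (all paths are caller-supplied)."""
    proc = subprocess.run(
        ["gpg", "--batch", "--no-default-keyring", "--keyring", keyring,
         "--status-fd", "1", "--verify", signature, archive],
        capture_output=True, text=True, check=False)
    return proc.returncode == 0 and signed_by_pinned_key(proc.stdout)


if __name__ == "__main__":
    print(signed_by_pinned_key(SAMPLE_STATUS))
```

Pinning the fingerprint is what makes a stable, rarely rotated release key useful to consumers: a signature made by any other key in the keyring is rejected.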
@M-Davies
Contributor

Probably a duplicate of adoptium/temurin-build#1275

@M-Davies M-Davies added the duplicate This issue or pull request already exists label Mar 15, 2021
@karianna karianna added this to the March 2021 milestone Mar 19, 2021