From 50e0dc11c1e029b5b4f02e02425162d587edc4b6 Mon Sep 17 00:00:00 2001 From: Stewart X Addison Date: Tue, 19 Dec 2023 17:28:58 +0000 Subject: [PATCH 01/23] blog: SLSA Build L3 for Eclipse Temurin Signed-off-by: Stewart X Addison --- content/blog/slsabuild3-temurin/index.md | 100 +++++++++++++++++++++++ 1 file changed, 100 insertions(+) create mode 100644 content/blog/slsabuild3-temurin/index.md diff --git a/content/blog/slsabuild3-temurin/index.md b/content/blog/slsabuild3-temurin/index.md new file mode 100644 index 000000000..0122e5c3d --- /dev/null +++ b/content/blog/slsabuild3-temurin/index.md 
@@ -0,0 +1,100 @@ +--- +title: SLSA build level 3 compliance on Linux and macos for Eclipse Temurin +date: "2023-12-19T17:00:00+00:00" +author: sxa +description: Eclipse Temurin by Adoptium is compliant with build level 3 of the SLSA 1.0 secure development framework on Linux. +tags: + - temurin + - security +--- + +## Introduction + +[SLSA](https://slsa.dev) is a framework with individual levels that software +producers can work towards to make their software more secure, and consumers +can make decisions based on the software package’s security posture. The +Adoptium project has worked closely with the Eclipse Foundation security +team to work towards making the Eclipse Temurin compliant with the SLSA +specification's build requirements. + + + +[At the end](https://adoptium.net/blog/2022/11/slsa2-temurin/) +[of 2022](https://newsroom.eclipse.org/eclipse-newsletter/2022/december/eclipse-temurin-slsa-level-two-compliant) +we claimed compliance with level 2 of the SLSA v0.1 specification. Earlier +this year version 1.0 was released and it was split into multiple "tracks", +of which the build track is the only one currently published. If you're not +familiar with the changes, check out [this lightning +talk](https://youtu.be/uLXzyutZEmQ?si=XjD9H6uO_GEjJVBG) from one of my +colleagues. We have been able to build on our work done previously to meet +build level 3 for Linux and MacOS for Eclipse Temurin's build and +distribution. + +## What have you done since declaring SLSA level 2 + +We have built on top of the work covered in the earlier blog to meet the +requirements of SLSA build level 3. The additional requirements were as +follows: + +### Prevent runs from influencing one another, even within the same project + +In order to achieve independence between build runs, we perform all of our +Linux builds in Docker containers. These containers are instantiated, the +build is run and the results saved, and then we shut down the container. 
+This way there can be no influencing from caching or from one run impacting +a subsequent one. + +We have implemented a comparable system on macos by using Orka from +Macstadium which allows us to dynamically spin up virtual machines for each +build run to give us a comparable level of isolation. + +For other Operating Systems that we build on - Windows, AIX and Solaris - we +are not currently set up to do something equivalent which is why we are not +claiming SLSA build level 3 for those builds. + +### Verifying provenance artifacts + +We have introduced a build verification step which can take the SBoM +produced as part of the build output and verify its contents as far as is +practical. This will do some checks to ensure that the fields are valid and +match expectations about how the product has been built. This job is stored +in https://github.com/adoptium/temurin-build/blob/master/tooling as +release_download_test.sh which performs SHA and GPG checks as well as +running some basic checks on the downloads. It also calls +validateSBOMcontent.sh to check the SBoM contents to make sure the +dependencies, including compilers, listed in there match expectations. The +SBoM contents now also includes the SHA256 checksums of all of the build +artifacts. + +In addition to all these checks we also verify after each build that the +build code has the features enabled that it should have. This is done using +a custom AQA test job called "smoke tests" which use the tests in the build +repository in the +[buildAndPackage](https://github.com/adoptium/temurin-build/tree/master/test/functional/buildAndPackage) +directory and test various aspects of the built JDK If these checks fail +then these will be trapped early on. + +We expect that all of these checks will be enhanced over time, particularly +as we add more details into the SBoM. Note that even now. 
+ +### Prevent secret material used to sign the provenance from being accessible to user-defined build steps + +The signing jobs that we use are all contained within the jenkins CI system +which we use. These are independent of the build jobs and run as a +subsequent step to avoid the credentials ever being available to the build +jobs. + +## What's in the future? + +At the moment SLSA build level 3 is the highest level available. We will +look to keep up to date as updates to the specification are made available. +We expect a "level 4" on the build track, and also other tracks to cover +source code. + +We are also continuing to work on our reproducible builds which gives an +extra layer of confidence that any customers of Temurin are able to rebuild +from source code in order to independently verify that nothing in our build +systems have been tampered with or introduced any unexpected code. Anyone +(yes, even you!) can use our fully open-source setup and build scripts to +rebuild the Temurin JDK, and we encourage you to give it a try! + From 5a939a4ec799446ac5fec4f4cfdd7a56544a0a7d Mon Sep 17 00:00:00 2001 From: Stewart X Addison <6487691+sxa@users.noreply.github.com> Date: Thu, 21 Dec 2023 13:42:49 +0000 Subject: [PATCH 02/23] Update content/blog/slsabuild3-temurin/index.md Co-authored-by: Tim Ellison --- content/blog/slsabuild3-temurin/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/blog/slsabuild3-temurin/index.md b/content/blog/slsabuild3-temurin/index.md index 0122e5c3d..6f62f5e5e 100644 --- a/content/blog/slsabuild3-temurin/index.md +++ b/content/blog/slsabuild3-temurin/index.md 
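Review bot: two sentences in the new file are broken and should be fixed before publishing: `as we add more details into the SBoM. Note that even now.` ends on a fragment, and `test various aspects of the built JDK If these checks fail` is missing the full stop after `JDK`. The section headed "Verifying provenance artifacts" only describes checks on the SBoM, the SHA sums and the GPG signatures, so say whether the SBoM is what Temurin publishes as its SLSA provenance, or where the provenance attestation itself can be found, otherwise a reader cannot tell what the verification step actually attests to. In the "Prevent secret material..." section, the text says signing runs in separate Jenkins jobs but not how the signing credentials are kept out of the build jobs' reach; naming the mechanism (or linking the job definitions) would let readers check the claim rather than take it on trust.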
@@ -2,7 +2,7 @@ title: SLSA build level 3 compliance on Linux and macos for Eclipse Temurin date: "2023-12-19T17:00:00+00:00" author: sxa -description: Eclipse Temurin by Adoptium is compliant with build level 3 of the SLSA 1.0 secure development framework on Linux. +description: Eclipse Temurin by Adoptium is compliant with build level 3 of the SLSA 1.0 secure development framework on Linux and macOS. tags: - temurin - security From bc31c7b276e5a4f582107fa24bf9789f4bd6fd5d Mon Sep 17 00:00:00 2001 From: Stewart X Addison <6487691+sxa@users.noreply.github.com> Date: Thu, 21 Dec 2023 13:43:30 +0000 Subject: [PATCH 03/23] Update content/blog/slsabuild3-temurin/index.md Co-authored-by: Tim Ellison --- content/blog/slsabuild3-temurin/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/blog/slsabuild3-temurin/index.md b/content/blog/slsabuild3-temurin/index.md index 6f62f5e5e..51f12d031 100644 --- a/content/blog/slsabuild3-temurin/index.md +++ b/content/blog/slsabuild3-temurin/index.md @@ -1,5 +1,5 @@ --- -title: SLSA build level 3 compliance on Linux and macos for Eclipse Temurin +title: SLSA build level 3 compliance on Linux and macOS for Eclipse Temurin date: "2023-12-19T17:00:00+00:00" author: sxa description: Eclipse Temurin by Adoptium is compliant with build level 3 of the SLSA 1.0 secure development framework on Linux and macOS. From d6baa52fc65fd62bc3319e10efee3474ef8bcda6 Mon Sep 17 00:00:00 2001 From: Stewart X Addison <6487691+sxa@users.noreply.github.com> Date: Thu, 21 Dec 2023 13:43:40 +0000 Subject: [PATCH 04/23] Update content/blog/slsabuild3-temurin/index.md Co-authored-by: Tim Ellison --- content/blog/slsabuild3-temurin/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/blog/slsabuild3-temurin/index.md b/content/blog/slsabuild3-temurin/index.md index 51f12d031..1cfe4ed84 100644 --- a/content/blog/slsabuild3-temurin/index.md +++ b/content/blog/slsabuild3-temurin/index.md 
@@ -10,7 +10,7 @@ tags: ## Introduction -[SLSA](https://slsa.dev) is a framework with individual levels that software +Supply-chain Levels for Software Artifacts, or [SLSA](https://slsa.dev), is a framework with individual levels that software producers can work towards to make their software more secure, and consumers can make decisions based on the software package’s security posture. The Adoptium project has worked closely with the Eclipse Foundation security From f73580bb99de3b27aaa1b334fcd5fb8e4b7ba3eb Mon Sep 17 00:00:00 2001 From: Stewart X Addison <6487691+sxa@users.noreply.github.com> Date: Thu, 21 Dec 2023 13:44:02 +0000 Subject: [PATCH 05/23] Update content/blog/slsabuild3-temurin/index.md Co-authored-by: Tim Ellison --- content/blog/slsabuild3-temurin/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/blog/slsabuild3-temurin/index.md b/content/blog/slsabuild3-temurin/index.md index 1cfe4ed84..e90a3a89c 100644 --- a/content/blog/slsabuild3-temurin/index.md +++ b/content/blog/slsabuild3-temurin/index.md @@ -12,7 +12,7 @@ tags: Supply-chain Levels for Software Artifacts, or [SLSA](https://slsa.dev), is a framework with individual levels that software producers can work towards to make their software more secure, and consumers -can make decisions based on the software package’s security posture. The +can use to make decisions based on the software package’s security posture. The Adoptium project has worked closely with the Eclipse Foundation security team to work towards making the Eclipse Temurin compliant with the SLSA specification's build requirements. From d2e244fe8e8dedb6bfbca0bcf36599dd72a9a2d1 Mon Sep 17 00:00:00 2001 From: Stewart X Addison <6487691+sxa@users.noreply.github.com> Date: Thu, 21 Dec 2023 13:44:10 +0000 Subject: [PATCH 06/23] Update content/blog/slsabuild3-temurin/index.md Co-authored-by: Tim Ellison --- content/blog/slsabuild3-temurin/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
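Review bot: the replacement line `Supply-chain Levels for Software Artifacts, or [SLSA](https://slsa.dev), is a framework with individual levels that software` runs far past the hard-wrap width the rest of this file keeps to; rewrap the paragraph so the source stays consistent (the same applies to the `can use to make decisions` line in the following hunk, which now overflows as well).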
diff --git a/content/blog/slsabuild3-temurin/index.md b/content/blog/slsabuild3-temurin/index.md index e90a3a89c..0a2e2b0e4 100644 --- a/content/blog/slsabuild3-temurin/index.md +++ b/content/blog/slsabuild3-temurin/index.md @@ -21,7 +21,7 @@ specification's build requirements. [At the end](https://adoptium.net/blog/2022/11/slsa2-temurin/) [of 2022](https://newsroom.eclipse.org/eclipse-newsletter/2022/december/eclipse-temurin-slsa-level-two-compliant) -we claimed compliance with level 2 of the SLSA v0.1 specification. Earlier +we achieved compliance with level 2 of the SLSA v0.1 specification. Earlier this year version 1.0 was released and it was split into multiple "tracks", of which the build track is the only one currently published. If you're not familiar with the changes, check out [this lightning From 174237a8e791fb1434acce5fcb97ad57a6a2a4be Mon Sep 17 00:00:00 2001 From: Stewart X Addison <6487691+sxa@users.noreply.github.com> Date: Thu, 21 Dec 2023 13:44:24 +0000 Subject: [PATCH 07/23] Update content/blog/slsabuild3-temurin/index.md Co-authored-by: Tim Ellison --- content/blog/slsabuild3-temurin/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/blog/slsabuild3-temurin/index.md b/content/blog/slsabuild3-temurin/index.md index 0a2e2b0e4..f3f5427b2 100644 --- a/content/blog/slsabuild3-temurin/index.md +++ b/content/blog/slsabuild3-temurin/index.md 
@@ -22,7 +22,7 @@ specification's build requirements. [At the end](https://adoptium.net/blog/2022/11/slsa2-temurin/) [of 2022](https://newsroom.eclipse.org/eclipse-newsletter/2022/december/eclipse-temurin-slsa-level-two-compliant) we achieved compliance with level 2 of the SLSA v0.1 specification. Earlier -this year version 1.0 was released and it was split into multiple "tracks", +this year SLSA version 1.0 was released and it was split into multiple "tracks", of which the build track is the only one currently published. If you're not familiar with the changes, check out [this lightning talk](https://youtu.be/uLXzyutZEmQ?si=XjD9H6uO_GEjJVBG) from one of my From e606a96665f7ed2a17c1c9cc4e977a55e2885c83 Mon Sep 17 00:00:00 2001 From: Stewart X Addison <6487691+sxa@users.noreply.github.com> Date: Thu, 21 Dec 2023 13:44:38 +0000 Subject: [PATCH 08/23] Update content/blog/slsabuild3-temurin/index.md Co-authored-by: Tim Ellison --- content/blog/slsabuild3-temurin/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/blog/slsabuild3-temurin/index.md b/content/blog/slsabuild3-temurin/index.md index f3f5427b2..f3e17c1a7 100644 --- a/content/blog/slsabuild3-temurin/index.md +++ b/content/blog/slsabuild3-temurin/index.md @@ -27,7 +27,7 @@ of which the build track is the only one currently published. If you're not familiar with the changes, check out [this lightning talk](https://youtu.be/uLXzyutZEmQ?si=XjD9H6uO_GEjJVBG) from one of my colleagues. We have been able to build on our work done previously to meet -build level 3 for Linux and MacOS for Eclipse Temurin's build and +build level 3 for Linux and macOS for Eclipse Temurin's build and distribution. ## What have you done since declaring SLSA level 2 From a09949dd105aba0198f404bd6606fbd255fad63d Mon Sep 17 00:00:00 2001 
From: Stewart X Addison <6487691+sxa@users.noreply.github.com> Date: Thu, 21 Dec 2023 13:45:21 +0000 Subject: [PATCH 09/23] Update content/blog/slsabuild3-temurin/index.md Co-authored-by: Tim Ellison --- content/blog/slsabuild3-temurin/index.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/content/blog/slsabuild3-temurin/index.md b/content/blog/slsabuild3-temurin/index.md index f3e17c1a7..39fe43307 100644 --- a/content/blog/slsabuild3-temurin/index.md +++ b/content/blog/slsabuild3-temurin/index.md @@ -44,8 +44,8 @@ build is run and the results saved, and then we shut down the container. This way there can be no influencing from caching or from one run impacting a subsequent one. -We have implemented a comparable system on macos by using Orka from -Macstadium which allows us to dynamically spin up virtual machines for each +We have implemented a comparable system on macOS by using +[MacStadium's Orka](https://www.macstadium.com/orka) which allows us to dynamically spin up virtual machines for each build run to give us a comparable level of isolation. For other Operating Systems that we build on - Windows, AIX and Solaris - we From f618413277142153e28b3355b7d0353854680bb8 Mon Sep 17 00:00:00 2001 From: Stewart X Addison <6487691+sxa@users.noreply.github.com> Date: Thu, 21 Dec 2023 13:48:10 +0000 Subject: [PATCH 10/23] Update content/blog/slsabuild3-temurin/index.md Co-authored-by: Tim Ellison --- content/blog/slsabuild3-temurin/index.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/content/blog/slsabuild3-temurin/index.md b/content/blog/slsabuild3-temurin/index.md index 39fe43307..52c15bb66 100644 --- a/content/blog/slsabuild3-temurin/index.md +++ b/content/blog/slsabuild3-temurin/index.md 
@@ -79,8 +79,8 @@ as we add more details into the SBoM. Note that even now. ### Prevent secret material used to sign the provenance from being accessible to user-defined build steps -The signing jobs that we use are all contained within the jenkins CI system -which we use. These are independent of the build jobs and run as a +The signing jobs that we use are all contained within our Jenkins CI system. +These are independent of the build jobs and run as a subsequent step to avoid the credentials ever being available to the build jobs. From 3cdae4960e66e275363c3ad038d7e245a4173d81 Mon Sep 17 00:00:00 2001 From: Stewart X Addison <6487691+sxa@users.noreply.github.com> Date: Thu, 21 Dec 2023 13:48:21 +0000 Subject: [PATCH 11/23] Update content/blog/slsabuild3-temurin/index.md Co-authored-by: Tim Ellison --- content/blog/slsabuild3-temurin/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/blog/slsabuild3-temurin/index.md b/content/blog/slsabuild3-temurin/index.md index 52c15bb66..3359a47e5 100644 --- a/content/blog/slsabuild3-temurin/index.md +++ b/content/blog/slsabuild3-temurin/index.md @@ -91,7 +91,7 @@ look to keep up to date as updates to the specification are made available. We expect a "level 4" on the build track, and also other tracks to cover source code. -We are also continuing to work on our reproducible builds which gives an +We are also continuing to work on our [reproducible builds](https://adoptium.net/blog/2023/09/Reproducible-Comparison-Builds/) which gives an extra layer of confidence that any customers of Temurin are able to rebuild from source code in order to independently verify that nothing in our build systems have been tampered with or introduced any unexpected code. Anyone From e667b176a3a6ae9de1d353cb312d0a6835578281 Mon Sep 17 00:00:00 2001 
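Review bot: in the reproducible-builds hunk the subject and verb still disagree: `our [reproducible builds](...) which gives an extra layer of confidence` should read `which give`, or be rephrased as `our work on reproducible builds, which gives`. The trailing context `nothing in our build systems have been tampered with` has the same problem and should be `has been`; since this commit touches the paragraph anyway it is the place to fix both.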
From: Stewart X Addison <6487691+sxa@users.noreply.github.com> Date: Thu, 21 Dec 2023 13:49:06 +0000 Subject: [PATCH 12/23] Update content/blog/slsabuild3-temurin/index.md Co-authored-by: Tim Ellison --- content/blog/slsabuild3-temurin/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/blog/slsabuild3-temurin/index.md b/content/blog/slsabuild3-temurin/index.md index 3359a47e5..b66a729d5 100644 --- a/content/blog/slsabuild3-temurin/index.md +++ b/content/blog/slsabuild3-temurin/index.md @@ -48,7 +48,7 @@ We have implemented a comparable system on macOS by using [MacStadium's Orka](https://www.macstadium.com/orka) which allows us to dynamically spin up virtual machines for each build run to give us a comparable level of isolation. -For other Operating Systems that we build on - Windows, AIX and Solaris - we +For other operating systems that we build on - Windows, AIX and Solaris - we are not currently set up to do something equivalent which is why we are not claiming SLSA build level 3 for those builds. From 59c82e7bd07ef6f01613a2cfd0d8fa440d81acb4 Mon Sep 17 00:00:00 2001 From: Stewart X Addison <6487691+sxa@users.noreply.github.com> Date: Fri, 22 Dec 2023 18:15:16 +0000 Subject: [PATCH 13/23] Update content/blog/slsabuild3-temurin/index.md Co-authored-by: Tim Ellison --- content/blog/slsabuild3-temurin/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/blog/slsabuild3-temurin/index.md b/content/blog/slsabuild3-temurin/index.md index b66a729d5..e87197189 100644 --- a/content/blog/slsabuild3-temurin/index.md +++ b/content/blog/slsabuild3-temurin/index.md 
@@ -30,7 +30,7 @@ colleagues. We have been able to build on our work done previously to meet build level 3 for Linux and macOS for Eclipse Temurin's build and distribution. -## What have you done since declaring SLSA level 2 +## What have you done since declaring SLSA level 2? We have built on top of the work covered in the earlier blog to meet the requirements of SLSA build level 3. The additional requirements were as From a59569a9627bfd98a52601d38b1894c075ce2524 Mon Sep 17 00:00:00 2001 From: Stewart X Addison <6487691+sxa@users.noreply.github.com> Date: Thu, 28 Dec 2023 16:03:39 +0000 Subject: [PATCH 14/23] Update content/blog/slsabuild3-temurin/index.md Co-authored-by: Tim Ellison --- content/blog/slsabuild3-temurin/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/blog/slsabuild3-temurin/index.md b/content/blog/slsabuild3-temurin/index.md index e87197189..e92c8078f 100644 --- a/content/blog/slsabuild3-temurin/index.md +++ b/content/blog/slsabuild3-temurin/index.md @@ -75,7 +75,7 @@ directory and test various aspects of the built JDK If these checks fail then these will be trapped early on. We expect that all of these checks will be enhanced over time, particularly -as we add more details into the SBoM. Note that even now. +as we add more details into the SBOM. ### Prevent secret material used to sign the provenance from being accessible to user-defined build steps From b8f8a8791b2d9b7b873209c7bbe18022a4e862de Mon Sep 17 00:00:00 2001 From: Stewart X Addison Date: Thu, 28 Dec 2023 16:22:06 +0000 Subject: [PATCH 15/23] Update with references to GPG blog Signed-off-by: Stewart X Addison --- content/blog/slsabuild3-temurin/index.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/content/blog/slsabuild3-temurin/index.md b/content/blog/slsabuild3-temurin/index.md index e92c8078f..e09c743ef 100644 --- a/content/blog/slsabuild3-temurin/index.md +++ b/content/blog/slsabuild3-temurin/index.md 
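Review bot: the replacement line `as we add more details into the SBOM.` introduces a second spelling of the acronym; every other occurrence in the file (for example the `SBoM contents` lines in the earlier hunk) uses `SBoM`, so keep one form here rather than flipping it back in a later commit.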
@@ -64,7 +64,9 @@ running some basic checks on the downloads. It also calls validateSBOMcontent.sh to check the SBoM contents to make sure the dependencies, including compilers, listed in there match expectations. The SBoM contents now also includes the SHA256 checksums of all of the build -artifacts. +artifacts. There is information on programatically verifying the GPG +signatures in +[an earlier blog](https://adoptium.net/blog/2022/07/gpg-signed-releases/) In addition to all these checks we also verify after each build that the build code has the features enabled that it should have. This is done using From 438feb78e9f7fa7c4b4db0f3716e65f5280b01b0 Mon Sep 17 00:00:00 2001 From: Stewart X Addison Date: Thu, 28 Dec 2023 16:30:17 +0000 Subject: [PATCH 16/23] Update with SBoM download information Signed-off-by: Stewart X Addison --- content/blog/slsabuild3-temurin/index.md | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/content/blog/slsabuild3-temurin/index.md b/content/blog/slsabuild3-temurin/index.md index e09c743ef..7e544b408 100644 --- a/content/blog/slsabuild3-temurin/index.md +++ b/content/blog/slsabuild3-temurin/index.md 
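Review bot: `programatically` in the added text is misspelled (`programmatically`), and the new sentence ending in `[an earlier blog](https://adoptium.net/blog/2022/07/gpg-signed-releases/)` has no full stop.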
@@ -77,7 +77,19 @@ directory and test various aspects of the built JDK If these checks fail then these will be trapped early on. We expect that all of these checks will be enhanced over time, particularly -as we add more details into the SBOM. +as we add more details into the SBoM. + +The current SBoM can be downloaded via the adoptium API. If you are already +familiar with the API for downloading JDKs, then replacing `jdk` with `sbom` +in the URL will let you download the SBoM. For example, this will download +the latest GA SBoM for Temurin 21 on Linux/x64: + +- https://api.adoptopenjdk.net/v3/binary/latest/21/ga/linux/x64/sbom/hotspot/normal/adoptopenjdk?project=jdk + +Note that there is an enhanced version of the SBoM which includes more +details on the artifacts that is already in the nightly builds and will be +included for the January 2024 GA releases. We will not (and should not) +regenerate the SBoM for older releases. ### Prevent secret material used to sign the provenance from being accessible to user-defined build steps From 8cea66fa84b102603fc318b00131a4b44f7b40b6 Mon Sep 17 00:00:00 2001 From: Stewart X Addison Date: Thu, 28 Dec 2023 16:36:05 +0000 Subject: [PATCH 17/23] Placate linter Signed-off-by: Stewart X Addison --- content/blog/slsabuild3-temurin/index.md | 3 --- 1 file changed, 3 deletions(-) diff --git a/content/blog/slsabuild3-temurin/index.md b/content/blog/slsabuild3-temurin/index.md index 7e544b408..4d8518765 100644 --- a/content/blog/slsabuild3-temurin/index.md +++ b/content/blog/slsabuild3-temurin/index.md 
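Review bot: the text says `the adoptium API` but the example URL is on `api.adoptopenjdk.net` with an `adoptopenjdk` vendor segment; confirm that is the host readers should be pointed at for a post published on adoptium.net, and capitalise `Adoptium API` either way. Because the SBoM now carries the SHA256 checksums of the build artifacts, it would also help to state whether the SBoM download is itself GPG-signed in the same way as the JDK downloads, so a consumer can verify the SBoM before relying on the checksums inside it.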
@@ -17,8 +17,6 @@ Adoptium project has worked closely with the Eclipse Foundation security team to work towards making the Eclipse Temurin compliant with the SLSA specification's build requirements. - - [At the end](https://adoptium.net/blog/2022/11/slsa2-temurin/) [of 2022](https://newsroom.eclipse.org/eclipse-newsletter/2022/december/eclipse-temurin-slsa-level-two-compliant) we achieved compliance with level 2 of the SLSA v0.1 specification. Earlier @@ -111,4 +109,3 @@ from source code in order to independently verify that nothing in our build systems have been tampered with or introduced any unexpected code. Anyone (yes, even you!) can use our fully open-source setup and build scripts to rebuild the Temurin JDK, and we encourage you to give it a try! - From 0afc18b87198971541a37a1a1c04c5126c7ea387 Mon Sep 17 00:00:00 2001 From: Stewart X Addison <6487691+sxa@users.noreply.github.com> Date: Mon, 8 Jan 2024 09:53:07 +0000 Subject: [PATCH 18/23] Update content/blog/slsabuild3-temurin/index.md Co-authored-by: Tim Ellison --- content/blog/slsabuild3-temurin/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/blog/slsabuild3-temurin/index.md b/content/blog/slsabuild3-temurin/index.md index 4d8518765..2976b6a8e 100644 --- a/content/blog/slsabuild3-temurin/index.md +++ b/content/blog/slsabuild3-temurin/index.md @@ -30,7 +30,7 @@ distribution. ## What have you done since declaring SLSA level 2? -We have built on top of the work covered in the earlier blog to meet the +We have built on top of the work covered in [the earlier blog](https://adoptium.net/blog/2022/11/slsa2-temurin/) to meet the requirements of SLSA build level 3. The additional requirements were as follows: From f853aeb9b7af09b4d48d9b0388feb05f8eec576d Mon Sep 17 00:00:00 2001 From: Stewart X Addison Date: Mon, 8 Jan 2024 09:57:29 +0000 Subject: [PATCH 19/23] Define SBoM 
Signed-off-by: Stewart X Addison --- content/blog/slsabuild3-temurin/index.md | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/content/blog/slsabuild3-temurin/index.md b/content/blog/slsabuild3-temurin/index.md index 2976b6a8e..d6f2d59b1 100644 --- a/content/blog/slsabuild3-temurin/index.md +++ b/content/blog/slsabuild3-temurin/index.md @@ -30,7 +30,7 @@ distribution. ## What have you done since declaring SLSA level 2? -We have built on top of the work covered in [the earlier blog](https://adoptium.net/blog/2022/11/slsa2-temurin/) to meet the +We have built on top of the work covered in the earlier blog to meet the requirements of SLSA build level 3. The additional requirements were as follows: 
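Review bot: this hunk drops the `[the earlier blog](https://adoptium.net/blog/2022/11/slsa2-temurin/)` link that the previous commit added on the same line, which looks like an accidental revert rather than part of "Define SBoM"; restore the link, or squash the two commits so the final file keeps it.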
@@ -52,19 +52,19 @@ claiming SLSA build level 3 for those builds. ### Verifying provenance artifacts -We have introduced a build verification step which can take the SBoM -produced as part of the build output and verify its contents as far as is -practical. This will do some checks to ensure that the fields are valid and -match expectations about how the product has been built. This job is stored -in https://github.com/adoptium/temurin-build/blob/master/tooling as +We have introduced a build verification step which can take the Software +Bill of Materials (SBoM) produced as part of the build output and verify its +contents as far as is practical. This will do some checks to ensure that +the fields are valid and match expectations about how the product has been +built. This job is stored in +https://github.com/adoptium/temurin-build/blob/master/tooling as release_download_test.sh which performs SHA and GPG checks as well as running some basic checks on the downloads. It also calls validateSBOMcontent.sh to check the SBoM contents to make sure the -dependencies, including compilers, listed in there match expectations. The +dependencies, including compilers, listed in there match expectations. The SBoM contents now also includes the SHA256 checksums of all of the build -artifacts. There is information on programatically verifying the GPG -signatures in -[an earlier blog](https://adoptium.net/blog/2022/07/gpg-signed-releases/) +artifacts. There is information on programatically verifying the GPG +signatures in [an earlier blog](https://adoptium.net/blog/2022/07/gpg-signed-releases/) In addition to all these checks we also verify after each build that the build code has the features enabled that it should have. This is done using From c673d1a849d218aab9f34ae53561df7a9afc72b0 Mon Sep 17 00:00:00 2001 From: Stewart X Addison Date: Mon, 8 Jan 2024 09:58:46 +0000 Subject: [PATCH 20/23] Update publish date on blog to Tuesday 9th Jan 
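Review bot: while this hunk reflows the paragraph, make the repository references consistent: `https://github.com/adoptium/temurin-build/blob/master/tooling` is a bare URL to a directory, whereas the buildAndPackage reference further down is a proper markdown link using `tree/`; link `release_download_test.sh` and `validateSBOMcontent.sh` by name instead. `The SBoM contents now also includes` should also be `include`, and the `programatically` typo is carried over unchanged.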
Signed-off-by: Stewart X Addison --- content/blog/slsabuild3-temurin/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/blog/slsabuild3-temurin/index.md b/content/blog/slsabuild3-temurin/index.md index d6f2d59b1..f0646c343 100644 --- a/content/blog/slsabuild3-temurin/index.md +++ b/content/blog/slsabuild3-temurin/index.md @@ -1,6 +1,6 @@ --- title: SLSA build level 3 compliance on Linux and macOS for Eclipse Temurin -date: "2023-12-19T17:00:00+00:00" +date: "2024-01-09T17:00:00+00:00" author: sxa description: Eclipse Temurin by Adoptium is compliant with build level 3 of the SLSA 1.0 secure development framework on Linux and macOS. tags: From 762f3e6e9c515d31f243b851bcbbfa55ff990f12 Mon Sep 17 00:00:00 2001 From: Stewart X Addison Date: Mon, 8 Jan 2024 10:36:57 +0000 Subject: [PATCH 21/23] Adjustments since we are posting in 2024 Signed-off-by: Stewart X Addison --- content/blog/slsabuild3-temurin/index.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/content/blog/slsabuild3-temurin/index.md b/content/blog/slsabuild3-temurin/index.md index f0646c343..07a11aea8 100644 --- a/content/blog/slsabuild3-temurin/index.md +++ b/content/blog/slsabuild3-temurin/index.md 
@@ -19,13 +19,13 @@ specification's build requirements. [At the end](https://adoptium.net/blog/2022/11/slsa2-temurin/) [of 2022](https://newsroom.eclipse.org/eclipse-newsletter/2022/december/eclipse-temurin-slsa-level-two-compliant) -we achieved compliance with level 2 of the SLSA v0.1 specification. Earlier -this year SLSA version 1.0 was released and it was split into multiple "tracks", -of which the build track is the only one currently published. If you're not -familiar with the changes, check out [this lightning -talk](https://youtu.be/uLXzyutZEmQ?si=XjD9H6uO_GEjJVBG) from one of my -colleagues. We have been able to build on our work done previously to meet -build level 3 for Linux and macOS for Eclipse Temurin's build and +we achieved compliance with level 2 of the SLSA v0.1 specification. In +April 2023 SLSA version 1.0 was released and split the specification into +multiple "tracks", of which the build track is the only one currently +published. If you're not familiar with the changes, check out +[this lightning talk](https://youtu.be/uLXzyutZEmQ?si=XjD9H6uO_GEjJVBG) from one +of my colleagues. We have been able to build on our work done previously to +meet build level 3 for Linux and macOS for Eclipse Temurin's build and distribution. ## What have you done since declaring SLSA level 2? From 74a71c49cd98757e1226863aa650e49c82c9163b Mon Sep 17 00:00:00 2001 From: Stewart X Addison Date: Mon, 8 Jan 2024 11:07:22 +0000 Subject: [PATCH 22/23] Add detail on the SHA being in the components section of the SBoM Signed-off-by: Stewart X Addison --- content/blog/slsabuild3-temurin/index.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/content/blog/slsabuild3-temurin/index.md b/content/blog/slsabuild3-temurin/index.md index 07a11aea8..574c2757c 100644 --- a/content/blog/slsabuild3-temurin/index.md +++ b/content/blog/slsabuild3-temurin/index.md 
@@ -63,8 +63,9 @@ running some basic checks on the downloads. It also calls validateSBOMcontent.sh to check the SBoM contents to make sure the dependencies, including compilers, listed in there match expectations. The SBoM contents now also includes the SHA256 checksums of all of the build -artifacts. There is information on programatically verifying the GPG -signatures in [an earlier blog](https://adoptium.net/blog/2022/07/gpg-signed-releases/) +artifacts in the `components` section. There is information on +programatically verifying the GPG signatures in +[an earlier blog](https://adoptium.net/blog/2022/07/gpg-signed-releases/) In addition to all these checks we also verify after each build that the build code has the features enabled that it should have. This is done using From 42fd085536ca316d29f1d8dcc9ad20151fe6ab59 Mon Sep 17 00:00:00 2001 From: Stewart X Addison Date: Mon, 8 Jan 2024 11:08:25 +0000 Subject: [PATCH 23/23] January 2024 GA - and beyond Signed-off-by: Stewart X Addison --- content/blog/slsabuild3-temurin/index.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/content/blog/slsabuild3-temurin/index.md b/content/blog/slsabuild3-temurin/index.md index 574c2757c..ab10bcd3e 100644 --- a/content/blog/slsabuild3-temurin/index.md +++ b/content/blog/slsabuild3-temurin/index.md @@ -87,8 +87,8 @@ the latest GA SBoM for Temurin 21 on Linux/x64: Note that there is an enhanced version of the SBoM which includes more details on the artifacts that is already in the nightly builds and will be -included for the January 2024 GA releases. We will not (and should not) -regenerate the SBoM for older releases. +included for the January 2024 GA releases and beyond. We will not (and +should not) regenerate the SBoM for older releases. ### Prevent secret material used to sign the provenance from being accessible to user-defined build steps
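Review bot: `artifacts in the \`components\` section.` refers to a section of the SBoM, but the post never names the SBoM format, so `components` means nothing to a reader who has not opened one; name the format (or link the schema) in the same sentence. The rewrapped line still carries the `programatically` misspelling, and the "and beyond" hunk that follows is fine as is.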