
blog: SLSA Build L3 for Eclipse Temurin #2524

Merged (23 commits) Jan 9, 2024

Conversation

sxa (Member) commented Dec 20, 2023

Now that we have achieved SLSA build level 3 on some platforms, this is an article to talk about it. Things to flesh out (could be added later):

  • Using the API to get the SHA and GPG checksums
  • How to perform reproducible build verification (currently broken due to CycloneDX updates)
  • Possibly add more details on some additional things that have been done in the last year

Description of change

Checklist

  • npm test passes
  • documentation is changed or added (if applicable)
  • permission has been obtained to add new logo (if applicable)
  • contribution guidelines followed here

netlify bot commented Dec 20, 2023

Deploy Preview for eclipsefdn-adoptium ready!

Latest commit: 42fd085
Latest deploy log: https://app.netlify.com/sites/eclipsefdn-adoptium/deploys/659bd7af00404d000805e3f1
Deploy Preview: https://deploy-preview-2524--eclipsefdn-adoptium.netlify.app

Comment on lines 60 to 67
match expectations about how the product has been built. This job is stored
in https://github.com/adoptium/temurin-build/blob/master/tooling as
release_download_test.sh which performs SHA and GPG checks as well as
running some basic checks on the downloads. It also calls
validateSBOMcontent.sh to check the SBoM contents to make sure the
dependencies, including compilers, listed in there match expectations. The
SBoM contents now also includes the SHA256 checksums of all of the build
artifacts.
Contributor:

I'd drop the paths and file names in a blog description. These should be in a code readme.

Suggested change
match expectations about how the product has been built. This job is stored
in https://github.com/adoptium/temurin-build/blob/master/tooling as
release_download_test.sh which performs SHA and GPG checks as well as
running some basic checks on the downloads. It also calls
validateSBOMcontent.sh to check the SBoM contents to make sure the
dependencies, including compilers, listed in there match expectations. The
SBoM contents now also includes the SHA256 checksums of all of the build
artifacts.
match expectations about how the product has been built. This verification test
performs secure hash value and code signature checks as well as
running some basic checks on the downloads. It also checks the SBOM contents
to make sure the list of build dependencies, including compilers, match expectations. The
SBOM contents now also includes the SHA256 secure hash checksums of all of the build
artifacts.
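Review bot: the last sentence of the suggested text still reads "The SBOM contents now also includes", which keeps the subject-verb mismatch from the original; "The SBOM now also includes" or "The SBOM contents now also include" would fix it while keeping the rest of the rewording.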

Member Author (sxa):

My thinking for including it here was to point people at it in case they wanted to run it themselves (and it may also encourage interest and contributions from the community if we point directly at it).
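The three checks the quoted paragraph describes (the download against its published SHA256 checksum, its detached GPG signature, and the SBOM's recorded SHA-256 against the artifact), written up here as an added shell example that is not the project's own release_download_test.sh or validateSBOMcontent.sh. The checksum-file layout, the CycloneDX hash field and the keyring path are assumptions, and the sample release files are constructed.

```shell
#!/bin/sh
# Added example, not the project's release_download_test.sh or
# validateSBOMcontent.sh. Assumed formats: a checksum file in sha256sum
# layout ("<hex>  <name>") and a CycloneDX JSON SBOM whose artifact entry
# carries {"alg": "SHA-256", "content": "<hex>"}. Needs sha256sum or shasum;
# check_gpg additionally needs gpg and a keyring holding the publisher's key.
set -u

# Hex SHA-256 of a file, using whichever tool the host provides.
sha256_of() {
    { command -v sha256sum >/dev/null 2>&1 && sha256sum "$1" || shasum -a 256 "$1"; } | awk '{print $1}'
}

# Check 1: the download matches the published checksum file (first field).
check_sha256() {
    expected=$(awk 'NR==1 {print tolower($1)}' "$2")
    [ -n "$expected" ] && [ "$expected" = "$(sha256_of "$1")" ]
}

# Check 2: the detached GPG signature verifies against a keyring you already
# trust (never against keys fetched from the same place as the artifact).
check_gpg() {
    gpg --no-default-keyring --keyring "$3" --verify "$2" "$1" >/dev/null 2>&1
}

# Check 3: the SBOM records the SHA-256 the artifact actually has, so the
# SBOM and the artifact it describes cannot be swapped independently.
check_sbom_hash() {
    grep -iq "\"content\"[[:space:]]*:[[:space:]]*\"$(sha256_of "$1")\"" "$2"
}

# Constructed sample release: an artifact, its checksum file and SBOM, plus a
# tampered copy. Returns 0 when the good files pass and the tampered one fails.
run_demo() {
    tmp=$(mktemp -d)
    printf 'constructed release artifact\n' > "$tmp/jdk.tar.gz"
    printf 'tampered artifact\n' > "$tmp/jdk-tampered.tar.gz"
    h=$(sha256_of "$tmp/jdk.tar.gz")
    printf '%s  jdk.tar.gz\n' "$h" > "$tmp/jdk.tar.gz.sha256.txt"
    printf '{"bomFormat":"CycloneDX","components":[{"name":"jdk","hashes":[{"alg":"SHA-256","content":"%s"}]}]}\n' "$h" > "$tmp/sbom.json"
    rc=0
    check_sha256 "$tmp/jdk.tar.gz" "$tmp/jdk.tar.gz.sha256.txt"          || rc=1
    check_sha256 "$tmp/jdk-tampered.tar.gz" "$tmp/jdk.tar.gz.sha256.txt" && rc=1
    check_sbom_hash "$tmp/jdk.tar.gz" "$tmp/sbom.json"                   || rc=1
    check_sbom_hash "$tmp/jdk-tampered.tar.gz" "$tmp/sbom.json"          && rc=1
    rm -rf "$tmp"
    return $rc
}
```

The demo exercises the checksum and SBOM checks only; check_gpg is left for a real download, since a meaningful signature check needs the publisher's key in a keyring you obtained independently.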

Comment on lines +69 to +75
In addition to all these checks we also verify after each build that the
build code has the features enabled that it should have. This is done using
a custom AQA test job called "smoke tests" which use the tests in the build
repository in the
[buildAndPackage](https://github.com/adoptium/temurin-build/tree/master/test/functional/buildAndPackage)
directory and test various aspects of the built JDK If these checks fail
then these will be trapped early on.
Contributor:

Suggested change
In addition to all these checks we also verify after each build that the
build code has the features enabled that it should have. This is done using
a custom AQA test job called "smoke tests" which use the tests in the build
repository in the
[buildAndPackage](https://github.com/adoptium/temurin-build/tree/master/test/functional/buildAndPackage)
directory and test various aspects of the built JDK If these checks fail
then these will be trapped early on.
In addition to all these checks we also verify after each build that the
built code has the features enabled that it should have. This is done using
a custom AQAvit test job called "smoke tests" to ensure various aspects of
the built JDK are correct. If these checks fail then the build will be trapped early on.
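Review bot: the suggestion drops not only the directory path but also the link to the buildAndPackage tests, which the original used to let readers find the smoke tests themselves; if the path is too detailed for a blog post, linking the words "smoke tests" instead would keep that pointer without it. The "build code" to "built code" fix and the missing full stop before "If these checks fail" are good catches.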

Member Author (sxa) commented Jan 9, 2024:

Similar to the point about the release download tests I wanted to have some more details with that link in place to help encourage people to understand exactly what we're doing and hopefully encourage people to get involved/contribute into the project (And also so I have the reference to make it easy to find in the future!)

codecov bot commented Dec 21, 2023

Codecov Report

All modified and coverable lines are covered by tests ✅

Comparison is base (2e8ed18) 99.20% compared to head (42fd085) 99.27%.
Report is 54 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #2524      +/-   ##
==========================================
+ Coverage   99.20%   99.27%   +0.07%     
==========================================
  Files          87       87              
  Lines        6541     6622      +81     
  Branches      552      574      +22     
==========================================
+ Hits         6489     6574      +85     
+ Misses         52       48       -4     


sxa (Member Author) commented Dec 28, 2023

First two items in the checklist aren't ready to be added just now. I've added a reference to the GPG blog and created adoptium/api.adoptium.net#853 to cover making it easier to download the SHA and GPG files from the API (although using the described method in the blog reduces the chance of inconsistent downloads).

We'll need a solution for the CycloneDX download issue before we can add more reproducible build information ...

Signed-off-by: Stewart X Addison <[email protected]>
xavierfacq (Member) commented:

Do you need help to finish this task?

sxa (Member Author) commented Jan 3, 2024

Do you need help to finish this task?

The blog post? Happy for anyone to make review suggestions/comments on this post.
The work to get us to SLSA3 on the platforms mentioned in the blog is complete :-)

@sxa sxa marked this pull request as ready for review January 8, 2024 14:27
@sxa sxa requested a review from tellison January 9, 2024 12:46
@xavierfacq xavierfacq merged commit c523909 into adoptium:main Jan 9, 2024
11 checks passed