Implement a new Sign-JSON type job for secure signing of SBOM json using an EF PEM/signService #3946

Closed
Tracked by #610
andrew-m-leonard opened this issue Sep 23, 2024 · 11 comments
@andrew-m-leonard
Contributor

EPIC adoptium/ci-jenkins-pipelines#610 documents the parts required to implement SBOM json signing.
This issue is to implement the necessary temurin-build/ci-jenkins-pipelines parts to interface with an EF provided signing PEM or "json signing service".

@andrew-m-leonard andrew-m-leonard added the enhancement Issues that enhance the code or documentation of the repo in any way label Sep 23, 2024
@andrew-m-leonard andrew-m-leonard self-assigned this Sep 23, 2024
@github-actions github-actions bot added the jenkins Issues that enhance or fix our jenkins server label Sep 23, 2024
@Haroon-Khel
Contributor

Work that needs to be done:

https://ci.adoptium.net/job/build-scripts/job/release/job/sign_temurin_jsf/ has been created to replicate https://ci.adoptium.net/job/build-scripts/job/release/job/sign_temurin_gpg/ but to use the PEM format. The sign_temurin_jsf job needs to be updated to use https://github.com/adoptium/temurin-build/blob/master/cyclonedx-lib/sign_src/TemurinSignSBOM.java to sign the SBOM file

Because we don't want the jenkins worker node to build any of the cyclone dx jars, this needs to run in the build scripts during the jdk build,

<target name="build-sign-sbom" depends="dep-checks, clone-and-build-openkeystore, download-cyclonedx, download-jackson-core, download-jackson-dataformat-xml, download-jackson-databind, download-jackson-annotations, download-json-schema, download-commons-codec, download-commons-io, download-github-package-url, compile-sign-sbom, jar-sign-sbom">
, and then archived, and then pulled onto the jenkins worker node during the sign_temurin_jsf job

@Haroon-Khel
Contributor

#4017 ensures the SBOM signing jars get built. adoptium/ci-jenkins-pipelines#1131 kicks off the sign_temurin_jsf job. Work in progress

@andrew-m-leonard andrew-m-leonard removed their assignment Oct 31, 2024
@Haroon-Khel
Contributor

@sxa It looks like the SBOM signing jars can only be built with JDK17+
https://github.com/adoptium/temurin-build/actions/runs/11597199261/job/32290097938?pr=4017

This would make it difficult to build the jars on a build node for platforms like Solaris, for example. The feasibility of building the jars on the eclipse signing node should be discussed.

@Haroon-Khel
Contributor

Haroon-Khel commented Nov 11, 2024

Andrew's idea of caching the cyclone dx dependency jars can be done on the eclipse signing node, instead of them being downloaded during the ant build step.

@andrew-m-leonard
Contributor Author

> Andrew's idea of caching the cyclone dx dependency jars can be done on the eclipse signing node, instead of them being downloaded during the ant build step.

From chatting with Stewart and Thomas, ideally we don't want to build on the signing node if we can help it. We could add in a "build-sbom-jars-and-sign" job, which builds on any suitable node, and is then used as upstream to the "sign_temurin_jsf" job.

@Haroon-Khel
Contributor

https://ci.adoptium.net/job/build_sign_sbom_libraries/ is a new jenkins job which will build the signing libraries on an x64 linux node and then archive the jar files. This job will need to be integrated with https://ci.adoptium.net/job/build-scripts/job/release/job/sign_temurin_jsf/

@Haroon-Khel
Contributor

https://github.com/adoptium/ci-jenkins-pipelines/pull/1131/files is at a state where it kicks off the sign_temurin_jsf job together with the build job. But the signing mechanism is hitting an error:

+ echo Signing ./workspace/target/OpenJDK21U-sbom_x64_linux_hotspot_2024-12-09-14-54.json
Signing ./workspace/target/OpenJDK21U-sbom_x64_linux_hotspot_2024-12-09-14-54.json
+ java -cp cyclonedx-lib/build/jar/* temurin.sbom.TemurinSignSBOM --verbose --signSBOM --jsonFile ./workspace/target/OpenJDK21U-sbom_x64_linux_hotspot_2024-12-09-14-54.json --privateKeyFile ****
Dec 09, 2024 3:53:31 PM temurin.sbom.TemurinSignSBOM signSBOM
SEVERE: Error signing SBOM
java.io.IOException: Didn't find any: -----BEGIN PRIVATE KEY-----
	at org.webpki.util.PEMDecoder.decodePemObjects(PEMDecoder.java:219)
	at org.webpki.util.PEMDecoder.decodePemObject(PEMDecoder.java:232)
	at org.webpki.util.PEMDecoder.getPrivateKeyBlob(PEMDecoder.java:118)

See https://ci.adoptium.net/job/build-scripts/job/release/job/sign_temurin_jsf/19/console

@Haroon-Khel
Contributor

Update: @sxa has fixed the above error. The key was being stored in an encrypted state, making it difficult for TemurinSignSBOM to read.

@sxa
Member

sxa commented Dec 17, 2024

While I have prototyped with an unencrypted key in jenkins, the solution we want is to have it encrypted but to decrypt on the fly. For this to work we need:

  • A parameter on the job to pass the passphrase into the job along with the private key (This is similar to how the GPG one works)
  • Ideally the ability to pass in the private key via stdin instead of as a file so it can be decrypted and piped without writing the unencrypted key to the file system
  • Move to running the job on the eclipse-codesign machine
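
An added example, not part of the thread or of the project's code: a shell pre-flight check that reads key material from stdin, so it can sit after a decrypt step in a pipe with no plaintext key file, and reports whether it is the unencrypted `-----BEGIN PRIVATE KEY-----` form named in the error above. The function names and the sample PEM with a placeholder body are constructed for illustration.

```shell
#!/bin/sh
# Added example, not project code; function names are hypothetical.

# Constructed sample input: a PEM envelope with a placeholder body (no key).
sample_pem() {
    printf '%s\n' "-----BEGIN $1-----" 'Q09OU1RSVUNURUQ=' "-----END $1-----"
}

# Print one word describing the first PEM header found on stdin.
# Only the header line is inspected; key bytes are never echoed.
pem_key_kind() {
    header=$(sed -n '/^-----BEGIN [A-Z0-9 ]*-----/{p;q;}')
    case "$header" in
        '-----BEGIN PRIVATE KEY-----'*)           echo pkcs8-plain ;;
        '-----BEGIN ENCRYPTED PRIVATE KEY-----'*) echo pkcs8-encrypted ;;
        '-----BEGIN PGP MESSAGE-----'*)           echo pgp-encrypted ;;
        '-----BEGIN '*' PRIVATE KEY-----'*)       echo legacy-pem ;;
        '')                                       echo not-pem ;;
        *)                                        echo other-pem ;;
    esac
}

# Succeed only for the unencrypted PKCS#8 form; otherwise say why on stderr.
check_signing_key() {
    kind=$(pem_key_kind)
    case "$kind" in
        pkcs8-plain) return 0 ;;
        pkcs8-encrypted|pgp-encrypted)
            echo "key is still encrypted ($kind): decrypt before signing" >&2 ;;
        legacy-pem)
            echo "key is legacy PEM, not '-----BEGIN PRIVATE KEY-----'" >&2 ;;
        *)  echo "no PEM private key on stdin ($kind)" >&2 ;;
    esac
    return 1
}

# Demo on constructed input: prints "pkcs8-encrypted".
sample_pem 'ENCRYPTED PRIVATE KEY' | pem_key_kind
```
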

@Haroon-Khel
Contributor

adoptium/ci-jenkins-pipelines#1131 and #4094 are ready to be merged

@Haroon-Khel
Contributor

The above PRs were merged.

@github-project-automation github-project-automation bot moved this from In Progress to Done in 2024 4Q Adoptium Plan Jan 2, 2025