Implement a new Sign-JSON type job for secure signing of SBOM json using an EF PEM/signService #3946
Comments
Work that needs to be done: https://ci.adoptium.net/job/build-scripts/job/release/job/sign_temurin_jsf/ has been created to replicate https://ci.adoptium.net/job/build-scripts/job/release/job/sign_temurin_gpg/ but to use the PEM format. The sign_temurin_jsf job needs to be updated to use https://github.com/adoptium/temurin-build/blob/master/cyclonedx-lib/sign_src/TemurinSignSBOM.java to sign the SBOM file. Because we don't want the Jenkins worker node to build any of the CycloneDX jars, this needs to run in the build scripts during the JDK build (temurin-build/cyclonedx-lib/build.xml, line 68 in 62ecfba).
#4017 ensures the SBOM signing jars get built. adoptium/ci-jenkins-pipelines#1131 kicks off the sign_temurin_jsf job. Work in progress.
@sxa It looks like the SBOM signing jars can only be built with JDK17+. This would make it difficult to build the jars on a build node for platforms like Solaris, for example. The feasibility of building the jars on the Eclipse signing node should be discussed.
Andrew's idea of caching the CycloneDX dependency jars can be done on the Eclipse signing node, instead of them being downloaded during the ant build step.
From chatting with Stewart and Thomas, ideally we don't want to build on the signing node if we can help it. We could add a "build-sbom-jars-and-sign" job, which builds on any suitable node, and is then used as upstream to the "sign_temurin_jsf" job.
EPIC adoptium/ci-jenkins-pipelines#610 documents the parts required to implement SBOM json signing.
This issue is to implement the necessary temurin-build/ci-jenkins-pipelines parts to interface with an EF-provided signing PEM or "JSON signing service".