Temurin Reproducible Verification Build on Linux aarch64

The following instructions detail the process of rebuilding identically from "source" in a secure build environment, a reproducible build for a given Eclipse Temurin release on the Linux aarch64 platform. The process is performed in a secure manner, using only the upstream sources and securely verified build tooling, so as to provide a mechanism to securely verify the given Eclipse Temurin release binary. This verification then helps determine the security of the supply chains used to build the Eclipse Temurin official release binaries.

The procedure consists of the following steps:

  • Build environment setup

  • Build the gcc DevKit from "source" identical to the one used by Eclipse Adoptium

  • Determine the OpenJDK make configuration arguments matching the Eclipse Temurin options

  • Build the local Eclipse Temurin JDK

  • Compare the secure local Eclipse Temurin re-build to the official Eclipse Temurin binary

Linux aarch64 reproducible verification build procedure

  1. Build Environment

    To re-build identically Eclipse Temurin on Linux aarch64, a suitable Centos or RHEL, of version 7 or 8, is required.

  2. Install EPEL Tools

    Centos7/8:

    yum install epel-release

    RHEL7:

    yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm

    RHEL8:

    yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm

  3. Install Build Tools

    yum install -y tar git patch gcc gcc-c++ wget bison texinfo lbzip2 zip unzip glibc glibc-devel libgcc
yum install -y autoconf systemtap systemtap-sdt-devel

  4. GNU make version >= 4 ?

    GNU make must be at least version 4, in order to build the gcc DevKit.

    Check the GNU make version

    make --version

    If not at least version 4, then download and build GNU make 4.3 as follows:

    curl -O -L https://ftp.gnu.org/gnu/make/make-4.3.tar.gz
curl -O -L https://ftp.gnu.org/gnu/make/make-4.3.tar.gz.sig
# Verify download:
gpg --keyserver keyserver.ubuntu.com --recv-keys 6D4EEB02AD834703510B117680CB727A20C79BB2
# Reference: https://lists.gnu.org/archive/html/bug-make/2016-12/msg00002.html
gpg --verify make-4.3.tar.gz.sig make-4.3.tar.gz
# Check for “Good signature”
# Build
tar -xf make-4.3.tar.gz
(cd make-4.3 && ./configure --prefix=/usr/local && make clean && make && make install)
ln -s /usr/local/bin/make /usr/local/bin/gmake

  5. Set Timezone to UTC

    For identical builds, the build timezone must be UTC to ensure exact binary build output

    timedatectl set-timezone UTC

  6. Download Adoptium DevKit Toolchain make script files

    In order to securely and identically build a gcc DevKit Toolchain, securely download the following scripts from the Eclipse Adoptium repository. These scripts and patches enable the DevKit make process to build with a Centos sysroot and also enables GPG verified downloading of the Centos RPMs for additional integrity checking.

    curl -L -O https://raw.githubusercontent.com/adoptium/ci-jenkins-pipelines/master/pipelines/build/devkit/make_devkit.sh
curl -L -O https://raw.githubusercontent.com/adoptium/ci-jenkins-pipelines/master/pipelines/build/devkit/Tools.gmk.patch
curl -L -O https://raw.githubusercontent.com/adoptium/ci-jenkins-pipelines/master/pipelines/build/devkit/binutils-2.39.patch

  7. Build the gcc DevKit Toolchain from source

    bash ./make_devkit.sh jdk21u aarch64 Centos 7.6.1810

    The built "DevKit path" will be in folder jdk21u/build/devkit/result/aarch64-linux-gnu-to-aarch64-linux-gnu

    Set LD_LIBRARY_PATH to locate the newly built DevKit libraries

            export LD_LIBRARY_PATH=<DevKit path>/lib64:<DevKit path>/lib

  8. Download SBOM of Eclipse Temurin build to be verified

    For example, to download the SBOM and SBOM-metadata for release jdk-21.0.4+7

    curl -L -O https://github.com/adoptium/temurin21-binaries/releases/download/jdk-21.0.4%2B7/OpenJDK21U-sbom_aarch64_linux_hotspot_21.0.4_7.json
curl -L -O https://github.com/adoptium/temurin21-binaries/releases/download/jdk-21.0.4%2B7/OpenJDK21U-sbom_aarch64_linux_hotspot_21.0.4_7-metadata.json

  9. Determine upstream OpenJDK source tag to be built

    Open the SBOM json file and determine the "SCM Ref" the release was built from

            {
          "name" : "SCM Ref",
          "value" : "jdk-21.0.4+7_adopt"
        },

    The upstream OpenJDK tag is this value without the "_adopt", eg. "jdk-21.0.4+7"

  10. Download a suitable Boot JDK

    To build Temurin you need a suitable Boot JDK, open the SBOM json file and determine the version used to build the release

          {
        "name" : "BOOTJDK",
        "version" : "20.0.2+9"
      },

    Securely download and verify the required version from the https://github.com/adoptium/temurin<NN>-binaries/releases

    # Download JDK tar.gz
curl -L -O https://github.com/adoptium/temurin20-binaries/releases/download/jdk-20.0.2%2B9/OpenJDK20U-jdk_aarch64_linux_hotspot_20.0.2_9.tar.gz
# Download GPG sig file to verify
curl -L -O https://github.com/adoptium/temurin20-binaries/releases/download/jdk-20.0.2%2B9/OpenJDK20U-jdk_aarch64_linux_hotspot_20.0.2_9.tar.gz.sig
# Verify JDK using Adoptium GPG key
gpg --keyserver keyserver.ubuntu.com --recv-keys 3B04D753C9050D9A5D343F39843C48A565F8F04B
echo -e "5\ny\n" |  gpg --batch --command-fd 0 --expert --edit-key 3B04D753C9050D9A5D343F39843C48A565F8F04B trust;
gpg --verify OpenJDK20U-jdk_aarch64_linux_hotspot_20.0.2_9.tar.gz.sig OpenJDK20U-jdk_aarch64_linux_hotspot_20.0.2_9.tar.gz

    Ensure "Good signature from Adoptium GPG Key (DEB/RPM Signing Key)"

    Unpack into a suitable folder

    tar -xf OpenJDK20U-jdk_aarch64_linux_hotspot_20.0.2_9.tar.gz

    Add to PATH environment

    export PATH=<bootjdk>/bin:$PATH

  11. Clone required upstream OpenJDK source

    Replace jdk21u with the upstream release being built

    git clone https://github.com/openjdk/jdk21u.git jdk21u_bld
# Checkout required tag to build
(cd jdk21u_bld && git checkout <OpenJDK tag to build>)

  12. Create a local build directory

    mkdir openjdk_build

  13. Configure build

    Determine and edit the "configure args" to match your local environment

    1. Determine the configure arguments for this build

      Use the following grep to find the required configure arguments from the SBOM-metadata.json

      grep "using configure arguments" <SBOM-metadata.json> | sed -n -e "s/^.*using configure arguments '\(.*\)'\..*/\1/p"

    2. Replace -–with-devkit=<path>, with path to the local built gcc DevKit "<path>/jdk21u/build/devkit/result/aarch64-linux-gnu-to-aarch64-linux-gnu".

    3. Remove -–with-cacerts-src=<path>, as Temurin is built with Mozilla CA certs, whereas the local build will use the standard OpenJDK CA certs.

    4. Replace -–with-boot-jdk=<path>, with the path to your local un-tared boot jdk from above.

      Configure from the "openjdk_build" directory

      cd openjdk_build
bash ../jdk21u_bld/configure <edited configure args>

  14. Build Temurin

    make images

  15. Remove built image output that is not relevant to the reproducible build comparison

    1. “cacerts” : Temurin builds with it’s own list of Mozilla CA certificates (needs removing from lib/security and java.base/lib/security)

    2. “release” : “release” text description file differs due to different build OS environment and Temurin additional metadata

    3. “demo” : Temurin does not ship the “demo” example files

    4. “debuginfo” : Temurin JDK tarball does not contain debuginfo

      rm -f images/jdk/lib/security/cacerts
rm -f images/jdk/release
rm -rf images/jdk/demo
find "images/jdk" -type f -name "*.debuginfo" -delete
(mkdir images/jdk/jmods/java.base_expanded && jmod extract --dir images/jdk/jmods/java.base_expanded images/jdk/jmods/java.base.jmod && rm -f images/jdk/jmods/java.base.jmod)
rm -f images/jdk/jmods/java.base_expanded/lib/security/cacerts
# Change back to root directory
cd ..

  16. Download offical Eclipse Temurin release for "Verification"

    Download and unpack the Temurin JDK to be verified:

    curl -L -o temurin-linux-aarch64-jdk-21.0.4+7.tar.gz https://api.adoptium.net/v3/binary/version/jdk-21.0.4+7/linux/aarch64/jdk/hotspot/normal/adoptium
tar -xf temurin-linux-aarch64-jdk-21.0.4+7.tar.gz

  17. Remove the same non-relevant files

    rm -f jdk-21.0.4+7/lib/security/cacerts
rm -f jdk-21.0.4+7/release
rm -f jdk-21.0.4+7/NOTICE
(mkdir jdk-21.0.4+7/jmods/java.base_expanded && jmod extract --dir jdk-21.0.4+7/jmods/java.base_expanded jdk-21.0.4+7/jmods/java.base.jmod && rm -f jdk-21.0.4+7/jmods/java.base.jmod)
rm -f jdk-21.0.4+7/jmods/java.base_expanded/lib/security/cacerts

  18. Verify the local secure re-build is identical to the official Eclipse Temurin binary

    Compare the two images

    diff -r openjdk_build/images/jdk jdk-21.0.4+7

    For a successful verification there should be no differences.

DOCUMENTATION AUTHORS
  • andrew-m-leonard
Help us make these docs great!
All Adoptium docs are open source. See something that's wrong or unclear?
Edit this page