Create a new attestation github repository where 3rd party can contribute a CDXA attestation document as a PR

[andrew-m-leonard]

A new adoptium repository is required for the new CDXA process: #3949 (comment)

Repository name: github.com/adoptium/temurin-attestations

Layout:

• <major_version>/jdk_<XX_0_YY_BB>_<platform>_<3rd-party-org-name>.xml - CDXA document
• <major_version>/jdk_<XX_0_YY_BB>_<platform>_<3rd-party-org-name>.xml.sign.pub - Public signing key
• can be one of the supported and reproducible platforms and versions (jdk-21+), and the naming uses the existing https://github.com/adoptium/temurin21-binaries/releases asset platform naming
  - x64_linux
  - aarch64_linux
  - ppc64le_linux
  - s390x_linux
  - x64_windows
  - x64_mac
• The xml is signed using a standard "Enveloped XML Signature" of the <bom>, using such tools as:
  • cyclonedx-cli : https://github.com/CycloneDX/cyclonedx-cli
  • xmlxsec1 : https://linux.die.net/man/1/xmlsec1

eg:

21/jdk_21_0_5_11_x64_linux_AcmeInc.xml
21/jdk_21_0_5_11_x64_linux_AcmeInc.xml.sign.pub
21/jdk_21_0_5_11_x64_linux_OtherOrgLtd.xml
21/jdk_21_0_5_11_x64_linux_OtherOrgLtd.xml.sign.pub

Example CDXA.xml : #3950 (comment)

Pull Request github action will run that:

• Validates the CDXA.xml format using cyclonedx-cli validate
• Verifies the Signature of the .xml using the supplied organization public key .sign.pub
• Validates the CDXA bom content:
  • Contains a "claim" for "VERIFIED_REPRODUCIBLE_BUILD"
  • "claim" references a "target component" with a valid target:
    • Valid "version"
    • Valid "platform"
    • Verifies CDXA "target component" "hash" matches the adoptium checksum https://api.adoptium.net/v3/checksum/version/<version>/<platform>/jdk/hotspot/normal/eclipse
  • Contains an "assessor" with an organization name
  • Contains an "attestation" by "assessor" for "claim"
  • Contains an "affirmation" with a "statement"
• Validate xml filename and path are valid version and architecture, and match the CDXA "target component" "version" and "platform"

[andrew-m-leonard]

@jiekang @smlambert @tellison For comment please : #4054 (comment)

[jiekang]

Is there an example CXDA attestation that can be looked at in reference to this?

[jiekang]

I would lean towards a shorter repo name: github.com/adoptium/temurin-attestations

[andrew-m-leonard]

Is there an example CXDA attestation that can be looked at in reference to this?

@jiekang yes here: #3950 (comment)

[jiekang]

Thanks. Looks fine to me!

[andrew-m-leonard]

New repository otterdog request: adoptium/.eclipsefdn#74