Verify Adoptium GPG to PEM conversion is feasible and work for Public key verification #1105

andrew-m-leonard · 2024-09-05T11:56:51Z

Based on notes: https://gitlab.eclipse.org/eclipsefdn/helpdesk/-/issues/3835#note_2682896
Verify ability to convert inflight Adoptium GPG to PEM, and the usecase from a user verifying the SBOM signature, can they create a public PEM from the public Adoptium GPG key?

Related: adoptium/temurin-build#3452

andrew-m-leonard · 2024-09-06T13:47:51Z

It is only possible to generate an "equivalent" PEM to a GPG key based on exporting the private&public GPG key pair and importing into gpgsm, to then create an equivalent PEM.

This process requires the ability to export the "private" key, and also obviously would not be possible for an end user verifying based purely on a public GPG key.

We would thus need to manually publish an Adoptium "public" PEM key, which goes back to the requirement of obtaining an "official" generated Adoptium PEM key pair from Eclipse.

andrew-m-leonard self-assigned this Sep 5, 2024

andrew-m-leonard closed this as completed Sep 6, 2024

andrew-m-leonard mentioned this issue Sep 23, 2024

EPIC: Add a Post-Build job and Sign-SBOM job #610

Open

4 tasks

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Verify Adoptium GPG to PEM conversion is feasible and work for Public key verification #1105

Verify Adoptium GPG to PEM conversion is feasible and work for Public key verification #1105

andrew-m-leonard commented Sep 5, 2024 •

edited

Loading

andrew-m-leonard commented Sep 6, 2024

Verify Adoptium GPG to PEM conversion is feasible and work for Public key verification #1105

Verify Adoptium GPG to PEM conversion is feasible and work for Public key verification #1105

Comments

andrew-m-leonard commented Sep 5, 2024 • edited Loading

andrew-m-leonard commented Sep 6, 2024

andrew-m-leonard commented Sep 5, 2024 •

edited

Loading