[RPM] obscure signature in jdk temurin subpkg

[andrlos]

Hi, so for all three versions of jdk rpm packages there is an extra signature on jdk packages.
Look for yourself with: rpm -K --verbose rpmFileName
example outputs:
rpms/temurin-11-jdk-11.0.18.0.0.10-2.x86_64.rpm:
Header V4 RSA/SHA256 Signature, key ID 65f8f04b: NOKEY
Header SHA256 digest: OK
Header SHA1 digest: OK
Payload SHA256 digest: OK
MD5 digest: OK

rpms/temurin-11-jre-11.0.18.0.0.10-2.x86_64.rpm:
Header SHA256 digest: OK
Header SHA1 digest: OK
Payload SHA256 digest: OK
MD5 digest: OK

My issues are all connected to the first line in the jdk package output:

1. I keep getting me warnings about missing key when analyzing the rpm.
2. why is the signature even there? is that a legacy obsolete forgotten piece of code or an attempt of something new? There is no such thing with ojdk rpms

[andrlos]

I would like to note that this is still very much relevant..

rpm -q -l rpms/temurin-17-jdk-17.0.17.0.0.10-0.x86_64.rpm
warning: rpms/temurin-17-jdk-17.0.17.0.0.10-0.x86_64.rpm: Header V4 RSA/SHA256 Signature, key ID 65f8f04b: NOKEY
/usr/lib/jvm/java-17-temurin-jdk
.....
.....
/usr/lib/jvm/java-17-temurin-jdk/release
/usr/lib/jvm/temurin-17-jdk
/usr/lib/tmpfiles.d/temurin-17-jdk.conf

[karianna]

Over to @jerboaa for comment

[jerboaa]

Eclipse Temurin RPMs are signed with this public key which needs to be retrieved/installed first:

https://packages.adoptium.net/artifactory/api/gpg/key/public

Otherwise you'll get the above issues. Note, however, I get the same nokey issue for jre packages:

Before the import:

[root@e82f4d7ddb59 /]# rpm -K --verbose temurin-17-jdk-17.0.17.0.0.10-0.x86_64.rpm
temurin-17-jdk-17.0.17.0.0.10-0.x86_64.rpm:
    Header V4 RSA/SHA256 Signature, key ID 65f8f04b: NOKEY
    Header SHA256 digest: OK
    Header SHA1 digest: OK
    Payload SHA256 digest: OK
    MD5 digest: OK

Example work-flow to install the signing key and then perform verification on the package:

[root@e82f4d7ddb59 /]# wget -O adoptium_signing_key.pub https://packages.adoptium.net/artifactory/api/gpg/key/public
[root@e82f4d7ddb59 /]# rpm --import adoptium_signing_key.pub
[root@e82f4d7ddb59 /]# rpm -K --verbose temurin-17-jdk-17.0.17.0.0.10-0.x86_64.rpm
temurin-17-jdk-17.0.17.0.0.10-0.x86_64.rpm:
    Header V4 RSA/SHA256 Signature, key ID 65f8f04b: OK
    Header SHA256 digest: OK
    Header SHA1 digest: OK
    Payload SHA256 digest: OK
    MD5 digest: OK
[root@e82f4d7ddb59 /]# rpm -K --verbose temurin-17-jre-17.0.17.0.0.10-0.x86_64.rpm 
temurin-17-jre-17.0.17.0.0.10-0.x86_64.rpm:
    Header V4 RSA/SHA256 Signature, key ID 65f8f04b: OK
    Header SHA256 digest: OK
    Header SHA1 digest: OK
    Payload SHA256 digest: OK
    MD5 digest: OK

If you follow installation instructions then importing of the key should be fairly automatic if you accept it on installation with a y:

https://adoptium.net/en-GB/installation/linux#centosrhelfedora-instructions

[jerboaa]

I don't think this is a bug.