Skip to main content
Redhat Developers  Logo
  • Products

    Platforms

    • Red Hat Enterprise Linux
      Red Hat Enterprise Linux Icon
    • Red Hat AI
      Red Hat AI
    • Red Hat OpenShift
      Openshift icon
    • Red Hat Ansible Automation Platform
      Ansible icon
    • View All Red Hat Products

    Featured

    • Red Hat build of OpenJDK
    • Red Hat Developer Hub
    • Red Hat JBoss Enterprise Application Platform
    • Red Hat OpenShift Dev Spaces
    • Red Hat OpenShift Local
    • Red Hat Developer Sandbox

      Try Red Hat products and technologies without setup or configuration fees for 30 days with this shared Openshift and Kubernetes cluster.
    • Try at no cost
  • Technologies

    Featured

    • AI/ML
      AI/ML Icon
    • Linux
      Linux Icon
    • Kubernetes
      Cloud icon
    • Automation
      Automation Icon showing arrows moving in a circle around a gear
    • View All Technologies
    • Programming Languages & Frameworks

      • Java
      • Python
      • JavaScript
    • System Design & Architecture

      • Red Hat architecture and design patterns
      • Microservices
      • Event-Driven Architecture
      • Databases
    • Developer Productivity

      • Developer productivity
      • Developer Tools
      • GitOps
    • Automated Data Processing

      • AI/ML
      • Data Science
      • Apache Kafka on Kubernetes
    • Platform Engineering

      • DevOps
      • DevSecOps
      • Ansible automation for applications and services
    • Secure Development & Architectures

      • Security
      • Secure coding
  • Learn

    Featured

    • Kubernetes & Cloud Native
      Openshift icon
    • Linux
      Rhel icon
    • Automation
      Ansible cloud icon
    • AI/ML
      AI/ML Icon
    • View All Learning Resources

    E-Books

    • GitOps Cookbook
    • Podman in Action
    • Kubernetes Operators
    • The Path to GitOps
    • View All E-books

    Cheat Sheets

    • Linux Commands
    • Bash Commands
    • Git
    • systemd Commands
    • View All Cheat Sheets

    Documentation

    • Product Documentation
    • API Catalog
    • Legacy Documentation
  • Developer Sandbox

    Developer Sandbox

    • Access Red Hat’s products and technologies without setup or configuration, and start developing quicker than ever before with our new, no-cost sandbox environments.
    • Explore Developer Sandbox

    Featured Developer Sandbox activities

    • Get started with your Developer Sandbox
    • OpenShift virtualization and application modernization using the Developer Sandbox
    • Explore all Developer Sandbox activities

    Ready to start developing apps?

    • Try at no cost
  • Blog
  • Events
  • Videos

Reproducible OpenJDK builds

Enhancing trust by providing an independently verifiable path from source to binary code.

July 5, 2024
James Falkner
Related topics:
CI/CDDevOpsDevSecOpsJavaProgramming languages & frameworksRuntimes
Related products:
Red Hat build of OpenJDK

Share:

    The popularity and widespread use of open source software across the world has formed the basis for many important innovations in computing, but has also raised important questions: Who writes the software I am using, how is it built, and should I trust that it will do what it claims? Answering these questions becomes increasingly complex as the number of permutations of use rises. There are ongoing efforts to put more rigor around supply chain security, to begin as an industry to answer the average 742% increase in software supply chain attacks over the last 3 years. 

    One important aspect of software supply chain security is achieving reproducible builds of dependent software. Reproducible builds are achieved by a set of software development practices that create an independently verifiable path from source to binary code. This entails knowing the source and provenance of all dependencies, and requires a build process that can be repeated at will to produce the exact same output each time. When multiple independent organizations are able to produce the same output, consumer confidence in the result is much higher. A malicious actor seeking to alter this result would have to subvert every independent organization's processes in the same way such that each organization produces the same bad output, which can be very costly and unlikely to succeed. This makes reproducible builds a key capability in building trust in software, and Java and the JDK are no different.

    Adoptium’s journey

    Adoptium has been on this journey for the last few years, and has recently achieved reproducible builds for Java version 21 and version 22 across Linux, Windows and Mac. In addition to achieving reproducibility, AQAvit (the test suite used for quality assurance) has added regular and full automated verification tests that are run against every build, enabling regular reporting of regressions or other unexpected changes. Added to this set of regularly run tests is a new reproducibility test which will ensure that the ability to reproduce the Temurin OpenJDK binaries produced by Adoptium is maintained.

    Reproducibility also enables comparability, where intentional variations (e.g., vendor identification strings) or updates to build systems can be accounted for when comparing two builds. This ensures a vendor build is functionally identical to a given upstream release, and no unexpected changes have been introduced. This is very important for vendors like Red Hat that wish to provide commercial support of OpenJDK.

    Software supply chain security entails more than just reproducible builds, however. Source code threats, dependency threats, and distribution threats can occur at different stages of software production outside of a reproducible build system for a single component. A cross-organization, vendor-neutral steering group has developed a set of guidelines (called Supply-chain Levels for Software Artifacts, or SLSA) for supply chain security to attempt to address these kinds of threats. Adoptium has worked toward compliance with these SLSA guidelines, using much of the work done to achieve reproducibility to satisfy SLSA Level 3 compliance. In addition to SLSA, Adoptium also follows guidance from the Secure Software Development Framework (SSDF) as a basis for its secure development activities. With SSDF, Adoptium improves the software development lifecycle security of its deliverables, and with SLSA provides a concrete measure of compliance.  

    The future

    Achieving reproducible builds provides an important benefit to open source projects looking to increase consumer confidence. Over 30 projects are currently working on providing reproducible builds, and reproducibility is being considered as a requirement for a future SLSA Level 4 compliance. 

    With Adoptium, the plan is to continue to ensure reproducibility for Temurin builds on the platforms that have achieved reproducibility: JDK 21 and later on Linux (x64, aarch64, ppc64le, s390x), Mac (x64 & aarch64), and Windows (x64). Depending on demand, additional platforms (e.g., AIX) may be considered in the future. Older versions of Java require significantly more work to achieve, so for now the project will focus on JDK 21 and beyond.

    Understanding how consumers can benefit from reproducibility is equally as important as providing the capability itself, so the project is looking at ways to provide an informed opinion on how to consume the artifacts (binary distributions and SBOMs with a recipe for reproducibility) and best practices for further securing the supply chain, above and beyond simply consuming and verifying reproducible builds. 

    Summary

    Red Hat believes strongly that open source innovation is critical to the success not only of Red Hat but also the communities it serves, including Adoptium. Java is a large community with many moving parts, with contributions every day from Red Hat, IBM, and many other Java community members.

    With the ability to reproduce builds consistently and accurately, both Red Hat customers and the OpenJDK community benefit from truly open development, with the assurance that what runs in production is exactly what is supposed to run, no more, no less. This is critical to reducing risk in supply chain attacks and continuing the innovation that keeps Java one of the most vibrant and active communities across the world.

    Last updated: July 9, 2024

    Related Posts

    • The future of Java and OpenJDK updates without Oracle support

    • OpenJDK and Containers

    • Using Red Hat Application Migration Toolkit to see the impact of migrating to OpenJDK

    • Supersonic, Subatomic gRPC services with Java and Quarkus

    • Build Your "Hello World" Container Using Java

    Recent Posts

    • Run Qwen3-Next on vLLM with Red Hat AI: A step-by-step guide

    • How to implement observability with Python and Llama Stack

    • Deploy a lightweight AI model with AI Inference Server containerization

    • vLLM Semantic Router: Improving efficiency in AI reasoning

    • Declaratively assigning DNS records to virtual machines

    What’s up next?

    Download Java in a Nutshell, the reference guide every Java developer needs at their fingertips. This book helps you get the most out of versions through Java 17, with examples that show how to take advantage of modern Java APIs and development best practices.

    Get the e-book
    Red Hat Developers logo LinkedIn YouTube Twitter Facebook

    Products

    • Red Hat Enterprise Linux
    • Red Hat OpenShift
    • Red Hat Ansible Automation Platform

    Build

    • Developer Sandbox
    • Developer Tools
    • Interactive Tutorials
    • API Catalog

    Quicklinks

    • Learning Resources
    • E-books
    • Cheat Sheets
    • Blog
    • Events
    • Newsletter

    Communicate

    • About us
    • Contact sales
    • Find a partner
    • Report a website issue
    • Site Status Dashboard
    • Report a security problem

    RED HAT DEVELOPER

    Build here. Go anywhere.

    We serve the builders. The problem solvers who create careers with code.

    Join us if you’re a developer, software engineer, web designer, front-end designer, UX designer, computer scientist, architect, tester, product manager, project manager or team lead.

    Sign me up

    Red Hat legal and privacy links

    • About Red Hat
    • Jobs
    • Events
    • Locations
    • Contact Red Hat
    • Red Hat Blog
    • Inclusion at Red Hat
    • Cool Stuff Store
    • Red Hat Summit
    © 2025 Red Hat

    Red Hat legal and privacy links

    • Privacy statement
    • Terms of use
    • All policies and guidelines
    • Digital accessibility

    Report a website issue