Bug 1369: Source Certification Contract (SCC): Initial SHA256 fingerprint & runtime validation - gluegen.git - GLUEGEN repository on http://jogamp.org/ ;

diff options

author	Sven Gothel <[email protected]>	2019-04-03 06:04:52 +0200
committer	Sven Gothel <[email protected]>	2019-04-03 06:04:52 +0200
commit	00ad70b3bd7f8859c710039857aa7da17a29b3d7 (patch)
tree	6f3652dff1a1db7272b4f3e83ec98eeecf86ad87 /.externalToolBuilders
parent	1157b913a068167062c853b4b525954b223a5509 (diff)

Bug 1369: Source Certification Contract (SCC): Initial SHA256 fingerprint & runtime validation

This change implements a strong SHA256 signature over: 1) source tree inclusive make recipe (SHA256-Source) 2) all class files (SHA256-Classes) 3) all native libraries (SHA256-Natives) 4) the class files as deployed in the jar (SHA256-Classes-this) 5) the native libraries as deployed in the jar (SHA256-Natives-this) and drops all of these in the deployed Jar file. This allows SHA256 validation of (4) + (5) at runtime and further complete validation (1), (2) and (3) offline. Full SCC would now required (1) - (3) to be placed on a server for further validation. Optionally we may use GPG <https://gnupg.org/> or PGP to validate the build entity to implement the chain of trust <https://en.wikipedia.org/wiki/Chain_of_trust> The SHA256 runtime validation is tested via: com.jogamp.common.util.TestVersionInfo

Diffstat (limited to '.externalToolBuilders')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: