Bug 1369: Source Certification Contract (SCC): Initial SHA256 fingerprint & runtime validation

This change implements a strong SHA256 signature over:
1) source tree inclusive make recipe (SHA256-Source)
2) all class files (SHA256-Classes)
3) all native libraries (SHA256-Natives)
4) the class files as deployed in the jar (SHA256-Classes-this)
5) the native libraries as deployed in the jar (SHA256-Natives-this)

and drops all of these in the deployed Jar file.

This allows SHA256 validation of (4) + (5) at runtime
and further complete validation (1), (2) and (3) offline.

Full SCC would now required (1) - (3) to be placed on a server for further validation.
Optionally we may use GPG <https://gnupg.org/> or PGP to validate the build entity to implement the chain of trust <https://en.wikipedia.org/wiki/Chain_of_trust>

The SHA256 runtime validation is tested via: com.jogamp.common.util.TestVersionInfo

1 files changed, 43 insertions, 0 deletions

diff --git a/src/java/com/jogamp/common/GlueGenVersion.java b/src/java/com/jogamp/common/GlueGenVersion.java
index f97aba6..6ed7783 100644
--- a/src/java/com/jogamp/common/GlueGenVersion.java
+++ b/src/java/com/jogamp/common/GlueGenVersion.java
@@ -29,8 +29,17 @@
 package com.jogamp.common;
 
 import com.jogamp.common.util.JogampVersion;
+import com.jogamp.common.util.SHASum;
 import com.jogamp.common.util.VersionUtil;
+
+import java.io.IOException;
+import java.net.URISyntaxException;
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+import java.util.ArrayList;
+import java.util.List;
 import java.util.jar.Manifest;
+import java.util.regex.Pattern;
 
 public class GlueGenVersion extends JogampVersion {
 
@@ -59,6 +68,40 @@ public class GlueGenVersion extends JogampVersion {
         return jogampCommonVersionInfo;
     }
 
+    /**
+     * {@code gluegen-rt.jar} definition of {@link SHASum.TempJarSHASum}'s specialization of {@link SHASum}.
+     * <p>
+     * Implementation uses {@link com.jogamp.common.util.cache.TempJarCache}.
+     * </p>
+     * <p>
+     * Constructor defines the includes and excludes as used for {@code gluegen-rt.jar} {@link SHASum} computation.
+     * </p>
+     */
+    public static class GluGenRTJarSHASum extends SHASum.TempJarSHASum {
+        /**
+         * See {@link GluGenRTJarSHASum}
+         * @throws SecurityException
+         * @throws IllegalArgumentException
+         * @throws NoSuchAlgorithmException
+         * @throws IOException
+         * @throws URISyntaxException
+         */
+        public GluGenRTJarSHASum()
+                throws SecurityException, IllegalArgumentException, NoSuchAlgorithmException, IOException, URISyntaxException
+        {
+            super(MessageDigest.getInstance("SHA-256"), GlueGenVersion.class, new ArrayList<Pattern>(), new ArrayList<Pattern>());
+            final List<Pattern> excludes = getExcludes();
+            final List<Pattern> includes = getIncludes();
+            final String origin = getOrigin();
+            excludes.add(Pattern.compile(origin+"/jogamp/android/launcher"));
+            excludes.add(Pattern.compile(origin+"/jogamp/common/os/android"));
+            excludes.add(Pattern.compile(origin+"/com/jogamp/gluegen/jcpp"));
+            includes.add(Pattern.compile(origin+"/com/jogamp/gluegen/runtime/.*\\.class"));
+            includes.add(Pattern.compile(origin+"/com/jogamp/common/.*"));
+            includes.add(Pattern.compile(origin+"/jogamp/common/.*"));
+        }
+    }
+
     public static void main(final String args[]) {
         System.err.println(VersionUtil.getPlatformInfo());
         System.err.println(GlueGenVersion.getInstance());