From 00ad70b3bd7f8859c710039857aa7da17a29b3d7 Mon Sep 17 00:00:00 2001 From: Sven Gothel Date: Wed, 3 Apr 2019 06:04:52 +0200 Subject: Bug 1369: Source Certification Contract (SCC): Initial SHA256 fingerprint & runtime validation This change implements a strong SHA256 signature over: 1) source tree inclusive make recipe (SHA256-Source) 2) all class files (SHA256-Classes) 3) all native libraries (SHA256-Natives) 4) the class files as deployed in the jar (SHA256-Classes-this) 5) the native libraries as deployed in the jar (SHA256-Natives-this) and drops all of these in the deployed Jar file. This allows SHA256 validation of (4) + (5) at runtime and further complete validation (1), (2) and (3) offline. Full SCC would now required (1) - (3) to be placed on a server for further validation. Optionally we may use GPG or PGP to validate the build entity to implement the chain of trust The SHA256 runtime validation is tested via: com.jogamp.common.util.TestVersionInfo --- make/Manifest-android-launcher | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'make/Manifest-android-launcher') diff --git a/make/Manifest-android-launcher b/make/Manifest-android-launcher index 0da49d3..4754474 100755 --- a/make/Manifest-android-launcher +++ b/make/Manifest-android-launcher @@ -8,6 +8,11 @@ Implementation-Version: @VERSION@ Implementation-Build: @BUILD_VERSION@ Implementation-Branch: @SCM_BRANCH@ Implementation-Commit: @SCM_COMMIT@ +Implementation-SHA256-Sources: @SHA256_SOURCES@ +Implementation-SHA256-Classes: @SHA256_CLASSES@ +Implementation-SHA256-Classes-this: @SHA256_CLASSES_THIS@ +Implementation-SHA256-Natives: @SHA256_NATIVES@ +Implementation-SHA256-Natives-this: @SHA256_NATIVES_THIS@ Implementation-Vendor: JogAmp Community Implementation-Vendor-Id: com.jogamp Implementation-URL: http://jogamp.org/ -- cgit v1.2.3