diff options
author | Sven Gothel <[email protected]> | 2019-04-03 06:04:52 +0200 |
---|---|---|
committer | Sven Gothel <[email protected]> | 2019-04-03 06:04:52 +0200 |
commit | 00ad70b3bd7f8859c710039857aa7da17a29b3d7 (patch) | |
tree | 6f3652dff1a1db7272b4f3e83ec98eeecf86ad87 /make/jogamp-fat.mf | |
parent | 1157b913a068167062c853b4b525954b223a5509 (diff) |
Bug 1369: Source Certification Contract (SCC): Initial SHA256 fingerprint & runtime validation
This change implements a strong SHA256 signature over:
1) source tree inclusive make recipe (SHA256-Source)
2) all class files (SHA256-Classes)
3) all native libraries (SHA256-Natives)
4) the class files as deployed in the jar (SHA256-Classes-this)
5) the native libraries as deployed in the jar (SHA256-Natives-this)
and drops all of these in the deployed Jar file.
This allows SHA256 validation of (4) + (5) at runtime
and further complete validation (1), (2) and (3) offline.
Full SCC would now required (1) - (3) to be placed on a server for further validation.
Optionally we may use GPG <https://gnupg.org/> or PGP to validate the build entity to implement the chain of trust <https://en.wikipedia.org/wiki/Chain_of_trust>
The SHA256 runtime validation is tested via: com.jogamp.common.util.TestVersionInfo
Diffstat (limited to 'make/jogamp-fat.mf')
0 files changed, 0 insertions, 0 deletions