From 00ad70b3bd7f8859c710039857aa7da17a29b3d7 Mon Sep 17 00:00:00 2001
From: Sven Gothel <sgothel@jausoft.com>
Date: Wed, 3 Apr 2019 06:04:52 +0200
Subject: Bug 1369: Source Certification Contract (SCC): Initial SHA256
 fingerprint & runtime validation

This change implements a strong SHA256 signature over:
1) source tree inclusive make recipe (SHA256-Source)
2) all class files (SHA256-Classes)
3) all native libraries (SHA256-Natives)
4) the class files as deployed in the jar (SHA256-Classes-this)
5) the native libraries as deployed in the jar (SHA256-Natives-this)

and drops all of these in the deployed Jar file.

This allows SHA256 validation of (4) + (5) at runtime
and further complete validation (1), (2) and (3) offline.

Full SCC would now required (1) - (3) to be placed on a server for further validation.
Optionally we may use GPG <https://gnupg.org/> or PGP to validate the build entity to implement the chain of trust <https://en.wikipedia.org/wiki/Chain_of_trust>

The SHA256 runtime validation is tested via: com.jogamp.common.util.TestVersionInfo
---
 make/Manifest                  |   5 +
 make/Manifest-android-launcher |   5 +
 make/Manifest-rt               |   5 +
 make/Manifest-rt-alt           |   5 +
 make/Manifest-rt-android       |   5 +
 make/Manifest-rt-natives       |   5 +
 make/Manifest-rt.cdc           |   5 +
 make/build.xml                 | 268 ++++++++++++++++++++++++++++++++---------
 make/scripts/runtest.sh        |   2 +-
 9 files changed, 249 insertions(+), 56 deletions(-)

(limited to 'make')

diff --git a/make/Manifest b/make/Manifest
index cab8805..27a9acc 100755
--- a/make/Manifest
+++ b/make/Manifest
@@ -8,6 +8,11 @@ Implementation-Version: @VERSION@
 Implementation-Build: @BUILD_VERSION@
 Implementation-Branch: @SCM_BRANCH@
 Implementation-Commit: @SCM_COMMIT@
+Implementation-SHA256-Sources: @SHA256_SOURCES@
+Implementation-SHA256-Classes: @SHA256_CLASSES@
+Implementation-SHA256-Classes-this: @SHA256_CLASSES_THIS@
+Implementation-SHA256-Natives: @SHA256_NATIVES@
+Implementation-SHA256-Natives-this: @SHA256_NATIVES_THIS@
 Implementation-Vendor: JogAmp Community
 Implementation-Vendor-Id: com.jogamp
 Implementation-URL: http://jogamp.org/
diff --git a/make/Manifest-android-launcher b/make/Manifest-android-launcher
index 0da49d3..4754474 100755
--- a/make/Manifest-android-launcher
+++ b/make/Manifest-android-launcher
@@ -8,6 +8,11 @@ Implementation-Version: @VERSION@
 Implementation-Build: @BUILD_VERSION@
 Implementation-Branch: @SCM_BRANCH@
 Implementation-Commit: @SCM_COMMIT@
+Implementation-SHA256-Sources: @SHA256_SOURCES@
+Implementation-SHA256-Classes: @SHA256_CLASSES@
+Implementation-SHA256-Classes-this: @SHA256_CLASSES_THIS@
+Implementation-SHA256-Natives: @SHA256_NATIVES@
+Implementation-SHA256-Natives-this: @SHA256_NATIVES_THIS@
 Implementation-Vendor: JogAmp Community
 Implementation-Vendor-Id: com.jogamp
 Implementation-URL: http://jogamp.org/
diff --git a/make/Manifest-rt b/make/Manifest-rt
index 4a76c0c..98f0e3f 100755
--- a/make/Manifest-rt
+++ b/make/Manifest-rt
@@ -8,6 +8,11 @@ Implementation-Version: @VERSION@
 Implementation-Build: @BUILD_VERSION@
 Implementation-Branch: @SCM_BRANCH@
 Implementation-Commit: @SCM_COMMIT@
+Implementation-SHA256-Sources: @SHA256_SOURCES@
+Implementation-SHA256-Classes: @SHA256_CLASSES@
+Implementation-SHA256-Classes-this: @SHA256_CLASSES_THIS@
+Implementation-SHA256-Natives: @SHA256_NATIVES@
+Implementation-SHA256-Natives-this: @SHA256_NATIVES_THIS@
 Implementation-Vendor: JogAmp Community
 Implementation-Vendor-Id: com.jogamp
 Implementation-URL: http://jogamp.org/
diff --git a/make/Manifest-rt-alt b/make/Manifest-rt-alt
index d95830e..f577950 100755
--- a/make/Manifest-rt-alt
+++ b/make/Manifest-rt-alt
@@ -8,6 +8,11 @@ Implementation-Version: @VERSION@
 Implementation-Build: @BUILD_VERSION@
 Implementation-Branch: @SCM_BRANCH@
 Implementation-Commit: @SCM_COMMIT@
+Implementation-SHA256-Sources: @SHA256_SOURCES@
+Implementation-SHA256-Classes: @SHA256_CLASSES@
+Implementation-SHA256-Classes-this: @SHA256_CLASSES_THIS@
+Implementation-SHA256-Natives: @SHA256_NATIVES@
+Implementation-SHA256-Natives-this: @SHA256_NATIVES_THIS@
 Implementation-Vendor: JogAmp Community
 Implementation-Vendor-Id: com.jogamp
 Implementation-URL: http://jogamp.org/
diff --git a/make/Manifest-rt-android b/make/Manifest-rt-android
index bf5f123..16350df 100755
--- a/make/Manifest-rt-android
+++ b/make/Manifest-rt-android
@@ -8,6 +8,11 @@ Implementation-Version: @VERSION@
 Implementation-Build: @BUILD_VERSION@
 Implementation-Branch: @SCM_BRANCH@
 Implementation-Commit: @SCM_COMMIT@
+Implementation-SHA256-Sources: @SHA256_SOURCES@
+Implementation-SHA256-Classes: @SHA256_CLASSES@
+Implementation-SHA256-Classes-this: @SHA256_CLASSES_THIS@
+Implementation-SHA256-Natives: @SHA256_NATIVES@
+Implementation-SHA256-Natives-this: @SHA256_NATIVES_THIS@
 Implementation-Vendor: JogAmp Community
 Implementation-Vendor-Id: com.jogamp
 Implementation-URL: http://jogamp.org/
diff --git a/make/Manifest-rt-natives b/make/Manifest-rt-natives
index 90c5590..480f765 100755
--- a/make/Manifest-rt-natives
+++ b/make/Manifest-rt-natives
@@ -8,6 +8,11 @@ Implementation-Version: @VERSION@
 Implementation-Build: @BUILD_VERSION@
 Implementation-Branch: @SCM_BRANCH@
 Implementation-Commit: @SCM_COMMIT@
+Implementation-SHA256-Sources: @SHA256_SOURCES@
+Implementation-SHA256-Classes: @SHA256_CLASSES@
+Implementation-SHA256-Classes-this: @SHA256_CLASSES_THIS@
+Implementation-SHA256-Natives: @SHA256_NATIVES@
+Implementation-SHA256-Natives-this: @SHA256_NATIVES_THIS@
 Implementation-Vendor: JogAmp Community
 Implementation-Vendor-Id: com.jogamp
 Implementation-URL: http://jogamp.org/
diff --git a/make/Manifest-rt.cdc b/make/Manifest-rt.cdc
index 70c4f92..93a62ae 100755
--- a/make/Manifest-rt.cdc
+++ b/make/Manifest-rt.cdc
@@ -8,6 +8,11 @@ Implementation-Version: @VERSION@
 Implementation-Build: @BUILD_VERSION@
 Implementation-Branch: @SCM_BRANCH@
 Implementation-Commit: @SCM_COMMIT@
+Implementation-SHA256-Sources: @SHA256_SOURCES@
+Implementation-SHA256-Classes: @SHA256_CLASSES@
+Implementation-SHA256-Classes-this: @SHA256_CLASSES_THIS@
+Implementation-SHA256-Natives: @SHA256_NATIVES@
+Implementation-SHA256-Natives-this: @SHA256_NATIVES_THIS@
 Implementation-Vendor: JogAmp Community
 Implementation-Vendor-Id: com.jogamp
 Implementation-URL: http://jogamp.org/
diff --git a/make/build.xml b/make/build.xml
index dc6602f..61a3880 100644
--- a/make/build.xml
+++ b/make/build.xml
@@ -87,6 +87,12 @@
 
     <property name="gluegen.version" value="${jogamp.version.base}-b${gluegen.build.number}-${version.timestamp}" />
 
+    <delete includeEmptyDirs="false">
+      <fileset dir="${project.root}" includes="make/GnuCTreeParserTokenTypes.txt make/STDCTokenTypes.txt" />
+    </delete>
+    <echo message="gluegen.build.branch         ${gluegen.build.branch}"/>
+    <echo message="gluegen.build.commit         ${gluegen.build.commit}"/>
+
     <property name="stub.includes.dir" value="stub_includes" /> <!-- NOTE:  this MUST be relative for FileSet -->
 
     <!-- The generated source directories. -->
@@ -96,6 +102,9 @@
 
     <!-- The compiler output directories. -->
     <property name="classes" value="${build}/classes" />
+    <pathconvert targetos="unix" property="classes.unix">
+        <path location="${classes}"/>
+    </pathconvert>
 
     <!-- Call the external config validator script to make sure the config is ok and consistent -->
     <ant antfile="validate-properties.xml" inheritall="true"/>
@@ -500,6 +509,26 @@
       </antcall>
 
       <antcall target="c.manifest" inheritRefs="true" />
+    </target>  
+
+    <target name="gluegen.package.native" depends="init, c.configure" unless="build.javaonly" >
+      <copy file="Manifest-rt-natives"
+            tofile="${build}/Manifest-rt-natives.temp"
+            overwrite="true">
+          <filterset>
+              <filter token="VERSION" value="${jogamp.version}"/>
+              <filter token="BUILD_VERSION" value="${gluegen.version}"/>
+              <filter token="SCM_BRANCH" value="${gluegen.build.branch}"/>
+              <filter token="SCM_COMMIT" value="${gluegen.build.commit}"/>
+              <filter token="SHA256_SOURCES" value="${gluegen.build.sha256.sources}"/>
+              <filter token="SHA256_CLASSES" value="${gluegen.build.sha256.classes}"/>
+              <filter token="SHA256_CLASSES_THIS" value="0"/>
+              <filter token="SHA256_NATIVES" value="${gluegen.build.sha256.natives}"/>
+              <filter token="SHA256_NATIVES_THIS" value="${gluegen.build.sha256.natives}"/>
+              <filter token="BASEVERSION" value="${jogamp.version.base}"/>
+              <filter token="JAR_CODEBASE_TAG" value="${jogamp.jar.codebase}"/>
+          </filterset>
+      </copy>
 
       <native.tag.jar objdir="${build}/obj"
                       nativejarfile="${build}/gluegen-rt-natives-${os.and.arch}.jar"
@@ -765,7 +794,22 @@
       <src path="${src.generated.java}" />
       <classpath refid="cc_gluegen.classpath" />
     </javac>
+  </target>
+
+  <target name="gluegen.package.javase">
+    <java classname="com.jogamp.common.util.SHASum" logError="true" failonerror="true" fork="true" newenvironment="true"
+          classpath="${classes}"
+          outputproperty="gluegen.build.sha256.classes.gluegen">
+        <sysproperty key="java.library.path" value="${gluegen.lib.dir}"/>
+
+        <arg value="--include"/>
+        <arg value="${classes.unix}/.*\.class"/>
 
+        <arg value="--exclude"/>
+        <arg value="${classes.unix}/jogamp/android/launcher"/>
+
+        <arg value="${classes.unix}"/>
+    </java>
     <copy file="Manifest"
           tofile="${build}/Manifest.temp"
           overwrite="true">
@@ -774,6 +818,11 @@
             <filter token="BUILD_VERSION" value="${gluegen.version}"/>
             <filter token="SCM_BRANCH" value="${gluegen.build.branch}"/>
             <filter token="SCM_COMMIT" value="${gluegen.build.commit}"/>
+            <filter token="SHA256_SOURCES" value="${gluegen.build.sha256.sources}"/>
+            <filter token="SHA256_CLASSES" value="${gluegen.build.sha256.classes}"/>
+            <filter token="SHA256_CLASSES_THIS" value="${gluegen.build.sha256.classes.gluegen}"/>
+            <filter token="SHA256_NATIVES" value="${gluegen.build.sha256.natives}"/>
+            <filter token="SHA256_NATIVES_THIS" value="0"/>
             <filter token="BASEVERSION" value="${jogamp.version.base}"/>
             <filter token="JAR_CODEBASE_TAG" value="${jogamp.jar.codebase}"/>
         </filterset>
@@ -793,6 +842,27 @@
       </fileset>
     </jar>
 
+    <java classname="com.jogamp.common.util.SHASum" logError="true" failonerror="true" fork="true" newenvironment="true"
+          classpath="${classes}"
+          outputproperty="gluegen.build.sha256.classes.gluegen-rt">
+        <sysproperty key="java.library.path" value="${gluegen.lib.dir}"/>
+
+        <arg value="--include"/>
+        <arg value="${classes.unix}/com/jogamp/gluegen/runtime/.*\.class" />
+        <arg value="--include"/>
+        <arg value="${classes.unix}/com/jogamp/common/.*" />
+        <arg value="--include"/>
+        <arg value="${classes.unix}/jogamp/common/.*" />
+
+        <arg value="--exclude"/>
+        <arg value="${classes.unix}/jogamp/android/launcher"/>
+        <arg value="--exclude"/>
+        <arg value="${classes.unix}/jogamp/common/os/android" />
+        <arg value="--exclude"/>
+        <arg value="${classes.unix}/com/jogamp/gluegen/jcpp" />
+
+        <arg value="${classes.unix}"/>
+    </java>
     <copy file="Manifest-rt"
           tofile="${build}/Manifest-rt.temp"
           overwrite="true">
@@ -801,93 +871,99 @@
             <filter token="BUILD_VERSION" value="${gluegen.version}"/>
             <filter token="SCM_BRANCH" value="${gluegen.build.branch}"/>
             <filter token="SCM_COMMIT" value="${gluegen.build.commit}"/>
+            <filter token="SHA256_SOURCES" value="${gluegen.build.sha256.sources}"/>
+            <filter token="SHA256_CLASSES" value="${gluegen.build.sha256.classes}"/>
+            <filter token="SHA256_CLASSES_THIS" value="${gluegen.build.sha256.classes.gluegen-rt}"/>
+            <filter token="SHA256_NATIVES" value="${gluegen.build.sha256.natives}"/>
+            <filter token="SHA256_NATIVES_THIS" value="0"/>
             <filter token="BASEVERSION" value="${jogamp.version.base}"/>
             <filter token="JAR_CODEBASE_TAG" value="${jogamp.jar.codebase}"/>
         </filterset>
     </copy>
 
-    <copy file="jogamp-fat.mf"
-          tofile="${build}/jogamp-fat.mf"
-          overwrite="true">
-        <filterset>
-            <filter token="VERSION" value="${jogamp.version}"/>
-            <filter token="BUILD_VERSION" value="${gluegen.version}"/>
-            <filter token="SCM_BRANCH" value="${gluegen.build.branch}"/>
-            <filter token="SCM_COMMIT" value="${gluegen.build.commit}"/>
-            <filter token="BASEVERSION" value="${jogamp.version.base}"/>
-            <filter token="JAR_CODEBASE_TAG" value="${jogamp.jar.codebase}"/>
-        </filterset>
-    </copy>
+    <!-- Build gluegen-rt.jar. -->
+    <jar destfile="${build}/gluegen-rt.jar" manifest="${build}/Manifest-rt.temp" filesonly="true">
+      <fileset dir="${classes}">
+        <include name="com/jogamp/gluegen/runtime/*.class" />
+        <include name="com/jogamp/common/**" />
+        <include name="jogamp/common/**" />
+        <exclude name="${jogamp-android-launcher.classes}" />
+        <exclude name="${java.part.android}" />
+        <exclude name="${java.part.jcpp}" />
+      </fileset>
+      <fileset dir="resources/assets">
+        <include name="**" />
+      </fileset>
+    </jar>
 
-    <copy file="jogamp-fat-test.mf"
-          tofile="${build}/jogamp-fat-test.mf"
+    <!-- copy file="Manifest-rt-alt"
+          tofile="${build}/Manifest-rt-alt.temp"
           overwrite="true">
         <filterset>
             <filter token="VERSION" value="${jogamp.version}"/>
             <filter token="BUILD_VERSION" value="${gluegen.version}"/>
             <filter token="SCM_BRANCH" value="${gluegen.build.branch}"/>
             <filter token="SCM_COMMIT" value="${gluegen.build.commit}"/>
+            <filter token="SHA256_SOURCES" value="${gluegen.build.sha256.sources}"/>
+            <filter token="SHA256_CLASSES" value="${gluegen.build.sha256.classes}"/>
+            <filter token="SHA256_CLASSES_THIS" value="${gluegen.build.sha256.classes.gluegen-rt-alt}"/>
+            <filter token="SHA256_NATIVES" value="${gluegen.build.sha256.natives}"/>
+            <filter token="SHA256_NATIVES_THIS" value="0"/>
             <filter token="BASEVERSION" value="${jogamp.version.base}"/>
             <filter token="JAR_CODEBASE_TAG" value="${jogamp.jar.codebase}"/>
         </filterset>
-    </copy>
+    </copy -->
+    <!-- Build gluegen-rt-alt.jar. -->
+    <!-- jar destfile="${build}/gluegen-rt-alt.jar" manifest="${build}/Manifest-rt-alt.temp">
+      <fileset dir="${classes}">
+        <include name="com/jogamp/gluegen/runtime/*.class" />
+        <include name="com/jogamp/common/**" />
+        <include name="jogamp/common/**" />
+        <exclude name="${jogamp-android-launcher.classes}" />
+        <exclude name="${java.part.android}" />
+        <exclude name="${java.part.jcpp}" />
+      </fileset>
+      <fileset dir="resources/assets">
+        <include name="**" />
+      </fileset>
+    </jar -->
 
-    <!-- copy file="Manifest-rt-alt"
-          tofile="${build}/Manifest-rt-alt.temp"
+    <copy file="jogamp-fat.mf"
+          tofile="${build}/jogamp-fat.mf"
           overwrite="true">
         <filterset>
             <filter token="VERSION" value="${jogamp.version}"/>
             <filter token="BUILD_VERSION" value="${gluegen.version}"/>
             <filter token="SCM_BRANCH" value="${gluegen.build.branch}"/>
             <filter token="SCM_COMMIT" value="${gluegen.build.commit}"/>
+            <filter token="SHA256_SOURCES" value="${gluegen.build.sha256.sources}"/>
+            <filter token="SHA256_CLASSES" value="${gluegen.build.sha256.classes}"/>
+            <filter token="SHA256_CLASSES_THIS" value="${gluegen.build.sha256.classes}"/>
+            <filter token="SHA256_NATIVES" value="${gluegen.build.sha256.natives}"/>
+            <filter token="SHA256_NATIVES_THIS" value="${gluegen.build.sha256.natives}"/>
             <filter token="BASEVERSION" value="${jogamp.version.base}"/>
             <filter token="JAR_CODEBASE_TAG" value="${jogamp.jar.codebase}"/>
         </filterset>
-    </copy -->
+    </copy>
 
-    <copy file="Manifest-rt-natives"
-          tofile="${build}/Manifest-rt-natives.temp"
+    <copy file="jogamp-fat-test.mf"
+          tofile="${build}/jogamp-fat-test.mf"
           overwrite="true">
         <filterset>
             <filter token="VERSION" value="${jogamp.version}"/>
             <filter token="BUILD_VERSION" value="${gluegen.version}"/>
             <filter token="SCM_BRANCH" value="${gluegen.build.branch}"/>
             <filter token="SCM_COMMIT" value="${gluegen.build.commit}"/>
+            <filter token="SHA256_SOURCES" value="${gluegen.build.sha256.sources}"/>
+            <filter token="SHA256_CLASSES" value="${gluegen.build.sha256.classes}"/>
+            <filter token="SHA256_CLASSES_THIS" value="${gluegen.build.sha256.classes}"/>
+            <filter token="SHA256_NATIVES" value="${gluegen.build.sha256.natives}"/>
+            <filter token="SHA256_NATIVES_THIS" value="${gluegen.build.sha256.natives}"/>
             <filter token="BASEVERSION" value="${jogamp.version.base}"/>
             <filter token="JAR_CODEBASE_TAG" value="${jogamp.jar.codebase}"/>
         </filterset>
     </copy>
 
-    <!-- Build gluegen-rt.jar. -->
-    <jar destfile="${build}/gluegen-rt.jar" manifest="${build}/Manifest-rt.temp" filesonly="true">
-      <fileset dir="${classes}">
-        <include name="com/jogamp/gluegen/runtime/*.class" />
-        <include name="com/jogamp/common/**" />
-        <include name="jogamp/common/**" />
-        <exclude name="${jogamp-android-launcher.classes}" />
-        <exclude name="${java.part.android}" />
-        <exclude name="${java.part.jcpp}" />
-      </fileset>
-      <fileset dir="resources/assets">
-        <include name="**" />
-      </fileset>
-    </jar>
-
-    <!-- Build gluegen-rt-alt.jar. -->
-    <!-- jar destfile="${build}/gluegen-rt-alt.jar" manifest="${build}/Manifest-rt-alt.temp">
-      <fileset dir="${classes}">
-        <include name="com/jogamp/gluegen/runtime/*.class" />
-        <include name="com/jogamp/common/**" />
-        <include name="jogamp/common/**" />
-        <exclude name="${jogamp-android-launcher.classes}" />
-        <exclude name="${java.part.android}" />
-        <exclude name="${java.part.jcpp}" />
-      </fileset>
-      <fileset dir="resources/assets">
-        <include name="**" />
-      </fileset>
-    </jar -->
-
     <!-- Copy antlr.jar into build directory for convenience so
          gluegen.jar can be run via "java -jar". antlr.jar is
          referenced via a Class-Path entry in the Manifest of
@@ -921,7 +997,28 @@
       <src path="${src.generated.java}" />
       <classpath refid="cc_gluegen_android.classpath" />
     </javac>
-
+  </target>
+  
+  <target name="gluegen.package.android" if="android-jars.available">
+    <java classname="com.jogamp.common.util.SHASum" logError="true" failonerror="true" fork="true" newenvironment="true"
+          classpath="${classes}"
+          outputproperty="gluegen.build.sha256.classes.gluegen-rt-android">
+        <sysproperty key="java.library.path" value="${gluegen.lib.dir}"/>
+
+        <arg value="--include"/>
+        <arg value="${classes.unix}/com/jogamp/gluegen/runtime/.*\.class" />
+        <arg value="--include"/>
+        <arg value="${classes.unix}/com/jogamp/common/.*" />
+        <arg value="--include"/>
+        <arg value="${classes.unix}/jogamp/common/.*" />
+
+        <arg value="--exclude"/>
+        <arg value="${classes.unix}/jogamp/android/launcher"/>
+        <arg value="--exclude"/>
+        <arg value="${classes.unix}/com/jogamp/gluegen/jcpp" />
+
+        <arg value="${classes.unix}"/>
+    </java>
     <copy file="Manifest-rt-android"
           tofile="${build}/Manifest-rt-android.temp"
           overwrite="true">
@@ -930,6 +1027,11 @@
             <filter token="BUILD_VERSION" value="${gluegen.version}"/>
             <filter token="SCM_BRANCH" value="${gluegen.build.branch}"/>
             <filter token="SCM_COMMIT" value="${gluegen.build.commit}"/>
+            <filter token="SHA256_SOURCES" value="${gluegen.build.sha256.sources}"/>
+            <filter token="SHA256_CLASSES" value="${gluegen.build.sha256.classes}"/>
+            <filter token="SHA256_CLASSES_THIS" value="${gluegen.build.sha256.classes.gluegen-rt-android}"/>
+            <filter token="SHA256_NATIVES" value="${gluegen.build.sha256.natives}"/>
+            <filter token="SHA256_NATIVES_THIS" value="0"/>
             <filter token="BASEVERSION" value="${jogamp.version.base}"/>
             <filter token="JAR_CODEBASE_TAG" value="${jogamp.jar.codebase}"/>
         </filterset>
@@ -943,6 +1045,7 @@
         <include name="jogamp/common/**" />
         <include name="${java.part.android}" />
         <exclude name="${jogamp-android-launcher.classes}" />
+        <exclude name="${java.part.jcpp}" />
       </fileset>
       <fileset dir="resources/assets">
         <include name="**" />
@@ -957,6 +1060,43 @@
     <antcall target="gluegen.build.android"     inheritRefs="true"/>
   </target>
 
+  <target name="gluegen.packaging" depends="gluegen.cpptasks.detect.os">
+    <java classname="com.jogamp.common.util.SHASum" logError="true" failonerror="true" fork="true" newenvironment="true"
+          classpath="${classes}"
+          outputproperty="gluegen.build.sha256.sources">
+        <sysproperty key="java.library.path" value="${gluegen.lib.dir}"/>
+        <!-- jvmarg value="-Djogamp.debug.SHASum"/ -->
+
+        <arg value="--exclude"/>
+        <arg value=".*\.log"/>
+
+        <arg value="--exclude"/>
+        <arg value="../make/lib/toolchain"/>
+
+        <arg value="../src"/>
+        <arg value="../jcpp/src"/>
+        <arg value="../make"/>
+    </java>
+    <java classname="com.jogamp.common.util.SHASum" logError="true" failonerror="true" fork="true" newenvironment="true"
+          classpath="${classes}"
+          outputproperty="gluegen.build.sha256.classes">
+        <sysproperty key="java.library.path" value="${gluegen.lib.dir}"/>
+        <arg value="${classes.unix}"/>
+    </java>
+    <java classname="com.jogamp.common.util.SHASum" logError="true" failonerror="true" fork="true" newenvironment="true"
+          classpath="${classes}"
+          outputproperty="gluegen.build.sha256.natives">
+        <sysproperty key="java.library.path" value="${gluegen.lib.dir}"/>
+        <arg value="${gluegen.lib.dir}/${output.lib.name.os}"/>
+    </java>
+    <echo message="gluegen.build.sha256.sources ${gluegen.build.sha256.sources}"/>
+    <echo message="gluegen.build.sha256.classes ${gluegen.build.sha256.classes}"/>
+    <echo message="gluegen.build.sha256.natives ${gluegen.build.sha256.natives}"/>
+    <antcall target="gluegen.package.javase"      inheritRefs="true"/>
+    <antcall target="gluegen.package.android"     inheritRefs="true"/>
+    <antcall target="gluegen.package.native"      inheritRefs="true"/>
+  </target>
+
   <target name="gluegen.build.check.android-launcher" depends="init">
       <uptodate property="gluegen.build.skip.android-launcher">
         <srcfiles dir= "."            includes="*.xml"/>
@@ -980,7 +1120,19 @@
       <src path="${src.java}" />
       <classpath refid="android.classpath" />
     </javac>
+  </target>
 
+  <target name="android-launcher.package" depends="android-launcher.build" if="isAndroid" unless="gluegen.build.skip.android-launcher">
+    <java classname="com.jogamp.common.util.SHASum" logError="true" failonerror="true" fork="true" newenvironment="true"
+          classpath="${classes}"
+          outputproperty="gluegen.build.sha256.classes.jogamp-android-launcher">
+        <sysproperty key="java.library.path" value="${gluegen.lib.dir}"/>
+
+        <arg value="--include"/>
+        <arg value="${classes.unix}/jogamp/android/launcher/.*"/>
+
+        <arg value="${classes.unix}/jogamp/android/launcher/"/>
+    </java>
     <copy file="Manifest-android-launcher"
           tofile="${build}/Manifest-android-launcher.temp"
           overwrite="true">
@@ -989,6 +1141,11 @@
             <filter token="BUILD_VERSION" value="${gluegen.version}"/>
             <filter token="SCM_BRANCH" value="${gluegen.build.branch}"/>
             <filter token="SCM_COMMIT" value="${gluegen.build.commit}"/>
+            <filter token="SHA256_SOURCES" value="${gluegen.build.sha256.sources}"/>
+            <filter token="SHA256_CLASSES" value="${gluegen.build.sha256.classes}"/>
+            <filter token="SHA256_CLASSES_THIS" value="${gluegen.build.sha256.classes.jogamp-android-launcher}"/>
+            <filter token="SHA256_NATIVES" value="${gluegen.build.sha256.natives}"/>
+            <filter token="SHA256_NATIVES_THIS" value="0"/>
             <filter token="BASEVERSION" value="${jogamp.version.base}"/>
             <filter token="JAR_CODEBASE_TAG" value="${jogamp.jar.codebase}"/>
         </filterset>
@@ -999,9 +1156,6 @@
         <include name="${jogamp-android-launcher.classes}" />
       </fileset>
     </jar>
-  </target>
-
-  <target name="android-launcher.package" depends="android-launcher.build" if="isAndroid" unless="gluegen.build.skip.android-launcher">
     <aapt.signed 
         assetsdir="resources/assets-launcher"
         jarbuilddir="${build}"
@@ -1043,7 +1197,7 @@
   </target>
 
   <target name="base.compile" description="Base compile ensuring valid build results w/o tampering the artifacts.properties" 
-                              depends="init, android-launcher.package, gluegen.build.java, gluegen.build.c" />
+                              depends="init, android-launcher.build, gluegen.build.java, gluegen.build.c, gluegen.packaging, android-launcher.package" />
 
   <target name="all.no_junit" description="Release build" depends="init, base.compile, tag.build, android.package, developer-zip-archive" />
   <target name="all" description="Release build" depends="init, base.compile, tag.build, junit.compile, android.package, developer-zip-archive" />
@@ -1055,6 +1209,7 @@
   <target name="clean" depends="init">
     <delete includeEmptyDirs="true">
       <fileset dir="${build}" />
+      <fileset dir="${project.root}" includes="make/GnuCTreeParserTokenTypes.txt make/STDCTokenTypes.txt" />
     </delete>
   </target>    
 
@@ -1064,6 +1219,9 @@
     <echo message='gluegen.build.id=${gluegen.build.id}${line.separator}'         file="${build}/artifact.properties" append="true"/>
     <echo message='gluegen.build.branch=${gluegen.build.branch}${line.separator}' file="${build}/artifact.properties" append="true"/>
     <echo message='gluegen.build.commit=${gluegen.build.commit}${line.separator}' file="${build}/artifact.properties" append="true"/>
+    <echo message='gluegen.build.sha256.sources=${gluegen.build.sha256.sources}${line.separator}' file="${build}/artifact.properties" append="true"/>
+    <echo message='gluegen.build.sha256.classes=${gluegen.build.sha256.classes}${line.separator}' file="${build}/artifact.properties" append="true"/>
+    <echo message='gluegen.build.sha256.natives=${gluegen.build.sha256.natives}${line.separator}' file="${build}/artifact.properties" append="true"/>
   </target>
 
   <target name="junit.compile" depends="init">
diff --git a/make/scripts/runtest.sh b/make/scripts/runtest.sh
index 5ba9b73..0ce33bd 100755
--- a/make/scripts/runtest.sh
+++ b/make/scripts/runtest.sh
@@ -63,7 +63,7 @@ X_ARGS="-Drootrel.build=$ROOTREL_BUILD -Dgluegen.root=$GLUEGEN_ROOT"
 #D_ARGS="-Djogamp.debug.IOUtil -Djogamp.debug.IOUtil.Exe -Djogamp.debug.IOUtil.Exe.NoStream"
 #D_ARGS="-Djogamp.debug.IOUtil -Djogamp.debug.TempFileCache -Djogamp.debug.TempJarCache -Djogamp.debug.IOUtil.Exe"
 #D_ARGS="-Djogamp.debug.IOUtil -Djogamp.debug.TempFileCache -Djogamp.debug.TempJarCache -Djava.io.tmpdir=/run/501"
-D_ARGS="-Djogamp.debug.IOUtil -Djogamp.debug.TempFileCache -Djogamp.debug.TempJarCache"
+#D_ARGS="-Djogamp.debug.IOUtil -Djogamp.debug.TempFileCache -Djogamp.debug.TempJarCache"
 #D_ARGS="-Djogamp.debug.ByteBufferInputStream"
 #D_ARGS="-Djogamp.debug.Buffers"
 #D_ARGS="-Djogamp.debug.Bitstream"
-- 
cgit v1.2.3