From 00ad70b3bd7f8859c710039857aa7da17a29b3d7 Mon Sep 17 00:00:00 2001 From: Sven Gothel Date: Wed, 3 Apr 2019 06:04:52 +0200 Subject: Bug 1369: Source Certification Contract (SCC): Initial SHA256 fingerprint & runtime validation This change implements a strong SHA256 signature over: 1) source tree inclusive make recipe (SHA256-Source) 2) all class files (SHA256-Classes) 3) all native libraries (SHA256-Natives) 4) the class files as deployed in the jar (SHA256-Classes-this) 5) the native libraries as deployed in the jar (SHA256-Natives-this) and drops all of these in the deployed Jar file. This allows SHA256 validation of (4) + (5) at runtime and further complete validation (1), (2) and (3) offline. Full SCC would now required (1) - (3) to be placed on a server for further validation. Optionally we may use GPG or PGP to validate the build entity to implement the chain of trust The SHA256 runtime validation is tested via: com.jogamp.common.util.TestVersionInfo --- src/java/com/jogamp/common/util/cache/TempJarCache.java | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'src/java/com/jogamp/common/util/cache/TempJarCache.java') diff --git a/src/java/com/jogamp/common/util/cache/TempJarCache.java b/src/java/com/jogamp/common/util/cache/TempJarCache.java index c5cca3a..dbb97a9 100644 --- a/src/java/com/jogamp/common/util/cache/TempJarCache.java +++ b/src/java/com/jogamp/common/util/cache/TempJarCache.java @@ -43,6 +43,12 @@ import com.jogamp.common.os.NativeLibrary; import com.jogamp.common.util.JarUtil; import com.jogamp.common.util.SecurityUtil; +/** + * Static Jar file cache handler using an underlying instance of {@link TempFileCache}, see {@link #getTempFileCache()}. + *

+ * Lifecycle: Concurrently running JVMs and ClassLoader + *

+ */ public class TempJarCache { private static final boolean DEBUG = Debug.debug("TempJarCache"); -- cgit v1.2.3
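Review bot: The `Lifecycle: Concurrently running JVMs and ClassLoader` line in the added class Javadoc is a fragment that names a topic without stating a contract, so a reader cannot tell what is shared or isolated when several JVMs or class loaders use the cache. Replace it with one or two full sentences saying what the class guarantees in each case. The commit message introduces runtime SHA256 validation of the natives deployed in the jar, so the same comment should also state whether libraries handed out by this cache pass that check before they are loaded. Nothing in this hunk shows that, and the class body lies outside it. A line such as `* Note: the SHA256-*-this entries are read from the same jar they describe; they detect corruption, not a rebuilt jar, unless the jar itself is verified.` would keep callers from treating the fingerprint as proof of origin, assuming the message's GPG/PGP step stays optional.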