Bug 1369: Source Certification Contract (SCC): Initial SHA256 fingerprint & runtime validation

This change implements a strong SHA256 signature over: 1) source tree inclusive make recipe (SHA256-Source) 2) all class files (SHA256-Classes) 3) all native libraries (SHA256-Natives) 4) the class files as deployed in the jar (SHA256-Classes-this) 5) the native libraries as deployed in the jar (SHA256-Natives-this) and drops all of these in the deployed Jar file. This allows SHA256 validation of (4) + (5) at runtime and further complete validation (1), (2) and (3) offline. Full SCC would now required (1) - (3) to be placed on a server for further validation. Optionally we may use GPG <https://gnupg.org/> or PGP to validate the build entity to implement the chain of trust <https://en.wikipedia.org/wiki/Chain_of_trust> The SHA256 runtime validation is tested via: com.jogamp.common.util.TestVersionInfo
author: Sven Gothel <[email protected]> 2019-04-03 06:04:52 +0200
committer: Sven Gothel <[email protected]> 2019-04-03 06:04:52 +0200
commit: 00ad70b3bd7f8859c710039857aa7da17a29b3d7 (patch)
tree: 6f3652dff1a1db7272b4f3e83ec98eeecf86ad87 /src/java/com/jogamp/common/util/JogampVersion.java
parent: 1157b913a068167062c853b4b525954b223a5509 (diff)
1 files changed, 50 insertions, 0 deletions
diff --git a/src/java/com/jogamp/common/util/JogampVersion.java b/src/java/com/jogamp/common/util/JogampVersion.java
index e06ce1f..c2f3c3e 100644
--- a/src/java/com/jogamp/common/util/JogampVersion.java
+++ b/src/java/com/jogamp/common/util/JogampVersion.java
@@ -45,6 +45,16 @@ public class JogampVersion {
     public static final Attributes.Name IMPLEMENTATION_BRANCH = new Attributes.Name("Implementation-Branch");
     /** See {@link #getImplementationCommit()} */
     public static final Attributes.Name IMPLEMENTATION_COMMIT = new Attributes.Name("Implementation-Commit");
+    /** See {@link #getImplementationSHA256Sources()} */
+    public static final Attributes.Name IMPLEMENTATION_SHA256_SOURCES = new Attributes.Name("Implementation-SHA256-Sources");
+    /** See {@link #getImplementationSHA256Classes()} */
+    public static final Attributes.Name IMPLEMENTATION_SHA256_CLASSES = new Attributes.Name("Implementation-SHA256-Classes");
+    /** See {@link #getImplementationSHA256ClassesThis()} */
+    public static final Attributes.Name IMPLEMENTATION_SHA256_CLASSES_THIS = new Attributes.Name("Implementation-SHA256-Classes-this");
+    /** See {@link #getImplementationSHA256Natives()} */
+    public static final Attributes.Name IMPLEMENTATION_SHA256_NATIVES = new Attributes.Name("Implementation-SHA256-Natives");
+    /** See {@link #getImplementationSHA256NativesThis()} */
+    public static final Attributes.Name IMPLEMENTATION_SHA256_NATIVES_THIS = new Attributes.Name("Implementation-SHA256-Natives-this");
 
     /** For FAT JogAmp jar files */
     private static final String packageNameFAT = "com.jogamp";
@@ -155,6 +165,41 @@ public class JogampVersion {
         return this.getAttribute(JogampVersion.IMPLEMENTATION_COMMIT);
     }
 
+    /**
+     * Returns the SHA256 of all concatenated source files of the whole project
+     */
+    public final String getImplementationSHA256Sources() {
+        return this.getAttribute(JogampVersion.IMPLEMENTATION_SHA256_SOURCES);
+    }
+
+    /**
+     * Returns the SHA256 of all concatenated class files of all build classes
+     */
+    public final String getImplementationSHA256Classes() {
+        return this.getAttribute(JogampVersion.IMPLEMENTATION_SHA256_CLASSES);
+    }
+
+    /**
+     * Returns the SHA256 of all concatenated class files of the local (jar) package subset
+     */
+    public final String getImplementationSHA256ClassesThis() {
+        return this.getAttribute(JogampVersion.IMPLEMENTATION_SHA256_CLASSES_THIS);
+    }
+
+    /**
+     * Returns the SHA256 of all concatenated native library files of all build libs
+     */
+    public final String getImplementationSHA256Natives() {
+        return this.getAttribute(JogampVersion.IMPLEMENTATION_SHA256_NATIVES);
+    }
+
+    /**
+     * Returns the SHA256 of all concatenated native library files of the local (jar) package subset
+     */
+    public final String getImplementationSHA256NativesThis() {
+        return this.getAttribute(JogampVersion.IMPLEMENTATION_SHA256_NATIVES_THIS);
+    }
+
     public final String getImplementationTitle() {
         return this.getAttribute(Attributes.Name.IMPLEMENTATION_TITLE);
     }
@@ -220,6 +265,11 @@ public class JogampVersion {
         sb.append("Implementation Build: ").append(getImplementationBuild()).append(nl);
         sb.append("Implementation Branch: ").append(getImplementationBranch()).append(nl);
         sb.append("Implementation Commit: ").append(getImplementationCommit()).append(nl);
+        sb.append("Implementation SHA256 Sources: ").append(getImplementationSHA256Sources()).append(nl);
+        sb.append("Implementation SHA256 Classes: ").append(getImplementationSHA256Classes()).append(nl);
+        sb.append("Implementation SHA256 Classes-this: ").append(getImplementationSHA256ClassesThis()).append(nl);
+        sb.append("Implementation SHA256 Natives: ").append(getImplementationSHA256Natives()).append(nl);
+        sb.append("Implementation SHA256 Natives-this: ").append(getImplementationSHA256NativesThis()).append(nl);
         if(null != getAndroidPackageVersionName()) {
             sb.append("Android Package Version: ").append(getAndroidPackageVersionName()).append(nl);
         }
author	Sven Gothel <[email protected]>	2019-04-03 06:04:52 +0200
committer	Sven Gothel <[email protected]>	2019-04-03 06:04:52 +0200
commit	00ad70b3bd7f8859c710039857aa7da17a29b3d7 (patch)
tree	6f3652dff1a1db7272b4f3e83ec98eeecf86ad87 /src/java/com/jogamp/common/util/JogampVersion.java
parent	1157b913a068167062c853b4b525954b223a5509 (diff)