Bug 1369 - SCC: Implement basic Secure Hash (SHA256) build time signatures & runtime validation
Summary: SCC: Implement basic Secure Hash (SHA256) build time signatures & runtime val...
Status: RESOLVED FIXED
Alias: None
Product: Gluegen
Classification: JogAmp
Component: core (show other bugs)
Version: 2.4.0
Hardware: All all
: P4 normal
Assignee: Sven Gothel
URL:
Depends on: 1367
Blocks: 1368
  Show dependency treegraph
 
Reported: 2019-04-03 05:54 CEST by Sven Gothel
Modified: 2019-04-03 22:11 CEST (History)
0 users

See Also:
Type: FEATURE
SCM Refs:
gluegen 00ad70b3bd7f8859c710039857aa7da17a29b3d7 gluegen 234bd58643e83aa7d34d752de3e98d6ae84cba3d gluegen 302599570c04bae0d96e3b20981fab1ffcaf61ae
Workaround: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sven Gothel 2019-04-03 05:54:06 CEST
Part of: Source Certification Contract (SCC), see bug 1368.

Previously we have added the git-commit-sha in the deployed Jar Manifest,
allowing to identify the originating source of the build via our git repository.

For full fledged SCC, we shall utilize a strong SHA256 signature over:
1) source tree inclusive make recipe (SHA256-Source)
2) all class files (SHA256-Classes)
3) all native libraries (SHA256-Natives)
4) the class files as deployed in the jar (SHA256-Classes-this)
5) the native libraries as deployed in the jar (SHA256-Natives-this)

and drop all these SHA256 values in the deployed Jar file.

This will allow SHA256 validation of (4) + (5) at runtime
and further complete validation (1), (2) and (3) offline.

Full SCC would now required (1) - (3) to be placed on a server for further validation.
Optionally we may use GPG <https://gnupg.org/> or PGP to validate the build entity to implement the chain of trust <https://en.wikipedia.org/wiki/Chain_of_trust>

The SHA256 runtime validation shall be proven via (a) unit test(s).
Comment 1 Sven Gothel 2019-04-03 06:09:29 CEST
Implemented in GlueGen as described.
Tested on Linux, MacOSX and Windows.
Computed SHA256 is cross platform universal.

TODO: Adopt build-time and runtime test for JOAL, JOGL and JOCL
Comment 2 Sven Gothel 2019-04-03 22:11:57 CEST
Further fixes and cleaning up.
Having the first module implementation as clean as possible 
shall reduce adaption work in our other modules.

Hide SHA Algorithm bit size in literals of Specification
- 234bd58643e83aa7d34d752de3e98d6ae84cba3d

Clarify & fix build dependencies in build.xml
- 302599570c04bae0d96e3b20981fab1ffcaf61ae