
Confirm we can verify dependencies during trusted build process. #756

Open
yezr opened this issue Sep 28, 2023 · 3 comments · May be fixed by #790
Comments

@yezr
Collaborator

yezr commented Sep 28, 2023

Part of getting certified in CA is having a trusted build process. CASOS makes a fresh build from source and then distributes that artifact to jurisdictions.

Part of that process has been verifying the third-party dependencies we use. During the 1.3.1 trusted build process each of the dependencies was verified manually. Can we brainstorm a way to make this dependency verification programmatic?

One option is verifying dependencies with gradle. It looks like you can 'bootstrap' a set of hash checks for each dependency. After the initial bootstrapping, hash checking happens automatically when building with gradle.

@yezr yezr added this to the v1.3.2 milestone Sep 28, 2023
@yezr
Collaborator Author

yezr commented Sep 29, 2023

I was able to follow the gradle instructions to bootstrap a verification-metadata.xml file. GitHub won't let me upload an .xml, so here it is as a .txt:
verification-metadata.txt

That file goes in the project root\gradle\ folder. I used the gradle build action and it automatically picks it up. Originally I had nothing in it but the default text to turn on dependency verification. Without any checksums in the file to verify against, the build failed. I used the bootstrap instructions to build the one I attached.

That bootstrap just runs the requested hash against the artifacts we get from Maven. First thing I did was head over to Maven to verify that what they have listed for hashes matches what gradle built for us. I confirmed a couple like the apache bcel hash. I can only find md5 and sha1 hashes online. The docs also suggest verifying the gradle derived hashes with the projects themselves in case the maven repo artifacts are already compromised.

If someone can point me in the right direction for correct hashes to verify against I can run through each of the artifacts and verify them.
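To make the two steps above concrete (bootstrapping a checksum file with Gradle, then cross-checking the recorded hashes against an independent source), here is an added example that is not part of this issue or the project's code. Gradle writes the file with `./gradlew --write-verification-metadata sha256 help` into `gradle/verification-metadata.xml`; the script below parses a constructed sample of that format and compares each artifact's bytes against every checksum listed for it, so the same hashes can be checked against what Maven Central or the upstream project publishes. The group, artifact name, version and jar bytes are constructed placeholders, not real dependencies of this project.

```python
"""Cross-check downloaded jars against a Gradle verification-metadata.xml.

Added example for this issue thread; not CASOS or Gradle project code.
The XML below is a constructed sample in the layout Gradle writes to
gradle/verification-metadata.xml, and the jar bytes are constructed too.
"""
import hashlib
import pathlib
import xml.etree.ElementTree as ET

# Gradle's dependency-verification XML namespace.
NS = {"v": "https://schema.gradle.org/dependency-verification"}
SUPPORTED = ("md5", "sha1", "sha256", "sha512")

# Constructed stand-in for a downloaded artifact (real jars are zip files).
GOOD_JAR = b"PK\x03\x04constructed-jar-contents-for-example"
GOOD_SHA1 = hashlib.sha1(GOOD_JAR).hexdigest()
GOOD_SHA256 = hashlib.sha256(GOOD_JAR).hexdigest()

# Constructed metadata; the hash values match GOOD_JAR by construction.
SAMPLE_METADATA = f"""<?xml version="1.0" encoding="UTF-8"?>
<verification-metadata xmlns="https://schema.gradle.org/dependency-verification">
   <configuration>
      <verify-metadata>true</verify-metadata>
      <verify-signatures>false</verify-signatures>
   </configuration>
   <components>
      <component group="com.example" name="example-lib" version="1.0.0">
         <artifact name="example-lib-1.0.0.jar">
            <sha1 value="{GOOD_SHA1}" origin="Generated by Gradle"/>
            <sha256 value="{GOOD_SHA256}" origin="Generated by Gradle"/>
         </artifact>
      </component>
   </components>
</verification-metadata>
"""


def load_expected_checksums(xml_text):
    """Return {artifact file name: {algorithm: hex digest}} from the metadata."""
    root = ET.fromstring(xml_text)
    expected = {}
    for artifact in root.findall(".//v:artifact", NS):
        checksums = {}
        for child in artifact:
            algo = child.tag.split("}")[-1]  # strip the XML namespace
            if algo in SUPPORTED:
                checksums[algo] = child.get("value", "").lower()
        expected[artifact.get("name")] = checksums
    return expected


def verify_artifacts(expected, artifacts):
    """Compare each artifact's bytes against every checksum recorded for it.

    Returns {artifact name: "ok" | "mismatch:<algo>" | "unlisted"}.
    An "unlisted" artifact has no pinned hash, which Gradle also rejects
    once verification is enabled.
    """
    report = {}
    for name, data in artifacts.items():
        checksums = expected.get(name)
        if not checksums:
            report[name] = "unlisted"
            continue
        status = "ok"
        for algo, want in checksums.items():
            got = hashlib.new(algo, data).hexdigest()
            if got != want:
                status = f"mismatch:{algo}"
                break
        report[name] = status
    return report


def verify_directory(metadata_path, jar_dir):
    """Run the check over real files: every *.jar in jar_dir against the XML."""
    expected = load_expected_checksums(pathlib.Path(metadata_path).read_text())
    artifacts = {p.name: p.read_bytes() for p in pathlib.Path(jar_dir).glob("*.jar")}
    return verify_artifacts(expected, artifacts)


if __name__ == "__main__":
    expected = load_expected_checksums(SAMPLE_METADATA)
    for name, status in verify_artifacts(
        expected, {"example-lib-1.0.0.jar": GOOD_JAR, "example-lib-1.0.0.jar ": GOOD_JAR + b"!"}
    ).items():
        print(f"{name.strip()}: {status}")
```

The digests Gradle records are computed over the bytes it downloaded, so a match here only proves the local copy is what Gradle saw; comparing the same `sha1` values against the `.sha1` files Maven Central publishes next to each artifact, or the `sha256` values against upstream release notes, is what gives independent assurance.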

@yezr
Collaborator Author

yezr commented Oct 4, 2023

I was told that last certification round a tarball with the dependencies already downloaded would be enough. This does seem like it could be helpful in the future. I'll remove the 1.3.2 milestone.

@yezr yezr removed this from the v1.3.2 milestone Oct 4, 2023
@yezr
Collaborator Author

yezr commented Jan 23, 2024

Ultimately, we would like to do the gradle build step that creates the jlink image on an airgapped machine. As currently configured, that step is bundled with downloading the dependencies. We would prefer to decouple those two steps.
