Jeremy Criquet Sat 15 Oct 2016
So, I want to provide some way for a pod to verify that a dependency pod it is using is in fact the one it was intended for, and not just recompiled by someone to dodge intended behavior. My initial thought is to use some sort of checksum of the pod, however if the dependency is updated, it would require the top level pod to also be updated. Does anyone have any ideas?
SlimerDude Sat 15 Oct 2016
Java has the concept of signing jars which is enforced by the JVM, but there's no similar concept I know of in Fantom.
Depending on your exact requirements, and who has access to which pods, I'm sure there would be a way involving signing the pod contents with a private / public key combo...?
Something like, if the dependent pod provides a signed checksum using the private key, via pod metadata or otherwise, then the top level pod could re-calculate and verify the dependent pod was signed by you.