#2570 Pod Signature and Verification

Jeremy Criquet Sat 15 Oct 2016

So, I want to provide some way for a pod to verify that a dependency pod it is using is in fact the one it was intended for, and not just recompiled by someone to dodge intended behavior. My initial thought is to use some sort of checksum of the pod, however if the dependency is updated, it would require the top level pod to also be updated. Does anyone have any ideas?

SlimerDude Sat 15 Oct 2016

Java has the concept of signing jars which is enforced by the JVM, but there's no similar concept I know of in Fantom.

Depending on your exact requirements, and who has access to which pods, I'm sure there would be a way involving signing the pod contents with a private / public key combo...?

Something like, if the dependent pod provides a signed checksum using the private key, via pod metadata or otherwise, then the top level pod could re-calculate and verify the dependent pod was signed by you.
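A sketch of the signed-checksum idea above, added here as an example and not code from the thread or from Fantom: the top-level pod pins the publisher's public key rather than a checksum, so an updated dependency signed with the same key still verifies. It assumes the pod's entries have already been read into a map; `SigEntry`, `Digest`, `Sign` and `Verify` are hypothetical names, Go and Ed25519 are choices made for the example, and the key pair and entries are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
	"sort"
)

// SigEntry is a hypothetical entry name for the signature, not a Fantom convention.
const SigEntry = "meta/pod.sig"

// Digest hashes every entry except SigEntry in sorted-name order. Names and
// contents are length-prefixed so bytes cannot be shifted between entries.
func Digest(entries map[string][]byte) []byte {
	names := make([]string, 0, len(entries))
	for n := range entries {
		if n != SigEntry {
			names = append(names, n)
		}
	}
	sort.Strings(names)
	h := sha256.New()
	for _, n := range names {
		fmt.Fprintf(h, "%d:%s%d:", len(n), n, len(entries[n]))
		h.Write(entries[n])
	}
	return h.Sum(nil)
}

// Sign stores an Ed25519 signature over Digest(entries) in the signature entry.
func Sign(entries map[string][]byte, priv ed25519.PrivateKey) {
	entries[SigEntry] = ed25519.Sign(priv, Digest(entries))
}

// Verify recomputes the digest and checks the signature against the public key
// pinned in the top-level pod. A missing or malformed signature fails.
func Verify(entries map[string][]byte, pinned ed25519.PublicKey) bool {
	return ed25519.Verify(pinned, Digest(entries), entries[SigEntry])
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed key pair and entries for the demo
	dep := map[string][]byte{"meta.props": []byte("pod.version=1.0"), "fcode/Dep.fcode": []byte("v1")}
	Sign(dep, priv)
	fmt.Println("signed 1.0:", Verify(dep, pub))
	dep["fcode/Dep.fcode"] = []byte("recompiled")
	fmt.Println("recompiled:", Verify(dep, pub))
}
```

The check only holds while the code that performs it and the pinned key are themselves unmodified, which is the part the JVM enforces for signed jars and nothing enforces here.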
