
I want to generate a reproducible checksum for my output files (e.g. *.jar) such that other developers or testers could notice when there are any changes. From reproducible builds website https://reproducible-builds.org/docs/jvm/, I could now generate a checksum in .buildinfo file with mvn artifact:buildinfo.

However, online I found very few resources or examples related to that. I doubt whether it is a good way to do so or whether there are any best practices related to that. Grateful if anyone could provide me some suggestions or references. Thanks!

  • It's easy to generate a checksum for any arbitrary file (e.g. a .jar file). There are many standard tools, like [md5](https://linux.die.net/man/1/md5) on *nix, or [Get-FileHash -Algorithm MD5](https://infosecscout.com/md5-checksum-on-windows/) on Windows/PowerShell. Q: What exactly is your question? – paulsm4 Oct 25 '22 at 03:38
  • Thanks for your feedback. I would love to generate a checksum such that by reading the checksum, other developers could notice if the jar file is different from the previous version. – jerry118118 Oct 25 '22 at 04:05
  • Is it a common or reliable way to verify there are changes against the previous version's checksum in the .buildinfo file? Not a lot of people mention the .buildinfo file online. Or is it more common for people to generate their own checksum using the command you have mentioned? – jerry118118 Oct 25 '22 at 04:07

1 Answer


Your use case sounds like you need a signed jar. The signed jar consists of a normal jar file, but for each contained file a digest (checksum) is generated and placed in the manifest.

This alone would not help to figure out that the jar has not been tampered with, since an attacker could not only change the files but also deliver the matching digests. Therefore the manifest also contains a digital signature that identifies that the file came from you only. This way users of the file can easily verify that the jar is the way you intended it to be.

See https://docs.oracle.com/javase/tutorial/deployment/jar/signindex.html

Queeg
  • The [maven-gpg-plugin](https://maven.apache.org/plugins/maven-gpg-plugin/) can be useful for this. Also see [How to Generate PGP Signatures with Maven](https://blog.sonatype.com/2010/01/how-to-generate-pgp-signatures-with-maven/). – Tim Moore Oct 25 '22 at 06:00
  • Thanks for your suggestion, I will have a look at it – jerry118118 Oct 26 '22 at 01:06
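The answer above describes the first half of a signed jar: a per-entry digest in META-INF/MANIFEST.MF. The script below is an added example, not code from the question, the answer or the Maven/JDK projects. It builds a small jar in memory with constructed entries, writes SHA-256-Digest attributes for them, and then recomputes each entry's digest and compares it with the manifest, which is the entry-by-entry check a tester could run on an artifact instead of comparing only a whole-file checksum. A second build with one entry altered shows the mismatch being reported. It deliberately covers only the digest half: checking the .SF/.RSA signature files (what `jarsigner -verify` does) is the part that makes the digests trustworthy, as the answer points out, and is not reproduced here.

```python
import base64
import hashlib
import io
import zipfile

# Signature files that a signed jar carries next to the manifest; they are not
# themselves listed in the manifest, so they are skipped during the digest check.
SIGNATURE_SUFFIXES = (".SF", ".RSA", ".DSA", ".EC")


def build_sample_jar(tamper=False):
    """Constructed sample jar (not a real artifact): two entries plus a manifest
    carrying one SHA-256-Digest per entry. With tamper=True one entry is changed
    after the manifest was written, mimicking a modified file with stale digests."""
    entries = {
        "com/example/Hello.class": b"\xca\xfe\xba\xbe\x00\x00\x00\x34 constructed stand-in for bytecode",
        "app.properties": b"version=1.0\n",
    }
    lines = ["Manifest-Version: 1.0", ""]
    for name, data in entries.items():
        digest = base64.b64encode(hashlib.sha256(data).digest()).decode("ascii")
        lines += [f"Name: {name}", f"SHA-256-Digest: {digest}", ""]
    manifest = "\r\n".join(lines).encode("utf-8")
    if tamper:
        entries["app.properties"] = b"version=1.0\ndebug=true\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def parse_manifest(raw):
    """Return {entry name: {attribute: value}} for the per-entry sections of a manifest.
    Sections are separated by blank lines; a line starting with a space continues
    the previous line (the manifest format folds long values at 72 bytes)."""
    unfolded = []
    for line in raw.decode("utf-8").splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    sections, current = [], {}
    for line in unfolded:
        if not line.strip():
            if current:
                sections.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        sections.append(current)
    return {s["Name"]: s for s in sections if "Name" in s}


def verify_manifest_digests(jar_bytes):
    """Recompute every entry's digest and compare it with the manifest.
    Returns (ok, problems) where problems lists entries that are missing a
    digest or whose content no longer matches the recorded digest."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        per_entry = parse_manifest(zf.read("META-INF/MANIFEST.MF"))
        for info in zf.infolist():
            name = info.filename
            if name.endswith("/") or name == "META-INF/MANIFEST.MF":
                continue
            if name.startswith("META-INF/") and name.upper().endswith(SIGNATURE_SUFFIXES):
                continue
            attrs = per_entry.get(name)
            if attrs is None:
                problems.append(f"{name}: no digest recorded in manifest")
                continue
            data = zf.read(name)
            for key, expected in attrs.items():
                if not key.endswith("-Digest"):
                    continue
                # "SHA-256-Digest" -> hashlib "sha256", "SHA1-Digest" -> "sha1"
                algo = key[: -len("-Digest")].replace("-", "").lower()
                actual = base64.b64encode(hashlib.new(algo, data).digest()).decode("ascii")
                if actual != expected:
                    problems.append(f"{name}: {key} mismatch")
    return (not problems, problems)


if __name__ == "__main__":
    print(verify_manifest_digests(build_sample_jar()))
    print(verify_manifest_digests(build_sample_jar(tamper=True)))
```

Run against a real jar by reading its bytes into `verify_manifest_digests`; a clean result only means the entries match their digests, so pair it with `jarsigner -verify` (or a detached GPG signature from the maven-gpg-plugin mentioned above) before treating the artifact as authentic.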