Improve security of the solution via e.g. MD5 checksums

bloxbean / aiken-java-binding

A Java binding for Aiken

MIT License

5 stars 1 forks source link

Improve security of the solution via e.g. MD5 checksums #9

Open matiwinnetou opened 1 year ago

matiwinnetou commented 1 year ago

Allowing native code to run on anybody's machine is dangerous.

Currently download_libs.sh doesn't contain md5 checksums. IMHO this is necessary.
Ideally a developer should never add those to native folder but actually only it should be done via CI upon verification of md5 checksums

There could be other measures / ideas taken for this but the things above should be minimum, especially that project is from cryptocurrency / where trojan horses stealing things like wallet passwords are common.

matiwinnetou commented 1 year ago

Alternatives to discuss / think about:

Find a way to import cargo crates into gradle project
Merge those two projects together: aiken-jna-wrapper and aiken-java-binding and invoke cargo via gradle tasks.