hashgraph / hedera-services

Crypto, token, consensus, file, and smart contract services for the Hedera public ledger
Apache License 2.0

Add verification of runtime libraries #3376

Open rbair23 opened 2 years ago

rbair23 commented 2 years ago

It is critically important that new jars do not become part of the runtime distribution of a mainnet node unintentionally. We should have a file in the system (maybe part of build.gradle.kts) that will verify the exact names of jars and their hashes in the built output. Whenever the jar files are modified, we should also update this file and verify the hashes and everything are exactly what we expect.
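One way to implement the check proposed in this issue, as an added example that is not part of the original issue or of the hedera-services build: a stand-alone script compares the jars in a built distribution against a pinned manifest and reports unexpected, missing and altered jars. The manifest layout (sha256sum-style `<sha256>  <jar path>` lines), the function names and the sample jar names are assumptions.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash in chunks so large jars are not loaded into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def parse_manifest(text: str) -> dict:
    """Parse '<sha256>  <relative jar path>' lines; '#' starts a comment line."""
    pinned = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64 or parts[1] in pinned:
            raise ValueError(f"manifest line {lineno}: malformed or duplicate entry")
        pinned[parts[1]] = parts[0].lower()
    return pinned


def verify_distribution(lib_dir: Path, pinned: dict) -> list:
    """Return every deviation from the manifest; an empty list is an exact match."""
    actual = {p.relative_to(lib_dir).as_posix(): sha256_of(p)
              for p in lib_dir.rglob("*.jar") if p.is_file()}
    problems = [f"UNEXPECTED {n}" for n in sorted(actual.keys() - pinned.keys())]
    problems += [f"MISSING {n}" for n in sorted(pinned.keys() - actual.keys())]
    problems += [f"HASH MISMATCH {n}" for n in sorted(actual.keys() & pinned.keys())
                 if actual[n] != pinned[n]]
    return problems


if __name__ == "__main__":
    # Constructed sample: pin two jars, then alter one and add an unreviewed one.
    with tempfile.TemporaryDirectory() as tmp:
        lib = Path(tmp)
        (lib / "app.jar").write_bytes(b"constructed app bytes")
        (lib / "util.jar").write_bytes(b"constructed util bytes")
        manifest = "".join(f"{sha256_of(p)}  {p.name}\n" for p in lib.iterdir())
        (lib / "util.jar").write_bytes(b"constructed altered bytes")
        (lib / "extra.jar").write_bytes(b"constructed unreviewed bytes")
        print("\n".join(verify_distribution(lib, parse_manifest(manifest))))
```

A build or CI step would fail whenever `verify_distribution` returns a non-empty list, so that adding or changing a jar requires a reviewed change to the manifest file.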

netopyr commented 2 months ago

@rbair23 Is this something @jjohannes should look into?