[bisq-network/bisq-core] Add verification of hash of jar file (#114)

Manfred Karrer notifications at github.com
Fri May 25 15:24:54 UTC 2018


We can create a deterministic jar file, create a SHA-256 hash from it and upload that with the binaries to GitHub. Users who download the app with the in-app installer will download the hash of the jar to their local data directory, keyed with the version number. After download and restart of the app, we verify if the hash of the running jar is the same as the downloaded hash. That happens at startup before any relevant operations have been started.
This will add additional security to ensure the jar file in the binary is not manipulated and matches the code version of the release. The deterministic jar can be reproduced by anyone from the release commit. Users who don't use the in-app downloader can do the verification manually by either downloading the hash of the jar and adding it to the data directory or by running the hash verification by themselves.

Deterministic builds for the binary itself are unfortunately more complex. Any dev experienced with that is highly welcome to help us get the last mile solved as well.

https://github.com/bisq-network/bisq-core/issues/114
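
The startup check described in the issue, as an added sketch that is not code from the Bisq project: it hashes the jar the JVM is running from and compares it with a hash stored in the data directory under the version. The class name, the `jar-<version>.sha256` file name and the command-line arguments are assumptions made for this example.

```java
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.DigestInputStream;
import java.security.MessageDigest;

public class JarHashCheck {
    // Stream the file through SHA-256 so a large jar is never held in memory.
    static byte[] sha256(Path file) throws Exception {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        try (InputStream in = new DigestInputStream(Files.newInputStream(file), md)) {
            byte[] buf = new byte[8192];
            while (in.read(buf) != -1) { /* the digest is updated as a side effect */ }
        }
        return md.digest();
    }

    // Accept 64 hex characters, optionally followed by a file name (sha256sum format).
    static byte[] parseHex(String line) {
        String hex = line.trim().split("\\s+")[0];
        if (!hex.matches("[0-9a-fA-F]{64}"))
            throw new IllegalArgumentException("not a SHA-256 hex digest");
        byte[] out = new byte[32];
        for (int i = 0; i < 32; i++)
            out[i] = (byte) Integer.parseInt(hex.substring(2 * i, 2 * i + 2), 16);
        return out;
    }

    // True only if a hash file for this version exists and matches the given jar.
    static boolean verify(Path jar, Path dataDir, String version) throws Exception {
        Path hashFile = dataDir.resolve("jar-" + version + ".sha256"); // hypothetical name
        if (!Files.isRegularFile(hashFile)) return false; // no hash: treat as unverified
        byte[] expected = parseHex(
                new String(Files.readAllBytes(hashFile), StandardCharsets.US_ASCII));
        return MessageDigest.isEqual(expected, sha256(jar));
    }

    public static void main(String[] args) throws Exception {
        // Path of the code actually running; this is the jar when started with -jar
        // or from a jar on the classpath (a class directory would fail to hash).
        Path self = Paths.get(JarHashCheck.class.getProtectionDomain()
                .getCodeSource().getLocation().toURI());
        if (!verify(self, Paths.get(args[0]), args[1])) { // args: <dataDir> <version>
            System.err.println("Jar hash verification failed for version " + args[1]);
            System.exit(1);
        }
        System.out.println("Jar hash verified");
    }
}
```

The comparison is only as trustworthy as the stored hash file; this sketch does not authenticate that file, and it fails closed when the file is missing.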