Much like a Java JAR can be signed, can a SWC be cryptographically signed, and that signature find its way into in the finished SWF?
I asked because I need to supply a SWC file along with its Flex sources to a 3rd party.
To guard against changes to the sources, I also need to assert that the supplied SWC is the one linked into a finished SWF, rather than the (possibly amended) sources.
Is there a means of doing this using the Flex toolchain?
The typical way of doing what you're asking is to create an md5 checksum on the swc that you build and send the third party the md5 checksum. The third party can then verify the swc against the md5 to ensure it's a bit for bit perfect copy.
There's no support for signing SWC files in Adobe's toolchain.
However, you can easily package your unsigned SWC into a signed jar:
jar -cf mySWCLibrary.jar myLibrary.swc
jarsigner mySWCLibrary.jar myLibraryCertificateAlias
Then the third party can verify the jar; the SWC is covered just like any resource inside a signed jar.
Note that you could also include the finished SWF in the jar file. Any changes to the SWC-supplied classes would result in a different SWF, making it detectable by verifying the jar signature.
Related
Qt makes use of a lot of 3rd party libraries for image encoding, compression, encryption, audio and video codec support and whatnot.
Historically, I've always had to include those as additional dependencies when I want to utilize them. And I've always wondered if there is a way to simply reuse the binaries Qt already incorporates?
It really depends on the libraries, but generally speaking, it sadly is not possible.
Qt builds and links most 3rd party libraries statically and without exporting any symbols (See libpng as an example). Some are even only linked into the plugins and not the Qt libraries (like sqlite, which is only a pri-file that is imported by the plugin). The only way to find out for the concrete case is to check the src/3rdparty subfolders in the different Qt repositories.
There is also one other point to consider: Qt often tries to fulfill dependencies by using what the operating system provides. I.e. if Qt finds libpng on the host system, it typlically links against that library, so the code isn't even part of the Qt binaries anymore, making compiletime linking dependend on the Qt configuration, even if symbols are exported for a concrete library.
The only real exception to all this is if you link Qt statically. In that case, the linker will only pull in all those 3rdparty dependencies once you link the final application, making it possible for you to link against the libraries Qt uses.
So I've been trying to do some AWS lambda with scala and sbt. And one of the recommendations is
Minimize your deployment package size to its runtime necessities. This
will reduce the amount of time that it takes for your deployment
package to be downloaded and unpacked ahead of invocation. For
functions authored in Java or .NET Core, avoid uploading the entire
AWS SDK library as part of your deployment package.
I've been using sbt-assembly to create fat jars for my code and dependencies, but it seems like sbt-assembly will package all library dependencies when I only use like 10% of the aws-core library which adds a lot of content. Was wondering if there is something I can do to cut down on the number of dependencies to what is actually imported in my code (and their dependencies).
As far as I know, there is no direct and safe way to selectively contains the dependent classes in a fat jar generated by the sbt-compile plugin.
First of all, you should understand that sbt plugins just provide a settings and jar files required to invoke methods in your project. It means that the dependent plugin is brought to your project with the pre-compiled jar file, which is determined by the version that you specified on your build setting (e.g., plugins.sbt in your project dir).
For example, the jars of sbt-assembly are brought to your project from this link when you specify that you want to use the sbt-assembly (although it is brought to your project when you use recent sbt version by default).
Therefore, at least you may have two choices to shrink your jar files.
Compile the jar file from the scratch
For the sbt-aws, its source code is provided on this link, so you may selectively compile the source codes to get the classes that your program is going to use.
Use the tool for shrinking jar file
There are several tools to shrink your jar file based on the dependencies. The most popular tool is proguard; it seems that there is a proguard support for sbt.
Warning
As mentioned in another stack overflow answer, selectively choosing some classes from the jar may cause your program crash depending on the input value and several other conditions. You've said that only 10 percent of the jar file is used, but you cannot ensure whether other classes are required from your code and library that your project depends on. When you use the tool for helping you to shrink the jar file, be careful when the program is security critical one.
I'm a little bit confused about the qtquickcompiler, the JIT qml caching and what is available (and what is not) in the open source version of qt 5.8 (respectively 5.9).
Basically, I want to protect my .qml and .js files from being readable in my release build. I started a new example QtQuick project without editing any code. I followed these instructions and added the CONFIG += qtquickcompiler in the .pro file, but it has no effect.
My .qml files are built into the .exe (on Windows), but if look in the executable, e.g. with notepad++, I can still see the source code of the .qml files.
On the other hand, if I don't use the QRC for my .qml files, .qmlc files are created for every of my .qml at runtime. These files are not (easily?) readable. But I don't find a way to use only the .qmlc files without shipping the .qml files in my build (and I don't think it was meant to be like that).
Coming to my question: Is there a way to protect my .qml and .js files with the open source version of qt? And what is the difference between the qtquickcompiler and the new JIT .qmlc?
Updated answer:
Since Qt 5.11, the qt quick compiler is also available in the open source version:
CONFIG += qtquickcompiler
See https://wiki.qt.io/New_Features_in_Qt_5.11
No, it was going to be, but then they gave up on those plans for the time being and replaced it with the caching thing.
I don't think you will be able to reuse .qmlc files on another computer, as IIRC they are not architecture portable.
In the future, it should be possible to pre-compile .qml to .qmlc ahead of time and bundle those into the application binary.
If your files are on the file system, then there is no way to protect them, from being read, reverse engineered, or tampered with.
With the compiler, the QML code is translated to C++ code, which is then compiled to a native binary. Also, last time I checked, if you go for the compiler, it is an "either / or" situation, if you use compiled qml you can only use compiled qml, so no mixing with regular qml files. It is also ahead of time, and requires a commercial license.
The qml caching in contrast is just-in-time (possibly ahead of time in the future), doesn't require a commercial license and doesn't come with the limitation that prevents you from using regular qml files. I am not aware of the implementation details, but it certainly is not qml code translated to C++ and then compiled, as it happens on the client side and doesn't require having Qt or even a C++ compiler installed. It doesn't really sound like bytecode either, as IIRC it is not binary compatible between platforms, it is more like caching the qml file processing result to avoid on doing it every time.
As outlined in this answer, with some extra work it might be possible to implement a decent amount of protection, for example encrypted QML files or binary resources, but I still haven't dug into it.
Lastly, if you set compression for the qrc file with a low threshold, it will somewhat obfuscate the QML code in the executable binary, but even so, it is regular zip compression, so if your code is really worth stealing, it will not really prevent that, just make it a tad less trivial.
Is there a way to protect my .qml and .js files with the open source version of qt?
Not yet. Up to (and including) 5.8 you'll need to buy a license in order to use the QML compiler.
And what is the difference between the qtquickcompiler and the new JIT .qmlc?
That the compiler will turn QML into C++, which gets then compiled into your application. The .qmlc files are a cache generated by the engine to avoid parsing / optimizing / etc. the same files all over again. Yet, they're a cache -- you'll need to original source around in case they don't get used. At the Qt Contributors' Summit 2016 there have been some discussions about how to streamline and integrate the compiler with the cache, but so far nothing exists.
Coming to my question: Is there a way to protect my .qml and .js files
with the open source version of qt?
Yes, of course,
look at my answer:
https://stackoverflow.com/a/40861056
You can use an encripted resource file, an decrypt it in execution time...
I do that in all my projects ...
Is not a trivial job, but works fine.
I am working at a library needing some dependencies.
For ease of deployment, I want to create a JAR file containing everything, including the dependencies.
I have tried sbt-assembly - this works, but it may be inadvisable due to legal reasons, so I'm looking for a solution where the resulting JAR file has the original JAR files inside, and where the classpath entry in MANIFEST.MF is set up such that client classes may just add this "nested JAR file" into their classpaths.
Is something like this even possible? sbt-one-jar nearly does, what I want, but only for executables - my product will result in a library, so this is not a perfect fit.
As I've used SBT so far, an SBT plugin would be easiest to use, as it is rather too much work to convert everyting to maven or gradle or ... now.
After thinking a bit more about how class lookup works, we dediced to abandon this experiment.
Basically classes are loaded by ClassLoader instances, and the standard class loaders for applications use a fixed strategy of how to find classes in JAR files or directories.
It seems that to allow a library to be located in a hierarchical JAR file, we must also provide the user of this library (i.e. the library client) with a special classloader so that our client may load all needed classes from the hierarchical JAR.
This is too much work to be worth it - the whole idea of a hierarchical JAR was enteratained only to simplify deployment, and having to juggle own classloaders would nullify this simplification.
In short - possible, but probably not worth the effort.
Scenario: there is an Adobe Flex 3 project which uses several third-party libraries and components in the form of SWC files.
How can we know "what is inside" those SWC files? Specifically, how can I make sure that the project uses the latest versions of all those components?
According to official Adobe Flex 3 help, "you can define" (sic) a version property for a component that you intend to package and distribute. Something along the lines of:
private static const version:String = '1.0.0.42';
But that property is not treated in any special way by Adobe's authoring tools, and I suspect that it is not commonly used by the community, anyway.
The file catalog.xml that is inside all SWC components doesn't seem to contain anything useful in that sense.
Are developers distributing SWC usually embedding metadata in those files in any way? Is there a standardised way to retrieve data such as version, license, author and copyright from a SWC file?
I would consider it good practice to include the version name in the .swc file itself. For example, if you use the Mate framework, the swc filename is something like Mate_08_5.swc. At a quick glance, you can see that you're using version 0.8.5.
As far as license goes, usually you distribute a LICENSE text file within the .zip that contains your .swc file.
You could look into RSL digests. These attach a different hash value to each version of a particular library (swc/library/libraries/digests in the catalog.xml file) . Then all you have to do is only load the library with the known digest value.
If you don't have any control over the SWC files being used and they're not using digests, you are kind of stuck with whatever proprietary versioning system the vendor is using though.
You are making an interesting point.
Adobe has provided a way to include basic metadatas in SWFs (and thus in SWCs) but this is stored in the binary and there's no way to extract it without decompilation.
Interestingly, if one knows how to read a SWF, extracting metadatas is fairly easy. But most of the time it doesn't contain any useful information because obviously authoring tools don't let you simply view it...
So I guess first we need some integration in our authoring tools, then we may begin finding useful information in the metadatas :)
SWCs are generally distributed in a package with other supporting files, such as documentation and examples. Version, license, and author information is usually available as part of that package in a separate readme or license file. I've never seen component developers in the Flex world compile that sort of information into the SWC itself.