Reputation: 1793
We wish to exchange signed CDS packages with a partner organisation on our shared Hyperledger Fabric network. We are working according to the Operator Guide at https://hyperledger-fabric.readthedocs.io/en/latest/chaincode4noah.html#packaging.
We are able to receive and install signed packages with no problem, but how do we know what we are installing? Our installation procedures call for an inspection of what we receive, and potentially also creating tests against the object we intend to install.
My question is: How are we able to inspect the source code of what we are asked by our partner organisation to install? If we are not able to inspect it, we have no real transparency on the consensus that we are expected to give.
We have tried extracting the gzipped object from the .pak file, and unzipping it, but the .gz format does not seem to be in a standard format. I suspect we are missing something fundamental here, either in procedure or tooling.
For reference, we are extracting the code segment like this:
protoc --decode_raw < test_cc_signed_package.pak > test_cc_signed_package.decoded
then we extract the gzipped "code" portion like this (in our example signed package it is at "1.2.1.3" of the file, but might be different for you)
cat test_cc_signed_package.decoded | grep "^ 3:" | sed -r 's/^ 3:\ \"(.*)\"$/\1/'
The output is in a format that we can perform a diff on, and which we were hoping to save to a binary file and simply gunzip. Gzip, however, is refusing to decode the file, and inspecting it in xxd, we can see that the format is not correct for gzip.
Upvotes: 1
Views: 171
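One detail worth knowing when following the procedure above: `protoc --decode_raw` prints a length-delimited field as C-escaped text (printable ASCII literally; `"`, `\`, newline and friends as `\"`, `\\`, `\n`; every other byte as three-digit octal such as `\037\213`), so the text captured from the `3:` line has to be unescaped back into bytes before gunzip will accept it. The following added example (not from the question or from Hyperledger Fabric) does that unescaping, checks the gzip magic, and lists the tar entries in memory rather than extracting them to disk; the sample package and its file path are constructed here.

```python
import io
import re
import tarfile

# protoc's CEscape: \n \r \t \" \' \\ for those bytes, printable ASCII as-is,
# everything else as three-digit octal \NNN.
_SIMPLE = {"n": b"\n", "r": b"\r", "t": b"\t", '"': b'"', "'": b"'", "\\": b"\\"}
_ESCAPE = re.compile(r"""\\([0-7]{3}|[nrt"'\\])""")


def unescape_protoc(text: str) -> bytes:
    """Turn the escaped text of a decode_raw bytes field back into raw bytes."""
    out, pos = bytearray(), 0
    for m in _ESCAPE.finditer(text):
        out += text[pos:m.start()].encode("latin-1")  # literal run before the escape
        tok = m.group(1)
        out += _SIMPLE.get(tok) or bytes([int(tok, 8)])
        pos = m.end()
    out += text[pos:].encode("latin-1")
    return bytes(out)


def protoc_escape(data: bytes) -> str:
    """Mimic protoc's escaping; used only to build the constructed sample below."""
    inv = {v[0]: k for k, v in _SIMPLE.items()}
    return "".join("\\" + inv[b] if b in inv else
                   (chr(b) if 0x20 <= b < 0x7F else f"\\{b:03o}") for b in data)


def make_sample_field() -> str:
    """Constructed stand-in for the '3:' field: a tar.gz holding one chaincode file."""
    buf, src = io.BytesIO(), b"package main\n\nfunc main() {}\n"
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo("src/github.com/example/cc/main.go")  # hypothetical path
        info.size = len(src)
        tar.addfile(info, io.BytesIO(src))
    return protoc_escape(buf.getvalue())


def unpack_code_package(escaped_field: str) -> dict:
    """Unescape, verify the gzip magic, and read the tar members into memory.

    Reading in memory (no extractall) avoids path-traversal surprises from a
    tarball we have not inspected yet; returns {member name: file bytes}.
    """
    raw = unescape_protoc(escaped_field)
    if raw[:2] != b"\x1f\x8b":
        raise ValueError(f"not gzip: leading bytes are {raw[:2].hex()}")
    with tarfile.open(fileobj=io.BytesIO(raw), mode="r:gz") as tar:
        return {m.name: tar.extractfile(m).read() for m in tar if m.isfile()}


if __name__ == "__main__":
    for name, body in unpack_code_package(make_sample_field()).items():
        print(f"{name}: {len(body)} bytes")
```

To use it on a real package, pass the string captured by the grep/sed pipeline above (without the surrounding quotes) to `unpack_code_package`, then diff the returned sources against what the partner says they packaged.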
Reputation: 5140
Perhaps you can ask your partner organization to send you the files that were packaged so you can just package it yourself, and then compare the package to the package you are supposed to install?
Upvotes: 1