Closed
Description
[HIGH] Refactor vendor SDK management to external dependency
Priority
🔴 P1 (High)
Description
The Apple FairPlay SDK binaries (1.5+ MB) are currently committed to the repository, which creates several issues:
Current State:
- vendor/fpssdk/prebuilt/macos/libfpscrypto.dylib (1.07 MB)
- vendor/fpssdk/prebuilt/x86_64-unknown-linux-gnu/libfpscrypto.so (500 KB)
- vendor/fpssdk/prebuilt/aarch64-unknown-linux-gnu/libfpscrypto.so (535 KB)
- 64 Rust source files (2,360 lines)
Problems
- License Compliance: Apple SDK has proprietary license - redistribution rights unclear
- Security: Binary blobs without cryptographic verification
- Maintenance: SDK updates require manual intervention
- Repository Size: Bloats git history permanently
- Supply Chain Security: No verification of binary integrity
Acceptance Criteria
- Remove binary files from git repository
- Implement build-time SDK download mechanism
- Add cryptographic checksum verification
- Document SDK version management
- Update CI/CD pipeline
- Verify license compliance
- Test on all supported platforms (macOS, Linux x86_64, Linux aarch64)
Implementation Plan
Step 1: Create External Artifact Repository
```bash
# Option A: Use private S3 bucket
aws s3 mb s3://arkavo-fairplay-sdk
aws s3 cp vendor/fpssdk/prebuilt/ s3://arkavo-fairplay-sdk/v26/ --recursive

# Option B: Use GitHub Releases
gh release create fairplay-sdk-v26 \
  vendor/fpssdk/prebuilt/macos/libfpscrypto.dylib \
  vendor/fpssdk/prebuilt/x86_64-unknown-linux-gnu/libfpscrypto.so \
  vendor/fpssdk/prebuilt/aarch64-unknown-linux-gnu/libfpscrypto.so
```
Step 2: Update build.rs
```rust
use std::env;
use std::fs::File;
use std::io;
use std::path::{Path, PathBuf};
use sha2::{Digest, Sha256};

const SDK_VERSION: &str = "26";

// Expected SHA-256 digests (lowercase hex), keyed by path relative to the SDK directory.
const CHECKSUMS: &[(&str, &str)] = &[
    ("macos/libfpscrypto.dylib", "abc123..."),
    ("x86_64-unknown-linux-gnu/libfpscrypto.so", "def456..."),
    ("aarch64-unknown-linux-gnu/libfpscrypto.so", "ghi789..."),
];

fn main() {
    let out_dir = PathBuf::from(env::var("OUT_DIR").unwrap());
    let sdk_dir = out_dir.join("fairplay-sdk");

    // Download SDK if not cached (download_sdk is not shown in this issue)
    if !sdk_dir.exists() {
        download_sdk(&sdk_dir).expect("Failed to download FairPlay SDK");
    }

    // Verify checksums on every build, including when the cached copy is reused
    verify_checksums(&sdk_dir).expect("SDK checksum verification failed");

    // Set library path
    let os = env::var("CARGO_CFG_TARGET_OS").unwrap();
    let arch = env::var("CARGO_CFG_TARGET_ARCH").unwrap();
    let lib_path = if os == "macos" {
        sdk_dir.join("macos")
    } else {
        sdk_dir.join(format!("{}-unknown-linux-gnu", arch))
    };
    println!("cargo:rustc-link-search={}", lib_path.display());
    println!("cargo:rustc-link-lib=dylib=fpscrypto");
}

// Compare each file's SHA-256 against the pinned value; the first mismatch fails the build.
fn verify_checksums(sdk_dir: &Path) -> Result<(), Box<dyn std::error::Error>> {
    for (file, expected_hash) in CHECKSUMS {
        let path = sdk_dir.join(file);
        let actual_hash = compute_sha256(&path)?;
        if actual_hash != *expected_hash {
            return Err(format!(
                "Checksum mismatch for {}: expected {}, got {}",
                file, expected_hash, actual_hash
            ).into());
        }
    }
    Ok(())
}

// Stream the file through SHA-256 and return the digest as lowercase hex.
fn compute_sha256(path: &Path) -> io::Result<String> {
    let mut file = File::open(path)?;
    let mut hasher = Sha256::new();
    io::copy(&mut file, &mut hasher)?;
    Ok(format!("{:x}", hasher.finalize()))
}
```
Step 3: Update .gitignore
```gitignore
# FairPlay SDK (downloaded during build)
vendor/fpssdk/prebuilt/
```
Testing Requirements
- Test clean build on macOS
- Test clean build on Linux x86_64
- Test clean build on Linux aarch64
- Test offline build with cached SDK
- Test checksum verification failure handling
- Test CI/CD pipeline
Rollback Plan
- Keep current implementation in a branch
- Document rollback procedure
- Test rollback process
Related
- PR FairPlay SDK 26 #25 - FairPlay SDK 26 Integration
- Issue [CRITICAL] Implement OpenTDF-based Key Management for Content Protection #26 - Content key management
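Added example, not part of the original issue or the project's code: a shell sketch of how the pinned digests for the `CHECKSUMS` table could be produced from a trusted copy of the three SDK files and how a downloaded or cached tree could be checked against them, covering the "checksum verification failure handling" test item. The manifest format and the function names `sha256_of`, `write_manifest` and `verify_sdk` are assumptions.

```shell
#!/usr/bin/env bash
# Added example. Manifest format (assumption): "<hex digest>  <relative path>" per line.

# The three SDK files listed in the issue, relative to the prebuilt directory.
SDK_FILES="macos/libfpscrypto.dylib
x86_64-unknown-linux-gnu/libfpscrypto.so
aarch64-unknown-linux-gnu/libfpscrypto.so"

# Portable SHA-256 of one file: coreutils on Linux, shasum on macOS.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# write_manifest <sdk_dir> <manifest>: record digests of the trusted copy.
write_manifest() {
  : > "$2" || return 1
  for f in $SDK_FILES; do
    [ -f "$1/$f" ] || { echo "missing: $f" >&2; return 1; }
    printf '%s  %s\n' "$(sha256_of "$1/$f")" "$f" >> "$2"
  done
}

# verify_sdk <sdk_dir> <manifest>: succeeds only if every expected file has a
# pinned digest, exists, and matches. Iterating over the expected file list
# (not the manifest) means a truncated manifest cannot pass.
verify_sdk() {
  for f in $SDK_FILES; do
    expected=$(awk -v p="$f" '$2 == p { print $1 }' "$2")
    [ -n "$expected" ] || { echo "no pinned digest for $f" >&2; return 1; }
    [ -f "$1/$f" ] || { echo "missing file: $f" >&2; return 1; }
    actual=$(sha256_of "$1/$f")
    [ "$actual" = "$expected" ] || { echo "checksum mismatch for $f" >&2; return 1; }
  done
}
```

The manifest only adds integrity if it is committed to the repository and reviewed like code; a digest list fetched from the same bucket or release as the binaries can be replaced together with them.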