felix-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Karl Pauls <karlpa...@gmail.com>
Subject Re: Felix security and signed jars
Date Thu, 22 Mar 2012 12:50:13 GMT
The verfication is done in the security provider (only happens if installed).



On Thu, Mar 22, 2012 at 1:24 PM, Guillaume Nodet <gnodet@gmail.com> wrote:
> I'm trying to understand how Felix verify the classes signatures but I
> don't see anything around that.
> It seems to me that in a non OSGi environment, the classes will be verified
> by the class loader when loaded from a jar mainly because the
> java.util.jar.JarFile does the signature verification when loading an entry
> (i.e. a class) from the jar file.  However, Felix does not use the JarFile
> class and uses a custom ZipFile instead.
> So it looks like the whole signed jars mechanism does not really work.
> Am I right, or do I miss something here ?
> --
> ------------------------
> Guillaume Nodet
> ------------------------
> Blog: http://gnodet.blogspot.com/
> ------------------------
> FuseSource, Integration everywhere
> http://fusesource.com

Karl Pauls

View raw message