felix-dev mailing list archives

From "Guillaume Nodet (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (FELIX-3610) Support runtime verification for signed bundles
Date Wed, 25 Jul 2012 20:27:33 GMT

    [ https://issues.apache.org/jira/browse/FELIX-3610?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13422581#comment-13422581 ]

Guillaume Nodet commented on FELIX-3610:
----------------------------------------

Also, if the signatures are checked only when the revision is created, I think there's still
a hole: I could stop and refresh the bundle (signature check when refreshing).  At this point,
the bundle is unresolved and I can tamper with it easily.  Then I restart the bundle, and there's
a good chance I can change the contents without being noticed.
                
> Support runtime verification for signed bundles
> -----------------------------------------------
>
>                 Key: FELIX-3610
>                 URL: https://issues.apache.org/jira/browse/FELIX-3610
>             Project: Felix
>          Issue Type: Improvement
>          Components: Framework, Framework Security
>            Reporter: Guillaume Nodet
>            Assignee: Karl Pauls
>
> Signed bundles are only checked when installed, but the goal of signed bundles is to
> make sure no one has changed the jar. This is not ensured unless bundle entries are verified
> when loaded.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
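
The load-time check the issue asks for, as an added example that is not part of the original message and is not Felix code: it re-verifies a signed jar entry every time it is read, using only the standard `java.util.jar` API. The class name `VerifiedEntryLoader` is hypothetical, Java 9 or later is assumed, and the jar path and entry name are supplied by the caller.

```java
import java.io.IOException;
import java.io.InputStream;
import java.security.CodeSigner;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

/** Hypothetical helper (not Felix code): re-verify a signed jar entry on every load. */
public final class VerifiedEntryLoader {

    /**
     * Reads one entry from a signed jar and returns its bytes only if the
     * digest recorded in the jar's signature files still matches.
     */
    public static byte[] load(String jarPath, String entryName) throws IOException {
        // verify=true makes JarFile check the recorded digests while the entry is read.
        try (JarFile jar = new JarFile(jarPath, true)) {
            JarEntry entry = jar.getJarEntry(entryName);
            if (entry == null) {
                throw new IOException("No such entry: " + entryName);
            }
            byte[] data;
            try (InputStream in = jar.getInputStream(entry)) {
                // A modified entry fails here with SecurityException (digest mismatch),
                // but only once the stream has been read to the end.
                data = in.readAllBytes();
            }
            // Signers are only populated after the full read; null means the entry
            // is unsigned, for example a file added to the jar after signing.
            CodeSigner[] signers = entry.getCodeSigners();
            if (signers == null || signers.length == 0) {
                throw new SecurityException("Unsigned entry: " + entryName);
            }
            // A framework would also check the signer chain against its trust store here.
            return data;
        }
    }

    public static void main(String[] args) throws IOException {
        // args[0] = path to a signed bundle jar, args[1] = entry name (caller-supplied)
        byte[] bytes = load(args[0], args[1]);
        System.out.println(args[1] + ": " + bytes.length + " bytes, digest verified");
    }
}
```

Because the check runs on each read rather than once at install, a jar changed on disk while the bundle is stopped or unresolved is rejected the next time one of its entries is loaded.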

        
