felix-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Guillaume Nodet (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (FELIX-3610) Support runtime verification for signed bundles
Date Wed, 25 Jul 2012 19:00:47 GMT

    [ https://issues.apache.org/jira/browse/FELIX-3610?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13422508#comment-13422508

Guillaume Nodet commented on FELIX-3610:

I initially tried using a JarInputStream instead of a ZipInputStream, which would only partially
work, as it won't handle the Bundle-ClassPath correctly wrt to signatures.
I guess the only way is to do the same as Equinox, i.e. wrap the InputStream of the content
entry and perform the check against the digest stored in the manifest when the end of the
stream is reached.
> Support runtime verification for signed bundles
> -----------------------------------------------
>                 Key: FELIX-3610
>                 URL: https://issues.apache.org/jira/browse/FELIX-3610
>             Project: Felix
>          Issue Type: Improvement
>          Components: Framework, Framework Security
>            Reporter: Guillaume Nodet
>            Assignee: Karl Pauls
> Signed bundles are only checked when installed, but the goal of signed bundles is to
make sure no one has changed the jar.    This is not ensured unless bundle entries are verified
when loaded.

This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira


View raw message