Return-Path: 
 <dev-return-32082-apmail-felix-dev-archive=felix.apache.org@felix.apache.org>
X-Original-To: apmail-felix-dev-archive@www.apache.org
Delivered-To: apmail-felix-dev-archive@www.apache.org
Received: from mail.apache.org (hermes.apache.org [140.211.11.3])
	by minotaur.apache.org (Postfix) with SMTP id 98397C6C5
	for <apmail-felix-dev-archive@www.apache.org>;
 Wed, 25 Jul 2012 17:07:35 +0000 (UTC)
Received: (qmail 9344 invoked by uid 500); 25 Jul 2012 17:07:35 -0000
Delivered-To: apmail-felix-dev-archive@felix.apache.org
Received: (qmail 9286 invoked by uid 500); 25 Jul 2012 17:07:35 -0000
Mailing-List: contact dev-help@felix.apache.org; run by ezmlm
Precedence: bulk
List-Help: <mailto:dev-help@felix.apache.org>
List-Unsubscribe: <mailto:dev-unsubscribe@felix.apache.org>
List-Post: <mailto:dev@felix.apache.org>
List-Id: <dev.felix.apache.org>
Reply-To: dev@felix.apache.org
Delivered-To: mailing list dev@felix.apache.org
Received: (qmail 9128 invoked by uid 99); 25 Jul 2012 17:07:35 -0000
Received: from issues-vm.apache.org (HELO issues-vm) (140.211.11.160)
    by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 25 Jul 2012 17:07:35 +0000
Received: from isssues-vm.apache.org (localhost [127.0.0.1])
	by issues-vm (Postfix) with ESMTP id D63BA14285B
	for <dev@felix.apache.org>; Wed, 25 Jul 2012 17:07:34 +0000 (UTC)
Date: Wed, 25 Jul 2012 17:07:34 +0000 (UTC)
From: "Guillaume Nodet (JIRA)" <jira@apache.org>
To: dev@felix.apache.org
Message-ID: <1405695319.101903.1343236054879.JavaMail.jiratomcat@issues-vm>
In-Reply-To: <1617987772.101836.1343234734945.JavaMail.jiratomcat@issues-vm>
Subject: [jira] [Commented] (FELIX-3610) Support runtime verification for
 signed bundles
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394


    [ https://issues.apache.org/jira/browse/FELIX-3610?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13422417#comment-13422417 ] 

Guillaume Nodet commented on FELIX-3610:
----------------------------------------

Note that the benefit of signing is that those bundles are actually secured.  In my case, only signed bundles can be accessed at runtime -- this can be checked using Bundle#getSignerCertificates().  So the verification is important to ensure that only signed code can be accessed at runtime.
                
> Support runtime verification for signed bundles
> -----------------------------------------------
>
>                 Key: FELIX-3610
>                 URL: https://issues.apache.org/jira/browse/FELIX-3610
>             Project: Felix
>          Issue Type: Improvement
>          Components: Framework, Framework Security
>            Reporter: Guillaume Nodet
>
> Signed bundles are only checked when installed, but the goal of signed bundles is to make sure no one has changed the jar.    This is not ensured unless bundle entries are verified when loaded.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira