The challenge is ensuring that configuration
files such as plugin.xml, META-INF/MANIFEST.MF, and OSGI-INF/PERMISSIONS.PERM
have not been altered since installation. If this file is not part
of a JAR, then there is no obvious way of ensuring that it has not been
tampered with or altered to change package export/access rules, and required
permission assignments etc.
Certainly, the code of pdebuild.jar
can be signed via an ant script using the <signjar> tag, but we'll
lose some integrity if the rest of the plug-in configuration files are
As I recall, it is also a 3.1 best practice
to leave plug-ins JAR'd rather than expanding during installation.
Pascal Rapicault <Pascal_Rapicault@xxxxxxxxxx>
Sent by: equinox-dev-bounces@xxxxxxxxxxx
Please respond to: Equinox development mailing list <equinox-dev@xxxxxxxxxxx>
Subject: [equinox-dev] Signing of exploded jars
Do you think it is somehow possible to sign plug-ins that are not jar'ed
(for example org.eclipse.pde.build in eclipse 3.1).
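
An added example, not part of the thread and not Equinox code: one way to detect altered files such as plugin.xml or OSGI-INF/permissions.perm in an exploded plug-in is to compare each file with the per-entry digest that JAR signing records in META-INF/MANIFEST.MF. It assumes the manifest carries `Name:` / `SHA-256-Digest:` sections; the function names and the sample plug-in are constructed. The manifest itself would still have to be authenticated against the signature file and signature block, which this sketch does not do.

```python
import base64, hashlib, tempfile
from pathlib import Path
SIG_SUFFIXES = (".SF", ".RSA", ".DSA", ".EC")  # signature files kept in META-INF

def b64_sha256(data):
    return base64.b64encode(hashlib.sha256(data).digest()).decode()

def parse_manifest_digests(text):
    """Map entry name -> SHA-256-Digest from the manifest's per-entry sections."""
    # A long manifest line continues on the next line after a single space.
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")
    digests = {}
    for section in unfolded.split("\n\n"):
        attrs = dict(l.split(": ", 1) for l in section.splitlines() if ": " in l)
        if "Name" in attrs and "SHA-256-Digest" in attrs:
            digests[attrs["Name"]] = attrs["SHA-256-Digest"]
    return digests

def check_exploded_plugin(root):
    """Return (modified, missing, unlisted) entry names for the directory root."""
    root = Path(root)
    expected = parse_manifest_digests((root / "META-INF" / "MANIFEST.MF").read_text("utf-8"))
    actual = {}
    for path in root.rglob("*"):
        rel = path.relative_to(root).as_posix()
        skip = rel == "META-INF/MANIFEST.MF" or (
            rel.startswith("META-INF/") and rel.upper().endswith(SIG_SUFFIXES))
        if path.is_file() and not skip:  # manifest and signature files are not entries
            actual[rel] = b64_sha256(path.read_bytes())
    modified = sorted(n for n in expected if n in actual and actual[n] != expected[n])
    missing = sorted(n for n in expected if n not in actual)
    unlisted = sorted(n for n in actual if n not in expected)
    return modified, missing, unlisted

def demo():
    """Constructed plug-in directory: checked as installed, then after edits."""
    files = {"plugin.xml": b"<plugin/>\n", "OSGI-INF/permissions.perm": b"# none\n"}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        manifest = "Manifest-Version: 1.0\n\n"
        for rel, data in files.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(data)
            manifest += f"Name: {rel}\nSHA-256-Digest: {b64_sha256(data)}\n\n"
        (root / "META-INF").mkdir()
        (root / "META-INF" / "MANIFEST.MF").write_bytes(manifest.encode())
        clean = check_exploded_plugin(root)
        (root / "OSGI-INF" / "permissions.perm").write_bytes(b"# edited after install\n")
        (root / "plugin.properties").write_bytes(b"added=1\n")
        return clean, check_exploded_plugin(root)
```

Files reported as unlisted matter as much as modified ones, since an exploded directory can gain files that no manifest entry ever covered.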