Re: [equinox-dev] Signing of exploded jars


The challenge is ensuring that configuration files such as plugin.xml, META-INF/MANIFEST.MF, and OSGI-INF/PERMISSIONS.PERM have not been altered since installation. If this file is not part of a JAR, then there is no obvious way of ensuring that it has not been tampered with or altered to change package export/access rules, and required permission assignments etc.

Certainly, the code of pdebuild.jar can be signed via an ant script using the <signjar> tag, but we'll lose some integrity if the rest of the plug-in configuration files are not immutable.

As I recall, it is also a 3.1 best practice to leave plug-ins JAR'd rather than expanding during installation.

- Ted



Pascal Rapicault <Pascal_Rapicault@xxxxxxxxxx>
Sent by: equinox-dev-bounces@xxxxxxxxxxx
10/05/2005 14:22
Please respond to: Equinox development mailing list <equinox-dev@xxxxxxxxxxx>
To: equinox-dev@xxxxxxxxxxx
cc:
Subject: [equinox-dev] Signing of exploded jars

Hello,


Do you think it is somehow possible to sign plug-ins that are not jar'ed (for example org.eclipse.pde.build in Eclipse 3.1)?


Thanks,


PaScaL
_______________________________________________
equinox-dev mailing list
equinox-dev@xxxxxxxxxxx
https://dev.eclipse.org/mailman/listinfo/equinox-dev
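
Added illustration (not part of the original messages and not Equinox code): in a signed JAR, META-INF/MANIFEST.MF lists a digest section per entry, and this sketch applies that same per-entry check to an exploded plug-in directory so that a change to plugin.xml or OSGI-INF/permissions.perm is detected. The sample plug-in, its file contents and the function names are constructed for the example, and it assumes the manifest itself has already been authenticated, which this code does not do.

```python
import base64, hashlib, os

def parse_entry_digests(manifest_text):
    """Return {entry name: base64 SHA-256 digest} from per-entry manifest sections."""
    # Undo manifest line wrapping: a continuation line starts with a single space.
    text = manifest_text.replace("\r\n", "\n").replace("\n ", "")
    digests = {}
    for section in text.split("\n\n")[1:]:  # section 0 is the main section
        attrs = dict(l.split(": ", 1) for l in section.splitlines() if ": " in l)
        if "Name" in attrs and "SHA-256-Digest" in attrs:
            digests[attrs["Name"]] = attrs["SHA-256-Digest"]
    return digests

def sha256_b64(path):
    with open(path, "rb") as f:
        return base64.b64encode(hashlib.sha256(f.read()).digest()).decode()

def verify_exploded(root):
    """Map relative path -> 'modified' | 'missing' | 'unlisted'. Trusts the manifest (assumption)."""
    with open(os.path.join(root, "META-INF", "MANIFEST.MF"), encoding="utf-8") as f:
        expected = parse_entry_digests(f.read())
    problems = {}
    for name, digest in expected.items():
        path = os.path.join(root, *name.split("/"))
        if not os.path.isfile(path):
            problems[name] = "missing"
        elif sha256_b64(path) != digest:
            problems[name] = "modified"
    for dirpath, _, files in os.walk(root):
        for fn in files:
            rel = os.path.relpath(os.path.join(dirpath, fn), root).replace(os.sep, "/")
            # META-INF holds the manifest and signature files, which have no entry of their own.
            if rel not in expected and not rel.startswith("META-INF/"):
                problems[rel] = "unlisted"
    return problems

def build_sample(root):
    """Constructed sample: a tiny exploded plug-in whose manifest lists entry digests."""
    files = {"plugin.xml": b"<plugin/>\n",
             "OSGI-INF/permissions.perm": b'(java.io.FilePermission "data" "read")\n'}
    sections = ["Manifest-Version: 1.0\nBundle-SymbolicName: example.plugin"]
    for name, data in files.items():
        path = os.path.join(root, *name.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
        sections.append(f"Name: {name}\nSHA-256-Digest: {sha256_b64(path)}")
    os.makedirs(os.path.join(root, "META-INF"), exist_ok=True)
    with open(os.path.join(root, "META-INF", "MANIFEST.MF"), "w", newline="\n") as f:
        f.write("\n\n".join(sections) + "\n")
```

Because the digests live in a loose MANIFEST.MF, anyone who can edit permissions.perm can also edit the matching digest; the check only means something once the manifest is covered by a signature that is verified first.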