Skip to main content

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
Re: [equinox-dev] Using the org.eclipse.osgi.jar.verifier


Hi Tom,

>>  An interface could be developed to add PermissionInfo data into the OSGI-INF/permissions.perm file.  But we need to be careful here because this file specifies the maximum set of permissions a bundle will ever need.  If the developer gets it wrong then there is no way an administrator can override the permissions.perm file to give a bundle more permissions at runtime.  Hopefully tooling can help to identify what permissions a particular bundle needs

Good point.   There is an  Eclipse plug-in which provides this functionality available from the IBM alphaWorks website at url:  http://www.alphaworks.ibm.com/tech/sword4j

It is a collection of Eclipse plug-ins which aid developers in performing security related tasks such has:
  • Determine permission requirements for Eclipse plug-ins, OSGi bundles, and Java applications
  • Determine what portions of Eclipse plug-ins, OSGi bundles, and Java software should be made privileged
  • Improve cycle time in performing security analysis of Eclipse plug-ins, OSGi bundles, and Java applications
  • Enable Java, OSGi, and Eclipse update site administrators to inspect JAR files
  • Provide an Eclipse-based, graphical user interface for JAR signing
  • Manage digital certificates with a KeyStore editor, which supports viewing and editing of keystore entries (such as changing certificate aliases, removing certificates, copying certificates between certificate stores, and importing certificates from the file system).




Thomas Watson/Austin/IBM@IBMUS
Sent by: equinox-dev-bounces@xxxxxxxxxxx

09/23/2005 09:28

Please respond to
Equinox development mailing list <equinox-dev@xxxxxxxxxxx>

To
Equinox development mailing list <equinox-dev@xxxxxxxxxxx>
cc
Subject
Re: [equinox-dev] Using the org.eclipse.osgi.jar.verifier






I was browsing the new content for the equinox-home web site (looks like Jeff has been busy) and came accross a page for Signing Plug-ins at:


http://dev.eclipse.org/viewcvs/indextech.cgi/~checkout~/equinox-home/security/Signing.html


It asks, how PDE should be extended to sign plugins?  I thought PDE already had this capability when you export a plug-in from your workspace.  There is an option to provide a private key to sign the plug-in on export from a workspace.  Is there more work to be done here?  Is this capability not included in PDE build yet?


We should probably separate out requirments for an interface to specify the permissions required by a plug-in in PDE.  This should be orthogonal to signing a bundle.  An interface could be developed to add PermissionInfo data into the OSGI-INF/permissions.perm file.  But we need to be careful here because this file specifies the maximum set of permissions a bundle will ever need.  If the developer gets it wrong then there is no way an administrator can override the permissions.perm file to give a bundle more permissions at runtime.  Hopefully tooling can help to identify what permissions a particular bundle needs.


It seems like we need to develop a separate location to store permission requirements for bundles (maybe in a feature).  And then update could assign the permissions using ConditionalPermissionAdmin when it installs features.


Tom


equinox-dev-bounces@xxxxxxxxxxx wrote on 09/22/2005 09:39:13 PM:

>
> For fun I put this on the Equinox web site at
>         http://dev.eclipse.org/viewcvs/indextech.
> cgi/~checkout~/equinox-home/security/verifier.html
>
> After the transition we should have a Wiki on the site and that will
> make things much easier.
>
> Jeff
> _______________________________________________
equinox-dev mailing list
equinox-dev@xxxxxxxxxxx
https://dev.eclipse.org/mailman/listinfo/equinox-dev


Back to the top