Re: [equinox-dev] Verification of signed jars during bundle installation

Hi Andy,

During 3.4 we had a team working on building an authorization engine into the framework to do the signature validation and content validation at install time (i.e. when calling BundleContext.install()). Unfortunately we ran out of time and found that it was rather limiting to bake policies directly into the framework (your case is a perfect example!!).

As a result the authorization engine became internal/provisional and is not promoted as the way to do install time verification of signed content. Instead, install time verification should be performed by the install agent (p2 in Eclipse). In Equinox, p2 is using the SignedContentFactory service to interrogate the bundle content to determine if a bundle is signed, trusted, or tampered with before installing the bundle into the framework. This allows for more customized policies to be implemented outside of the framework and allows for UIs to do things like ask the user if they would like to allow an untrusted signed bundle to be installed.


Andy Wilkinson <andy.wilkinson@xxxxxxxxxxxxxxxx>
01/06/2009 09:42 AM
[equinox-dev] Verification of signed jars during bundle installation

I've been looking into Equinox's support for dealing with signed jars and have a couple of queries with which I'd be grateful for some pointers.

I've figured out that I can enable SignedBundleHook by starting Equinox with -Dosgi.signedcontent.support=true. With the hook enabled I've then run the debugger through the installation of a bundle. This bundle is packaged in a Jar that's been signed but has since been modified such that the signatures are now wrong. I've observed SignedBundleHook.wrapBundleFile being invoked and a GeneralSecurityException being thrown, caught, and swallowed, when the tampering is discovered. Ideally I'd like the installation to fail at this point as the bundle's signatures are out of sync with its contents.

With this goal in mind I also looked at org.eclipse.osgi.internal.signedcontent.BundleInstallListener and experimented with enabling its policing of signed jars. I figured out that I can enable signed jar policing by starting Equinox with -Dosgi.signedcontent.authorization.engine.policy=signed but this appears to make things too restrictive as it requires every bundle that's installed to be signed, rather than just checking that those that are signed are signed correctly.

Is there any way to configure Equinox for the middle ground that I'm looking for? I'd like unsigned jars to be accepted, and signed jars to be accepted *unless* the signatures are incorrect in which case I'd like the attempt to install the bundle to fail.
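The install-agent side check the reply describes (p2 asking the SignedContentFactory service whether a jar is signed, trusted or tampered with before calling install), written out for the middle-ground policy Andy asks for. This is an added illustration, not p2's or Equinox's own code; it assumes the org.eclipse.osgi.signedcontent API (SignedContentFactory, SignedContent, SignedContentEntry, SignerInfo, InvalidContentException) as shipped with Equinox 3.4, and the class name SignedJarGate and the Verdict enum are mine.

```java
import java.io.File;
import java.io.IOException;
import java.security.GeneralSecurityException;
import org.eclipse.osgi.signedcontent.InvalidContentException;
import org.eclipse.osgi.signedcontent.SignedContent;
import org.eclipse.osgi.signedcontent.SignedContentEntry;
import org.eclipse.osgi.signedcontent.SignedContentFactory;
import org.eclipse.osgi.signedcontent.SignerInfo;
import org.osgi.framework.BundleContext;
import org.osgi.framework.ServiceReference;

/** Install-agent side gate: unsigned passes, signed-and-intact passes, tampered is rejected. */
public final class SignedJarGate {
    public enum Verdict { UNSIGNED, SIGNED_TRUSTED, SIGNED_UNTRUSTED, TAMPERED }

    /** Inspect a jar on disk before handing it to BundleContext.installBundle(). */
    public static Verdict inspect(BundleContext ctx, File jar)
            throws IOException, GeneralSecurityException {
        // Service is only registered when the framework runs with -Dosgi.signedcontent.support=true
        ServiceReference ref = ctx.getServiceReference(SignedContentFactory.class.getName());
        if (ref == null) {
            throw new IllegalStateException("SignedContentFactory service not available");
        }
        SignedContentFactory factory = (SignedContentFactory) ctx.getService(ref);
        try {
            SignedContent content = factory.getSignedContent(jar);
            if (!content.isSigned()) {
                return Verdict.UNSIGNED; // the middle ground: unsigned jars are accepted
            }
            // Check each signed entry's digest against the signed manifest. A modified
            // entry raises InvalidContentException here instead of being swallowed.
            for (SignedContentEntry entry : content.getSignedEntries()) {
                try {
                    entry.verify();
                } catch (InvalidContentException e) {
                    return Verdict.TAMPERED;
                }
            }
            // Content is intact; now classify the signers (trust anchor present or not).
            boolean allTrusted = true;
            for (SignerInfo signer : content.getSignerInfos()) {
                content.checkValidity(signer); // throws if the signer cert is expired/not yet valid
                allTrusted &= signer.isTrusted();
            }
            return allTrusted ? Verdict.SIGNED_TRUSTED : Verdict.SIGNED_UNTRUSTED;
        } finally {
            ctx.ungetService(ref);
        }
    }
}
```

An install agent would call inspect() first and only invoke BundleContext.installBundle() when the verdict is not TAMPERED, optionally prompting the user on SIGNED_UNTRUSTED as the reply describes for p2's UI.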

equinox-dev mailing list
