[equinox-dev] Problem trying to verify signed bundles at installation ti

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]

[equinox-dev] Problem trying to verify signed bundles at installation time

From: "David Conde" <dconde@xxxxxxxx>
Date: Wed, 6 May 2009 12:01:40 +0200
Delivered-to: equinox-dev@xxxxxxxxxxx
List-archive: <https://dev.eclipse.org/mailman/private/equinox-dev>
List-help: <mailto:equinox-dev-request@eclipse.org?subject=help>
List-subscribe: <https://dev.eclipse.org/mailman/listinfo/equinox-dev>, <mailto:equinox-dev-request@eclipse.org?subject=subscribe>
List-unsubscribe: <https://dev.eclipse.org/mailman/listinfo/equinox-dev>, <mailto:equinox-dev-request@eclipse.org?subject=unsubscribe>
Thread-index: AcnOMabO7et32B5aQ6qYmws0JC8SuQ==

Hi,

I have been looking information about how I can sign a bundle and put on Equinox framework. If I am not wrong, it just need to sign a bundle using jarsigner tool and launch Equinox using next options:

java -Djava.security.manager=org.eclipse.osgi.framework.internal.core.FrameworkSecurityManager -Djava.security.policy=policy.policy -Dosgi.framework.keystore=falseCA.keystore -Dosgi.signedcontent.support=authority -Dosgi.signature.support.verify=true -jar org.eclipse.osgi_3.4.3.R34x_v20081215-1030.jar -console

where falseCA.keystore is a java keystore built with Java Keytool where is saved the Certification Authority certificate from another signer different to the actual Certification Authority certifícate with which bundles were signed, I do this just for checking that the signature veryfing process run fine.

If I do that , and I launch Equinox in this way, If I write osgi>ss command in console I just get Equinox bundle system, I guess because It is the only one who was signed. But If I tried install again bundles, I do not get any exception at all, so I can install modified bundles who were signed, unsigned bundles, signed bundles by other Certification Authority different from the Certification Authority which I fix when I launch Equinox, or whatever that I want to install. My questions is: Is the initial verification the only one? I mean, if I launch Equinox how I wrote before, the only change is that all unsigned previous installed bundles are removed? Why isn’t there any signature checking process when I try to install unsigned bundles?

I read that there is no verification process in installing time in email list, because this should be done by an agent like a bundle, but I am not sure what the next command change from the normal options:

Djava.security.policy=policy.policy -Dosgi.framework.keystore=falseCA.keystore -Dosgi.signedcontent.support=authority -Dosgi.signature.support.verify=true

Am I missing anything?

I am supposing that if I launch Equinox with those options then I should not be able to install unsigned bundles or signed bundles who signer I do not trust in.

Thank you in advance

David

Prev by Date: [equinox-dev] p2 "repo2runnable" application docs?
Next by Date: [equinox-dev] ClassLoader leak caused by EventManager's EventThread creation
Previous by thread: [equinox-dev] p2 "repo2runnable" application docs?
Next by thread: [equinox-dev] ClassLoader leak caused by EventManager's EventThread creation
Index(es):
- Date
- Thread

Breadcrumbs