[equinox-dev] Problem trying to verify signed bundles at installation time

Hi,

I have been looking for information about how I can sign a bundle and put it on the Equinox framework. If I am not wrong, I just need to sign a bundle using the jarsigner tool and launch Equinox using the following options:

java -Djava.security.manager=org.eclipse.osgi.framework.internal.core.FrameworkSecurityManager -Djava.security.policy=policy.policy -Dosgi.framework.keystore=falseCA.keystore -Dosgi.signedcontent.support=authority -Dosgi.signature.support.verify=true -jar org.eclipse.osgi_3.4.3.R34x_v20081215-1030.jar -console

where falseCA.keystore is a Java keystore built with Java Keytool, in which is saved the Certification Authority certificate of another signer, different from the actual Certification Authority certificate with which the bundles were signed. I do this just to check that the signature verifying process runs fine.

If I do that, and I launch Equinox in this way, if I write the osgi> ss command in the console I just get the Equinox system bundle, I guess because it is the only one which was signed. But if I try to install bundles again, I do not get any exception at all, so I can install modified bundles which were signed, unsigned bundles, bundles signed by a Certification Authority different from the Certification Authority which I set when I launch Equinox, or whatever I want to install. My question is: Is the initial verification the only one? I mean, if I launch Equinox as I wrote before, is the only change that all previously installed unsigned bundles are removed? Why isn't there any signature checking process when I try to install unsigned bundles?

I read on the email list that there is no verification process at install time, because this should be done by an agent like a bundle, but I am not sure what the following options change compared with the normal options:

-Djava.security.policy=policy.policy -Dosgi.framework.keystore=falseCA.keystore -Dosgi.signedcontent.support=authority -Dosgi.signature.support.verify=true

Am I missing anything?

I am assuming that if I launch Equinox with those options, then I should not be able to install unsigned bundles or signed bundles whose signer I do not trust.

Thank you in advance

David
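
An added example, not part of the original post and not Equinox code: a stand-alone Java check of the kind the message expects at install time, accepting a bundle JAR only if every content entry is intact and its signer chain validates against a CA certificate in the supplied keystore. The class name, method names and command-line arguments are assumptions for illustration.

```java
import java.io.*;
import java.security.*;
import java.security.cert.*;
import java.util.*;
import java.util.jar.*;

public class BundleSignatureCheck {
    /** True only if every content entry is intact and signed under a CA in the keystore. */
    static boolean isTrustedBundle(File jarPath, KeyStore trustStore) throws Exception {
        PKIXParameters pkix = new PKIXParameters(trustStore); // anchors = trusted cert entries
        pkix.setRevocationEnabled(false);                     // offline check, no CRL/OCSP
        byte[] buf = new byte[8192];
        try (JarFile jar = new JarFile(jarPath, true)) {      // true: verify digests on read
            for (JarEntry e : Collections.list(jar.entries())) {
                String n = e.getName().toUpperCase(Locale.ROOT);
                if (e.isDirectory() || n.equals("META-INF/MANIFEST.MF")
                        || n.matches("META-INF/[^/]+\\.(SF|RSA|DSA|EC)")) continue;
                try (InputStream in = jar.getInputStream(e)) {
                    while (in.read(buf) != -1) { /* drain: signers are set only after a full read */ }
                } catch (SecurityException tampered) {
                    return false;                             // digest mismatch: modified entry
                }
                if (!anySignerTrusted(e.getCodeSigners(), pkix)) return false;
            }
        }
        return true;
    }

    static boolean anySignerTrusted(CodeSigner[] signers, PKIXParameters pkix) throws Exception {
        if (signers == null) return false;                    // unsigned entry
        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        for (CodeSigner s : signers) {
            try {
                validator.validate(s.getSignerCertPath(), pkix); // chain must reach an anchor
                return true;
            } catch (CertPathValidatorException untrusted) { /* try the next signer */ }
        }
        return false;
    }

    public static void main(String[] args) throws Exception { // args: bundle.jar keystore password
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(args[1])) { ks.load(in, args[2].toCharArray()); }
        System.out.println(isTrustedBundle(new File(args[0]), ks) ? "ACCEPT" : "REJECT");
    }
}
```

Run against falseCA.keystore, a bundle signed under a different CA prints REJECT, as do unsigned and modified bundles.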