Re: [tycho-user] Block unsigned jar in eclipse RCP

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]

Re: [tycho-user] Block unsigned jar in eclipse RCP

From: "Thomas Watson" <tjwatson@xxxxxxxxxx>
Date: Thu, 22 Oct 2020 11:12:47 +0000
Delivered-to: tycho-user@xxxxxxxxxxx
Importance: Normal
List-archive: <https://www.eclipse.org/mailman/private/tycho-user>
List-help: <mailto:tycho-user-request@eclipse.org?subject=help>
List-subscribe: <https://www.eclipse.org/mailman/listinfo/tycho-user>, <mailto:tycho-user-request@eclipse.org?subject=subscribe>
List-unsubscribe: <https://www.eclipse.org/mailman/options/tycho-user>, <mailto:tycho-user-request@eclipse.org?subject=unsubscribe>
Sensitivity:

See https://help.eclipse.org/2020-09/index.jsp?topic=%2Forg.eclipse.platform.doc.isv%2Freference%2Fmisc%2Fruntime-options.html&cp%3D2_1_5_0

Look for the option "osgi.signedcontent.support".

Enable the following option in the config.ini of your RCP application:

osgi.signedcontent.support=runtime

Note this will have some impact on the performance of class loading. This is not enabled by default because it is assumed the JARs are verified by the agent that is installing the bundles (i.e. p2 does this verification before allowing the bundle to be installed). I only see a reason to enable this if you have a scenario where you are allowing completely unverified content to be installed into your application. Something that should be viewed as extremely dangerous and I would never recommend allowing that.

Tom

----- Original message -----
From: Guillaume Dufour <guillaume.duff@xxxxxxxxx>
Sent by: tycho-user-bounces@xxxxxxxxxxx
To: tycho-user@xxxxxxxxxxx
Cc:
Subject: [EXTERNAL] [tycho-user] Block unsigned jar in eclipse RCP
Date: Thu, Oct 22, 2020 6:01 AM

Hello,

I want to block overwrite of some classes in an Eclipse RCP (OSGI) application. I sign all my jars but when i modify the SHA-256 in the manifest, the application start without problem.

As i see it's normal because OSGI don't check signature by default here : wiki.eclipse.org/JAR_Signing

Is it possible to force signature check on class loading in an Eclipse RCP on all jars or on some specific jars ?

If not, how could I protect on code overwrite in java eclipse RCP world ?

For information all my code is already obfuscated and jars are signed.

I already post this on stackoverflow but without any reply :

https://stackoverflow.com/questions/64459897/block-unsigned-jar-in-eclipse-rcp

Regards,

Guillaume

_______________________________________________
tycho-user mailing list
tycho-user@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/tycho-user

References:
- [tycho-user] Block unsigned jar in eclipse RCP
  - From: Guillaume Dufour

Prev by Date: Re: [tycho-user] Block unsigned jar in eclipse RCP
Next by Date: Re: [tycho-user] Block unsigned jar in eclipse RCP
Previous by thread: Re: [tycho-user] Block unsigned jar in eclipse RCP
Next by thread: Re: [tycho-user] Block unsigned jar in eclipse RCP
Index(es):
- Date
- Thread

Breadcrumbs