Posted to dev@felix.apache.org by "Andie Similon (Created) (JIRA)" <ji...@apache.org> on 2011/10/04 13:44:33 UTC
[jira] [Created] (FELIX-3147) Check whether bundle jar is signed
Check whether bundle jar is signed
----------------------------------
Key: FELIX-3147
URL: https://issues.apache.org/jira/browse/FELIX-3147
Project: Felix
Issue Type: Improvement
Components: Framework
Affects Versions: framework-3.0.9
Reporter: Andie Similon
Priority: Minor
I am not sure, but it seems that when loading a bundle it will not verify the signature of the bundle. I can self-sign a bundle and then change its contents, and the framework will not throw a SecurityException. Is this intended?
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Issue Comment Edited] (FELIX-3147) Check whether bundle jar is signed
Posted by "Andie Similon (Issue Comment Edited) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/FELIX-3147?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13121767#comment-13121767 ]
Andie Similon edited comment on FELIX-3147 at 10/6/11 6:46 AM:
---------------------------------------------------------------
You are right that nothing in the OSGi spec indicates that it should be done. I noticed Knopflerfish still does it at this point in time. The reason I asked this is because it is a requirement of the Home Gateway Initiative and I was wondering if it was left out for a reason.
was (Author: slimmy):
Nothing in the spec indicates that it should be done. I noticed Knopflerfish still does it at this point in time. The reason I asked this is because it is a requirement of the Home Gateway Initiative and I was wondering if it was left out for a reason.
[jira] [Commented] (FELIX-3147) Check whether bundle jar is signed
Posted by "Andie Similon (Commented) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/FELIX-3147?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13122596#comment-13122596 ]
Andie Similon commented on FELIX-3147:
--------------------------------------
I guess you're right :) Thanks for the help!
[jira] [Commented] (FELIX-3147) Check whether bundle jar is signed
Posted by "Karl Pauls (Commented) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/FELIX-3147?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13122379#comment-13122379 ]
Karl Pauls commented on FELIX-3147:
-----------------------------------
I guess for me the main point is that you can use permissions to prevent bundles that are not signed by a trusted certificate from being installed. The "tampered" with use-case seems to be only a subset of that one, so I don't see why it needs to be handled differently. If somebody can change the contents of a bundle, he might as well remove all traces that it had been signed in the first place. So really, if you want to only have bundles installed that are signed by a trusted certificate, you need to resort to the BundleSigner condition anyway, right?
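The distinction discussed in this thread, between detecting a modified signed entry and requiring a trusted signer at all, shown as an added example using only the standard `java.util.jar` API; it is not code from Felix or from anyone in this thread. The class name, method name and the `trustedSigners` set are assumptions made for illustration.

```java
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.cert.Certificate;
import java.util.Enumeration;
import java.util.Set;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

public class BundleSignatureCheck {

    /**
     * Returns true only if every payload entry verifies and carries a signer
     * whose certificate is in trustedSigners (hypothetical, deployer-supplied).
     */
    static boolean isSignedByTrusted(File jar, Set<Certificate> trustedSigners)
            throws IOException {
        // verify=true makes JarFile check digests and signatures while reading.
        try (JarFile jf = new JarFile(jar, true)) {
            byte[] buf = new byte[8192];
            Enumeration<JarEntry> entries = jf.entries();
            while (entries.hasMoreElements()) {
                JarEntry e = entries.nextElement();
                // Simplification: skip directories and META-INF/, where the
                // manifest and the signature files themselves live.
                if (e.isDirectory() || e.getName().startsWith("META-INF/")) continue;
                // Signers are only available once the entry has been read to
                // the end; a modified signed entry fails its digest check here.
                try (InputStream in = jf.getInputStream(e)) {
                    while (in.read(buf) != -1) { /* drain */ }
                } catch (SecurityException tampered) {
                    return false;
                }
                CodeSigner[] signers = e.getCodeSigners();
                // null covers both "never signed" and "signature stripped":
                // the digest check alone cannot tell these apart from a clean jar.
                if (signers == null) return false;
                boolean trusted = false;
                for (CodeSigner s : signers) {
                    Certificate leaf = s.getSignerCertPath().getCertificates().get(0);
                    if (trustedSigners.contains(leaf)) trusted = true;
                }
                if (!trusted) return false;
            }
            return true;
        }
    }
}
```

A jar whose signature files were removed passes the digest check trivially because nothing is left to verify, so the decision has to rest on the `signers == null` and trusted-certificate branches.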
[jira] [Commented] (FELIX-3147) Check whether bundle jar is signed
Posted by "Karl Pauls (Commented) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/FELIX-3147?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13121718#comment-13121718 ]
Karl Pauls commented on FELIX-3147:
-----------------------------------
After thinking about it for a while, I'm not convinced that we should throw a SecurityException in that case. I know that we did use to do that at one point but we have since changed it to not do that anymore. Is this a problem for you and if so, why?
[jira] [Commented] (FELIX-3147) Check whether bundle jar is signed
Posted by "Andie Similon (Commented) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/FELIX-3147?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13121767#comment-13121767 ]
Andie Similon commented on FELIX-3147:
--------------------------------------
Nothing in the spec indicates that it should be done. I noticed Knopflerfish still does it at this point in time. The reason I asked this is because it is a requirement of the Home Gateway Initiative and I was wondering if it was left out for a reason.
[jira] [Commented] (FELIX-3147) Check whether bundle jar is signed
Posted by "Richard S. Hall (Commented) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/FELIX-3147?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13120591#comment-13120591 ]
Richard S. Hall commented on FELIX-3147:
----------------------------------------
Do you have the security provider bundle installed and security enabled?
[jira] [Commented] (FELIX-3147) Check whether bundle jar is signed
Posted by "Andie Similon (Commented) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/FELIX-3147?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13120713#comment-13120713 ]
Andie Similon commented on FELIX-3147:
--------------------------------------
Yes. But as far as I can see, the code that handles the zip files (well, the jar files) doesn't do any verification of the signature.