You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@felix.apache.org by "Guillaume Nodet (JIRA)" <ji...@apache.org> on 2012/07/25 19:07:34 UTC

[jira] [Commented] (FELIX-3610) Support runtime verification for signed bundles

    [ https://issues.apache.org/jira/browse/FELIX-3610?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13422417#comment-13422417 ] 

Guillaume Nodet commented on FELIX-3610:
----------------------------------------

Note that the benefit of signing is that those bundles are actually secured.  In my case, only signed bundles can be accessed at runtime -- this can be checked using Bundle#getSignerCertificates().  So the verification is important to ensure that only signed code can be accessed at runtime.
                
> Support runtime verification for signed bundles
> -----------------------------------------------
>
>                 Key: FELIX-3610
>                 URL: https://issues.apache.org/jira/browse/FELIX-3610
>             Project: Felix
>          Issue Type: Improvement
>          Components: Framework, Framework Security
>            Reporter: Guillaume Nodet
>
> Signed bundles are only checked when installed, but the goal of signed bundles is to make sure no one has changed the jar.    This is not ensured unless bundle entries are verified when loaded.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira