That's my point: it only happens at install time, which means it's not
really secured.  I think it has to be done each time a class or resource is
loaded, else anyone can change the jar file in the cache folder after it
has been installed and no verification is done.
I think that's not really good, as the purpose of the security bits is to
be ... secured, and if people are willing to pay the cost of the security
manager, it has to be 100% secured imho.

On Thu, Mar 22, 2012 at 13:50, Karl Pauls <[email protected]> wrote:

> The verification is done in the security provider (only happens if
> installed).
>
> regards,
>
> Karl
>
> On Thu, Mar 22, 2012 at 1:24 PM, Guillaume Nodet <[email protected]> wrote:
> > I'm trying to understand how Felix verifies the class signatures but I
> > don't see anything around that.
> > It seems to me that in a non-OSGi environment, the classes will be
> > verified by the class loader when loaded from a jar, mainly because
> > java.util.jar.JarFile does the signature verification when loading an
> > entry (i.e. a class) from the jar file.  However, Felix does not use the
> > JarFile class and uses a custom ZipFile instead.
> > So it looks like the whole signed jars mechanism does not really work.
> > Am I right, or am I missing something here?
> >
> > --
> > ------------------------
> > Guillaume Nodet
> > ------------------------
> > Blog: http://gnodet.blogspot.com/
> > ------------------------
> > FuseSource, Integration everywhere
> > http://fusesource.com
>
>
>
> --
> Karl Pauls
> [email protected]
> http://twitter.com/karlpauls
> http://www.linkedin.com/in/karlpauls
> https://profiles.google.com/karlpauls
>



-- 
------------------------
Guillaume Nodet
------------------------
Blog: http://gnodet.blogspot.com/
------------------------
FuseSource, Integration everywhere
http://fusesource.com
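
The read-time check discussed in this thread, as an added example that is not part of the original messages and is not Felix code: it re-verifies a jar on disk with `java.util.jar.JarFile`, which checks each entry's digest only once the entry has been read to the end. The class name `VerifyCachedJar`, the method `unsignedEntries` and the jar path argument are assumptions made for illustration.

```java
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.security.CodeSigner;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

// Added example (hypothetical class): re-check a jar's signatures at read time.
public class VerifyCachedJar {

    // Signature bookkeeping files are never signed themselves.
    static boolean isSignatureFile(String name) {
        return name.toUpperCase().matches(
            "META-INF/(MANIFEST\\.MF|SIG-[^/]*|[^/]+\\.(SF|RSA|DSA|EC))");
    }

    // Returns the entries that carry no signer. A signed entry whose bytes were
    // changed after signing makes the read throw SecurityException instead.
    static List<String> unsignedEntries(File jar) throws IOException {
        List<String> unsigned = new ArrayList<>();
        byte[] buf = new byte[8192];
        try (JarFile jf = new JarFile(jar, true)) {          // true = verify signatures
            Enumeration<JarEntry> entries = jf.entries();
            while (entries.hasMoreElements()) {
                JarEntry e = entries.nextElement();
                if (e.isDirectory() || isSignatureFile(e.getName())) continue;
                try (InputStream in = jf.getInputStream(e)) {
                    while (in.read(buf) != -1) { /* digest is checked at end of stream */ }
                }
                CodeSigner[] signers = e.getCodeSigners();   // valid only after full read
                if (signers == null || signers.length == 0) unsigned.add(e.getName());
            }
        }
        return unsigned;
    }

    public static void main(String[] args) throws IOException {
        try {
            List<String> unsigned = unsignedEntries(new File(args[0]));
            System.out.println(unsigned.isEmpty() ? "all entries signed and intact"
                                                  : "unsigned entries: " + unsigned);
        } catch (SecurityException ex) {
            System.out.println("tampered entry: " + ex.getMessage());
        }
    }
}
```

This only shows that each entry matches a signature present in the jar; whether the signer's certificate is trusted is a separate check against a keystore.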
