[
https://issues.apache.org/jira/browse/FELIX-3610?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13422581#comment-13422581
]
Guillaume Nodet commented on FELIX-3610:
----------------------------------------
Also, if the signatures are checked only when the revision is created, I think
there's still a hole: I could stop and refresh the bundle (signature check when
refreshing). At this point, the bundle is unresolved and I can tamper with it
easily. Then I restart the bundle, and there's a good chance I can change the
contents without being noticed.
> Support runtime verification for signed bundles
> -----------------------------------------------
>
> Key: FELIX-3610
> URL: https://issues.apache.org/jira/browse/FELIX-3610
> Project: Felix
> Issue Type: Improvement
> Components: Framework, Framework Security
> Reporter: Guillaume Nodet
> Assignee: Karl Pauls
>
> Signed bundles are only checked when installed, but the goal of signed
> bundles is to make sure no one has changed the jar. This is not ensured
> unless bundle entries are verified when loaded.
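The gap between an install-time check and a load-time check, as an added example that is not part of the original message and not Felix code. It is a Python model using the JAR manifest's per-entry `SHA-256-Digest` attributes; the function names are hypothetical, the sample jar is constructed in memory, and it assumes the signature over the manifest was already validated at install.

```python
import base64, hashlib, io, zipfile

def build_jar(entries):
    """Constructed sample: a JAR whose manifest lists a SHA-256 digest per entry."""
    lines = ["Manifest-Version: 1.0", ""]
    for name, data in entries.items():
        digest = base64.b64encode(hashlib.sha256(data).digest()).decode()
        lines += [f"Name: {name}", f"SHA-256-Digest: {digest}", ""]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "\r\n".join(lines) + "\r\n")
        for name, data in entries.items():
            jar.writestr(name, data)
    return buf.getvalue()

def trusted_digests(jar_bytes):
    """Install-time step: parse the manifest once and pin its digests in memory.
    Assumption: the signature over the manifest was validated before this call.
    Simplified parser: manifest continuation lines are not handled."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        manifest = jar.read("META-INF/MANIFEST.MF").decode()
    pinned, name = {}, None
    for line in manifest.splitlines():
        if line.startswith("Name: "):
            name = line[len("Name: "):]
        elif line.startswith("SHA-256-Digest: ") and name:
            pinned[name] = base64.b64decode(line[len("SHA-256-Digest: "):])
    return pinned

def load_entry(jar_bytes, name, pinned):
    """Load-time step: re-hash the entry on every read and compare to the pin."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        data = jar.read(name)
    if name not in pinned or hashlib.sha256(data).digest() != pinned[name]:
        raise ValueError(f"entry {name} does not match the digest pinned at install")
    return data

def replace_entry(jar_bytes, name, new_data):
    """Models the jar file changing after install; the manifest is left as-is."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, zipfile.ZipFile(out, "w") as dst:
        for item in src.namelist():
            dst.writestr(item, new_data if item == name else src.read(item))
    return out.getvalue()
```

Because the digests are pinned at install rather than re-read from the jar, a stop, refresh and restart cycle does not reset what the entries are compared against.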