Hi Andy,

During 3.4 we had a team working on building an authorization engine into
the framework to do the signature validation and content validation at
install time (i.e. when calling BundleContext.install()).  Unfortunately we
ran out of time and found that it was rather limiting to bake policies
directly into the framework (your case is a perfect example!!).

As a result the authorization engine became internal/provisional and is not
promoted as the way to do install time verification of signed content.
Instead, install time verification should be performed by the install agent
(p2 in Eclipse).   In Equinox, p2 is using the SignedContentFactory service
to interrogate the bundle content to determine if a bundle is signed,
trusted, or tampered with before installing the bundle into the framework.
This allows for more customized policies to be implemented outside of the
framework and allows for UIs to do things like ask the user if they would
like to allow an untrusted signed bundle to be installed.

Tom
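As an added illustration of the install-agent approach Tom describes (this is example code, not from the thread, Equinox or p2): the agent obtains the SignedContentFactory service, inspects the candidate jar before calling BundleContext.install(), and applies Andy's middle-ground policy of accepting unsigned jars, accepting correctly signed jars, and rejecting tampered ones. The class and method names (SignedContentFactory, SignedContent, SignedContentEntry.verify(), SignerInfo.isTrusted()) are assumed to be those of Equinox's org.eclipse.osgi.signedcontent package; the InstallPolicy class and Verdict enum are hypothetical.

```java
import java.io.File;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.cert.CertificateException;

import org.eclipse.osgi.signedcontent.InvalidContentException;
import org.eclipse.osgi.signedcontent.SignedContent;
import org.eclipse.osgi.signedcontent.SignedContentEntry;
import org.eclipse.osgi.signedcontent.SignedContentFactory;
import org.eclipse.osgi.signedcontent.SignerInfo;
import org.osgi.framework.BundleContext;
import org.osgi.framework.ServiceReference;

/** Hypothetical install-agent policy: unsigned OK, signed OK, tampered rejected. */
public final class InstallPolicy {

    public enum Verdict { UNSIGNED, SIGNED_TRUSTED, SIGNED_UNTRUSTED, TAMPERED }

    private final SignedContentFactory factory;

    public InstallPolicy(BundleContext ctx) {
        // Assumed: Equinox registers SignedContentFactory when
        // -Dosgi.signedcontent.support=true is set.
        ServiceReference ref = ctx.getServiceReference(SignedContentFactory.class.getName());
        if (ref == null) {
            throw new IllegalStateException("SignedContentFactory service not available");
        }
        this.factory = (SignedContentFactory) ctx.getService(ref);
    }

    /** Classify a candidate jar; the agent only calls install() when not TAMPERED. */
    public Verdict check(File jar) throws IOException, GeneralSecurityException {
        SignedContent content = factory.getSignedContent(jar);
        if (!content.isSigned()) {
            return Verdict.UNSIGNED;              // middle ground: unsigned jars are accepted
        }
        // Re-digest every signed entry; a modified entry raises InvalidContentException.
        for (SignedContentEntry entry : content.getSignedEntries()) {
            try {
                entry.verify();
            } catch (InvalidContentException e) {
                return Verdict.TAMPERED;          // signatures out of sync with contents
            }
        }
        // Contents match the signatures; now decide whether the signers are trusted.
        boolean allTrusted = true;
        for (SignerInfo signer : content.getSignerInfos()) {
            try {
                content.checkValidity(signer);    // certificate chain validity (expiry etc.)
            } catch (CertificateException e) {
                return Verdict.SIGNED_UNTRUSTED;
            }
            allTrusted &= signer.isTrusted();     // anchored in the configured trust store
        }
        return allTrusted ? Verdict.SIGNED_TRUSTED : Verdict.SIGNED_UNTRUSTED;
    }
}
```

A UI-driven agent would prompt the user on SIGNED_UNTRUSTED, as Tom suggests, while TAMPERED is refused without asking.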

From: Andy Wilkinson <andy.wilkin...@springsource.com>
To: equinox-dev@eclipse.org
Date: 01/06/2009 09:42 AM
Subject: [equinox-dev] Verification of signed jars during bundle installation

Hi,

I've been looking into Equinox's support for dealing with signed jars and
have a couple of queries with which I'd be grateful for some pointers.

I've figured out that I can enable SignedBundleHook by starting Equinox
with -Dosgi.signedcontent.support=true. With the hook enabled I've then run
the debugger through the installation of a bundle. This bundle is packaged
in a Jar that's been signed but has since been modified such that the
signatures are now wrong. I've observed SignedBundleHook.wrapBundleFile
being invoked and a GeneralSecurityException being thrown, caught, and
swallowed, when the tampering is discovered. Ideally I'd like the
installation to fail at this point as the bundle's signatures are out of
sync with its contents.

With this goal in mind I also looked at
org.eclipse.osgi.internal.signedcontent.BundleInstallListener and
experimented with enabling its policing of signed jars. I figured out that
I can enable signed jar policing by starting Equinox with
-Dosgi.signedcontent.authorization.engine.policy=signed but this appears to
make things too restrictive as it requires every bundle that's installed to
be signed, rather than just checking that those that are signed are signed
correctly.

Is there any way to configure Equinox for the middle ground that I'm
looking for? I'd like unsigned jars to be accepted, and signed jars to be
accepted *unless* the signatures are incorrect in which case I'd like the
attempt to install the bundle to fail.

Thanks,
Andy
_______________________________________________
equinox-dev mailing list
equinox-dev@eclipse.org
https://dev.eclipse.org/mailman/listinfo/equinox-dev
