Hi,
I have been looking information about how I can sign a bundle and put on Equinox framework. If I am not wrong, it just need to sign a bundle using jarsigner tool and launch Equinox using next options: java -Djava.security.manager=org.eclipse.osgi.framework.internal.core.FrameworkSe curityManager -Djava.security.policy=policy.policy -Dosgi.framework.keystore=falseCA.keystore -Dosgi.signedcontent.support=authority -Dosgi.signature.support.verify=true -jar org.eclipse.osgi_3.4.3.R34x_v20081215-1030.jar -console where falseCA.keystore is a java keystore built with Java Keytool where is saved the Certification Authority certificate from another signer different to the actual Certification Authority certifícate with which bundles were signed, I do this just for checking that the signature veryfing process run fine. If I do that , and I launch Equinox in this way, If I write osgi>ss command in console I just get Equinox bundle system, I guess because It is the only one who was signed. But If I tried install again bundles, I do not get any exception at all, so I can install modified bundles who were signed, unsigned bundles, signed bundles by other Certification Authority different from the Certification Authority which I fix when I launch Equinox, or whatever that I want to install. My questions is: Is the initial verification the only one? I mean, if I launch Equinox how I wrote before, the only change is that all unsigned previous installed bundles are removed? Why isnt there any signature checking process when I try to install unsigned bundles? I read that there is no verification process in installing time in email list, because this should be done by an agent like a bundle, but I am not sure what the next command change from the normal options: Djava.security.policy=policy.policy -Dosgi.framework.keystore=falseCA.keystore -Dosgi.signedcontent.support=authority -Dosgi.signature.support.verify=true Am I missing anything? I am supposing that if I launch Equinox with those options then I should not be able to install unsigned bundles or signed bundles who signer I do not trust in. Thank you in advance David
_______________________________________________ equinox-dev mailing list [email protected] https://dev.eclipse.org/mailman/listinfo/equinox-dev
