Thanks Tom! I got it working fine now.

I did the following simple tests for corrupted signed content: signed a jar with my keystore, then added a new .class to its jar file. My test was to install it with both installBundle() (via the shell) and, in another test, via a p2 repository where I published the corrupt jar without errors. Both ways installed the bundle just fine and I can consume its added class from other bundles. Also that bundle starts/activates just fine.
I noticed that adding -Dosgi.signedcontent.support="runtime" as a startup parameter helps, and when I try to consume my new class in the corrupt jar I get:

java.lang.SecurityException: Corrupted file: the digest does not exist for the file test/UnsignedFile.class

If I try to change an already signed class I got a ClassNotFoundException (I tried with the Activator). I assumed these are all expected.

Finally, the questions :-)

1. Just for information, can I prevent installing corrupted jars via installBundle() or p2, and how?

2. Can you clarify the expected behavior (and use cases) of the "osgi.signedcontent.support" property and its values (certificate, runtime, trust, authority, all)? Also, how do TrustEngines, TrustAnchors and KeyStoreTrustEngines fit in the picture? I read the "eclipse runtime options" page but it just suggests how to use the properties, not what they do or the use case they cover.

Thank you,
Borislav

-----Original Message-----
From: equinox-dev-boun...@eclipse.org [mailto:equinox-dev-boun...@eclipse.org] On Behalf Of Thomas Watson
Sent: Friday, December 09, 2011 9:53 PM
To: Equinox development mailing list
Subject: Re: [equinox-dev] keystores and signature recognition

I don't think you should have to provide the option osgi.signedcontent.support="runtime" to enable the BundleSignerCondition to work. My guess is there is something wrong with the condition you set and matching it to the signer you used to sign your bundles. If you are able to, you should try stepping through org.osgi.service.condpermadmin.BundleSignerCondition.getCondition(Bundle, ConditionInfo) to see if your condition is matching the bundles you have signed.

For your scenario I think you want two rows in the condition table:

Allow { [org.osgi.service.condpermadmin.BundleSignerCondition "o=TEST" ] ( java.security.AllPermission "*" "*" ) } "SignedByTest"
Allow { [org.osgi.service.condpermadmin.BundleSignerCondition "o=TEST" !] ....
// set of permissions for all other bundles } "AllOthers"

Make sure you are using org.osgi.service.condpermadmin.ConditionalPermissionUpdate so you can add the two rows as an atomic operation, so that both rows take effect at the same time.

Tom

From: "Kapukaranov, Borislav" <borislav.kapukara...@sap.com>
To: Equinox development mailing list <equinox-dev@eclipse.org>
Date: 12/09/2011 10:00 AM
Subject: [equinox-dev] keystores and signature recognition

Hi,

I've been trying Equinox's Conditional Permission Admin and can't get it to run with signed bundles.
I've seen past threads in this ML but it seems a lot has changed, as most of the properties now have different names or accepted values. Looking at the Eclipse Runtime Options page was helpful but not enough.

I start the framework with the Equinox launcher and pass these security properties:

-Declipse.security="osgi"
-Dosgi.signedcontent.support="runtime"
-Dosgi.framework.keystore=file:/C:/DEV/SEC/myKeystore

Note the keystore is password protected.

I have a bunch of bundles in my p2 managed /plugins folder that are signed. I also have a simple bundle that registers a conditional ALL permission to every bundle that is signed with my keystore. Here is the string I used:

Allow { [org.osgi.service.condpermadmin.BundleSignerCondition "o=TEST" ] ( java.security.AllPermission "*" "*" ) }

The problem is that after my permissions bundle commits the changes everyone loses any permission. That's probably because my bundle populates the conditional policy table so now it doesn't default to <<all permission>>, but obviously my signature isn't recognized so all bundles lose their current permissions.

Can you help me? I must be missing something or doing it wrong...

Thank you,
Borislav

_______________________________________________
equinox-dev mailing list
equinox-dev@eclipse.org
https://dev.eclipse.org/mailman/listinfo/equinox-dev
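The two-row policy table Tom recommends in his reply, committed through a single ConditionalPermissionUpdate, as an added example (not code from the thread or from Equinox). It uses only the standard OSGi Conditional Permission Admin API (ConditionalPermissionAdmin, ConditionalPermissionUpdate, ConditionInfo, PermissionInfo); the signer DN "o=TEST" and the row names "SignedByTest" / "AllOthers" are taken from the thread, the activator class name and the restricted permission set for the second row are assumptions chosen for illustration, and the whole thing assumes the framework was started with -Declipse.security="osgi" so that the service is registered.

```java
// Added example (not from the thread): the two-row policy Tom describes,
// added as one atomic ConditionalPermissionUpdate. Assumes Conditional
// Permission Admin is registered (Equinox started with -Declipse.security=osgi).
import java.util.List;

import org.osgi.framework.BundleActivator;
import org.osgi.framework.BundleContext;
import org.osgi.framework.ServiceReference;
import org.osgi.service.condpermadmin.ConditionInfo;
import org.osgi.service.condpermadmin.ConditionalPermissionAdmin;
import org.osgi.service.condpermadmin.ConditionalPermissionInfo;
import org.osgi.service.condpermadmin.ConditionalPermissionUpdate;
import org.osgi.service.permissionadmin.PermissionInfo;

public class SignerPolicyActivator implements BundleActivator {

    private static final String SIGNER_CONDITION =
        "org.osgi.service.condpermadmin.BundleSignerCondition";

    // Signer DN pattern from the thread's example; adjust to your own certificate.
    private static final String TRUSTED_SIGNER = "o=TEST";

    public void start(BundleContext context) throws Exception {
        ServiceReference<ConditionalPermissionAdmin> ref =
            context.getServiceReference(ConditionalPermissionAdmin.class);
        if (ref == null) {
            throw new IllegalStateException(
                "ConditionalPermissionAdmin not registered; was -Declipse.security=osgi set?");
        }
        ConditionalPermissionAdmin cpa = context.getService(ref);
        try {
            installPolicy(cpa);
        } finally {
            context.ungetService(ref);
        }
    }

    public void stop(BundleContext context) {
        // The policy table is left in place on stop; clearing it would
        // silently return every bundle to AllPermission.
    }

    /**
     * Builds both rows and commits them in a single update, so the table is
     * never observed with only the "signed by TEST" row present (which is the
     * state in which every unsigned bundle loses all permissions).
     */
    static void installPolicy(ConditionalPermissionAdmin cpa) {
        ConditionalPermissionUpdate update = cpa.newConditionalPermissionUpdate();
        List<ConditionalPermissionInfo> rows = update.getConditionalPermissionInfos();

        // Row 1: bundles signed by a certificate whose DN matches "o=TEST"
        // receive AllPermission (the row from the thread).
        rows.add(cpa.newConditionalPermissionInfo(
            "SignedByTest",
            new ConditionInfo[] {
                new ConditionInfo(SIGNER_CONDITION, new String[] { TRUSTED_SIGNER })
            },
            new PermissionInfo[] {
                new PermissionInfo("java.security.AllPermission", "*", "*")
            },
            ConditionalPermissionInfo.ALLOW));

        // Row 2: every other bundle. The "!" second argument negates the signer
        // match. The permission set here is an illustrative minimum (assumption),
        // not a recommendation for any particular deployment.
        rows.add(cpa.newConditionalPermissionInfo(
            "AllOthers",
            new ConditionInfo[] {
                new ConditionInfo(SIGNER_CONDITION, new String[] { TRUSTED_SIGNER, "!" })
            },
            new PermissionInfo[] {
                new PermissionInfo("org.osgi.framework.PackagePermission", "*", "import"),
                new PermissionInfo("org.osgi.framework.ServicePermission", "*", "get")
            },
            ConditionalPermissionInfo.ALLOW));

        // commit() returns false if another update changed the table in the
        // meantime; retry from a fresh update rather than committing a stale view.
        if (!update.commit()) {
            throw new IllegalStateException("Policy table changed concurrently; retry the update");
        }
    }
}
```

Rows are evaluated in order and the first row whose conditions are all satisfied decides, so the "!" row must come after the positive row. If the signer DN in row 1 does not match the certificate actually used to sign the bundles, signed bundles fall through to row 2 and get only the restricted set, which matches the symptom described at the start of the thread and is a useful place to start when stepping through BundleSignerCondition.getCondition.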