[
https://issues.apache.org/jira/browse/WOOKIE-139?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13424796#comment-13424796
]
Paul Sharples edited comment on WOOKIE-139 at 7/30/12 11:23 AM:
----------------------------------------------------------------
Hi, I've uploaded a patch which should help you.
W3CWidgetFactory now has a reference to a IDigitalSignatureProcessor (which was
set in the WidgetsController class). The instantiation of this is
DigitalSignatureProcessor, which has loaded the property settings as private
variables.
This works in a similar fashion to the IStartPageProcessor also found in
W3CWidgetFactory.
Note: wookiekeystore.jks at the root of the /src folder will have to be
replaced with a real one.
Feel free to modify anything.
was (Author: psharples):
Hi, I've uploaded a patch which should help you.
W3CWidgetFactory now has a reference to a IDigitalSignatureProcessor (which was
set in the WidgetsController class). The instantiation of this is
DigitalSignatureProcessor, which has loaded the property settings as private
variables.
This works in a similar fashion to the IStartPageProcessor also found in
W3CWidgetFactory.
Note: wookiekeystore.jks at the root of the /src folder will have to be
replaced with a real one.
> Implement the W3C XML Digital Signatures for Widgets specification in Wookie
> ----------------------------------------------------------------------------
>
> Key: WOOKIE-139
> URL: https://issues.apache.org/jira/browse/WOOKIE-139
> Project: Wookie
> Issue Type: New Feature
> Reporter: Scott Wilson
> Labels: gsoc2012, mentor
> Attachments: Signer_W3C_widget_digisg.patch,
> Wookie_Widget_Signer_Guide, logo.png, wookie-digsig-v1.patch
>
>
> W3C XML Digital Signatures for Widgets specifies how both authors and
> distributors of widgets can digitally sign a Widget package:
> The spec is here: http://dev.w3.org/2006/waf/widgets-digsig/
> This means that an organisation can choose to automatically install and
> update widgets that carry recognised signatures - for example from a
> reputable online widget store (distributor) or from an approved widget author
> rather than require admin intervention to approve them.
> For Wookie this means implementing the mechanism for locating and verifying
> W3C signature.xml files in Widgets, and providing signature management
> options.
> For example, we may want to have a configuration property set for requiring
> signatures be checked, and a file where trusted signatories are listed for
> checking against when a new widget is uploaded, or a new version is detected
> online using Widget Updates.
> We may also want to look at how Wookie can delegate upwards decisions based
> on signature verification, for example to let an Apache Rave admin choose to
> allow automatic publishing of signed widgets from trusted sources provided
> that Wookie has verified the signature and returned this information to Rave.
> This could be handled in the response to uploading a widget to Wookie using
> the REST API, e.g. adding <signature verified="true" type="author"/> to the
> metadata returned in the response body.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
