On 8 Aug 2012, at 21:33, Pushpalanka Jayawardhana wrote: > Hi devs, > > I am trying to verify a widget signed using the Wookie digsig-client which is > as attached. > I have also attached the code used to verify the unzipped .wgt directory once > the path is given. It uses apache-santuario library which is present as a > dependency for Wookie. > > I can correctly verify the widget that I have manually extracted. > But when I try to verify the widget that is deployed in the server, giving > the unzipped path of the widget inside the server, it get failed. > With these observations, I feel there is some changes happening when the > widget is unzipped at the server. > > Can anyone give some inputs to solve this?
I think I figured it out - the widget signature is being verified AFTER the start file is modified by injecting additional JavaScript references. To test it I modified Wookie to use an IStartPageProcessor implementation that doesn't do anything; verification then succeeded. So, the verification step must take place before IStartPageProcessor.processStartFile() is called. -S > > > Thanks and Best Regards, > -- > Pushpalanka Jayawardhana | Undergraduate | Computer Science and Engineering > University of Moratuwa > +94779716248 | http://pushpalankajaya.blogspot.com > Twitter: http://twitter.com/Pushpalanka | Slideshare: > http://www.slideshare.net/Pushpalanka > > > <verification.zip>
