Re: [equinox-dev] Signed bundles

You can enable the signature verification system by setting the system property "osgi.signature.support.verify" to true. Equinox uses the system property, "osgi.framework.keystore" to look in a keystore of type JKS to find additional trusted certificates beyond those in the JRE's cacerts file. You don't need the alias or a password for the alias.

The code that actually does the legwork of verifying the signatures over jar files was a provisional API formerly known as the JarVerifier - we've recently refactored it and established a supported API for signed content. Take a look in security/src in org.eclipse.osgi for the API. Some of these properties will be getting new osgi.signedcontent.* enablers with the new API, and we've also added support for disabling entire bundles based on the signer and a pluggable authentication and authorization mechanism.

Not well documented yet, but I'll take care of that shortly: https://bugs.eclipse.org/bugs/show_bug.cgi?id=217765



Matt Flaherty
Security Project Lead, Lotus Notes & Eclipse Equinox

equinox-dev-bounces@xxxxxxxxxxx wrote on 01/30/2008 08:54:46 AM:

> After succeeding in getting Equinox to run with security on, I'm now  
> experimenting with signed bundles. First I made a new keystore, using  
> the standard java "keytool", like this:
> keytool -genkey -alias myalias -keystore keystore
> I created a bundle using Eclipse's PDE, and used the "Export" function  
> to create a signed bundle, pointing to my freshly created keystore,  
> specifying the alias and password.
> Now my question is, how do I configure equinox to use my keystore? I  
> want to use it in combination with PermissionAdmin and an  
> AdminPermission that filters on the signer (using a condition like  
> "(signer=\*, o=mycompany)"). All I can find is documentation on how to  
> use the jarverifier (equinox-home/security/verifier.html) which states  
> I can use a "osgi.framework.keystore" property to point to my store.  
> What I don't know is:
>   a) do I need this jarverifier at all? I am assuming that just  
> starting equinox with security should be enough;
>   b) is that property also applicable if you're not using the  
> jarverifier?
>   c) how do I specify alias and password for the store?
> Any pointers to information about this would be nice too! :)
> Greetings, Marcel
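An added example (not from the thread) of the keystore setup the reply describes, for a POSIX shell: it reproduces the question's `keytool -genkey` step as a signing keystore, exports the signer's certificate into a separate JKS trust store that holds no private key (so Equinox needs no alias or password for it), and writes the two framework properties into a config.ini. The file names, password, distinguished name and the `file:` URL form of the `osgi.framework.keystore` value are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from Equinox itself.
# Assumes keytool from a JDK is on PATH. The "keystore" from the question
# is reproduced here as signer.jks; trust.jks is the store Equinox reads.
set -e

WORK="${WORK:-$(mktemp -d)}"
STOREPASS="changeit"   # constructed sample password, not a real secret

# 1. Signing key pair, as the question's "keytool -genkey -alias myalias".
make_signer_keystore() {
    keytool -genkeypair -alias myalias -keyalg RSA -keysize 2048 \
        -dname "CN=build, O=mycompany" -validity 365 \
        -keystore "$WORK/signer.jks" -storetype JKS \
        -storepass "$STOREPASS" -keypass "$STOREPASS"
}

# 2. Trust store: only the signer's public certificate, never the private
#    key. This is the JKS file osgi.framework.keystore points at.
make_trust_store() {
    keytool -exportcert -alias myalias -keystore "$WORK/signer.jks" \
        -storepass "$STOREPASS" -rfc -file "$WORK/mycompany.cer"
    keytool -importcert -noprompt -alias mycompany -file "$WORK/mycompany.cer" \
        -keystore "$WORK/trust.jks" -storetype JKS -storepass "$STOREPASS"
}

# 3. The two framework properties from the reply, as config.ini lines
#    (they can equally be passed as -D system properties to java).
write_equinox_config() {
    cat > "$WORK/config.ini" <<EOF
osgi.signature.support.verify=true
osgi.framework.keystore=file:$WORK/trust.jks
EOF
    cat "$WORK/config.ini"
}

# Check: the trust store holds exactly one trusted certificate entry.
trusted_aliases() {
    keytool -list -keystore "$WORK/trust.jks" -storepass "$STOREPASS" \
        | grep -c 'trustedCertEntry'
}

# Stand-alone usage: sh setup.sh build
if [ "${1:-}" = "build" ]; then
    make_signer_keystore
    make_trust_store
    write_equinox_config
    echo "trusted entries: $(trusted_aliases)"
fi
```

The signed bundle itself is still produced from signer.jks (PDE Export with alias and password); the framework only ever sees trust.jks.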