Re: [equinox-dev] Signed bundles

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]

Re: [equinox-dev] Signed bundles

From: Thomas Watson <tjwatson@xxxxxxxxxx>
Date: Wed, 6 Feb 2008 08:43:53 -0600
Delivered-to: equinox-dev@xxxxxxxxxxx
List-archive: <https://dev.eclipse.org/mailman/listinfo/equinox-dev>
List-help: <mailto:equinox-dev-request@eclipse.org?subject=help>
List-subscribe: <https://dev.eclipse.org/mailman/listinfo/equinox-dev>, <mailto:equinox-dev-request@eclipse.org?subject=subscribe>
List-unsubscribe: <https://dev.eclipse.org/mailman/listinfo/equinox-dev>, <mailto:equinox-dev-request@eclipse.org?subject=unsubscribe>

The option to enable signed bundles in 3.3 is osgi.support.signature.verify (notice "support" and "signature" are reversed). In 3.4 we are introducing a more general option called osgi.signedcontent.support which does not have simple true|false options, but we will continue to recognize the old 3.3. option. Matt is documenting the security options in https://bugs.eclipse.org/bugs/show_bug.cgi?id=217765

The internal security manager class is needed to fully support postponed conditions in ConditionalPermissionAdmin. If postponed conditions are not needed then simply enabling the security manager with -Djava.security.policy="" will enable the built-in security manager which will satisfy most needs.

There is an option called eclipse.security. This option is used by the launcher jar to setup a policy to grant the framework and the launcher AllPermissions and specify the security manager to use. Unfortunately this still requires a reference to an internal class if you want to load a security manager to support postponed conditions. I've opened a bug to investigate making this easier. Perhaps eclipse.security manager can have a value that indicates the framework should load its internal security manager. See https://bugs.eclipse.org/bugs/show_bug.cgi?id=218001.

Tom

Jeff McAffer ---02/06/2008 07:47:10 AM---Marcel Offermans wrote:

From:	Jeff McAffer <jeff@xxxxxxxxx>
To:	Equinox development mailing list <equinox-dev@xxxxxxxxxxx>
Date:	02/06/2008 07:47 AM
Subject:	Re: [equinox-dev] Signed bundles

Marcel Offermans wrote: > So, reiterating, if I want to run Equinox with OSGi security enabled > and have it use my own keystore, I have to start it like this > (formatted a bit for clarity, but typed as one big line): > > java > -Djava.security.manager=org.eclipse.osgi.framework.internal.core.FrameworkSecurityManager > -Djava.security.policy=policy > -Dosgi.framework.keystore=keystore > -Dosgi.signature.support.verify=true > -jar org.eclipse.osgi_3.4.0.v20071207.jar > -console > -consoleLog > > Basically, I'm asking how Equinox is being run to be compliant with > OSGi security. Is the above line accurate? Seems complicated and requires people to reference internal classes etc. Could be wrong but I remember it being simipler Jeff _______________________________________________ equinox-dev mailing list equinox-dev@xxxxxxxxxxxhttps://dev.eclipse.org/mailman/listinfo/equinox-dev

Follow-Ups:
- Re: [equinox-dev] Signed bundles
  - From: Marcel Offermans

References:
- [equinox-dev] Signed bundles
  - From: Marcel Offermans
- Re: [equinox-dev] Signed bundles
  - From: Matt Flaherty
- Re: [equinox-dev] Signed bundles
  - From: Marcel Offermans
- Re: [equinox-dev] Signed bundles
  - From: Jeff McAffer

Prev by Date: Re: [equinox-dev] [prov] EclipseCon installers
Next by Date: [equinox-dev] [launcher]
Previous by thread: Re: [equinox-dev] Signed bundles
Next by thread: Re: [equinox-dev] Signed bundles
Index(es):
- Date
- Thread

Breadcrumbs