Re: [equinox-dev] Signed content support in Equinox

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]

Re: [equinox-dev] Signed content support in Equinox

From: Thomas Watson <tjwatson@xxxxxxxxxx>
Date: Tue, 30 Jun 2015 10:12:32 -0600
Delivered-to: equinox-dev@xxxxxxxxxxx
List-archive: <https://dev.eclipse.org/mailman/private/equinox-dev>
List-help: <mailto:equinox-dev-request@eclipse.org?subject=help>
List-subscribe: <https://dev.eclipse.org/mailman/listinfo/equinox-dev>, <mailto:equinox-dev-request@eclipse.org?subject=subscribe>
List-unsubscribe: <https://dev.eclipse.org/mailman/options/equinox-dev>, <mailto:equinox-dev-request@eclipse.org?subject=unsubscribe>

The authorization support in Equinox was provisional and got removed as part of the Luna (Equinox 4.3) release. It seems the documentation did not make it clear that this was provisional and also did not remove the authorization option from the docs.

With that said, you should be able to implement your own support for this by implementing a system bundle fragment that checks for authorization of the bundle signers and then forces the bundles to be unresolved if they are not authorized by using a ResolverHook.

Another option is to open a bug against Equinox and we can look to contributing back support for the authorization engine into Equinox. At the time it was removed was when the framework was being rewritten to no longer use our internal resolve and instead use a standard OSGi Resolver service. Our internal resolver implementation had a straight forward way to disable bundles and provide useful resolution error messages for why it was disabled. The authorization support used this resolver API to disabled unauthorized bundles. The same can be accomplished with the OSGi resolver through the use of resolver hooks, but there is not a good way to provide a nice error message. We would have to look at how to make that work nicely.

Tom

From: Achim Finke <achim.finke@xxxxxxxxxxxxxx>
To: equinox-dev@xxxxxxxxxxx
Date: 06/30/2015 09:05 AM
Subject: [equinox-dev] Signed content support in Equinox
Sent by: equinox-dev-bounces@xxxxxxxxxxx

Hi all,

In Equinox 3.9 (Eclipse 4.3) it was possible to configure the following properties in eclipse.ini to enable Authorization.
osgi.signedcontent.support=all osgi.signedcontent.authorization.engine.policy=trusted osgi.framework.keystore=file:truststore.jks

Setting up the same properties in Equinox 3.10 (Eclipse 4.4) seems to have no effect. I can start the application regardless wether my bundles are signed with the right key or not.

I already asked this question on Stackoverflow but the use case seems not to be that common as I thought so I didn't get an answer. Hope you can help :-).

Thanks,
Achim_______________________________________________ equinox-dev mailing list equinox-dev@xxxxxxxxxxx To change your delivery options, retrieve your password, or unsubscribe from this list, visithttps://dev.eclipse.org/mailman/listinfo/equinox-dev

References:
- [equinox-dev] Signed content support in Equinox
  - From: Achim Finke

Prev by Date: [equinox-dev] Signed content support in Equinox
Next by Date: [equinox-dev] tycho surefire method tests
Previous by thread: [equinox-dev] Signed content support in Equinox
Next by thread: [equinox-dev] tycho surefire method tests
Index(es):
- Date
- Thread

Breadcrumbs