Re: [equinox-dev] Signed bundles

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]

Re: [equinox-dev] Signed bundles

From: "Matt Flaherty" <mwflaher@xxxxxxxxxx>
Date: Mon, 4 Feb 2008 17:30:19 -0500
Delivered-to: equinox-dev@xxxxxxxxxxx
List-archive: <https://dev.eclipse.org/mailman/listinfo/equinox-dev>
List-help: <mailto:equinox-dev-request@eclipse.org?subject=help>
List-subscribe: <https://dev.eclipse.org/mailman/listinfo/equinox-dev>, <mailto:equinox-dev-request@eclipse.org?subject=subscribe>
List-unsubscribe: <https://dev.eclipse.org/mailman/listinfo/equinox-dev>, <mailto:equinox-dev-request@eclipse.org?subject=unsubscribe>

You can enable the signature verification system by setting the system property "osgi.signature.support.verify" to true. Equinox uses the system property, "osgi.framework.keystore" to look in a keystore of type JKS to find additional trusted certificates beyond those in the JRE's cacerts file. You don't need the alias or a password for the alias.

The code that actually does the legwork of verifying the signatures over jarfiles was a provisional API formerly known as the JarVerifier - we've recently refactored it and established a supported API for signed content. Take a look in security/src in org.eclipse.osgi for the API. Some of these properties will be getting new osgi.signedcontent.* enablers with the new API, and we've also added support for disabling entire bundles based on the signer and a pluggable authentiation and authorization mechanism.

Not well documented yet, but I'll take care of that shortly: https://bugs.eclipse.org/bugs/show_bug.cgi?id=217765

HTH,

-matt

---
Matt Flaherty
Security Project Lead, Lotus Notes & Eclipse Equinox
External: http://www.eclipse.org/equinox/incubator/security/
Internal: https://cs.opensource.ibm.com/projects/eclipsesec/

equinox-dev-bounces@xxxxxxxxxxx wrote on 01/30/2008 08:54:46 AM: > After succeeding in getting Equinox to run with security on, I'm now > experimenting with signed bundles. First I made a new keystore, using > the standard java "keytool", like this: > > keytool -genkey -alias myalias -keystore keystore > > I created a bundle using Eclipse's PDE, and used the "Export" function > to create a signed bundle, pointing to my freshly created keystore, > specifying the alias and password. > > Now my question is, how do I configure equinox to use my keystore? I > want to use it in combination with PermissionAdmin and an > AdminPermission that filters on the signer (using a condition like > "(signer=\*, o=mycompany)"). All I can find is documentation on how to > use the jarverifier (http://dev.eclipse.org/viewcvs/indextech.cgi/> equinox-home/security/verifier.html > ) which states I can use a "osgi.framework.keystore" property to point > to my store. What I don't know is: > a) do I need this jarverifier at all? I am assuming that just > starting equinox with security should be enough; > b) is that property also applicable if you're not using the > jarverifier? > c) how do I specify alias and password for the store? > > Any pointers to information about this would be nice too! :) > > Greetings, Marcel > > _______________________________________________ > equinox-dev mailing list > equinox-dev@xxxxxxxxxxx >https://dev.eclipse.org/mailman/listinfo/equinox-dev

Follow-Ups:
- Re: [equinox-dev] Signed bundles
  - From: Marcel Offermans

References:
- [equinox-dev] Signed bundles
  - From: Marcel Offermans

Prev by Date: [equinox-dev] p2 projects tagged for 6pm build
Next by Date: Re: [equinox-dev] [prov] EclipseCon installers
Previous by thread: [equinox-dev] Signed bundles
Next by thread: Re: [equinox-dev] Signed bundles
Index(es):
- Date
- Thread

Breadcrumbs