Re: [equinox-dev] Signing of exploded jars

[Benjamin Reed <breed@xxxxxxxxxxxxxxx>]

Those two files are not a problem at all. The digest of the MANFEST.MF file is 
contained in the signature file and the digest of the PERMISSIONS.PERM is in 
the manifest.

Wether the resources and signatures are in a Jar file or a directory, the 
signature checking algorithm is the same.

ben

On Wednesday 05 October 2005 11:52 am, habeck@xxxxxxxxxx wrote:
> The challenge is ensuring that configuration files such as plugin.xml,  
> META-INF/MANFIEST.MF, and  OSGI-INF/PERMISSIONS.PERM have not been altered
> since installation.   If this file is not part of a JAR, then there is no
> obvious way of ensuring that it has not been tampered with or altered to
> change package export/access rules, and required permission assignments
> etc.  
>
> Certainly, the code of pdebuild.jar can be signed via an ant script using
> the <signjar> tag, but we'll loose some integrity if the rest of the
> plug-in configuration files are not immutable.
>
> As I recall, it is also a 3.1 best practice to leave plug-ins JAR'd rather
> than expanding during installation.
>
> - Ted
>
>
>
>
> Pascal Rapicault <Pascal_Rapicault@xxxxxxxxxx>
> Sent by: equinox-dev-bounces@xxxxxxxxxxx
> 10/05/2005 14:22
> Please respond to
>  Equinox development mailing list <equinox-dev@xxxxxxxxxxx>
>
>
>   To
>   equinox-dev@xxxxxxxxxxx
>   cc
>   Subject
>   [equinox-dev] Signing of exploded jars
>
>
>
>
>
>
>
>  Hello,
>
>  Do you think it is somehow possible to sign plug-ins that are not jar'ed
> (for example org.eclipse.pde.build in eclipse 3.1).
>
>  Thanks,
>
>  PaScaL_______________________________________________
>  equinox-dev mailing list
>  equinox-dev@xxxxxxxxxxx
>  https://dev.eclipse.org/mailman/listinfo/equinox-dev