Hi,
I have been looking for information about how I can sign a
bundle and put it on the Equinox framework. If I am not wrong, I just need to sign the
bundle using the jarsigner tool and launch Equinox using the following options:
java
-Djava.security.manager=org.eclipse.osgi.framework.internal.core.FrameworkSecurityManager
-Djava.security.policy=policy.policy -Dosgi.framework.keystore=falseCA.keystore
-Dosgi.signedcontent.support=authority -Dosgi.signature.support.verify=true
-jar org.eclipse.osgi_3.4.3.R34x_v20081215-1030.jar -console
where falseCA.keystore is a Java keystore built with Java
keytool, in which is saved the Certification Authority certificate of another
signer, different from the actual Certification Authority certificate with which
the bundles were signed. I do this just to check that the signature verifying
process runs fine.
If I do that and launch Equinox in this way, and I write the
osgi> ss command in the console, I only get the Equinox system bundle, I guess because
it is the only one that was signed. But if I try to install the bundles again, I do
not get any exception at all, so I can install modified bundles that were
signed, unsigned bundles, bundles signed by a Certification Authority
different from the Certification Authority that I set when I launch Equinox,
or whatever I want to install. My question is: is the initial
verification the only one? I mean, if I launch Equinox as I wrote before, is the
only change that all previously installed unsigned bundles are removed? Why
isn't there any signature checking process when I try to install unsigned
bundles?
I read on the mailing list that there is no verification process at install
time, because this should be done by an agent such as a bundle, but
I am not sure what the following options change compared to the normal options:
-Djava.security.policy=policy.policy
-Dosgi.framework.keystore=falseCA.keystore
-Dosgi.signedcontent.support=authority -Dosgi.signature.support.verify=true
Am I missing anything?
I am assuming that if I launch Equinox with those options
then I should not be able to install unsigned bundles or signed bundles whose
signer I do not trust.
Thank you in advance
David
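
The post mentions install-time verification being left to an agent rather than to the framework. The following is an added example of such a pre-install check; it is not part of the original post and is not Equinox code. It uses only JDK APIs; the class name BundleSignerCheck and its command-line arguments are assumptions, and the keystore is assumed to hold the CA certificate as a trusted-certificate entry.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.KeyStore;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.PKIXParameters;
import java.util.Collections;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

public class BundleSignerCheck { // hypothetical name, not an Equinox class
    // Usage: java BundleSignerCheck <bundle.jar> <ca-keystore> <storepass>
    public static void main(String[] args) throws Exception {
        KeyStore trusted = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(args[1])) {
            trusted.load(in, args[2].toCharArray());
        }
        boolean ok = isTrusted(args[0], trusted);
        System.out.println(ok ? "TRUSTED" : "REJECTED");
        System.exit(ok ? 0 : 1);
    }

    // True only if every content entry is intact and signed by a chain ending at a CA in the keystore.
    static boolean isTrusted(String jarPath, KeyStore trusted) throws Exception {
        PKIXParameters params = new PKIXParameters(trusted); // trusted-cert entries become anchors
        params.setRevocationEnabled(false);                  // no CRL/OCSP lookups in this example
        CertPathValidator pkix = CertPathValidator.getInstance("PKIX");
        byte[] buf = new byte[8192];
        try (JarFile jar = new JarFile(jarPath, true)) {     // true = verify digests while reading
            for (JarEntry e : Collections.list(jar.entries())) {
                // The manifest and signature files are not themselves signed entries.
                if (e.isDirectory() || e.getName().matches("(?i)META-INF/(MANIFEST\\.MF|[^/]+\\.(SF|RSA|DSA|EC))")) continue;
                try (InputStream in = jar.getInputStream(e)) {
                    while (in.read(buf) != -1) { }           // signers are known only after a full read
                } catch (SecurityException tampered) {
                    return false;                            // content does not match the signed digest
                }
                CodeSigner[] signers = e.getCodeSigners();   // null for an unsigned entry
                if (signers == null) return false;
                boolean anchored = false;
                for (CodeSigner s : signers) {
                    try { pkix.validate(s.getSignerCertPath(), params); anchored = true; break; }
                    catch (CertPathValidatorException untrusted) { /* try the next signer */ }
                }
                if (!anchored) return false;
            }
        }
        return true;
    }
}
```

The check rejects the three cases listed in the post: an unsigned bundle, a signed bundle modified after signing, and a bundle whose signer does not chain to a CA in the supplied keystore.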