Re: [cross-project-issues-dev] (Mirror) security

Thu, 24 Sep 2020 09:07:51 -0700 

Wim,
This is one of the reasons why jars must be signed.  If they are tampered, the signature is broken.   So this is certification of origin.  Also, as you assume, the artifact metadata includes various check sums to verify download integrity: 


    <artifact classifier='osgi.bundle' 
id='org.eclipse.justj.openjdk.hotspot.jre.minimal.stripped.win32.x86_64' 
version='11.0.2.v20200815-0835'>

      <properties size='8'>
        <property name='artifact.size' value='29915455'/>
        <property name='download.size' value='29915455'/>
        <property name='maven-groupId' value='org.eclipse.justj'/>

        <property name='maven-artifactId' 
value='org.eclipse.justj.openjdk.hotspot.jre.minimal.stripped.win32.x86_64'/>

        <property name='maven-version' value='11.0.2-SNAPSHOT'/>

        <property name='download.md5' 
value='9a630304c4bcfb5c13f8f62beb62426e'/>
        <property name='download.checksum.md5' 
value='9a630304c4bcfb5c13f8f62beb62426e'/>
        <property name='download.checksum.sha-256' 
value='8741ab9d23a8152b42647cea844bf67689bf3781ae46fcb670d0e4279d6b4bc6'/>

      </properties>
    </artifact>

Regards,
Ed

On 24.09.2020 17:17, Wim Jongman wrote:

Hi,


This is probably a silly question but I was wondering how we protect 
the content of jar files as they are being pulled from mirrors all 
over the world.



Due to a recent break in the Platform class, I compiled my own version 
of the Platform class where I re-added the removed method. Then I 
replaced it in the plugins/o.e.c.runtime jar using 7-zip.



This solved my issue but it also made me wonder how this was protected 
if some mirror-server user used the same hack to dope our jars.



I assume this is being done by p2 when downloading the jar files by 
comparing some MDA hash?


Please enlighten me.

Cheers,

Wim

_______________________________________________
cross-project-issues-dev mailing list
cross-project-issues-dev@eclipse.org
To unsubscribe from this list, visit 
https://www.eclipse.org/mailman/listinfo/cross-project-issues-dev

_______________________________________________
cross-project-issues-dev mailing list
cross-project-issues-dev@eclipse.org
To unsubscribe from this list, visit 
https://www.eclipse.org/mailman/listinfo/cross-project-issues-dev






















					Reply via email to