[
https://issues.apache.org/jira/browse/FELIX-3147?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13122379#comment-13122379
]
Karl Pauls commented on FELIX-3147:
-----------------------------------
I guess for me the main point is that you can use permissions to prevent
bundles that are not signed by a trusted certificate to be installed. The
"tampered" with use-case seems to be online a subset of that one so I don't see
why it needs to be handled differently. If somebody can change the contents of
a bundle, he might as well remove all traces that it had been signed in the
first place. So really, if you want to only have bundles installed that are
signed by a trusted certificate you need to resort to the BundleSigner
condition anyways right?
> Check whether bundle jar is signed
> ----------------------------------
>
> Key: FELIX-3147
> URL: https://issues.apache.org/jira/browse/FELIX-3147
> Project: Felix
> Issue Type: Improvement
> Components: Framework
> Affects Versions: framework-3.0.9
> Reporter: Andie Similon
> Priority: Minor
>
> I am not sure but it seems to be that when loading a bundle it will not
> verify the signature of the bundle. I can self sign a bundle and then change
> its contents and the framework will not throw a SecurityException. Is this
> intended?
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
