[ https://issues.apache.org/jira/browse/FELIX-3610?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13422508#comment-13422508 ]
Guillaume Nodet commented on FELIX-3610: ---------------------------------------- I initially tried using a JarInputStream instead of a ZipInputStream, which would only partially work, as it won't handle the Bundle-ClassPath correctly wrt to signatures. I guess the only way is to do the same as Equinox, i.e. wrap the InputStream of the content entry and perform the check against the digest stored in the manifest when the end of the stream is reached. > Support runtime verification for signed bundles > ----------------------------------------------- > > Key: FELIX-3610 > URL: https://issues.apache.org/jira/browse/FELIX-3610 > Project: Felix > Issue Type: Improvement > Components: Framework, Framework Security > Reporter: Guillaume Nodet > Assignee: Karl Pauls > > Signed bundles are only checked when installed, but the goal of signed > bundles is to make sure no one has changed the jar. This is not ensured > unless bundle entries are verified when loaded. -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa For more information on JIRA, see: http://www.atlassian.com/software/jira