[ https://issues.apache.org/jira/browse/FELIX-3610?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13422534#comment-13422534 ]

Karl Pauls commented on FELIX-3610:
-----------------------------------

I guess I'm not sure what you are saying. Basically, every time a bundle is
installed or reloaded we verify its signatures on all its entries. Not only
when it is installed the first time.

Doing a check every time an entry is loaded from the jar doesn't make much sense
to me. We verified the entries already - why do it again?

The only reason I can see would be that you don't trust your own cache (i.e.,
somebody could manipulate entries inside the cache while the framework is
running) and in that case, all bets are off anyways. Besides, it'd be terribly
slow too, I imagine.
                
> Support runtime verification for signed bundles
> -----------------------------------------------
>
>                 Key: FELIX-3610
>                 URL: https://issues.apache.org/jira/browse/FELIX-3610
>             Project: Felix
>          Issue Type: Improvement
>          Components: Framework, Framework Security
>            Reporter: Guillaume Nodet
>            Assignee: Karl Pauls
>
> Signed bundles are only checked when installed, but the goal of signed
> bundles is to make sure no one has changed the jar. This is not ensured
> unless bundle entries are verified when loaded.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: 
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

