[ 
https://issues.apache.org/jira/browse/FELIX-3610?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13422559#comment-13422559
 ] 

Guillaume Nodet commented on FELIX-3610:
----------------------------------------

Here's the problem I have.

#1 I install a signed bundle.  Signatures are verified, all good.
#2 Stop Felix
#3 Tamper with the jar (change a class in the jar without changing the 
signatures)
#4 Restart

The restart happens with no exceptions.  It may be a timing issue because the 
activator of the security stuff isn't started yet or something else, but that 
happens.
I thought it was because the check was only done at installation time, which is 
not the case according to what you say (as it should be done when restarting 
too).

Still, there's a problem.

                
> Support runtime verification for signed bundles
> -----------------------------------------------
>
>                 Key: FELIX-3610
>                 URL: https://issues.apache.org/jira/browse/FELIX-3610
>             Project: Felix
>          Issue Type: Improvement
>          Components: Framework, Framework Security
>            Reporter: Guillaume Nodet
>            Assignee: Karl Pauls
>
> Signed bundles are only checked when installed, but the goal of signed 
> bundles is to make sure no one has changed the jar. This is not ensured 
> unless bundle entries are verified when loaded.
