You can enable the signature verification system by setting the system property "osgi.signature.support.verify" to true. Equinox uses the system property "osgi.framework.keystore" to look in a keystore of type JKS to find additional trusted certificates beyond those in the JRE's cacerts file. You don't need the alias or a password for the alias.

The code that actually does the legwork of verifying the signatures over jarfiles was a provisional API formerly known as the JarVerifier - we've recently refactored it and established a supported API for signed content. Take a look in security/src in org.eclipse.osgi for the API. Some of these properties will be getting new osgi.signedcontent.* enablers with the new API, and we've also added support for disabling entire bundles based on the signer and a pluggable authentication and authorization mechanism. Not well documented yet, but I'll take care of that shortly:

https://bugs.eclipse.org/bugs/show_bug.cgi?id=217765

HTH,
-matt

---
Matt Flaherty
Security Project Lead, Lotus Notes & Eclipse Equinox
External: http://www.eclipse.org/equinox/incubator/security/
Internal: https://cs.opensource.ibm.com/projects/eclipsesec/

[EMAIL PROTECTED] wrote on 01/30/2008 08:54:46 AM:

> After succeeding in getting Equinox to run with security on, I'm now
> experimenting with signed bundles. First I made a new keystore, using
> the standard java "keytool", like this:
>
> keytool -genkey -alias myalias -keystore keystore
>
> I created a bundle using Eclipse's PDE, and used the "Export" function
> to create a signed bundle, pointing to my freshly created keystore,
> specifying the alias and password.
>
> Now my question is, how do I configure equinox to use my keystore? I
> want to use it in combination with PermissionAdmin and an
> AdminPermission that filters on the signer (using a condition like
> "(signer=\*, o=mycompany)"). All I can find is documentation on how to
> use the jarverifier (http://dev.eclipse.org/viewcvs/indextech.cgi/
> equinox-home/security/verifier.html
> ) which states I can use a "osgi.framework.keystore" property to point
> to my store. What I don't know is:
> a) do I need this jarverifier at all? I am assuming that just
> starting equinox with security should be enough;
> b) is that property also applicable if you're not using the
> jarverifier?
> c) how do I specify alias and password for the store?
>
> Any pointers to information about this would be nice too! :)
>
> Greetings, Marcel
>
> _______________________________________________
> equinox-dev mailing list
> equinox-dev@eclipse.org
> https://dev.eclipse.org/mailman/listinfo/equinox-dev
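
Added example, not part of the original thread and not Equinox's verifier code: a JDK-only sketch of the kind of check the reply describes, treating a JKS keystore purely as a trust store and testing whether every entry of a signed bundle was signed by a certificate found in it. The class name `SignerTrustCheck` and the two command-line paths are assumptions; the keystore is opened with a null password, which is why no alias or key password is needed to read its certificates.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.util.Enumeration;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

// Added illustration using JDK APIs only; this is not Equinox's implementation.
public class SignerTrustCheck {
    public static void main(String[] args) throws Exception {
        // args[0] = JKS keystore path, args[1] = signed bundle jar (both supplied by the caller)
        KeyStore trust = KeyStore.getInstance("JKS");
        // A null password skips the keystore integrity check; certificates stay
        // readable, and private keys (which need a password) are never touched.
        try (InputStream in = new FileInputStream(args[0])) {
            trust.load(in, null);
        }
        boolean ok = true;
        // verify=true makes the JDK check digests and signatures as entries are read.
        try (JarFile jar = new JarFile(args[1], true)) {
            byte[] buf = new byte[8192];
            for (Enumeration<JarEntry> en = jar.entries(); en.hasMoreElements();) {
                JarEntry e = en.nextElement();
                // Simplification: skip directories and the META-INF signature area.
                if (e.isDirectory() || e.getName().startsWith("META-INF/")) continue;
                // Signer certificates are only available once the entry is fully read;
                // a modified entry raises SecurityException during this loop.
                try (InputStream is = jar.getInputStream(e)) {
                    while (is.read(buf) != -1) { /* drain */ }
                }
                Certificate[] chain = e.getCertificates();
                boolean trusted = false;
                for (int i = 0; chain != null && i < chain.length; i++) {
                    // Non-null alias: this exact certificate is present in the keystore.
                    if (trust.getCertificateAlias(chain[i]) != null) trusted = true;
                }
                if (!trusted) {
                    ok = false;
                    System.out.println("unsigned or untrusted signer: " + e.getName());
                }
            }
        }
        System.out.println(ok ? "all entries signed by a trusted certificate" : "verification failed");
        System.exit(ok ? 0 : 1);
    }
}
```

Run it as `java SignerTrustCheck keystore bundle.jar`; an unsigned entry, or one signed by a certificate absent from the keystore, is listed and the exit code is 1.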