Denis Mekhanikov created IGNITE-11575:
-----------------------------------------

             Summary: Make UriDeploymentSpi ignore archives with untrusted signature
                 Key: IGNITE-11575
                 URL: https://issues.apache.org/jira/browse/IGNITE-11575
             Project: Ignite
          Issue Type: Improvement
            Reporter: Denis Mekhanikov


{{UriDeploymentSpi}} checks whether a loaded JAR/GAR file has a correct signature. But there is no way to specify the expected public key. So, it's possible to perform a "man-in-the-middle" attack by amending an archive being transferred from a remote storage to an Ignite node. It's even possible just to remove the signature, and a completely unsigned file will be processed without errors.

There should be a way to specify an expected public key, that should be used while signing archives.
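One way the requested check could look, as an added example that is not Apache Ignite code and not part of the original issue: it rejects an archive unless every content entry is signed by a signer whose public key equals a pinned one, so both a re-signed and a signature-stripped archive fail. The class name `PinnedJarVerifier`, its method names, and passing the signer certificate as a file are assumptions made for illustration.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.CodeSigner;
import java.security.PublicKey;
import java.security.cert.CertificateFactory;
import java.util.Collections;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;
// Added example: hypothetical helper, not Apache Ignite code.
public final class PinnedJarVerifier {
    // True only if every non-signature entry is signed with the expected key.
    static boolean isSignedBy(String path, PublicKey expected) throws Exception {
        byte[] buf = new byte[8192];
        boolean sawSigned = false;
        try (JarFile jar = new JarFile(path, true)) { // true = verify digests on read
            for (JarEntry e : Collections.list(jar.entries())) {
                if (e.isDirectory() || isSignatureFile(e.getName())) continue;
                try (InputStream in = jar.getInputStream(e)) {
                    while (in.read(buf) != -1) { /* signers are known only after a full read */ }
                }
                CodeSigner[] signers = e.getCodeSigners(); // null for an unsigned entry
                if (signers == null || !anyMatch(signers, expected)) return false;
                sawSigned = true;
            }
        } catch (SecurityException tampered) { // digest or signature mismatch
            return false;
        }
        return sawSigned; // an archive with no signed content is rejected
    }
    static boolean anyMatch(CodeSigner[] signers, PublicKey expected) {
        for (CodeSigner s : signers) { // compare the signer (leaf) certificate's key only
            PublicKey k = s.getSignerCertPath().getCertificates().get(0).getPublicKey();
            if (java.util.Arrays.equals(k.getEncoded(), expected.getEncoded())) return true;
        }
        return false;
    }
    static boolean isSignatureFile(String name) { // files the JAR spec leaves unsigned
        String n = name.toUpperCase(java.util.Locale.ROOT);
        if (!n.startsWith("META-INF/") || n.indexOf('/', 9) >= 0) return false;
        return n.equals("META-INF/MANIFEST.MF") || n.startsWith("META-INF/SIG-")
            || n.endsWith(".SF") || n.endsWith(".RSA") || n.endsWith(".DSA") || n.endsWith(".EC");
    }
    public static void main(String[] args) throws Exception { // args: <archive> <signer-cert>
        try (InputStream in = Files.newInputStream(Paths.get(args[1]))) {
            PublicKey key = CertificateFactory.getInstance("X.509").generateCertificate(in).getPublicKey();
            System.out.println(isSignedBy(args[0], key) ? "TRUSTED" : "REJECTED");
        }
    }
}
```

Pinning the key replaces certificate-chain validation here; the code does not check certificate expiry or revocation.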