[jbosstools-issues] [JBoss JIRA] (JBDS-4330) PGP Signature verification for .json and .js files
Denis Golovin (JIRA)
issues at jboss.org
Thu Jul 27 22:05:00 EDT 2017
[ https://issues.jboss.org/browse/JBDS-4330?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Denis Golovin updated JBDS-4330:
--------------------------------
Summary: PGP Signature verification for .json and .js files (was: GPG Signature verification for .json and .js files)
> PGP Signature verification for .json and .js files
> --------------------------------------------------
>
> Key: JBDS-4330
> URL: https://issues.jboss.org/browse/JBDS-4330
> Project: Red Hat JBoss Developer Studio (devstudio)
> Issue Type: Bug
> Components: platform-installer
> Affects Versions: 11.0.0.AM1
> Reporter: Denis Golovin
> Assignee: Denis Golovin
> Labels: ui
> Fix For: 11.0.0.GA
>
>
> To allow loading remote configuration or even java script modules there should be a way to confirm origin of downloaded file to prevent 'man in the middle attacks'. Files loaded from remote location should bear GPG signature that installer should verify before proceeding with loaded file.
> This should be possible with https://github.com/openpgpjs/openpgpjs using https://openpgpjs.org/openpgpjs/doc/index.html using 'Create and verify detached signatures'.
> The Idea is to sign .json of .js file with GPG and then download it ad separate json/js code from the signature, verify it and then proceed with loading .json or js module form string.
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
More information about the jbosstools-issues
mailing list