[jbosstools-issues] [JBoss JIRA] (JBDS-4330) GPG Signature verification for .json and .js files

Denis Golovin (JIRA) issues at jboss.org
Wed Mar 29 01:49:00 EDT 2017


Denis Golovin created JBDS-4330:
-----------------------------------

             Summary: GPG Signature verification for .json and .js files
                 Key: JBDS-4330
                 URL: https://issues.jboss.org/browse/JBDS-4330
             Project: Red Hat JBoss Developer Studio (devstudio)
          Issue Type: Bug
          Components: platform-installer
    Affects Versions: 11.0.0.AM1
            Reporter: Denis Golovin
            Assignee: Denis Golovin
             Fix For: 11.0.0.AM1


To allow loading remote configuration, or even JavaScript modules, there should be a way to confirm the origin of a downloaded file to prevent man-in-the-middle attacks. Files loaded from a remote location should bear a GPG signature that the installer verifies before proceeding with the loaded file.

This should be possible with https://github.com/openpgpjs/openpgpjs; see https://openpgpjs.org/openpgpjs/doc/index.html, section 'Create and verify detached signatures'.

The idea is to sign the .json or .js file with GPG, then download the json/js content and the signature as separate files, verify the signature, and only then proceed with loading the .json or the .js module from the string.


