The Lesser Known Feature: Signed OSP Bundles

Open Service Platform release 2009.1 introduced cryptographically signed bundles. Bundles can be digitally signed with an X.509 certificate, using an RSA-SHA1 signature.

Digitally signed bundles offer the following features:

  • A signed bundle allows verification of the bundle’s author, through the author’s digital (public key) certificate.
  • A signed bundle guarantees that its contents have not been modified since the bundle was signed.

The two main uses for signed bundles in an OSP-based applications are:

  • allowing only bundles from certain well-known and trusted sources being loaded into the application, and
  • preventing end users from tampering with the contents of bundles.

It must be stated that a signed bundle is not an encrypted bundle. All files stored in a signed bundle are unencrypted (unless they have been encrypted by application-specific means), and thus readable for everyone.

Signed bundles in OSP are in concept very similar to signed JAR files used by Java. Some implementation details are different, though, and the formats are not compatible.

Support for signed bundles in OSP is implemented in the OSPBundleSign library (namespace Poco::OSP::BundleSign). The signbundle tool is used to sign a bundle, or verify the signature of a bundle.

For more information about this feature, please see the documentation.