Details
-
New Feature
-
Status: Resolved
-
Major
-
Resolution: Fixed
-
None
-
Minor
Description
Now that users can add jar files to workunits via the manifest, we really should require that the manifest be "signed" in some way (and the jar files be confirmed to match that signature) if the option to allow embedded code only in signed modules is set.
I suspect that rather than signing the jar files, we should sign the manifest and have the manifest include crcs for the jar files