
Background

I am using Karaf 4.2.0 on RHEL 6 with the latest available Oracle JDK 1.8.x.

For security reasons, I am trying to find the best way to validate the integrity of the bundles served by Karaf. The current approach I am using is to calculate SHA1 hashes of all bundle.jar files found at $KARAF_HOME/data/cache/bundle*/version0.0/ and compare them with the ones I have deployed to another instance of Karaf in a different environment.

The deployment itself is fully automated and works every time. Before the deployment starts, Karaf is first stopped, then the data/cache, data/tmp and data/kar folders are cleaned up, Karaf is started up again and the deployment is performed with the following two steps:

  1. Install fat KAR that covers all third-party bundles my app needs to run, with: kar:install

  2. Install my application bundles through a Karaf feature file hosted on a private Artifactory instance together with referencing bundles, with: feature:repo-add -i

The problem

Each deployment causes the third-party bundles in the data/cache/ folder to have different SHA1 hashes, even though the JARs' content is identical (verified by unpacking them and running a recursive diff). Moreover, the SHA1 does not match the one from Maven Central. It looks like Karaf is repackaging the JARs during the process of serving them from data/cache, thus causing the difference in SHA1 sums.

For my own application bundles, their SHA1 hashes are consistent between application redeployments (and also deployments of the same feature file to different environments) but always differ from the ones on my private Artifactory server.

Is there any way to bypass/fix this problem of inconsistent integrity for bundles served from Karaf's data/cache?

Steven
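One way to compare bundle content independently of how the cache re-packages the archive, added here as an example and not part of the question or of Karaf: digest the sorted entry names and entry bytes inside bundle.jar instead of the raw file, so timestamps, entry order and compression no longer matter while a changed entry is still caught. SHA-256 for the content digest, the `exclude` parameter and the constructed sample JARs are assumptions made for this illustration.

```python
import hashlib
import io
import zipfile

# Added example (not from the question): fingerprint a JAR by the names and bytes of
# its entries rather than the container, so identical entries re-packaged with other
# timestamps, order or compression still match while any changed entry does not.
def content_digest(jar_bytes, exclude=frozenset()):
    h = hashlib.sha256()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        # Skip directories and caller-excluded entries; sort so zip order does not matter.
        names = sorted(n for n in zf.namelist()
                       if not n.endswith("/") and n not in exclude)
        for name in names:
            h.update(name.encode("utf-8") + b"\0")
            h.update(hashlib.sha256(zf.read(name)).digest())
    return h.hexdigest()

def raw_digest(jar_bytes):
    # What the question compares today: SHA1 of the whole bundle.jar file.
    return hashlib.sha1(jar_bytes).hexdigest()

def digest_file(path, exclude=frozenset()):
    # For real use, point this at $KARAF_HOME/data/cache/bundle*/version0.0/bundle.jar.
    with open(path, "rb") as f:
        return content_digest(f.read(), exclude)

def build_jar(entries, order, date_time, compression):
    # Constructed sample JAR: same entries, different packaging metadata.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in order:
            info = zipfile.ZipInfo(name, date_time=date_time)
            info.compress_type = compression
            zf.writestr(info, entries[name])
    return buf.getvalue()

ENTRIES = {  # constructed content standing in for a real bundle
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\nBundle-SymbolicName: demo\n",
    "com/example/Demo.class": b"\xca\xfe\xba\xbe\x00\x00\x00\x34demo",
}
TAMPERED = {**ENTRIES, "com/example/Demo.class": b"\xca\xfe\xba\xbe\x00\x00\x00\x34DEMO"}
ORDER = ["META-INF/MANIFEST.MF", "com/example/Demo.class"]
ORIGINAL = build_jar(ENTRIES, ORDER, (2018, 5, 1, 9, 0, 0), zipfile.ZIP_DEFLATED)
REPACKED = build_jar(ENTRIES, ORDER[::-1], (2019, 6, 2, 12, 30, 0), zipfile.ZIP_STORED)
MODIFIED = build_jar(TAMPERED, ORDER, (2018, 5, 1, 9, 0, 0), zipfile.ZIP_DEFLATED)
if __name__ == "__main__":
    print("raw SHA1 equal:  ", raw_digest(ORIGINAL) == raw_digest(REPACKED))            # False
    print("content equal:   ", content_digest(ORIGINAL) == content_digest(REPACKED))    # True
    print("tamper detected: ", content_digest(ORIGINAL) != content_digest(MODIFIED))    # True
```

Record the content digest at build time (from the artifact in Artifactory or Maven Central) and compare it against `digest_file()` run over each cached bundle.jar; a mismatch then points at changed entry content rather than at re-packaging.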

0 Answers