I made some changes to eclipse.ini and got verification working. I haven't figured out which exact setting helped, so (for now) I use these:
...
-vmargs
-Dorg.osgi.framework.security=osgi
-Djava.security.policy=/test.policy
-Dosgi.signedcontent.support=all
-Dosgi.support.signature.verify=true
-Declipse.p2.unsignedPolicy=fail
-Dosgi.signedcontent.trust.engine=BundleTrustEngine
test.policy is allow all jaas policy:
grant {
permission java.security.AllPermission;
};