Skip to main content


Eclipse Community Forums

      Home
Home » Eclipse Projects » Oomph » Installing 2022-12 products warns about unsigned content
Installing 2022-12 products warns about unsigned content [message #1856627] Mon, 19 December 2022 05:27 Go to next message
Eclipse UserFriend
Hello,

I tried installing 2022-12 versions of Eclipse Modeling Tools and Eclipse IDE for Eclipse Committers and they both yielded warnings about unsigned content.

index.php/fa/42794/0/

Is there a known problem with the release or is it an issue in my setup?

I'm on macOS Ventura 13.1 (Intel) and I used the latest Eclipse Installer from eclipse.org.

Thanks,
Re: Installing 2022-12 products warns about unsigned content [message #1856635 is a reply to message #1856627] Tue, 20 December 2022 06:41 Go to previous messageGo to next message
Eclipse UserFriend
You can look in this report for these IUs. I believe they are all PGP signed:

https://download.eclipse.org/releases/2022-12/202212071000/buildInfo/archive/download.eclipse.org/releases/2022-12/202212071000/

I wouldn't expect the installer to behave differently on MacOs.
Re: Installing 2022-12 products warns about unsigned content [message #1856636 is a reply to message #1856635] Tue, 20 December 2022 08:11 Go to previous messageGo to next message
Eclipse UserFriend
What about this list of unsigned JARs in 2022-12?

https://download.eclipse.org/releases/2022-12/202212071000/buildInfo/reporeports/reports/unsigned8.txt

With a few trials with the installer I was able to determine that the problem doesn't happen with 2022-03 (I didn't try older) and starts to happen with 2022-06+

This matches observations of the unsigned8.txt file. In 2022-03 the file is empty, and in 2022-06 the list of JARs matches (more or less - it depends on the product selected for installation) what is reported by the installer.

https://download.eclipse.org/releases/2022-06/202206151000/buildInfo/reporeports/reports/unsigned8.txt

The following reports have a count of invalid or missing signatures. 0 for 2022-03, then it grows to 40, 116 then 135:

https://download.eclipse.org/releases/2022-03/202203161000/buildInfo/reporeports/reports/verified8.txt
https://download.eclipse.org/releases/2022-06/202206151000/buildInfo/reporeports/reports/verified8.txt
https://download.eclipse.org/releases/2022-09/202209141001/buildInfo/reporeports/reports/verified8.txt
https://download.eclipse.org/releases/2022-12/202212071000/buildInfo/reporeports/reports/verified8.txt

I'm not an expert in software signing, but AFAIU from this link, GPG signing is different than JAR signing, and while GPG signing is there according to the report you linked, it seems that JAR signing is not there.

https://wiki.eclipse.org/IT_Infrastructure_Doc#What_about_GPG_signing.3F

Also I'm seeing 2 acronyms, GPG and PGP. Do they mean the same roughly?
Re: Installing 2022-12 products warns about unsigned content [message #1856637 is a reply to message #1856636] Tue, 20 December 2022 09:39 Go to previous messageGo to next message
Eclipse UserFriend
GPG is a tool that uses PGP:

https://gnupg.org/

Another problem that cropped up is that many things that were considered signed are not longer considered signed by the latest Java 11 and Java 17 release. Hence the long list of things in this report:

https://download.eclipse.org/releases/2022-12/202212071000/buildInfo/reporeports/reports/unsigned8.txt

But the reporting tool has been updated to look for PGP signatures so it no longer reports that problem if there is a jar-signature (internal to the jar) or a PGP signature (external to the jar, recorded in the artifacts.xml); it looks like this now:

https://download.eclipse.org/staging/2023-03/buildInfo/reporeports/reports/unsigned8.txt

All the things in the unsigned8.txt list are PGP signed, e.g., this is the first one in that list:

https://download.eclipse.org/staging/2023-03/buildInfo/archive/download.eclipse.org/staging/2023-03/index/bcpg_1.72.0.html

So there are many things that are only PGP signed, many things that are only jar-signed, and quite a few things (83) that are jar signed (although not recognized as such by a recent Java runtime) as well as PGP signed...

[Updated on: Tue, 20 December 2022 09:42] by Moderator

Re: Installing 2022-12 products warns about unsigned content [message #1856638 is a reply to message #1856637] Tue, 20 December 2022 09:52 Go to previous messageGo to next message
Eclipse UserFriend
Thanks for the explanation Ed.

So now the issue is that the macOS installer is not happy with just the PGP signature?

What is the course of action then?
Re: Installing 2022-12 products warns about unsigned content [message #1856640 is a reply to message #1856638] Tue, 20 December 2022 11:14 Go to previous messageGo to next message
Eclipse UserFriend
I'm not sure how to interpret that. PGP signatures are not new and have been present in previous releases, without any complaints from Mac users. My guess is that these things are already in your bundle pool from the past and are present in the pool without their PGP signatures.

If you run the installer with "-vmargs -Duser.home=<fake-user-home-location> -Doomph.setup.user.home.redirect=true" you can run the installer like a user who has never used the installer before. The <fake-user-home-location> folder will be treated like your home folder so you can test if the problem can be replicated in that way.
Re: Installing 2022-12 products warns about unsigned content [message #1856641 is a reply to message #1856640] Tue, 20 December 2022 11:25 Go to previous messageGo to next message
Eclipse UserFriend
Ok I'll give that a try.

But meanwhile I can already say that I manually downloaded the following two JARs from 2022-03 and 2022-06

https://download.eclipse.org/releases/2022-03/202203161000/plugins/org.eclipse.jetty.http_10.0.6.jar
https://download.eclipse.org/releases/2022-06/202206151000/plugins/org.eclipse.jetty.http_10.0.9.jar

And I ran jarsigner on each and got this:

❯ jarsigner -verify org.eclipse.jetty.http_10.0.6.jar

jar verified.

Warning:
This jar contains entries whose TSA certificate chain is invalid. Reason: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Re-run with the -verbose and -certs options for more details.
❯ jarsigner -verify org.eclipse.jetty.http_10.0.9.jar

jar is unsigned.


So I don't think the issue is with stale JARs in my bundle pool. The signature status of different versions of the same bundle has changed in the official P2 repository.

I used jarsigner from the following Java version:

❯ java -version
openjdk version "11.0.11" 2021-04-20
OpenJDK Runtime Environment AdoptOpenJDK-11.0.11+9 (build 11.0.11+9)
OpenJDK 64-Bit Server VM AdoptOpenJDK-11.0.11+9 (build 11.0.11+9, mixed mode)
Re: Installing 2022-12 products warns about unsigned content [message #1856642 is a reply to message #1856641] Tue, 20 December 2022 11:37 Go to previous messageGo to next message
Eclipse UserFriend
Ok the experiment helped. When operating with a fresh home dir, the installer does not complain about unsigned software.

I'm now trying with the regular home dir but a different bundle pool to see if that's the culprit.

I'll then try to compare matching preference files to see if there's an obvious culprit.
Re: Installing 2022-12 products warns about unsigned content [message #1856644 is a reply to message #1856642] Tue, 20 December 2022 12:35 Go to previous messageGo to next message
Eclipse UserFriend
I can't find anything responsible for the different behavior...

I tried changing to a fresh bundle pool, and a fresh agent, nothing worked. I found a slight difference of the GPG version in the provided trust certificates but updating that didn't do anything.

I'll try the cleanup actions of the bundle pool and then if nothing works, I'll chug my ~/.p2 and ~/.eclipse directories.
Re: Installing 2022-12 products warns about unsigned content [message #1856701 is a reply to message #1856644] Fri, 23 December 2022 07:59 Go to previous messageGo to next message
Eclipse UserFriend
Hello Ed,

Thanks for the help with my setup. I now have a few general questions for which I couldn't find answers in the documentation, apologies if I missed something!

My organization would like to start signing JARs distributed internally to developers. Ideally I would like for developers to not have to explicitly trust certificates or keys to avoid mistakes and avoid perpetuating a habit of trusting unsigned/untraceable software.

First, given the two kinds of signing, JAR signing and PGP signing, is there a recommendation on which one should be used? Both?

I tried JAR signing with a self-signed certificate and of course Eclipse Installer asked to explicitly trust the certificate. Do I understand correctly that if a CA-issued certificate is used, the installer would be able to verify the validity without asking the user for explicit trust?

And I tried PGP signing with a self-generated key that is not submitted to a key server and as expected the installer also asks if the key is to be trusted. It suggests to check the key fingerprint outside the installer before trusting. So I assume the installer doesn't have a way of checking the validity/origin of the key?

What would it take to make a PGP key trusted by default? In the Eclipse Installer Trust preference page, I'm seeing a pre-defined list of trusted PGP keys. Would we have to add the organization's PGP key to that list? How would we do that - would we have to package our own version of Eclipse Installer with the organization's PGP key included as trusted?

Thanks,
Re: Installing 2022-12 products warns about unsigned content [message #1856706 is a reply to message #1856701] Fri, 23 December 2022 10:09 Go to previous messageGo to next message
Eclipse UserFriend
Where are the jars you want to sign coming from?

Keep in mind that if you jar-sign an artifact, you change it, so it will have a different checksum in the artifact metadata. But the artifact ID remains the same, so it's easy to mix up the original artifact and the resigned artifact because p2 considers them the same (considering only the ID as the identity). So resigning jars from Eclipse is resiging jars in general is not a great idea. The PGP signature is external and you can have one or more PGP signatures associated with each artifact in the artifact.xml metadata. And even jar-signed artifacts can also be PGP signed...

Yes, p2 in general (as used by the installer too) won't ask for trust if the certificate is rooted on a certificate in Java's cacerts. Another point to note is that the product catalog used by the installer also includes a set of pre-trusted PGP keys:

https://git.eclipse.org/c/oomph/org.eclipse.oomph.git/tree/setups/keys/trusted-keys.asc

That resource is referenced from this resource:

https://git.eclipse.org/c/oomph/org.eclipse.oomph.git/tree/setups/org.eclipse.setup

These are generated from the SimRel repository and are the PGP signing keys of the projects contributing PGP-signed artifacts to the release train repository.

The installer/p2 does have support for using a key server but this is not enabled by default but you can use -Dp2.keyservers=keyserver.ubuntu.com to enable it. That doesn't help establish trust though, it just helps provide more information about the chain of trust of the key, i.e., who all signed the key as being recognized. Anyone can create a key and upload it and get anyone else to sign it too.

In principle, if you provide your own index you can choose which keys you want trusted. There is also analogous support for pre-trusting certificates (e.g., self-signed ones), but that's not currently used...
Re: Installing 2022-12 products warns about unsigned content [message #1856708 is a reply to message #1856706] Fri, 23 December 2022 10:42 Go to previous messageGo to next message
Eclipse UserFriend
I intend to sign JARs that are produced by my organization. I don't intend to resign JARs from Eclipse. So I don't think that will be an issue.

It seems that if I use jarsigner with a CA-issued certificate, the installer would be able to to trust it seamlessly without having to provide our own product catalog. That sounds like the easiest path, if my organization can provide such a certificate.

Doing the same with PGP would require deploying our own index referencing a set of pre-trusted keys. I would rather avoid maintaining a catalog if possible for now.

Thanks for the help!
Re: Installing 2022-12 products warns about unsigned content [message #1856712 is a reply to message #1856708] Fri, 23 December 2022 12:44 Go to previous message
Eclipse UserFriend
I agree that jar-signing your own artifacts with your own rooted certificate is ideal. That's generally how Eclipse is doing it. It's only the redistributed Maven artifacts (and the jar-signed artifacts that are suddenly no longer considered to be securely signed by recent Java 11/17 releases) that are being PGP signed. In general, no wants to see trust prompts nor to make such trust decisions with so little basis for making an informed decision...
Previous Topic:How to use empty redirectable catalogs for projects
Next Topic:String Substitution Task
Goto Forum:
  


Current Time: Fri Jun 20 14:03:33 EDT 2025

Powered by FUDForum. Page generated in 0.30931 seconds
.:: Contact :: Home ::.

Powered by: FUDforum 3.0.2.
Copyright ©2001-2010 FUDforum Bulletin Board Software

Back to the top

Sign up to our Newsletter

A fresh new issue delivered monthly