Re: Installing 2022-12 products warns about unsigned content [message #1856636 is a reply to message #1856635]
Tue, 20 December 2022 13:11
Elie Richa Messages: 72 Registered: February 2016
Member
What about this list of unsigned JARs in 2022-12?
https://download.eclipse.org/releases/2022-12/202212071000/buildInfo/reporeports/reports/unsigned8.txt
With a few trials with the installer I was able to determine that the problem doesn't happen with 2022-03 (I didn't try older) and starts to happen with 2022-06+.
This matches observations of the unsigned8.txt file. In 2022-03 the file is empty, and in 2022-06 the list of JARs matches (more or less - it depends on the product selected for installation) what is reported by the installer.
https://download.eclipse.org/releases/2022-06/202206151000/buildInfo/reporeports/reports/unsigned8.txt
The following reports have a count of invalid or missing signatures. 0 for 2022-03, then it grows to 40, 116 then 135:
https://download.eclipse.org/releases/2022-03/202203161000/buildInfo/reporeports/reports/verified8.txt
https://download.eclipse.org/releases/2022-06/202206151000/buildInfo/reporeports/reports/verified8.txt
https://download.eclipse.org/releases/2022-09/202209141001/buildInfo/reporeports/reports/verified8.txt
https://download.eclipse.org/releases/2022-12/202212071000/buildInfo/reporeports/reports/verified8.txt
I'm not an expert in software signing, but AFAIU from this link, GPG signing is different from JAR signing, and while GPG signing is there according to the report you linked, it seems that JAR signing is not there.
https://wiki.eclipse.org/IT_Infrastructure_Doc#What_about_GPG_signing.3F
Also I'm seeing 2 acronyms, GPG and PGP. Do they mean the same roughly?
Elie Richa, Ph.D
Software Engineer, AdaCore
https://www.adacore.com
Re: Installing 2022-12 products warns about unsigned content [message #1856701 is a reply to message #1856644]
Fri, 23 December 2022 12:59
Elie Richa Messages: 72 Registered: February 2016
Member
Hello Ed,
Thanks for the help with my setup. I now have a few general questions for which I couldn't find answers in the documentation, apologies if I missed something!
My organization would like to start signing JARs distributed internally to developers. Ideally I would like for developers to not have to explicitly trust certificates or keys to avoid mistakes and avoid perpetuating a habit of trusting unsigned/untraceable software.
First, given the two kinds of signing, JAR signing and PGP signing, is there a recommendation on which one should be used? Both?
I tried JAR signing with a self-signed certificate and of course Eclipse Installer asked to explicitly trust the certificate. Do I understand correctly that if a CA-issued certificate is used, the installer would be able to verify the validity without asking the user for explicit trust?
And I tried PGP signing with a self-generated key that is not submitted to a key server and as expected the installer also asks if the key is to be trusted. It suggests to check the key fingerprint outside the installer before trusting. So I assume the installer doesn't have a way of checking the validity/origin of the key?
What would it take to make a PGP key trusted by default? In the Eclipse Installer Trust preference page, I'm seeing a pre-defined list of trusted PGP keys. Would we have to add the organization's PGP key to that list? How would we do that - would we have to package our own version of Eclipse Installer with the organization's PGP key included as trusted?
Thanks,
Elie Richa, Ph.D
Software Engineer, AdaCore
https://www.adacore.com
Re: Installing 2022-12 products warns about unsigned content [message #1856706 is a reply to message #1856701]
Fri, 23 December 2022 15:09
Ed Merks Messages: 33140 Registered: July 2009
Senior Member
Where are the jars you want to sign coming from?
Keep in mind that if you jar-sign an artifact, you change it, so it will have a different checksum in the artifact metadata. But the artifact ID remains the same, so it's easy to mix up the original artifact and the resigned artifact because p2 considers them the same (considering only the ID as the identity). So resigning jars from Eclipse, or resigning jars in general, is not a great idea. The PGP signature is external and you can have one or more PGP signatures associated with each artifact in the artifact.xml metadata. And even jar-signed artifacts can also be PGP signed...
Yes, p2 in general (as used by the installer too) won't ask for trust if the certificate is rooted on a certificate in Java's cacerts. Another point to note is that the product catalog used by the installer also includes a set of pre-trusted PGP keys:
https://git.eclipse.org/c/oomph/org.eclipse.oomph.git/tree/setups/keys/trusted-keys.asc
That resource is referenced from this resource:
https://git.eclipse.org/c/oomph/org.eclipse.oomph.git/tree/setups/org.eclipse.setup
These are generated from the SimRel repository and are the PGP signing keys of the projects contributing PGP-signed artifacts to the release train repository.
The installer/p2 does have support for using a key server, but this is not enabled by default; you can use -Dp2.keyservers=keyserver.ubuntu.com to enable it. That doesn't help establish trust though, it just helps provide more information about the chain of trust of the key, i.e., who all signed the key as being recognized. Anyone can create a key and upload it and get anyone else to sign it too.
In principle, if you provide your own index you can choose which keys you want trusted. There is also analogous support for pre-trusting certificates (e.g., self-signed ones), but that's not currently used...
Ed Merks
Professional Support: https://www.macromodeling.com/
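The identity issue Ed describes (jar-signing changes the bytes and therefore the checksum, while p2 still identifies the artifact by classifier/id/version; a PGP signature is external and leaves the bytes alone), as an added Python example that is not code from the thread or from p2: the JAR contents, signature files and artifacts.xml fragments are constructed, and the property names download.checksum.sha-256 and pgp.signatures are assumed to match p2's artifact metadata.

```python
import hashlib, io, zipfile
import xml.etree.ElementTree as ET

def build_jar(entries):
    """Constructed in-memory JAR from {name: bytes}; ZipInfo's fixed timestamp keeps it reproducible."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in sorted(entries.items()):
            zf.writestr(zipfile.ZipInfo(name), data)
    return buf.getvalue()

def sha256(data):
    return hashlib.sha256(data).hexdigest()

CONTENT = {"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\nBundle-SymbolicName: org.example.bundle\n",
           "org/example/Foo.class": b"\xca\xfe\xba\xbe constructed stand-in for class bytes"}
UPSTREAM_JAR = build_jar(CONTENT)
# Jar signing rewrites the archive: per-entry digests land in the manifest and META-INF/*.SF and
# *.RSA entries are added. The signature files here are constructed placeholders, not real PKCS#7 data.
RESIGNED_JAR = build_jar({**CONTENT,
    "META-INF/MANIFEST.MF": CONTENT["META-INF/MANIFEST.MF"] + b"\nName: org/example/Foo.class\nSHA-256-Digest: constructed\n",
    "META-INF/INTERNAL.SF": b"Signature-Version: 1.0\n",
    "META-INF/INTERNAL.RSA": b"constructed placeholder signature block"})

def artifacts_xml(jar_bytes, pgp_sig=None):
    """Constructed artifacts.xml fragment for one bundle, shaped like p2's metadata (property names assumed)."""
    props = [f"<property name='download.checksum.sha-256' value='{sha256(jar_bytes)}'/>"]
    if pgp_sig:  # a PGP signature sits beside the artifact in the metadata, so the JAR bytes stay untouched
        props.append(f"<property name='pgp.signatures' value='{pgp_sig}'/>")
    return ("<repository><artifacts><artifact classifier='osgi.bundle' id='org.example.bundle' version='1.0.0'>"
            "<properties>" + "".join(props) + "</properties></artifact></artifacts></repository>")

def index(xml_text):
    """Map p2 identity (classifier, id, version) -> (sha-256 checksum, carries pgp.signatures?)."""
    out = {}
    for a in ET.fromstring(xml_text).iter("artifact"):
        props = {p.get("name"): p.get("value") for p in a.iter("property")}
        out[(a.get("classifier"), a.get("id"), a.get("version"))] = (
            props.get("download.checksum.sha-256"), "pgp.signatures" in props)
    return out

def compare(upstream_xml, internal_xml):
    """Per identity present in both repos: 'identity-collision' when the checksums differ (p2 keys on
    classifier/id/version only, so it would treat the two byte streams as one artifact), else 'same-bytes'."""
    up, inn = index(upstream_xml), index(internal_xml)
    return {k[1]: "identity-collision" if up[k][0] != inn[k][0] else "same-bytes" for k in up.keys() & inn.keys()}

UPSTREAM = artifacts_xml(UPSTREAM_JAR)
RESIGNED = artifacts_xml(RESIGNED_JAR)                # jar-signed copy: same id/version, different bytes
PGP_SIGNED = artifacts_xml(UPSTREAM_JAR, pgp_sig="constructed-armored-signature-placeholder")
```

Running compare(UPSTREAM, RESIGNED) reports the collision, while compare(UPSTREAM, PGP_SIGNED) reports identical bytes because the PGP signature lives only in the metadata.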
Re: Installing 2022-12 products warns about unsigned content [message #1856712 is a reply to message #1856708]
Fri, 23 December 2022 17:44
Ed Merks Messages: 33140 Registered: July 2009
Senior Member
I agree that jar-signing your own artifacts with your own rooted certificate is ideal. That's generally how Eclipse is doing it. It's only the redistributed Maven artifacts (and the jar-signed artifacts that are suddenly no longer considered to be securely signed by recent Java 11/17 releases) that are being PGP signed. In general, no one wants to see trust prompts nor to make such trust decisions with so little basis for making an informed decision...
Ed Merks
Professional Support: https://www.macromodeling.com/