Skip to main content

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
[cbi-dev] Eclipse Foundation public PGP key?

Hi all,

Not sure if this is the most appropriate mailing-list, but it's my best guess since it's about infra; feel free to redirect me someplace else if necessary.

We're investigating alternative approach to signing in p2. Nowadays standard is PGP and would like to enable some integration with PGP that can be useful to Eclpse projects.
One approach we're thinking about is to include in p2 metadata the PGP signtures and have a p2 processingStep to verify the signature matches a trusted one. We'd like to start by have the EF signatures as being trusted, similarly to how the x509 certificate is trusted. However, we don't have trust chain with paid certificates here, so we need to know in advance what's the key we trust.
Does Eclipse Foundation provide a public PGP key that we could use to verify signatures? I'm aware it does have some PGP keys to allow publishing to Maven Central from CI. Are all projects using the same key to sign (🤞yes)? If so, what is the public key?
Once we have a capability to verify the signature at installation, the next step would be creating a Tycho mojo to sign the artifacts and add signature in p2 metadata when building on Eclipse infra.

Thanks in advance!
Mickael Istria
Eclipse IDE developer, for Red Hat Developers

Back to the top