
Re: [cbi-dev] Eclipse Foundation public PGP key?

On Thu, Feb 11, 2021 at 10:55 AM Mickael Istria <mistria@xxxxxxxxxx> wrote:
Hi all,

Not sure if this is the most appropriate mailing-list, but it's my best guess since it's about infra; feel free to redirect me someplace else if necessary.

We're investigating alternative approaches to signing in p2. Nowadays the standard is PGP and we would like to enable some integration with PGP that can be useful to Eclipse projects.
One approach we're thinking about is to include the PGP signatures in p2 metadata and have a p2 processingStep to verify that the signature matches a trusted one. We'd like to start by having the EF signatures be trusted, similarly to how the x509 certificate is trusted. However, we don't have a trust chain with paid certificates here, so we need to know in advance what key we trust.
Does Eclipse Foundation provide a public PGP key that we could use to verify signatures? I'm aware it does have some PGP keys to allow publishing to Maven Central from CI. Are all projects using the same key to sign (🤞yes)? If so, what is the public key?
Once we have a capability to verify the signature at installation, the next step would be creating a Tycho mojo to sign the artifacts and add signature in p2 metadata when building on Eclipse infra.

According to [1] there is an EF gpg key, and project leads' keys can be signed by this EF gpg "main" key on request. There are also project-specific gpg keys which are available in JIPPs. An assumption I have is that the project-specific keys are signed by the "main" EF gpg key and that such a signature can be publicly distributed. This should allow shipping project-specific gpg keys in p2 metadata together with the EF signature verifying the project key. This should be a significant web of trust to verify the projects' gpg keys.
Infrastructure team, am I missing something?


Thanks in advance!
--
Mickael Istria
Eclipse IDE developer, for Red Hat Developers
_______________________________________________
cbi-dev mailing list
cbi-dev@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/cbi-dev


--
Aleksandar Kurtakov
Red Hat Eclipse Team
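The trust chain sketched in the reply (EF "main" key certifies a project key; an artifact signature is accepted only if its signing key carries that certification), as an added example that is not code from the cbi-dev thread, p2 or Tycho. It models the chain with gpg in a throwaway keyring; all key identities, file names and the artifact bytes are constructed for the demo, and the verification function stands in for the check a p2 processing step would have to make.

```shell
#!/bin/sh
# Added example, not from the cbi-dev thread nor from p2/Tycho: models the
# trust chain described above with gpg in a throwaway keyring. Identities,
# file names and the artifact bytes are constructed for the demo.
set -eu
export GNUPGHOME
GNUPGHOME=$(mktemp -d)
trap 'gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$GNUPGHOME"' EXIT
g() { gpg --batch --quiet --yes --pinentry-mode loopback --passphrase '' "$@"; }

# Three constructed keys: the EF "main" key, a project key it will certify,
# and a rogue key that nobody certifies.
g --quick-gen-key 'EF Main (constructed) <ef-main@example.invalid>' ed25519 cert,sign 0
g --quick-gen-key 'Project (constructed) <project@example.invalid>' ed25519 cert,sign 0
g --quick-gen-key 'Rogue (constructed) <rogue@example.invalid>' ed25519 cert,sign 0
fpr() { gpg --batch --with-colons --list-keys "$1" | awk -F: '$1=="fpr"{print $10; exit}'; }
EF_FPR=$(fpr ef-main@example.invalid)
PROJ_FPR=$(fpr project@example.invalid)
ROGUE_FPR=$(fpr rogue@example.invalid)
EF_KEYID=$(printf '%s' "$EF_FPR" | tail -c 16)  # long key id = last 16 hex digits

# The EF main key certifies the project key (the "on request" signing in the reply).
g --local-user "$EF_FPR" --quick-sign-key "$PROJ_FPR"

# A constructed artifact, detach-signed once by the project key, once by the rogue key.
ART="$GNUPGHOME/bundle.jar"
printf 'constructed artifact bytes\n' > "$ART"
g --local-user "$PROJ_FPR" --armor --detach-sign --output "$ART.project.asc" "$ART"
g --local-user "$ROGUE_FPR" --armor --detach-sign --output "$ART.rogue.asc" "$ART"

# verify_artifact FILE SIG: succeeds only when the signature is cryptographically
# valid AND the signing key carries a good certification from the EF main key,
# i.e. the check a p2 processing step would have to make before trusting the key.
verify_artifact() {
  signer=$(gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null |
    awk '$2=="VALIDSIG"{print $3; exit}') || return 1
  [ -n "$signer" ] || return 1        # bad or missing signature
  gpg --batch --with-colons --check-sigs "$signer" 2>/dev/null |
    awk -F: -v ef="$EF_KEYID" '$1=="sig" && $2=="!" && $5==ef {ok=1} END{exit !ok}'
}

verify_artifact "$ART" "$ART.project.asc" && echo "project signature: accepted"
verify_artifact "$ART" "$ART.rogue.asc" ||
  echo "rogue signature: rejected (valid signature, but key not certified by EF)"
```

The rogue case is the one that matters: its signature verifies cryptographically, so a step that only runs `gpg --verify` would accept it; rejecting it requires the extra certification check against the known EF key.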
