Re: [cbi-dev] Eclipse Foundation public PGP key?
> Note that the page https://wiki.eclipse.org/GPG is quite old and some instructions are outdated. See https://wiki.eclipse.org/Jenkins#How_can_artifacts_be_deployed_to_OSSRH_.2F_Maven_Central.3F for up to date instruction.
I'll update the GPG specific page in the next few days.
Manager — Release Engineering and Technology | Eclipse Foundation
_______________________________________________
cbi-dev mailing list
cbi-dev@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/cbi-dev
Not sure if this is the most appropriate mailing-list, but it's my best guess since it's about infra; feel free to redirect me someplace else if necessary.
We're investigating an alternative approach to signing in p2. Nowadays the standard is PGP, and we would like to enable some integration with PGP that can be useful to Eclipse projects.
One approach we're thinking about is to include the PGP signatures in p2 metadata and have a p2 processingStep to verify that the signature matches a trusted one. We'd like to start by having the EF signatures be trusted, similarly to how the x509 certificate is trusted. However, we don't have a trust chain with paid certificates here, so we need to know in advance which key we trust.
Does Eclipse Foundation provide a public PGP key that we could use to verify signatures? I'm aware it does have some PGP keys to allow publishing to Maven Central from CI. Are all projects using the same key to sign (🤞yes)? If so, what is the public key?
Once we have a capability to verify the signature at installation, the next step would be creating a Tycho mojo to sign the artifacts and add signature in p2 metadata when building on Eclipse infra.
According to  there is an EF gpg key, and project leads' keys can be signed by this EF gpg "main" key on request. There are also project-specific gpg keys which are available in JIPPs. An assumption I have is that the project-specific keys are signed by the "main" EF gpg key and that such a signature can be publicly distributed. This should allow shipping project-specific gpg keys in p2 metadata together with the EF signature verifying the project key. This should be a significant web of trust to verify the projects' gpg keys.
Infrastructure team, am I missing something?
Red Hat Eclipse Team
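The trust chain sketched in the two messages above (a single trusted EF "main" key known in advance, project keys certified by that main key, artifact signatures made with a project key) can be exercised end to end with plain gpg. The script below is an added example and is not Eclipse Foundation, p2 or Tycho code: every key, user id and the "artifact" is constructed on the fly in throwaway keyrings, and the policy it implements (accept a project key only if it carries a good certification from the pinned main key; accept an artifact only if its detached signature verifies under an accepted project key) is one way to do the check that the thread proposes, not how p2 or Tycho does it.

```shell
#!/bin/sh
# Added example (not Eclipse Foundation / p2 / Tycho code): model the trust chain
# discussed in the thread with plain gpg.  A "main" key is the trust anchor that the
# verifier ships with; a project key is accepted only if it carries a certification
# from the main key; an artifact signature is accepted only if it was made by an
# accepted project key.  All names, keys and the artifact are constructed here.
set -eu
command -v gpg >/dev/null 2>&1 || { echo "gpg is required for this example" >&2; exit 1; }

WORK=$(mktemp -d)          # throwaway homedirs so ~/.gnupg is never touched
cleanup() {
    for h in main project rogue verify; do
        GNUPGHOME="$WORK/$h" gpgconf --kill gpg-agent 2>/dev/null || true
    done
    rm -rf "$WORK"
}
trap cleanup EXIT

# gen_key HOMEDIR "User Id" -> prints the new primary key fingerprint (passphrase-less key)
gen_key() {
    mkdir -p "$1" && chmod 700 "$1"
    GNUPGHOME="$1" gpg --batch --quiet --gen-key 2>/dev/null <<EOF
%no-protection
Key-Type: eddsa
Key-Curve: ed25519
Key-Usage: sign
Name-Real: $2
Expire-Date: 0
%commit
EOF
    GNUPGHOME="$1" gpg --batch --with-colons --with-fingerprint --list-keys 2>/dev/null \
        | awk -F: '$1=="fpr" {print $10; exit}'
}

# certify_key MAIN_HOMEDIR PROJECT_PUBKEY PROJECT_FPR OUTFILE
# The main key certifies the project key's user id; the exported key now carries that signature.
certify_key() {
    GNUPGHOME="$1" gpg --batch --quiet --import "$2" 2>/dev/null
    GNUPGHOME="$1" gpg --batch --quiet --yes --quick-sign-key "$3" 2>/dev/null
    GNUPGHOME="$1" gpg --batch --quiet --armor --export "$3" > "$4"
}

# accept_project_key VERIFY_HOMEDIR KEYFILE FPR MAIN_KEYID
# Keep the imported key only if one of its user ids has a *good* ("!") certification
# whose signer key id is the pinned main key; otherwise delete it again.
accept_project_key() {
    GNUPGHOME="$1" gpg --batch --quiet --import "$2" 2>/dev/null
    if GNUPGHOME="$1" gpg --batch --with-colons --check-sigs "$3" 2>/dev/null \
        | awk -F: -v kid="$4" '$1=="sig" && $2=="!" && $5==kid {ok=1} END {exit !ok}'; then
        return 0
    fi
    GNUPGHOME="$1" gpg --batch --quiet --yes --delete-keys "$3" 2>/dev/null || true
    return 1
}

# verify_artifact VERIFY_HOMEDIR FILE SIGFILE ACCEPTED_FPR
# Only a VALIDSIG whose primary-key fingerprint (last status field) equals the accepted
# project key is good enough; a valid signature from any other key is still a failure.
verify_artifact() {
    GNUPGHOME="$1" gpg --batch --status-fd 1 --verify "$3" "$2" 2>/dev/null \
        | awk -v fpr="$4" '$1=="[GNUPG:]" && $2=="VALIDSIG" && $NF==fpr {ok=1} END {exit !ok}'
}

# --- constructed setup: main key, one certified project key, one uncertified rogue key ---
MAIN_FPR=$(gen_key "$WORK/main" "EF main key (example)")
MAIN_KEYID=$(printf '%s' "$MAIN_FPR" | tail -c 16)     # long key id = last 16 hex digits
PROJ_FPR=$(gen_key "$WORK/project" "Example project key")
ROGUE_FPR=$(gen_key "$WORK/rogue" "Rogue key never certified")
GNUPGHOME="$WORK/main"    gpg --batch --armor --export "$MAIN_FPR"  > "$WORK/main.pub"
GNUPGHOME="$WORK/project" gpg --batch --armor --export "$PROJ_FPR"  > "$WORK/project.pub"
GNUPGHOME="$WORK/rogue"   gpg --batch --armor --export "$ROGUE_FPR" > "$WORK/rogue.pub"
certify_key "$WORK/main" "$WORK/project.pub" "$PROJ_FPR" "$WORK/project-certified.pub"

# A constructed "artifact", detach-signed by the project key and, separately, by the rogue key
printf 'constructed p2 artifact bytes\n' > "$WORK/artifact.jar"
GNUPGHOME="$WORK/project" gpg --batch --quiet --armor --detach-sign -o "$WORK/artifact.jar.asc" "$WORK/artifact.jar"
GNUPGHOME="$WORK/rogue"   gpg --batch --quiet --armor --detach-sign -o "$WORK/artifact.jar.rogue.asc" "$WORK/artifact.jar"

# --- verifier side: the keyring starts with nothing but the pinned main key ---
mkdir -p "$WORK/verify" && chmod 700 "$WORK/verify"
GNUPGHOME="$WORK/verify" gpg --batch --quiet --import "$WORK/main.pub" 2>/dev/null

if accept_project_key "$WORK/verify" "$WORK/project-certified.pub" "$PROJ_FPR" "$MAIN_KEYID"; then CERTIFIED_KEY=accepted; else CERTIFIED_KEY=rejected; fi
if accept_project_key "$WORK/verify" "$WORK/rogue.pub" "$ROGUE_FPR" "$MAIN_KEYID"; then ROGUE_KEY=accepted; else ROGUE_KEY=rejected; fi
if verify_artifact "$WORK/verify" "$WORK/artifact.jar" "$WORK/artifact.jar.asc" "$PROJ_FPR"; then GOOD_SIG=valid; else GOOD_SIG=invalid; fi
if verify_artifact "$WORK/verify" "$WORK/artifact.jar" "$WORK/artifact.jar.rogue.asc" "$PROJ_FPR"; then ROGUE_SIG=valid; else ROGUE_SIG=invalid; fi
printf 'tampered\n' >> "$WORK/artifact.jar"
if verify_artifact "$WORK/verify" "$WORK/artifact.jar" "$WORK/artifact.jar.asc" "$PROJ_FPR"; then TAMPERED_SIG=valid; else TAMPERED_SIG=invalid; fi

echo "certified project key: $CERTIFIED_KEY; rogue key: $ROGUE_KEY"
echo "project signature: $GOOD_SIG; rogue signature: $ROGUE_SIG; signature on tampered artifact: $TAMPERED_SIG"
```

Two design points worth keeping when turning this into a real processing step: the verifier must pin the main key by fingerprint (here it is the only key pre-loaded into the fresh keyring, which amounts to the same thing), and `--check-sigs` only establishes that the certification is cryptographically good; it does not fetch revocations, so a deployed verifier still needs a way to learn that a project key or the main key has been revoked.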