Skip to main content

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
Re: [] Future of Jarsigning requirement


I think the direction is good, but there is a but.

1)  -0.5  At this point, I don't think we should approve changes to the requirements for the current release cycle but rather indicate that we intend to do so for the next release cycle, with the caveat that the current release will release with a fully-functional, properly-vetted implementation of the proposed PGP approach.  Why?   Because a great many  people update their installation from the previous release to the latest release if not broken by  on Windows.  If those people see warnings about unsigned content they'll be rightly concerned.   Of course I do not know the current state of the 2021--09 PGP implementation and few of us do.  Maybe it's already fully functional in 2021-09 without security flaws.   But, based on lack of details on this front, I personally will not give this a +1.

2)  Of course -1 for this unless there is a +1 for 1).

3) +1  We should ask for a review of the PGP proposal and its current released implementation in 2021-09.

4) +1  Note though that whatever is done here impacts the installer and that falls on me personally to resolve.  The installer has "extended" p2 in rather invasive non-API ways (because p2 has so few APIs).   The installer can remember the licenses (SUAs) the user has agreed to, can remember that the user is okay with unsigned content, and can remember certificates.   These are important usability concerns.  All this is easily broken by the platform and when that happens a lot of righteous finger pointing ensues.   So all such work ends up not just being thankless, but really unpleasantly thankless, and that's something I wish we, as a team, will avoid.


On 13.10.2021 20:33, Jonah Graham wrote:
Hi folks,

We had a fairly productive meeting on Wednesday with regards to the future of the Jarsigning requirement.

The current signing requirement is defined as follows in the simrel requirements:

Signing (tested)

Projects must use signed plugins and features using the Eclipse certificate.

[added 12/2015, for Neon]. Note: If a jar is already signed by the Eclipse certificate, then it must not be re-signed by projects for the release train.

And the handbook says:

Signed Artifacts

Where technically sensible, all downloadable artifacts should be signed by an Eclipse Foundation certificate.


This is the proposed replacement for SimRel


Projects must deliver signed plugins and features to the Eclipse SimRel repository. These can be jarsigned with the Eclipse certificate, or they can be signed using a PGP key in the web of trust of the Eclipse Foundation key with the signature stored in the p2 metadata. The Eclipse Webmaster issues per-project keys which are suitable for such use.

It is permissible to sign with both methods, see the wiki entry on Jar Signing to ensure that the multiple signatures are handled correctly or for any other information on how to perform the signing.

The signing of artifacts delivered by SimRel is an important piece to achieve the overall goal of "Build artifacts made available at the Eclipse Foundation are verifiably the ones built by respective projects." The signing allows users to either as part of the installation, or at a later time, to verify that the downloaded artifacts are the ones that various projects have published. See the wiki entry on Jar Signing for information on how to perform such verification.

The Eclipse Platform (Equinox's p2 specifically) will verify, using checksums, that downloaded artifacts match the checksums in the metadata. Users can optionally enable various levels of signature verification as made available by the Eclipse Platform (Equinox's p2 specifically).

Assuming the above is acceptable for SimRel, then the Eclipse Handbook could be updated to read as follows:

Signed Artifacts

Where technically sensible, all downloadable artifacts should be signed by an Eclipse Foundation certificate or a PGP key that is in the Eclipse Foundation's web of trust.

What Next?

There are a number of items left to resolve:

1) The Planning Council must approve the changes to SimRel requirements. Please reply +1 to indicate your approval.

2) The Planning Council will recommend to the Eclipse Foundation the changes to the handbook. Please reply +1 to indicate your approval of this recommendation to the Eclipse Foundation.

3) The Planning Council will recommend to the Steering Committee that an audit of the security practices of the SimRel be conducted. Please reply +1 to indicate your approval of this recommendation to the steering committee.

4) The Eclipse Platform team has indicated their intention to do some additional usability improvements. The summary is that the current implementation of PGP signing in Eclipse Platform causes security prompts to confirm users trust the content (IIUC similar to how self signed jars are presented). Please reply +1 to indicate your approval with having an initial release with these prompts. 

Therefore, can all planning council members reply with +1 for each of the four items. I think the first three above are fairly straightforward. If you don't think the third item is ok as is, please indicate what you believe the minimal viable implementation looks like? 



Jonah Graham
Kichwa Coders

_______________________________________________ mailing list
To unsubscribe from this list, visit

Back to the top