Skip to main content
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
Re: [p2-dev] Current status of missing pgp-keys
Yes, without a key server enabled it fails completely.  I think that's no longer necessary.  We could treat it as unsigned content without introducing a security problem because with the new approach of recording the key and signature only after a successful validation, we would record neither the signature nor the key for such a downloaded artifact if the key wasn't found; so it would indeed look like an unsigned artifact and would in fact be an unsigned artifact on the client side.   But the Bugzila for that was closed after the previous change was reverted because previously the checker relied on seeing the signature as evidence that the artifact was verified and previously the signature was always copied to the destination.  In any case, it's obvious that if we can't find the key, we can't verify anything...

On Thu, Feb 17, 2022 at 7:18 PM Christoph Läubrich <laeubi@xxxxxxxxxxxxxx> wrote:
Is it still the case that p2 completely fails if a public key is missing
or could it work with only the pgp.signatures property?
_______________________________________________
p2-dev mailing list
p2-dev@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/p2-dev

Back to the top