[
Date Prev][
Date Next][
Thread Prev][
Thread Next][
Date Index][
Thread Index]
[
List Home]
Re: [p2-dev] Current status of missing pgp-keys
|
Hi Ed thanks for the explanation.
> Yes, without a key server enabled it fails completely.
So given I have a key-server configured it will try to fetch the key
from there? Is this UI only or will this also work for the commandline?
> We could treat it as unsigned content
that would be great I think.
> In any case, it's obvious that if we can't find the key,
> we can't verify anything...
Sure, I more like to support the case where the key is not embedded but
I give a keyserver to download the key later on, especially with tycho
on the commandline.
Am 17.02.22 um 19:35 schrieb Ed Merks:
Yes, without a key server enabled it fails completely. I think that's
no longer necessary. We could treat it as unsigned content without
introducing a security problem because with the new approach of
recording the key and signature only after a successful validation, we
would record neither the signature nor the key for such a downloaded
artifact if the key wasn't found; so it would indeed look like an
unsigned artifact and would in fact be an unsigned artifact on the
client side. But the Bugzila for that was closed after the previous
change was reverted because previously the checker relied on seeing the
signature as evidence that the artifact was verified and previously the
signature was always copied to the destination. In any case, it's
obvious that if we can't find the key, we can't verify anything...
On Thu, Feb 17, 2022 at 7:18 PM Christoph Läubrich
<laeubi@xxxxxxxxxxxxxx <mailto:laeubi@xxxxxxxxxxxxxx>> wrote:
Is it still the case that p2 completely fails if a public key is
missing
or could it work with only the pgp.signatures property?
_______________________________________________
p2-dev mailing list
p2-dev@xxxxxxxxxxx <mailto:p2-dev@xxxxxxxxxxx>
To unsubscribe from this list, visit
https://www.eclipse.org/mailman/listinfo/p2-dev
<https://www.eclipse.org/mailman/listinfo/p2-dev>
_______________________________________________
p2-dev mailing list
p2-dev@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/p2-dev