Skip to main content

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
Re: [p2-dev] Current status of missing pgp-keys

Hi Ed thanks for the explanation.

> Yes, without a key server enabled it fails completely.

So given I have a key-server configured it will try to fetch the key from there? Is this UI only or will this also work for the commandline?

> We could treat it as unsigned content

that would be great I think.

> In any case, it's  obvious that if we can't find the key,
> we can't verify anything...

Sure, I more like to support the case where the key is not embedded but I give a keyserver to download the key later on, especially with tycho on the commandline.

Am 17.02.22 um 19:35 schrieb Ed Merks:
Yes, without a key server enabled it fails completely.  I think that's no longer necessary.  We could treat it as unsigned content without introducing a security problem because with the new approach of recording the key and signature only after a successful validation, we would record neither the signature nor the key for such a downloaded artifact if the key wasn't found; so it would indeed look like an unsigned artifact and would in fact be an unsigned artifact on the client side.   But the Bugzila for that was closed after the previous change was reverted because previously the checker relied on seeing the signature as evidence that the artifact was verified and previously the signature was always copied to the destination.  In any case, it's obvious that if we can't find the key, we can't verify anything...

On Thu, Feb 17, 2022 at 7:18 PM Christoph Läubrich <laeubi@xxxxxxxxxxxxxx <mailto:laeubi@xxxxxxxxxxxxxx>> wrote:

    Is it still the case that p2 completely fails if a public key is
    missing
    or could it work with only the pgp.signatures property?
    _______________________________________________
    p2-dev mailing list
    p2-dev@xxxxxxxxxxx <mailto:p2-dev@xxxxxxxxxxx>
    To unsubscribe from this list, visit
    https://www.eclipse.org/mailman/listinfo/p2-dev
    <https://www.eclipse.org/mailman/listinfo/p2-dev>


_______________________________________________
p2-dev mailing list
p2-dev@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/p2-dev


Back to the top