|Re: [p2-dev] Current status of missing pgp-keys|
Christoph, Comments below.Note that I've been tracking overall issues via https://gitlab.eclipse.org/eclipse-wg/ide-wg/ide-wg.eclipse.org/-/issues/11
On 22.02.2022 05:50, Christoph Läubrich wrote:
Hi Ed thanks for the explanation. > Yes, without a key server enabled it fails completely.So given I have a key-server configured it will try to fetch the key from there? Is this UI only or will this also work for the commandline?
It currently works only by setting a system property p2.keyservers, i.e., no UI support at all. The specified value is split by split("[,; \t]+") to allow multiple servers. I've been testing manually using this:
-Dp2.keyservers=keyserver.ubuntu.com,keys.openpgp.orgI'd like to provide UI support but without an eclipse key server it seems kind of odd to do so:
Yes, I think that would have less extreme failure behavior should there be a failure to find the key. There's not much development runway left for this release cycle. Could you reopen the bug you had open?> We could treat it as unsigned content that would be great I think.
> In any case, it's obvious that if we can't find the key, > we can't verify anything...Sure, I more like to support the case where the key is not embedded but I give a keyserver to download the key later on, especially with tycho on the commandline.
Yes, that should work. I've been testing installs where org.mockito.mockito-core has two signatures, both the one the platform/Tycho added and the original one from maven repository and it is able to verify both signatures when a key server is specified.
It seems to me that it might be better if Tycho preserved the original signature, or had the option to do so, so that one can better track the original originator of the artifact... One might even argue that its unnecessary to add a signature to the original signature, but there is the issue of prompting users whether to trust each key and I don't think users want to see dozens of such keys while being told to "be very careful".
Am 17.02.22 um 19:35 schrieb Ed Merks:Yes, without a key server enabled it fails completely. I think that's no longer necessary. We could treat it as unsigned content without introducing a security problem because with the new approach of recording the key and signature only after a successful validation, we would record neither the signature nor the key for such a downloaded artifact if the key wasn't found; so it would indeed look like an unsigned artifact and would in fact be an unsigned artifact on the client side. But the Bugzila for that was closed after the previous change was reverted because previously the checker relied on seeing the signature as evidence that the artifact was verified and previously the signature was always copied to the destination. In any case, it's obvious that if we can't find the key, we can't verify anything...On Thu, Feb 17, 2022 at 7:18 PM Christoph Läubrich <laeubi@xxxxxxxxxxxxxx <mailto:laeubi@xxxxxxxxxxxxxx>> wrote:Is it still the case that p2 completely fails if a public key is missing or could it work with only the pgp.signatures property? _______________________________________________ p2-dev mailing list p2-dev@xxxxxxxxxxx <mailto:p2-dev@xxxxxxxxxxx> To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/p2-dev <https://www.eclipse.org/mailman/listinfo/p2-dev> _______________________________________________ p2-dev mailing list p2-dev@xxxxxxxxxxxTo unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/p2-dev_______________________________________________ p2-dev mailing list p2-dev@xxxxxxxxxxxTo unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/p2-dev
Back to the top