[
Date Prev][
Date Next][
Thread Prev][
Thread Next][
Date Index][
Thread Index]
[
List Home]
|
Re: [p2-dev] Current status of missing pgp-keys
|
Christoph,
Comments below.
Note that I've been tracking overall issues via
https://gitlab.eclipse.org/eclipse-wg/ide-wg/ide-wg.eclipse.org/-/issues/11
On 22.02.2022 05:50, Christoph Läubrich wrote:
Hi Ed thanks for the explanation.
> Yes, without a key server enabled it fails completely.
So given I have a key-server configured it will try to fetch the key
from there? Is this UI only or will this also work for the commandline?
It currently works only by setting a system property p2.keyservers,
i.e., no UI support at all. The specified value is split by split("[,;
\t]+") to allow multiple servers. I've been testing manually using this:
-Dp2.keyservers=keyserver.ubuntu.com,keys.openpgp.org
I'd like to provide UI support but without an eclipse key server it
seems kind of odd to do so:
https://gitlab.eclipse.org/eclipsefdn/helpdesk/-/issues/797
> We could treat it as unsigned content
that would be great I think.
Yes, I think that would have less extreme failure behavior should there
be a failure to find the key. There's not much development runway left
for this release cycle. Could you reopen the bug you had open?
> In any case, it's obvious that if we can't find the key,
> we can't verify anything...
Sure, I more like to support the case where the key is not embedded
but I give a keyserver to download the key later on, especially with
tycho on the commandline.
Yes, that should work. I've been testing installs where
org.mockito.mockito-core has two signatures, both the one the
platform/Tycho added and the original one from maven repository and it
is able to verify both signatures when a key server is specified.
It seems to me that it might be better if Tycho preserved the original
signature, or had the option to do so, so that one can better track the
original originator of the artifact... One might even argue that its
unnecessary to add a signature to the original signature, but there is
the issue of prompting users whether to trust each key and I don't think
users want to see dozens of such keys while being told to "be very careful".
Am 17.02.22 um 19:35 schrieb Ed Merks:
Yes, without a key server enabled it fails completely. I think
that's no longer necessary. We could treat it as unsigned content
without introducing a security problem because with the new approach
of recording the key and signature only after a successful
validation, we would record neither the signature nor the key for
such a downloaded artifact if the key wasn't found; so it would
indeed look like an unsigned artifact and would in fact be an
unsigned artifact on the client side. But the Bugzila for that was
closed after the previous change was reverted because previously the
checker relied on seeing the signature as evidence that the artifact
was verified and previously the signature was always copied to the
destination. In any case, it's obvious that if we can't find the key,
we can't verify anything...
On Thu, Feb 17, 2022 at 7:18 PM Christoph Läubrich
<laeubi@xxxxxxxxxxxxxx <mailto:laeubi@xxxxxxxxxxxxxx>> wrote:
Is it still the case that p2 completely fails if a public key is
missing
or could it work with only the pgp.signatures property?
_______________________________________________
p2-dev mailing list
p2-dev@xxxxxxxxxxx <mailto:p2-dev@xxxxxxxxxxx>
To unsubscribe from this list, visit
https://www.eclipse.org/mailman/listinfo/p2-dev
<https://www.eclipse.org/mailman/listinfo/p2-dev>
_______________________________________________
p2-dev mailing list
p2-dev@xxxxxxxxxxx
To unsubscribe from this list, visit
https://www.eclipse.org/mailman/listinfo/p2-dev
_______________________________________________
p2-dev mailing list
p2-dev@xxxxxxxxxxx
To unsubscribe from this list, visit
https://www.eclipse.org/mailman/listinfo/p2-dev
