Re: [p2-dev] Documentation about pgp signing of Eclipse plugins


There is a small self-contained sample attached here:

I've been using that to understand how this all works with a very simple example; an example that I can run locally on Windows where I created a "test" PGP key.

Perhaps if you can't get this sample to work for you, you could ask further questions on that issue...

PGP signing works for 2.7.1 (just released) and 3.0.0-SNAPSHOT. I think for earlier versions as well, but I've not tested that.

Very old versions of Eclipse will see PGP-signed bundles as unsigned content. More recent versions of Eclipse (< 4.23) will lose information about the PGP keys and that can result in a corrupted bundle pool where attempts to install or update will "auto-cancel". Even without a bundle pool, if one cancels once, the bundles will be local to the installation and further attempts too will auto-cancel. Many bugs were fixed during the most recent release cycle:


On 10.04.2022 10:35, Andrey Loskutov wrote:

in context of expired spotbugs certificate (see

I'm looking for pointers (wiki/blog/help page) about how one can "sign" Eclipse bundles with pgp?

Google finds few bugs but no explanation to the following questions:

- prerequisites (which Eclipse version supports that)
- build requirements (which tooling needed, on which platform etc)
- instructions for signing itself (command line etc)
- which side effects it has on compatibility with old Eclipse platforms (can a pgp signed bundle be installed on older Eclipse that doesn't know anything about pgp)

These below seem to be related but don't give answers to questions above:

Is there any official documentation available ?
Kind regards,
Andrey Loskutov
Saving the drowning is the job of the drowning themselves