Re: [p2-dev] Documentation about pgp signing of Eclipse plugins

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]

Re: [p2-dev] Documentation about pgp signing of Eclipse plugins

From: Ed Merks <ed.merks@xxxxxxxxx>
Date: Sun, 10 Apr 2022 10:48:34 +0200
Delivered-to: p2-dev@xxxxxxxxxxx
List-archive: <https://www.eclipse.org/mailman/private/p2-dev/>
List-help: <mailto:p2-dev-request@eclipse.org?subject=help>
List-subscribe: <https://www.eclipse.org/mailman/listinfo/p2-dev>, <mailto:p2-dev-request@eclipse.org?subject=subscribe>
List-unsubscribe: <https://www.eclipse.org/mailman/options/p2-dev>, <mailto:p2-dev-request@eclipse.org?subject=unsubscribe>
User-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Thunderbird/91.7.0

Andrey,

There is a small self-contained sample attached here:

https://github.com/eclipse/tycho/issues/872#issuecomment-1094060216

I've been using that to understand how this all works with a very simpleexample; an example that I can run locally on Windows where I created a"test" PGP key.

Perhaps if you can't get this sample to work for you, you could askfurther questions on that issue...

PGP signing works for 2.7.1 (just released) and 3.0.0-SNAPSHOT. I thinkfor earlier versions as well, but I've not tested that.

Very old versions of Eclipse will see PGP-signed bundles thing asunsigned content. More recent versions of Eclipse (< 4.23) will loseinformation about the PGP keys and that can result in a corrupted bundlepool where attempts to install or update will "auto-cancel". Evenwithout a bundle pool, if one cancels once, the bundles will be local tothe installation and further attempts too will auto-cancel. Many bugswere fix during the most recent release cycle:


https://gitlab.eclipse.org/eclipse-wg/ide-wg/eclipseide.org/-/issues/11

Regards,
Ed

On 10.04.2022 10:35, Andrey Loskutov wrote:

Hi,

in context of expired spotbugs certificate (see https://github.com/spotbugs/spotbugs/issues/2008)

I'm looking for pointers (wiki/blog/help page) about how one can "sign" Eclipse bundles with pgp?

Google finds few bugs but no explanation to following questions :

- prerequisites (which Eclipse version supports that)
- build requirements (which tooling needed, on which platform etc)
- instructions for signing itself (command line etc)
- which side effects ot has on compatibility with old Eclipse platforms (can pgp signed bundle be installed on older Eclipse that doesn't know anything about pgp)

These below seem to be related but don't give answers to questions above:
https://bugs.eclipse.org/bugs/show_bug.cgi?id=576895
https://bugs.eclipse.org/bugs/show_bug.cgi?id=572816

Is there any official documentation available ?
--
Kind regards,
Andrey Loskutov

https://www.eclipse.org/user/aloskutov
Спасение утопающих - дело рук самих утопающих
_______________________________________________
p2-dev mailing list
p2-dev@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/p2-dev

References:
- [p2-dev] Documentation about pgp signing of Eclipse plugins
  - From: Andrey Loskutov

Prev by Date: [p2-dev] Documentation about pgp signing of Eclipse plugins
Next by Date: Re: [p2-dev] [platform-dev] Documentation about pgp signing of Eclipse plugins
Previous by thread: [p2-dev] Documentation about pgp signing of Eclipse plugins
Next by thread: Re: [p2-dev] [platform-dev] Documentation about pgp signing of Eclipse plugins
Index(es):
- Date
- Thread

Breadcrumbs