Skip to main content
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
Re: [platform-dev] [cbi-dev] Eclipse Foundation public PGP key?
Hi Mickael,


On Fri, 23 Apr 2021 at 08:32, Mickael Istria <mistria@xxxxxxxxxx> wrote:
Hi all,

Thanks to Mikael (Barbero) for encouraging exclusion of any automated form of trust at the moment, we're making some concrete progress here:
* artifacts provider can now attach PGP signatures to the p2 metadata and p2 will ensure all those signatures are correct for the given artifact when downloading it; installation will fail early if a signature is incorrect. For the moment, public keys for verification current are also to be placed in p2 metadata. https://www.eclipse.org/eclipse/news/4.20/platform_isv.php#pgp-signature-verification

In the above link, what is the difference between artifact metadata and artifact repository? I feel like I am missing knowledge of some of the terminology.

Thanks,
Jonah



Back to the top