Re: [platform-dev] PGP Signing Question?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]

Re: [platform-dev] PGP Signing Question?

From: Christoph Läubrich <laeubi@xxxxxxxxxxxxxx>
Date: Mon, 3 Jan 2022 12:06:40 +0100
Delivered-to: platform-dev@xxxxxxxxxxx
List-archive: <https://www.eclipse.org/mailman/private/platform-dev/>
List-help: <mailto:platform-dev-request@eclipse.org?subject=help>
List-subscribe: <https://www.eclipse.org/mailman/listinfo/platform-dev>, <mailto:platform-dev-request@eclipse.org?subject=subscribe>
List-unsubscribe: <https://www.eclipse.org/mailman/options/platform-dev>, <mailto:platform-dev-request@eclipse.org?subject=unsubscribe>
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.4.1

As this is a cross-cuting-concern I think its fine for platform dev list.

About handling of the keys, that's why I suggested to store them asseparate files here [1] (maybe still simply added to the artifacts.xmlas regular "artifacts" so the y got mirrored with default techniques) asthis makes the handling much easier. e.g if we add for each id anartifact with <id>.pgp it won't even accumulate for size.

I also like to not ethat I thing storing the public key in the metadatamight not strictly neccesary for the public-key If we support thekeyserverver concepts as suggested here [2].I have already addedkeyserver support to tycho [3]


[1] https://bugs.eclipse.org/bugs/show_bug.cgi?id=575540
[2] https://bugs.eclipse.org/bugs/show_bug.cgi?id=575541

[3]https://github.com/eclipse/tycho/blob/master/tycho-p2/tycho-p2-repository-plugin/src/main/java/org/eclipse/tycho/plugins/p2/repository/MavenP2SiteMojo.java#L377


Am 03.01.22 um 11:54 schrieb Ed Merks:

Hi,
I've been investigating the new PGP signing support. To test it, Iinstall the Eclipse Test Framework from the 4.23 I-Builds because thatincludes several bundles that are PGP signed:
As a result of this action, the following dialog pops up asking me if Itrust "these signers":
There is no information in the name column. I believe it's populated byorg.eclipse.equinox.internal.p2.ui.dialogs.TrustCertificateDialog.createUpperDialogArea(Composite)like this:
             java.util.List<String> users = new ArrayList<>();
             pgp.getUserIDs().forEachRemaining(users::add);
             return String.join(",", users); //$NON-NLS-1
Looking at the implementation, I don't see how a PGPPublicKey ever endsup with associated "user IDs". (And the Details... button is onlyenabled for a selected X509Certificate.)
Is there a bug here? I don't think we can expect the users to granttrust on the basis of some hexadecimal numbers...
----------------------------------
Where/what is the best way for asking question and for discussing theimplementation details? I posted on platform-dev because the entireplatform is affected by these design decisions, but perhaps I shouldrestrict this to p2-dev or elsewhere?
For example, the fact that the keys are stored as repository properties,rather than as properties on the artifacts, seems quite problematic andwill tend to break downstream applications. We've already seen that thisbreaks mirroring because mirroring doesn't mirror repository propertiesnor should it in general do so. It also breaks the installer (i.e., ingeneral the use of p2 agents with a shared p2 bundle pool). It will nodoubt impact the aggregator as well. Every consumer will need to knowto "copy and merge" this specific repository property (but not any otherrepository properties) when copying/mirroring artifacts.
I expect there is a concern about the size of many such the duplicateskeys, but with both jar and *.xz compression that isn't really so much aproblem. I.e., 1000 copies of the key has minimal impact on the sizecompressed artifacts as seen here where the artifacts.xml has 1000copies of the key:
-rw-r--r-- 1 merks 197609  823870 Jan  3 11:31 artifacts.original.xml
-rw-r--r-- 1 merks 197609  119252 Jan  3 11:32 artifacts.original.xml.jar
-rw-r--r-- 1 merks 197609   89796 Jan  3 11:37 artifacts.original.xml.xz
-rw-r--r-- 1 merks 197609 1264772 Jan  3 11:14 artifacts.xml
-rw-r--r-- 1 merks 197609  122441 Jan  3 11:33 artifacts.xml.jar
-rw-r--r-- 1 merks 197609   90008 Jan  3 11:38 artifacts.xml.xz
The implementation sort of already assumes/supports it as an artifactkey inorg.eclipse.equinox.internal.p2.engine.phases.CertificateChecker.findKey(long,IArtifactDescriptor) like this:
// in case keys from artifact were not imported yet inkeystore, add them
         PGPSignatureVerifier.KNOWN_KEYS
.addKeys(artifact.getProperty(PGPSignatureVerifier.PGP_SIGNER_KEYS_PROPERTY_NAME));
         return PGPSignatureVerifier.KNOWN_KEYS.getKey(id);
And even theorg.eclipse.equinox.p2.tests.engine.CertificateCheckerTest.testPGPSignedArtifactUntrustedKey()test works that way...
Regards,
Ed


_______________________________________________
platform-dev mailing list
platform-dev@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/platform-dev

References:
- [platform-dev] PGP Signing Question?
  - From: Ed Merks

Prev by Date: [platform-dev] PGP Signing Question?
Next by Date: Re: [platform-dev] PGP Signing Question?
Previous by thread: [platform-dev] PGP Signing Question?
Next by thread: Re: [platform-dev] PGP Signing Question?
Index(es):
- Date
- Thread

Breadcrumbs