Skip to main content
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
Re: [platform-dev] PGP Signing Question?

Mickael,

Thanks. 

More comments below.

On 03.01.2022 13:18, Mickael Istria wrote:


On Mon, Jan 3, 2022 at 11:55 AM Ed Merks <ed.merks@xxxxxxxxx> wrote:
Is there a bug here?  I don't think we can expect the users to grant trust on the basis of some hexadecimal numbers...

Actually, they can grant trust based on  those numbers because users should verify those signers are trusted, eg by checking whether the ids are matching some verified keys in some external PGP services.
But indeed, the UI is still rough and still needs to be improved.
I've opened https://bugs.eclipse.org/bugs/show_bug.cgi?id=578024 to track this issue.    Minimally the help for the dialog should describe how to find such external PGP services and in our case specifically how to verify that this is an Eclipse project's key.  We can discuss the details there.  I can try to help iron out the wrinkles...

Where/what is the best way for asking question and for discussing the implementation details? I posted on platform-dev because the entire platform is affected by these design decisions, but perhaps I should restrict this to p2-dev or elsewhere?

Bugs against p2 are the best channel IMO.

So, for example, if I have the question "is it guaranteed that two different org.bouncycastle.openpgp.PGPPublicKey instances might have the same org.bouncycastle.openpgp.PGPPublicKey.getKeyID() values" that should be a p2 Bugzilla?  I wouldn't ask that on platform-dev but I would have thought to ask on p2-dev rather than open a question Bugzilla.  I see no reason to assume that the getKeyID values are unique, though I suppose the chances of collisions are vanishingly small (and downstream utility class seem to assume this).

 
I expect there is a concern about the size of many such the duplicates keys, but with both jar and *.xz compression that isn't really so much a problem.  I.e., 1000 copies of the key has minimal impact on the size compressed artifacts as seen here where the artifacts.xml has 1000 copies of the key:

OK, I probably made a wrong estimation back then, and maybe adding the signer key to each artifact would be preferable.

And even the org.eclipse.equinox.p2.tests.engine.CertificateCheckerTest.testPGPSignedArtifactUntrustedKey() test works that way...

Yes, this is supposed to work with key as artifact property. The metrics you shared seem to highlight it would be a better approach, so please open a bug to Platform/Releng so we can try to improve that.
I've opened https://bugs.eclipse.org/bugs/show_bug.cgi?id=578023 to track this issue.

_______________________________________________
platform-dev mailing list
platform-dev@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/platform-dev

Back to the top