I've opened
https://bugs.eclipse.org/bugs/show_bug.cgi?id=578024 to
track this issue. Minimally the help for the dialog should
describe how to find such external PGP services and in our case
specifically how to verify that this is an Eclipse project's key.
We can discuss the details there. I can try to help iron out the
wrinkles...
OK.
So, for example, if I have the question "is it guaranteed that
two different org.bouncycastle.openpgp.PGPPublicKey instances
might have the same
org.bouncycastle.openpgp.PGPPublicKey.getKeyID() values" that
should be a p2 Bugzilla? I wouldn't ask that on platform-dev but
I would have thought to ask on p2-dev rather than open a question
Bugzilla. I see no reason to assume that the getKeyID values are
unique, though I suppose the chances of collisions are vanishingly
small (and downstream utility classes seem to assume this).
For questions, p2-dev is probably the best place.
For the particular question about keyIDs, they should not really be used in practice (see
https://evil32.com/); instead, users should look at key fingerprints as what they'd expect as being the id.
Thanks.
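
The key ID versus fingerprint point above, as an added example (not code from p2 or Bouncy Castle): following RFC 4880, this Python sketch derives the v4 fingerprint from a public-key packet body, shows that the 64-bit and 32-bit key IDs are only its trailing bytes, and pins on the full fingerprint. The function names are hypothetical and the key fields are constructed sample values, not a real key.

```python
import hashlib
import hmac
import struct

def mpi(n: int) -> bytes:
    """OpenPGP MPI: 2-byte bit count, then the big-endian magnitude."""
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")

def v4_rsa_packet_body(created: int, n: int, e: int) -> bytes:
    """Version 4 RSA public-key packet body (RFC 4880, section 5.5.2)."""
    return bytes([4]) + struct.pack(">I", created) + bytes([1]) + mpi(n) + mpi(e)

def v4_fingerprint(body: bytes) -> bytes:
    """SHA-1 over 0x99, the 2-byte body length and the body (RFC 4880, section 12.2)."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).digest()

def key_id(fp: bytes) -> int:
    """64-bit key ID: the low-order 8 bytes of the 20-byte fingerprint."""
    return int.from_bytes(fp[-8:], "big")

def short_id(fp: bytes) -> int:
    """32-bit short ID: the low-order 4 bytes, so 128 bits of the hash are discarded."""
    return int.from_bytes(fp[-4:], "big")

def parse_pinned_fingerprint(text: str) -> bytes:
    """Accept only a full 160-bit fingerprint; reject anything key-ID sized."""
    raw = bytes.fromhex("".join(text.split()))
    if len(raw) != 20:
        raise ValueError("expected a 40-hex-digit v4 fingerprint, got %d bytes" % len(raw))
    return raw

def is_pinned_key(body: bytes, pinned: str) -> bool:
    """Compare the whole fingerprint, never a truncated ID."""
    return hmac.compare_digest(v4_fingerprint(body), parse_pinned_fingerprint(pinned))

# Constructed sample values: not a real RSA key, just well-formed packet fields.
SAMPLE_N = (1 << 2047) | 0x10001F
SAMPLE_BODY = v4_rsa_packet_body(1640995200, SAMPLE_N, 65537)

if __name__ == "__main__":
    fp = v4_fingerprint(SAMPLE_BODY)
    print("fingerprint:", fp.hex().upper())
    print("key ID     : %016X" % key_id(fp))
    print("short ID   : %08X" % short_id(fp))
    print("pinned     :", is_pinned_key(SAMPLE_BODY, fp.hex()))
```

A trust store or cache keyed this way uses the 20-byte fingerprint as the map key and treats a key ID only as a lookup hint that may match more than one key.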