Re: [tycho-user] [cross-project-issues-dev] Using maven artifacts directly in eclipse target platform / tycho builds


> I would like to have a chance of discovering if someone tampered
> artifacts on my machine *after* installation.

I think we recently had the discussion about whether eclipse should check signatures on startup:

If someone has access to your machine to tamper with any file, you're almost lost and signatures do not help. A signature only provides you with some kind of trust in the origin and that it was not tampered with in transit.


Am 21.01.21 um 16:05 schrieb Mickael Istria:
On Thu, Jan 21, 2021 at 3:52 PM Wim Jongman <wim.jongman@xxxxxxxxx> wrote:

    I mean, does it matter if the wrapper is not signed as long as the
    wrapped jar is signed?


It mostly depends on the requirement on the consumer side. For most technologies, no-one seems to care about signatures inside jars; SimRel does.

> I would like to have a chance of discovering if someone tampered artifacts on my machine *after* installation. Checksums help with installation but not after installation.

This is IMO not the issue signing is about.
Checking the last modification date of the file is sufficient to know when an artifact has been tampered with. Keeping checksums of baseline vs current can also help. At a previous company I worked for, a checksum was requested for all files under the plugins/ folder to verify whether artifacts were tampered with compared to the provided set. No signing was involved.

_______________________________________________
tycho-user mailing list
tycho-user@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/tycho-user
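The baseline-vs-current checksum check described in the quoted message, as an added example that is not part of this thread or of Tycho/Eclipse: it hashes every file under a plugins/ folder, keeps that as the baseline, and later reports files that were modified, added or removed. The directory, jar names and jar contents are constructed for the demo.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large jars do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(baseline: dict, current: dict) -> dict:
    """Diff two snapshots; unlike mtime, a content hash cannot be reset in place."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def demo() -> dict:
    """Constructed plugins/ folder: record a baseline, tamper, then compare."""
    with tempfile.TemporaryDirectory() as d:
        plugins = Path(d) / "plugins"
        plugins.mkdir()
        (plugins / "org.example.core_1.0.0.jar").write_bytes(b"PK constructed jar A")
        (plugins / "org.example.ui_1.0.0.jar").write_bytes(b"PK constructed jar B")
        baseline_file = Path(d) / "plugins.sha256.json"
        # Baseline taken right after installation; keep it somewhere the
        # installation itself cannot rewrite (a separate store or host).
        baseline_file.write_text(json.dumps(snapshot(plugins), indent=2))
        # Simulated post-installation tampering: one jar changed, one removed, one added.
        (plugins / "org.example.core_1.0.0.jar").write_bytes(b"PK constructed jar A, patched")
        (plugins / "org.example.ui_1.0.0.jar").unlink()
        (plugins / "org.example.unknown_1.0.0.jar").write_bytes(b"PK constructed jar C")
        return compare(json.loads(baseline_file.read_text()), snapshot(plugins))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```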
