Re: [tycho-user] [cross-project-issues-dev] Using maven artifacts directly in eclipse target platform / tycho builds
> I would like to have a chance of discovering if someone tampered with
> artifacts on my machine *after* installation.
I think we recently had the discussion about whether Eclipse should check
signatures on startup:
If someone has access to your machine to tamper with any file, you're almost
lost and signatures do not help. A signature only provides you with
some kind of trust in the origin and that it was not tampered with in transit.
On 21.01.21 at 16:05, Mickael Istria wrote:
On Thu, Jan 21, 2021 at 3:52 PM Wim Jongman <wim.jongman@xxxxxxxxx> wrote:
I mean, does it matter if the wrapper is not signed as long as the
wrapped jar is signed?
It mostly depends on the requirement on the consumer side. For most
technologies, no-one seems to care about signatures inside jars; SimRel
does.
> I would like to have a chance of discovering if someone tampered with
> artifacts on my machine *after* installation. Checksums help with
> installation but not after installation.
This is IMO not the issue signing is about.
Checking the last modification date of the file is sufficient to know
when an artifact has been tampered with. Keeping checksums of baseline vs
current can also help. For a previous company I was working for, a
checksum was requested for all files under the plugins/ folder to verify
whether artifacts were tampered with compared to the provided set. No signing
was involved.
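
The baseline-versus-current checksum comparison for the plugins/ folder mentioned in the quoted message, as an added example that is not part of the thread or of any participant's code. The jar names and the baseline.json file are constructed for the demonstration; in practice the baseline would be stored outside the installation so it cannot be altered together with the files it describes.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1 << 16):
    """Stream the file so large jars are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map each file under root (relative POSIX path) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(Path(root).rglob("*")) if p.is_file()}


def compare(baseline, current):
    """Report files added, removed or modified relative to the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(n for n in baseline.keys() & current.keys()
                           if baseline[n] != current[n]),
    }


def demo():
    """Constructed sample: a fake plugins/ folder changed after the baseline."""
    with tempfile.TemporaryDirectory() as tmp:
        plugins = Path(tmp) / "plugins"
        plugins.mkdir()
        (plugins / "org.example.a_1.0.0.jar").write_bytes(b"original a")
        (plugins / "org.example.b_1.0.0.jar").write_bytes(b"original b")
        # Record the baseline right after installation (constructed file name).
        baseline_file = Path(tmp) / "baseline.json"
        baseline_file.write_text(json.dumps(build_manifest(plugins), indent=2))
        # Later: one jar altered, one deleted, one unexpected jar dropped in.
        (plugins / "org.example.a_1.0.0.jar").write_bytes(b"changed a")
        (plugins / "org.example.b_1.0.0.jar").unlink()
        (plugins / "org.example.c_1.0.0.jar").write_bytes(b"new c")
        return compare(json.loads(baseline_file.read_text()), build_manifest(plugins))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```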