Re: [tycho-user] [cross-project-issues-dev] Using maven artifacts directly in eclipse target platform / tycho builds

> On Jan 21, 2021, at 16:12, Christoph Läubrich <laeubi@xxxxxxxxxxxxxx> wrote:
> If someone has access to your machine to tamper with any file, you're almost lost and signatures do not help. A signature only provides you with some kind of trust in the origin and that it was not tampered with in transit.

The claims in this statement apply to a narrow scenario and simply don't hold true in the broader case. Please talk to security experts about threat modelling and mitigation.

Signed content is a fine way of verifying that content has not been tampered with. Any re-signing requires either access to the original signing key (which Eclipse.org webmasters protect) or injecting a new authority into a trust system, which *if* done properly, requires a different level of file system access than the process with write access to plugin jar files would have.

-Gunnar
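The two failure cases Gunnar distinguishes (bytes changed after signing; content re-signed by someone without the original key) can be made concrete with a small verifier. The following is an added example, not code from the thread, from Eclipse, or from Tycho: it models the signing authority with an Ed25519 key pair rather than the X.509/RSA material a real signed JAR carries, and the `TrustStore`, `SignedArtifact`, `Sign`, `Verify` and `Scenarios` names plus the plugin bytes are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// TrustStore models the consumer's set of accepted signing authorities
// (the role a trusted certificate plays for a p2 or jarsigner consumer).
// Adding a key here is the "inject a new authority" step, which needs a
// different privilege than writing to a plugin jar. Hypothetical type.
type TrustStore struct {
	keys []ed25519.PublicKey
}

// SignedArtifact bundles content with a detached signature over its
// SHA-256 digest and the signer's public key (analogous to the signer
// certificate embedded in a signed JAR). Hypothetical type.
type SignedArtifact struct {
	Content   []byte
	Signature []byte
	Signer    ed25519.PublicKey
}

// Sign produces the artifact as the publisher would, holding the private key.
func Sign(priv ed25519.PrivateKey, content []byte) SignedArtifact {
	digest := sha256.Sum256(content)
	return SignedArtifact{
		Content:   content,
		Signature: ed25519.Sign(priv, digest[:]),
		Signer:    priv.Public().(ed25519.PublicKey),
	}
}

// Verify rejects unless both hold: the signer is a trusted authority and
// the signature is valid over the content as it exists now on disk.
func (ts TrustStore) Verify(a SignedArtifact) error {
	trusted := false
	for _, k := range ts.keys {
		if k.Equal(a.Signer) {
			trusted = true
			break
		}
	}
	if !trusted {
		return errors.New("signer is not a trusted authority")
	}
	digest := sha256.Sum256(a.Content)
	if !ed25519.Verify(a.Signer, digest[:], a.Signature) {
		return errors.New("signature does not match content")
	}
	return nil
}

// Scenarios returns the verification outcome for the three cases in the
// thread: an untouched artifact, one modified after signing, and one
// re-signed with a key the consumer never trusted.
func Scenarios() (genuine, tampered, resigned error) {
	pubPublisher, privPublisher, _ := ed25519.GenerateKey(rand.Reader)
	_, privOther, _ := ed25519.GenerateKey(rand.Reader)
	store := TrustStore{keys: []ed25519.PublicKey{pubPublisher}}

	// Constructed sample bytes standing in for a plugin jar.
	plugin := []byte("org.example.plugin_1.0.0.jar contents")
	art := Sign(privPublisher, plugin)
	genuine = store.Verify(art)

	// Bytes changed on disk after signing: the signature no longer matches.
	modified := art
	modified.Content = []byte("org.example.plugin_1.0.0.jar contents (modified)")
	tampered = store.Verify(modified)

	// Modified bytes re-signed with a non-trusted key: internally consistent,
	// but rejected because the signer is not in the trust store.
	resigned = store.Verify(Sign(privOther, modified.Content))
	return
}

func main() {
	g, t, r := Scenarios()
	fmt.Println("genuine:", g)
	fmt.Println("modified after signing:", t)
	fmt.Println("re-signed with untrusted key:", r)
}
```

Only the first case verifies; the other two fail for different reasons, which is the distinction between "signatures don't help once the file is writable" and "the write-access attacker still cannot produce an accepted signature".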
