Support '--ignored' and '--ignore value' to allow ignored arguments to
be specified in pom.xml invocations.
Support '-Dorg.eclipse.cbi.p2repo.aggregator.ignoreFeaturePGPSignature=true'
for ignoring (temporarily and conditionally) PGP signatures on features.
#12
Because of problems with expired signatures as described here:
eclipse-platform/eclipse.platform.releng.aggregator#661
It will be good to find a workaround for signed jars that will be treated as unsigned by associating also a PGP signature. But it's hard to manage this because we only want to do this for a subset of artifacts. There is this option:
https://tycho.eclipseprojects.io/doc/latest/tycho-gpg-plugin/sign-p2-artifacts-mojo.html#skipIfJarsigned
But at least for Tycho 2.7.5, this does not recognize that the jar will be treated as unsigned. If we set that to false, then all jars are PGP signed, but we don't want that. Also, things with existing PGP signatures are signed again, but the XML has duplicate keys, so the existing PGP signatures will be replaced by new ones, which we also don't want.
So we enhance the aggregator to compute certificate fingerprints that we record in the artifact metadata. We also record the original PGP key and signature in the artifact metadata. Then we can post process the repository to keep PGP signatures for jar-signed artifacts only for those certificates that are expired. We can also restore the original PGP keys and signatures, or even merge them.
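As an added illustration (not code from the aggregator or from Tycho), the following Java snippet performs the decision described above for one jar: it reads the jar's signer certificates, computes the SHA-256 fingerprints that could be recorded in the artifact metadata, and reports whether any signer certificate is outside its validity period, which is the case in which the PGP signature should be kept. The class name, the fingerprint format and the "any expired signer" rule are assumptions.

```java
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.MessageDigest;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

public class JarSignerCheck {
    // Hex SHA-256 fingerprint of the certificate's DER encoding (the value the issue proposes recording).
    static String fingerprint(X509Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (byte b : digest) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    // Maps each signer certificate fingerprint to "expired or not yet valid"; entries must be read to the end
    // before getCodeSigners() returns anything, so each one is consumed first.
    static Map<String, Boolean> signerCertificates(String path) throws Exception {
        Map<String, Boolean> result = new LinkedHashMap<>();
        try (JarFile jar = new JarFile(path, true)) {
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry entry = entries.nextElement();
                if (entry.isDirectory() || entry.getName().startsWith("META-INF/")) continue;
                try (InputStream in = jar.getInputStream(entry)) {
                    in.readAllBytes(); // verifies the entry's digest against the signature
                }
                CodeSigner[] signers = entry.getCodeSigners();
                if (signers == null) continue;
                for (CodeSigner signer : signers) {
                    X509Certificate leaf = (X509Certificate) signer.getSignerCertPath().getCertificates().get(0);
                    boolean expired;
                    try { leaf.checkValidity(); expired = false; } catch (CertificateException e) { expired = true; }
                    result.put(fingerprint(leaf), expired);
                }
            }
        }
        return result;
    }

    public static void main(String[] args) throws Exception {
        Map<String, Boolean> certs = signerCertificates(args[0]);
        certs.forEach((fp, expired) -> System.out.println(fp + (expired ? "  expired" : "  valid")));
        // Rule from the issue: a jar-signed artifact keeps its PGP signature only if a signer certificate has expired.
        System.out.println(certs.isEmpty() ? "not jar-signed" : certs.containsValue(true) ? "keep PGP signature" : "drop PGP signature");
    }
}
```

Because the JarFile is opened with verification enabled, a tampered entry makes readAllBytes() throw a SecurityException rather than yield signer information, which is the right outcome for this check.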