PGP signing mojo re-adds new signature properties for already signed artifacts #1466
Milestone
Comments
|
Yes, I can confirm that this happens. I've worked around various shortcomings and problems in the aggregator: eclipse-cbi/p2repo-aggregator#12 Here I add a fingerprint of the signing certificate to the artifact metadata, if there is one, and I record the original PGP signature/key: Then, after Tycho PGP signs all bundles and features, even ones that are jar-signed, I post process the metadata. That let's me implement what you describe above: Some of this might be reusable (copy it and improve it): The processing here also lets me "reject" certain certificates, ones Tycho doesn't recognize as being treated as unsigned (even when running with a 17.0.5+8 JRE where jarsigner should detect that) and then I retain the new PGP signatures for those artifacts. But my biggest problem now, one that I cannot work around, is that PGP signed features don't validate.
Obviously I need to open issues for some of these issues, but I'm been swamped... |
|
I'd like to start implementing support for this. Unless I've overlooked something though, I see no test cases related to org.eclipse.tycho.gpg.SignRepositoryArtifactsMojo. Or did I overlook something? I have been able to test it locally by creating a key in my ~/.gnupg folder and using that, but I don't know if such a thing can be made portable across OSes for an actual test case that's committed... |
|
I think we recently have had a similar case where it was considered to complex to have a full PGP setup for testing (even though there are some ways) because that uses the native PGP tooling. So this is mostly tested manually and tried to find issues by code reviews. |
merks
added a commit
to merks/tycho
that referenced
this issue
Nov 23, 2022
Improve support for how already-PGP-signed artifacts are handled to support skip, replace, or merge. Use SignedContentFactory for checking jar signatures which allows for skipping jars that are only signed by certificates anchored in Java's cacerts. Support PGP signing features, and optionally also binary artifacts. Support using Bouncy Castle for signing to improve performance and to allow signing to be done in parallel. This also better support providing integration tests for the various sign-p2-artifacts mojo's options. Ensure that only keys actually used by signatures are added to the repository and/or artifact properties. Determining the default key is needed only when signing with Bouncy Castle, in which case it's determined by signing a document and checking which key is used; that's because the default key can be specified in the gpg.config so just listing the secret key fingerprints will not always correctly identify the correct default. For testing purposes, support generating key information and loading it. Use that to provide integration tests for the new options as well as for existing options. eclipse-tycho#1466
merks
added a commit
to merks/tycho
that referenced
this issue
Nov 23, 2022
Improve support for how already-PGP-signed artifacts are handled to support skip, replace, or merge. Use SignedContentFactory for checking jar signatures which allows for skipping jars that are only signed by certificates anchored in Java's cacerts. Support PGP signing features, and optionally also binary artifacts. Support using Bouncy Castle for signing to improve performance and to allow signing to be done in parallel. This also better support providing integration tests for the various sign-p2-artifacts mojo's options. Ensure that only keys actually used by signatures are added to the repository and/or artifact properties. Determining the default key is needed only when signing with Bouncy Castle, in which case it's determined by signing a document and checking which key is used; that's because the default key can be specified in the gpg.config so just listing the secret key fingerprints will not always correctly identify the correct default. For testing purposes, support generating key information and loading it. Use that to provide integration tests for the new options as well as for existing options. eclipse-tycho#1466
merks
added a commit
to merks/tycho
that referenced
this issue
Nov 23, 2022
Improve support for how already-PGP-signed artifacts are handled to support skip, replace, or merge. Use SignedContentFactory for checking jar signatures which allows for skipping jars that are only signed by certificates anchored in Java's cacerts. Support PGP signing features, and optionally also binary artifacts. Support using Bouncy Castle for signing to improve performance and to allow signing to be done in parallel. This also better support providing integration tests for the various sign-p2-artifacts mojo's options. Ensure that only keys actually used by signatures are added to the repository and/or artifact properties. Determining the default key is needed only when signing with Bouncy Castle, in which case it's determined by signing a document and checking which key is used; that's because the default key can be specified in the gpg.config so just listing the secret key fingerprints will not always correctly identify the correct default. For testing purposes, support generating key information and loading it. Use that to provide integration tests for the new options as well as for existing options. eclipse-tycho#1466
merks
added a commit
to merks/tycho
that referenced
this issue
Nov 23, 2022
Improve support for how already-PGP-signed artifacts are handled to support skip, replace, or merge. Use SignedContentFactory for checking jar signatures which allows for skipping jars that are only signed by certificates anchored in Java's cacerts. Support PGP signing features, and optionally also binary artifacts. Support using Bouncy Castle for signing to improve performance and to allow signing to be done in parallel. This also better support providing integration tests for the various sign-p2-artifacts mojo's options. Ensure that only keys actually used by signatures are added to the repository and/or artifact properties. Determining the default key is needed only when signing with Bouncy Castle, in which case it's determined by signing a document and checking which key is used; that's because the default key can be specified in the gpg.conf so just listing the secret key fingerprints will not always correctly identify the correct default. For testing purposes, support generating key information and loading it. Use that to provide integration tests for the new options as well as for existing options. eclipse-tycho#1466
merks
added a commit
to merks/tycho
that referenced
this issue
Nov 24, 2022
Improve support for how already-PGP-signed artifacts are handled to support skip, replace, or merge. Use SignedContentFactory for checking jar signatures which allows for skipping jars that are only signed by certificates anchored in Java's cacerts. Support PGP signing features, and optionally also binary artifacts. Support using Bouncy Castle for signing to improve performance and to allow signing to be done in parallel. This also better support providing integration tests for the various sign-p2-artifacts mojo's options. Ensure that only keys actually used by signatures are added to the repository and/or artifact properties. Determining the default key is needed only when signing with Bouncy Castle, in which case it's determined by signing a document and checking which key is used; that's because the default key can be specified in the gpg.conf so just listing the secret key fingerprints will not always correctly identify the correct default. For testing purposes, support generating key information and loading it. Use that to provide integration tests for the new options as well as for existing options. eclipse-tycho#1466
merks
added a commit
to merks/tycho
that referenced
this issue
Nov 24, 2022
Improve support for how already-PGP-signed artifacts are handled to support skip, replace, or merge. Use SignedContentFactory for checking jar signatures which allows for skipping jars that are only signed by certificates anchored in Java's cacerts. Support PGP signing features, and optionally also binary artifacts. Support using Bouncy Castle for signing to improve performance and to allow signing to be done in parallel. This also better support providing integration tests for the various sign-p2-artifacts mojo's options. Ensure that only keys actually used by signatures are added to the repository and/or artifact properties. Determining the default key is needed only when signing with Bouncy Castle, in which case it's determined by signing a document and checking which key is used; that's because the default key can be specified in the gpg.conf so just listing the secret key fingerprints will not always correctly identify the correct default. For testing purposes, support generating key information and loading it. Use that to provide integration tests for the new options as well as for existing options. eclipse-tycho#1466
laeubi
pushed a commit
that referenced
this issue
Nov 24, 2022
Improve support for how already-PGP-signed artifacts are handled to support skip, replace, or merge. Use SignedContentFactory for checking jar signatures which allows for skipping jars that are only signed by certificates anchored in Java's cacerts. Support PGP signing features, and optionally also binary artifacts. Support using Bouncy Castle for signing to improve performance and to allow signing to be done in parallel. This also better support providing integration tests for the various sign-p2-artifacts mojo's options. Ensure that only keys actually used by signatures are added to the repository and/or artifact properties. Determining the default key is needed only when signing with Bouncy Castle, in which case it's determined by signing a document and checking which key is used; that's because the default key can be specified in the gpg.conf so just listing the secret key fingerprints will not always correctly identify the correct default. For testing purposes, support generating key information and loading it. Use that to provide integration tests for the new options as well as for existing options. #1466
|
@laeubi This can be closed as completed now. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
If you're including in your p2 repo an artifact that already has some PGP signature (eg slf4j-api from Platform I-Build), and call the sign-p2-artifacts goal on it, then some new properties with the new signature and new key are added, leading to duplicated properties.
The mojo should provide a way to handle that case of already PGP-signed bundles:
The text was updated successfully, but these errors were encountered: