Bug 570907 - p2 to verify PGP signatures in artifact metadata
Status: RESOLVED FIXED
Product: Equinox
Classification: Eclipse Project
Component: p2
Version: unspecified
Hardware: All All
Importance: P3 enhancement
Target Milestone: 4.20 M2
Assignee: Mickael Istria
Keywords: noteworthy
Blocks: 572816
Reported: 2021-02-04 07:53 EST by Mickael Istria
Modified: 2021-04-19 10:59 EDT (History)

Description Mickael Istria 2021-02-04 07:53:09 EST
Artifacts that publish some PGP signatures in their metadata should have the artifact verified against the given signature at installation.
Comment 1 Mickael Istria 2021-02-05 04:22:12 EST
I've been playing a bit with it (see https://git.eclipse.org/r/c/equinox/rt.equinox.p2/+/175851 ). However, the tricky part is that we also need to have some access to the public key in one way or another (signatures only contain a public key ID, not the whole key for verification).
So we need to decide where such a public key can/should live: in the artifact metadata, in some local storage of the Eclipse IDE, reusing the GPG default keyring...
Comment 2 Mickael Istria 2021-02-22 08:13:03 EST
In a new version of the patch, I've put the verification step directly inside org.eclipse.equinox.p2.artifact.repository, so it's impossible for anyone to remove the signature check without tampering with an official artifact.
With the former approach (separate bundle), it was possible for anyone to just remove the .pgp bundle and no signature would be verified. This was a bit too weak.

The current code verifies that the files that have signatures are 1. signed by the Eclipse webmaster key and 2. the signatures match.
Comment 3 Mickael Istria 2021-03-23 04:45:29 EDT
Widening a bit the scope here: verifying the signatures in a processingStep is a later step in the workflow. But this story also involves users being prompted, before installation, for signatures to trust before applying the installation plan, and this set of trusted signatures would then be passed to p2 for verification.
The processingStep itself would be responsible for building a set of trusted keys; the set of trusted keys comes from the user, through the installation request.
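As an added illustration of the check described in comments 2 and 3 (look the signer's key up by the key ID carried in the signature, verify the signature over the artifact bytes, then decide on trust from a set the user supplied), here is a Java sketch against BouncyCastle's lightweight OpenPGP API. This is not the p2 patch or any p2 API; the class name, the Verdict enum and the shape of the trusted-key-ID parameter are assumptions.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Set;

import org.bouncycastle.openpgp.PGPException;
import org.bouncycastle.openpgp.PGPPublicKey;
import org.bouncycastle.openpgp.PGPPublicKeyRingCollection;
import org.bouncycastle.openpgp.PGPSignature;
import org.bouncycastle.openpgp.PGPSignatureList;
import org.bouncycastle.openpgp.PGPUtil;
import org.bouncycastle.openpgp.bc.BcPGPObjectFactory;
import org.bouncycastle.openpgp.operator.bc.BcPGPContentVerifierBuilderProvider;

/** Hypothetical helper (not p2 code): checks the detached PGP signatures an artifact publishes in its metadata. */
public final class ArtifactSignatureCheck {

    public enum Verdict { OK, NO_SIGNATURE, KEY_NOT_AVAILABLE, BAD_SIGNATURE, SIGNER_NOT_TRUSTED }

    /**
     * @param artifact      the downloaded artifact bytes
     * @param armoredSigs   ASCII-armored detached signature block taken from the artifact metadata
     * @param keyring       public keys available locally (metadata, IDE store, or the GPG keyring)
     * @param trustedKeyIds key IDs the user accepted in the installation request (assumed shape)
     */
    public static Verdict verify(byte[] artifact, String armoredSigs,
            PGPPublicKeyRingCollection keyring, Set<Long> trustedKeyIds)
            throws IOException, PGPException {
        // The armor carries only signature packets with the signer's key ID, never the key itself.
        Object obj = new BcPGPObjectFactory(PGPUtil.getDecoderStream(
                new ByteArrayInputStream(armoredSigs.getBytes(StandardCharsets.US_ASCII)))).nextObject();
        if (!(obj instanceof PGPSignatureList) || ((PGPSignatureList) obj).isEmpty()) {
            return Verdict.NO_SIGNATURE;
        }
        PGPSignatureList sigs = (PGPSignatureList) obj;
        boolean trustedSignerSeen = false;
        for (int i = 0; i < sigs.size(); i++) {
            PGPSignature sig = sigs.get(i);
            PGPPublicKey key = keyring.getPublicKey(sig.getKeyID());
            if (key == null) {
                return Verdict.KEY_NOT_AVAILABLE;   // nothing to verify against without the public key
            }
            sig.init(new BcPGPContentVerifierBuilderProvider(), key);
            sig.update(artifact);
            if (!sig.verify()) {
                return Verdict.BAD_SIGNATURE;       // artifact bytes or signature were altered
            }
            // A valid signature only tells who signed; whether to trust that signer is the caller's policy.
            if (trustedKeyIds.contains(sig.getKeyID())) {
                trustedSignerSeen = true;
            }
        }
        return trustedSignerSeen ? Verdict.OK : Verdict.SIGNER_NOT_TRUSTED;
    }
}
```

The separation between BAD_SIGNATURE and SIGNER_NOT_TRUSTED mirrors the split in comment 4: signature verification lives in the repository code, trust decisions are a separate concern.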
Comment 4 Mickael Istria 2021-04-13 16:50:39 EDT
Gerrit patch is ready for review. This patch does verify PGP signatures present in p2 metadata when downloading an artifact.
Note: this part is only about verifying that the artifact is signed and by whom, nothing about trust yet; the trust strategy is the topic of bug 572816.
Comment 5 Eclipse Genie 2021-04-13 17:27:54 EDT
New Gerrit change created: https://git.eclipse.org/r/c/platform/eclipse.platform.releng.aggregator/+/179278
Comment 7 Eclipse Genie 2021-04-15 11:10:30 EDT
New Gerrit change created: https://git.eclipse.org/r/c/www.eclipse.org/eclipse/news/+/179388
Comment 10 Sravan Kumar Lakkimsetti 2021-04-17 23:21:49 EDT
Something went wrong with this commit: https://git.eclipse.org/r/c/equinox/rt.equinox.p2/+/175851

Build failed while creating base builder. 

Install location:
     file:/home/jenkins/agent/workspace/I-build-4.20/eclipse.platform.releng.aggregator/eclipse.platform.releng.aggregator/cje-production/tmp/eclipse/
 Configuration file:
     file:/home/jenkins/agent/workspace/I-build-4.20/eclipse.platform.releng.aggregator/eclipse.platform.releng.aggregator/cje-production/tmp/eclipse/configuration/config.ini loaded
 Configuration location:
     file:/home/jenkins/agent/workspace/I-build-4.20/eclipse.platform.releng.aggregator/eclipse.platform.releng.aggregator/cje-production/tmp/eclipse/configuration/
 Framework located:
     file:/home/jenkins/agent/workspace/I-build-4.20/eclipse.platform.releng.aggregator/eclipse.platform.releng.aggregator/cje-production/tmp/eclipse/plugins/org.eclipse.osgi_3.16.200.v20210226-1447.jar
 Loading extension: reference:file:org.eclipse.osgi.compatibility.state_1.2.300.v20210212-1137.jar
 	eclipse.properties not found
 Framework classpath:
     file:/home/jenkins/agent/workspace/I-build-4.20/eclipse.platform.releng.aggregator/eclipse.platform.releng.aggregator/cje-production/tmp/eclipse/plugins/org.eclipse.osgi_3.16.200.v20210226-1447.jar
     file:/home/jenkins/agent/workspace/I-build-4.20/eclipse.platform.releng.aggregator/eclipse.platform.releng.aggregator/cje-production/tmp/eclipse/plugins/
     file:/home/jenkins/agent/workspace/I-build-4.20/eclipse.platform.releng.aggregator/eclipse.platform.releng.aggregator/cje-production/tmp/eclipse/plugins/org.eclipse.osgi.compatibility.state_1.2.300.v20210212-1137.jar
 Debug options:
     file:/home/jenkins/agent/workspace/I-build-4.20/eclipse.platform.releng.aggregator/eclipse.platform.releng.aggregator/cje-production/mbscripts/.options not found
 Time to load bundles: 58
 Starting application: 3284
 Installing org.eclipse.platform.ide 4.20.0.I20210416-1800.
 Installing org.eclipse.pde.api.tools 1.2.500.v20210415-0924.
 Installing org.eclipse.releng.build.tools.feature.feature.group 1.0.101.v20210108-0914.
 Installing org.eclipse.wtp.releng.tools.feature.feature.group 1.2.0.v201902122017.
 Installation failed.
 Cannot complete the install because one or more required items could not be found.
 	Software being installed: Eclipse Platform 4.20.0.I20210416-1800 (org.eclipse.platform.ide 4.20.0.I20210416-1800)
 	Missing requirement: Equinox Provisioning Artifact Repository Support 1.4.100.v20210416-1240 (org.eclipse.equinox.p2.artifact.repository 1.4.100.v20210416-1240) requires 'java.package; org.bouncycastle.bcpg 1.65.0' but it could not be found
 	Cannot satisfy dependency:
 		From: Equinox p2, headless functionalities 1.6.1000.v20210416-1240 (org.eclipse.equinox.p2.core.feature.feature.group 1.6.1000.v20210416-1240)
 		To: org.eclipse.equinox.p2.iu; org.eclipse.equinox.p2.artifact.repository [1.4.100.v20210416-1240,1.4.100.v20210416-1240]
 	Cannot satisfy dependency:
 		From: Equinox p2, Provisioning for IDEs. 2.4.1200.v20210416-1240 (org.eclipse.equinox.p2.user.ui.feature.group 2.4.1200.v20210416-1240)
 		To: org.eclipse.equinox.p2.iu; org.eclipse.equinox.p2.core.feature.feature.group [1.6.1000.v20210416-1240,1.6.1000.v20210416-1240]
 	Cannot satisfy dependency:
 		From: Eclipse Platform 4.20.0.I20210416-1800 (org.eclipse.platform.ide 4.20.0.I20210416-1800)
 		To: org.eclipse.equinox.p2.iu; org.eclipse.equinox.p2.user.ui.feature.group [2.4.1200.v20210416-1240,2.4.1200.v20210416-1240]
Comment 11 Eclipse Genie 2021-04-17 23:23:29 EDT
New Gerrit change created: https://git.eclipse.org/r/c/equinox/rt.equinox.p2/+/179035
Comment 13 Sravan Kumar Lakkimsetti 2021-04-17 23:29:03 EDT
(In reply to Sravan Kumar Lakkimsetti from comment #10)
> Some thing went wrong with
> https://git.eclipse.org/r/c/equinox/rt.equinox.p2/+/175851 this commit.
> 
> Build failed while creating base builder. 
> 
> Install location:
>     
> file:/home/jenkins/agent/workspace/I-build-4.20/eclipse.platform.releng.
> aggregator/eclipse.platform.releng.aggregator/cje-production/tmp/eclipse/
>  Configuration file:
>     
> file:/home/jenkins/agent/workspace/I-build-4.20/eclipse.platform.releng.
> aggregator/eclipse.platform.releng.aggregator/cje-production/tmp/eclipse/
> configuration/config.ini loaded
>  Configuration location:
>     
> file:/home/jenkins/agent/workspace/I-build-4.20/eclipse.platform.releng.
> aggregator/eclipse.platform.releng.aggregator/cje-production/tmp/eclipse/
> configuration/
>  Framework located:
>     
> file:/home/jenkins/agent/workspace/I-build-4.20/eclipse.platform.releng.
> aggregator/eclipse.platform.releng.aggregator/cje-production/tmp/eclipse/
> plugins/org.eclipse.osgi_3.16.200.v20210226-1447.jar
>  Loading extension:
> reference:file:org.eclipse.osgi.compatibility.state_1.2.300.v20210212-1137.
> jar
>  	eclipse.properties not found
>  Framework classpath:
>     
> file:/home/jenkins/agent/workspace/I-build-4.20/eclipse.platform.releng.
> aggregator/eclipse.platform.releng.aggregator/cje-production/tmp/eclipse/
> plugins/org.eclipse.osgi_3.16.200.v20210226-1447.jar
>     
> file:/home/jenkins/agent/workspace/I-build-4.20/eclipse.platform.releng.
> aggregator/eclipse.platform.releng.aggregator/cje-production/tmp/eclipse/
> plugins/
>     
> file:/home/jenkins/agent/workspace/I-build-4.20/eclipse.platform.releng.
> aggregator/eclipse.platform.releng.aggregator/cje-production/tmp/eclipse/
> plugins/org.eclipse.osgi.compatibility.state_1.2.300.v20210212-1137.jar
>  Debug options:
>     
> file:/home/jenkins/agent/workspace/I-build-4.20/eclipse.platform.releng.
> aggregator/eclipse.platform.releng.aggregator/cje-production/mbscripts/.
> options not found
>  Time to load bundles: 58
>  Starting application: 3284
>  Installing org.eclipse.platform.ide 4.20.0.I20210416-1800.
>  Installing org.eclipse.pde.api.tools 1.2.500.v20210415-0924.
>  Installing org.eclipse.releng.build.tools.feature.feature.group
> 1.0.101.v20210108-0914.
>  Installing org.eclipse.wtp.releng.tools.feature.feature.group
> 1.2.0.v201902122017.
>  Installation failed.
>  Cannot complete the install because one or more required items could not be
> found.
>  	Software being installed: Eclipse Platform 4.20.0.I20210416-1800
> (org.eclipse.platform.ide 4.20.0.I20210416-1800)
>  	Missing requirement: Equinox Provisioning Artifact Repository Support
> 1.4.100.v20210416-1240 (org.eclipse.equinox.p2.artifact.repository
> 1.4.100.v20210416-1240) requires 'java.package; org.bouncycastle.bcpg
> 1.65.0' but it could not be found
>  	Cannot satisfy dependency:
>  		From: Equinox p2, headless functionalities 1.6.1000.v20210416-1240
> (org.eclipse.equinox.p2.core.feature.feature.group 1.6.1000.v20210416-1240)
>  		To: org.eclipse.equinox.p2.iu; org.eclipse.equinox.p2.artifact.repository
> [1.4.100.v20210416-1240,1.4.100.v20210416-1240]
>  	Cannot satisfy dependency:
>  		From: Equinox p2, Provisioning for IDEs. 2.4.1200.v20210416-1240
> (org.eclipse.equinox.p2.user.ui.feature.group 2.4.1200.v20210416-1240)
>  		To: org.eclipse.equinox.p2.iu;
> org.eclipse.equinox.p2.core.feature.feature.group
> [1.6.1000.v20210416-1240,1.6.1000.v20210416-1240]
>  	Cannot satisfy dependency:
>  		From: Eclipse Platform 4.20.0.I20210416-1800 (org.eclipse.platform.ide
> 4.20.0.I20210416-1800)
>  		To: org.eclipse.equinox.p2.iu;
> org.eclipse.equinox.p2.user.ui.feature.group
> [2.4.1200.v20210416-1240,2.4.1200.v20210416-1240]

Bouncycastle bundles are not there in the repository.
Repository location used for the above build: https://download.eclipse.org/eclipse/updates/4.20-I-builds/I20210416-1800
Comment 14 Eclipse Genie 2021-04-18 03:25:53 EDT
New Gerrit change created: https://git.eclipse.org/r/c/equinox/rt.equinox.p2/+/179465