With bug 570907, p2 will now verify if the signature provided in p2 metadata is correct and matches the file. That allows providing a form of certification. Next step after certification is about defining trust, and is the topic of that ticket: the resolved "PGP Certifications" which in practice can be reduced to the PGP public key of the signer(s) need to be trusted, similarly to Certificates. The CheckTrust mechanism should be augmented to also support trusting relevant PGP public keys that were involved in artifact signing.
I imagine this will impact the installer. Many of the other p2 dialogs do not work in the installer because of dependencies on the existence of a workbench so likely there will be similar issues.
(In reply to Ed Merks from comment #1)
> I imagine this will impact the installer. Many of the other p2 dialogs do
> not work in the installer because of dependencies on the existence of a
> workbench so likely there will be similar issues.

How does the installer deal with content with untrusted certificates?
This creates a dialog:
org.eclipse.oomph.p2.internal.ui.P2ServiceUI.getTrustInfo(Certificate[][], String[])

This contains helper classes:
org.eclipse.oomph.p2.core.CertificateConfirmer

This helps implement storage of certificates in the User.setup so that they are available/reusable in all installers and all installations after trust is confirmed and the user requests to remember that confirmation:
org.eclipse.oomph.setup.internal.core.util.SetupCoreUtil.createCertificateConfirmer(User, boolean)
Unless I misunderstood something, the patch adds a method and a new constructor; so it shouldn't break extenders (such as installer). Extenders however would have to implement support for PGP signatures in their "trust" dialog similarly to what they do for Certificates if they want to install p2 artifacts that have PGP signatures using a newer version of p2. For artifacts that don't have PGP signatures, nothing additional is necessary, they'll keep being installable without change.
Gerrit change https://git.eclipse.org/r/c/equinox/rt.equinox.p2/+/179275 was merged to [master]. Commit: http://git.eclipse.org/c/equinox/rt.equinox.p2.git/commit/?id=45af7098437c45a46e7637d9aeb0177ca998e209
New Gerrit change created: https://git.eclipse.org/r/c/www.eclipse.org/eclipse/news/+/181998
Gerrit change https://git.eclipse.org/r/c/www.eclipse.org/eclipse/news/+/181998 was merged to [master]. Commit: http://git.eclipse.org/c/www.eclipse.org/eclipse/news.git/commit/?id=fbae5dc1150e8fbd21d25f67a08728e269fcd3b2
(In reply to Eclipse Genie from comment #5)
> Gerrit change https://git.eclipse.org/r/c/equinox/rt.equinox.p2/+/179275 was
> merged to [master].
> Commit:
> http://git.eclipse.org/c/equinox/rt.equinox.p2.git/commit/
> ?id=45af7098437c45a46e7637d9aeb0177ca998e209

This causes two compilation errors in the IDE:

Description Resource Path Location Type

Discouraged access: The type 'PGPSignatureVerifier' is not API (restriction on required library '/data/eclipse4.21/eclipse/plugins/org.eclipse.equinox.p2.artifact.repository_1.4.100.v20210418-1636.jar') CertificateChecker.java /org.eclipse.equinox.p2.engine/src/org/eclipse/equinox/internal/p2/engine/phases line 26 Java Problem

Discouraged access: The type 'PGPSignatureVerifier' is not API (restriction on required library '/data/eclipse4.21/eclipse/plugins/org.eclipse.equinox.p2.artifact.repository_1.4.100.v20210418-1636.jar') CertificateChecker.java /org.eclipse.equinox.p2.engine/src/org/eclipse/equinox/internal/p2/engine/phases line 129 Java Problem
(In reply to Andrey Loskutov from comment #8)
> (In reply to Eclipse Genie from comment #5)
> > Gerrit change https://git.eclipse.org/r/c/equinox/rt.equinox.p2/+/179275 was
> > merged to [master].
> > Commit:
> > http://git.eclipse.org/c/equinox/rt.equinox.p2.git/commit/
> > ?id=45af7098437c45a46e7637d9aeb0177ca998e209
>
> This causes two compilation errors in the IDE:

Sorry, I haven't org.eclipse.equinox.p2.artifact.repository in the workspace
Me again. Releng tests complain about javadoc errors:

https://download.eclipse.org/eclipse/downloads/drops4/I20210615-1800/testresults/html/org.eclipse.releng.tests_ep421I-unit-cen64-gtk3-java11_linux.gtk.x86_64_11.html
https://download.eclipse.org/eclipse/downloads/drops4/I20210615-1800/compilelogs/platform.doc.isv.javadoc.txt

../../../rt.equinox.p2/bundles/org.eclipse.equinox.p2.core/src/org/eclipse/equinox/p2/core/UIServices.java:20: error: package org.bouncycastle.openpgp does not exist
import org.bouncycastle.openpgp.PGPPublicKey;
^
../../../rt.equinox.p2/bundles/org.eclipse.equinox.p2.core/src/org/eclipse/equinox/p2/core/UIServices.java:222: error: cannot find symbol
public TrustInfo getTrustInfo(Certificate[][] unTrustedCertificateChains, Collection<PGPPublicKey> untrustedPGPKeys,
^
symbol: class PGPPublicKey
location: class UIServices
../../../rt.equinox.p2/bundles/org.eclipse.equinox.p2.core/src/org/eclipse/equinox/p2/core/UIServices.java:80: error: cannot find symbol
private final Collection<PGPPublicKey> trustedPGPKeys;
^
symbol: class PGPPublicKey
location: class TrustInfo
../../../rt.equinox.p2/bundles/org.eclipse.equinox.p2.core/src/org/eclipse/equinox/p2/core/UIServices.java:107: error: cannot find symbol
public TrustInfo(Collection<Certificate> trustedCertificates, Collection<PGPPublicKey> trustedPGPKeys,
^
symbol: class PGPPublicKey
location: class TrustInfo
../../../rt.equinox.p2/bundles/org.eclipse.equinox.p2.core/src/org/eclipse/equinox/p2/core/UIServices.java:132: error: cannot find symbol
public Collection<PGPPublicKey> getTrustedPGPKeys() {
^
symbol: class PGPPublicKey
location: class TrustInfo
5 errors
(In reply to Andrey Loskutov from comment #10)
> Releng tests complain about javadoc errors:

Thanks for reporting Andrey!
Does anyone know how I can reproduce this error locally? I tried

mistria@localhost:~/git/eclipse.platform.releng.aggregator/eclipse.platform.common/bundles/org.eclipse.platform.doc.isv$ mvn clean verify -Pbuild-individual-bundles

but didn't see the issue mentioned with up-to-date modules, however it seems that Javadoc generation as a whole is skipped.
@Sravan: do you have any clue on the simplest way to reproduce Javadoc build issues from CLI?
(In reply to Mickael Istria from comment #11)
> (In reply to Andrey Loskutov from comment #10)
> > Releng tests complain about javadoc errors:
>
> Thanks for reporting Andrey!
> Does anyone know how I can reproduce this error locally? I tried
>
> mistria@localhost:~/git/eclipse.platform.releng.aggregator/eclipse.platform.
> common/bundles/org.eclipse.platform.doc.isv$ mvn clean verify
> -Pbuild-individual-bundles
>
> but didn't see the issue mentioned with up-to-date modules, however it seems
> that Javadoc generation as a whole is skipped.
> @Sravan: do you have any clue on the simplest way to reproduce Javadoc build
> issues from CLI?

I am able to reproduce the problem with the above command. You'll need all the submodules in aggregator up-to-date. The error log is in target/doc.bin.log.

The problem here is bouncycastle javadoc is not added as link in
https://git.eclipse.org/c/platform/eclipse.platform.common.git/tree/bundles/org.eclipse.platform.doc.isv/platformOptions.txt#n191
New Gerrit change created: https://git.eclipse.org/r/c/platform/eclipse.platform.common/+/182127
Gerrit change https://git.eclipse.org/r/c/platform/eclipse.platform.common/+/182127 was merged to [master]. Commit: http://git.eclipse.org/c/platform/eclipse.platform.common.git/commit/?id=e9e1cd03fba1d5c8cbd777ea25b5cd7b4477dc31
Here is the new javadoc error log:
https://download.eclipse.org/eclipse/downloads/drops4/I20210617-1800/compilelogs/platform.doc.isv.javadoc.txt

For the implSpec you'll need to add
-tag "implSpec:a:Implementation Requirements:"
to platformOptions.txt file. I think the other errors and warnings are self explanatory.
New Gerrit change created: https://git.eclipse.org/r/c/equinox/rt.equinox.p2/+/182152
Gerrit change https://git.eclipse.org/r/c/equinox/rt.equinox.p2/+/182152 was merged to [master]. Commit: http://git.eclipse.org/c/equinox/rt.equinox.p2.git/commit/?id=b3de3dad4aa1bfe90eaa8cdc5081c80a1bbea9d9
Javadoc seems all right now