Community
Participate
Working Groups
This is the programmatic counterpart of bug 577193. In order to rely more widely on PGP keys instead of jarsigner, p2 needs to implement a chain of trust from installed artifacts allowing to trust some other keys/artifacts, so one can install in a product a set of trusted keys from trusted projects. There is already such capability for product packages, but that doesn't cover the case of updates. So we need a way to provide such keys from update-able artifacts. Initially, there was such strategy directly built-in in p2 IUs providing a property in their metadata, but it was then identified as unsafe because metadata are not signed and are too easy to forge; so it was removed. The only "signed" data or metadata we have are the plugins themselves. So most likely the safest way is to use the extensibility provided by plugins/bundles directly.
Recommendation here is to inject keys via the Provide-Capability header: https://www.eclipse.org/lists/equinox-dev/msg09344.html
New Gerrit change created: https://git.eclipse.org/r/c/equinox/rt.equinox.p2/+/189269
New Gerrit change created: https://git.eclipse.org/r/c/equinox/rt.equinox.p2/+/189270
(In reply to Mickael Istria from comment #1) > Recommendation here is to inject keys via the Provide-Capability header: > https://www.eclipse.org/lists/equinox-dev/msg09344.html Actually, we have access to RegistryObject.getRegistry from inside p2 engine. So we can use the good old plugin.xml, see attached Gerrit patches which provide a working implementation.
New Gerrit change created: https://git.eclipse.org/r/c/www.eclipse.org/eclipse/news/+/189435
Gerrit change https://git.eclipse.org/r/c/equinox/rt.equinox.p2/+/189270 was merged to [master]. Commit: http://git.eclipse.org/c/equinox/rt.equinox.p2.git/commit/?id=9ea96950f33f9e87c1c035eed375b56b44d37289
Gerrit change https://git.eclipse.org/r/c/www.eclipse.org/eclipse/news/+/189435 was merged to [master]. Commit: http://git.eclipse.org/c/www.eclipse.org/eclipse/news.git/commit/?id=79de56828e02636ea3a57b6316818e3f74db1107