Hi Mélanie and fellow planning council members,
Unfortunately tomorrow (Monday) is a holiday here and I cannot attend the meeting. I don't think I have too much unique experience in this case.
For the technical aspect of signing, IMHO the planning council should mandate that one of the methods that the Eclipse Platform (p2?) supports must be used to meet the requirement "Build artifacts made available at the Eclipse Foundation are verifiably the ones built by respective projects." and that as the Eclipse Platform (p2?) adds new methods of doing such verification, that SimRel should allow them. In practice (IIUC) for now that means jarsigning as it has always been done, but if and when GPG signing is implemented, then that could be used by projects instead. That would allow new methods of verifying as the Eclipse project evolves.
On the technical aspects of GPG, there is the question of maintaining a keyring or other web of trust. The EF already manages some GPG keys for projects.
Sorry I cannot attend the meeting,
Jonah