Re: [tycho-user] [cross-project-issues-dev] Using maven artifacts direct

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]

Re: [tycho-user] [cross-project-issues-dev] Using maven artifacts directly in eclipse target platform / tycho builds

From: Mickael Istria <mistria@xxxxxxxxxx>
Date: Thu, 21 Jan 2021 16:05:25 +0100
Delivered-to: tycho-user@xxxxxxxxxxx
List-archive: <https://www.eclipse.org/mailman/private/tycho-user/>
List-help: <mailto:tycho-user-request@eclipse.org?subject=help>
List-subscribe: <https://www.eclipse.org/mailman/listinfo/tycho-user>, <mailto:tycho-user-request@eclipse.org?subject=subscribe>
List-unsubscribe: <https://www.eclipse.org/mailman/options/tycho-user>, <mailto:tycho-user-request@eclipse.org?subject=unsubscribe>

On Thu, Jan 21, 2021 at 3:52 PM Wim Jongman <wim.jongman@xxxxxxxxx> wrote:

I mean, does it matter if the wrapper is not signed as long as the wrapped jar is signed?

It mostly depends on the requirement on the consumer side. For most technologies, no-one seems to care about signatures inside jars; SimRel does.

> I would like to have a chance of discovering if someone tampered artifacts on my machine *after* installation. Checksums help with installation but not after installation.

This is IMO not the issue signing is about.

Checking the last modification date of the file is sufficient to know when an artifact has been tampered. Keeping checksums of baseline vs current can also help. For some previous company I was working on, a checksum was requested for all files under the plugins/ folder to verify whether artifacts were tampered compared to the provided set. No signing was involved.

Follow-Ups:
- Re: [tycho-user] [cross-project-issues-dev] Using maven artifacts directly in eclipse target platform / tycho builds
  - From: Christoph Läubrich

References:
- [tycho-user] Using maven artifacts directly in eclipse target platform / tycho builds
  - From: Christoph Läubrich
- Re: [tycho-user] [cross-project-issues-dev] Using maven artifacts directly in eclipse target platform / tycho builds
  - From: Ed Willink
- Re: [tycho-user] [cross-project-issues-dev] Using maven artifacts directly in eclipse target platform / tycho builds
  - From: Mickael Istria
- Re: [tycho-user] [cross-project-issues-dev] Using maven artifacts directly in eclipse target platform / tycho builds
  - From: Ed Merks
- Re: [tycho-user] [cross-project-issues-dev] Using maven artifacts directly in eclipse target platform / tycho builds
  - From: Christoph Läubrich
- Re: [tycho-user] [cross-project-issues-dev] Using maven artifacts directly in eclipse target platform / tycho builds
  - From: Ed Merks
- Re: [tycho-user] [cross-project-issues-dev] Using maven artifacts directly in eclipse target platform / tycho builds
  - From: Christoph Läubrich
- Re: [tycho-user] [cross-project-issues-dev] Using maven artifacts directly in eclipse target platform / tycho builds
  - From: Wim Jongman
- Re: [tycho-user] [cross-project-issues-dev] Using maven artifacts directly in eclipse target platform / tycho builds
  - From: Christoph Läubrich
- Re: [tycho-user] [cross-project-issues-dev] Using maven artifacts directly in eclipse target platform / tycho builds
  - From: Ed Merks
- Re: [tycho-user] [cross-project-issues-dev] Using maven artifacts directly in eclipse target platform / tycho builds
  - From: Wim Jongman
- Re: [tycho-user] [cross-project-issues-dev] Using maven artifacts directly in eclipse target platform / tycho builds
  - From: Wim Jongman

Prev by Date: Re: [tycho-user] [cross-project-issues-dev] Using maven artifacts directly in eclipse target platform / tycho builds
Next by Date: Re: [tycho-user] [cross-project-issues-dev] Using maven artifacts directly in eclipse target platform / tycho builds
Previous by thread: Re: [tycho-user] [cross-project-issues-dev] Using maven artifacts directly in eclipse target platform / tycho builds
Next by thread: Re: [tycho-user] [cross-project-issues-dev] Using maven artifacts directly in eclipse target platform / tycho builds
Index(es):
- Date
- Thread

Breadcrumbs