[
Date Prev][
Date Next][
Thread Prev][
Thread Next][
Date Index][
Thread Index]
[
List Home]
|
Re: [tycho-user] [cross-project-issues-dev] Using maven artifacts directly in eclipse target platform / tycho builds
|
> On Jan 21, 2021, at 16:12, Christoph Läubrich <laeubi@xxxxxxxxxxxxxx> wrote:
> If someone has access to your machine to tamper any file your almost lost and signatures does not help. A signature only provides you with some kind of trust of the origin and was not tampered on transit.
The claims in this statement apply to a narrow scenario and simply don't hold true in the broader case. Please talk to security experts about threat modelling and mitigation.
Signed content is a fine way of verifying that content has not been tempered with. Any re-signing requires either access to the original signing key (which Eclipse.org webmasters protect) or injecting a new authority into a trust system, which *if* done properly, requires a different level of file system access than the process with write access to plugin jar files would have.
-Gunnar
