[cbi-dev] PGP and p2 signature strategy

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]

[cbi-dev] PGP and p2 signature strategy

From: Mickael Istria <mistria@xxxxxxxxxx>
Date: Thu, 21 Oct 2021 13:54:20 +0200
Delivered-to: cbi-dev@xxxxxxxxxxx
List-archive: <https://www.eclipse.org/mailman/private/cbi-dev/>
List-help: <mailto:cbi-dev-request@eclipse.org?subject=help>
List-subscribe: <https://www.eclipse.org/mailman/listinfo/cbi-dev>, <mailto:cbi-dev-request@eclipse.org?subject=subscribe>
List-unsubscribe: <https://www.eclipse.org/mailman/options/cbi-dev>, <mailto:cbi-dev-request@eclipse.org?subject=unsubscribe>

Hi all,

Here is a document that describes the strategy that has been implemented to allow PGP signatures as a valid replacement to jarsigner to ensure installed artifacts comes from trusted sources: https://docs.google.com/document/d/1dl10ia092X5hN1qfKoHYvriCNM-iBqiOkfjnntxaBbk/edit?usp=sharing

Feedback welcome!

--

Mickael Istria

Eclipse IDE developer, for Red Hat Developers

Prev by Date: Re: [cbi-dev] Eclipse Foundation public PGP key?
Next by Date: [cbi-dev] How to build my plugin on Jenkins?
Previous by thread: [cbi-dev] Open Source Software Supply Chain Best Practices at the Eclipse Foundation
Next by thread: [cbi-dev] How to build my plugin on Jenkins?
Index(es):
- Date
- Thread

Back to the top