Yes, without a key server enabled it fails completely.  I think that's no
longer necessary.  We could treat it as unsigned content without
introducing a security problem because with the new approach of recording
the key and signature only after a successful validation, we would record
neither the signature nor the key for such a downloaded artifact if the key
wasn't found; so it would indeed look like an unsigned artifact and would
in fact be an unsigned artifact on the client side.  But the Bugzilla for
that was closed after the previous change was reverted because previously
the checker relied on seeing the signature as evidence that the artifact
was verified and previously the signature was always copied to the
destination.  In any case, it's obvious that if we can't find the key, we
can't verify anything...

On Thu, Feb 17, 2022 at 7:18 PM Christoph Läubrich <[email protected]>
wrote:

> Is it still the case that p2 completely fails if a public key is missing
> or could it work with only the pgp.signatures property?
> _______________________________________________
> p2-dev mailing list
> [email protected]
> To unsubscribe from this list, visit
> https://www.eclipse.org/mailman/listinfo/p2-dev
>