Re: [p2-dev] Documentation about pgp signing of Eclipse plugins
Andrey, There is a small self-contained sample attached here: https://github.com/eclipse/tycho/issues/872#issuecomment-1094060216 I've been using that to understand how this all works with a very simple example; an example that I can run locally on Windows where I created a "test" PGP key. Perhaps if you can't get this sample to work for you, you could ask further questions on that issue... PGP signing works for 2.7.1 (just released) and 3.0.0-SNAPSHOT. I think for earlier versions as well, but I've not tested that. Very old versions of Eclipse will see PGP-signed bundles thing as unsigned content. More recent versions of Eclipse (< 4.23) will lose information about the PGP keys and that can result in a corrupted bundle pool where attempts to install or update will "auto-cancel". Even without a bundle pool, if one cancels once, the bundles will be local to the installation and further attempts too will auto-cancel. Many bugs were fix during the most recent release cycle: https://gitlab.eclipse.org/eclipse-wg/ide-wg/eclipseide.org/-/issues/11 Regards, Ed On 10.04.2022 10:35, Andrey Loskutov wrote: Hi, in context of expired spotbugs certificate (see https://github.com/spotbugs/spotbugs/issues/2008) I'm looking for pointers (wiki/blog/help page) about how one can "sign" Eclipse bundles with pgp? Google finds few bugs but no explanation to following questions : - prerequisites (which Eclipse version supports that) - build requirements (which tooling needed, on which platform etc) - instructions for signing itself (command line etc) - which side effects ot has on compatibility with old Eclipse platforms (can pgp signed bundle be installed on older Eclipse that doesn't know anything about pgp) These below seem to be related but don't give answers to questions above: https://bugs.eclipse.org/bugs/show_bug.cgi?id=576895 https://bugs.eclipse.org/bugs/show_bug.cgi?id=572816 Is there any official documentation available ? -- Kind regards, Andrey Loskutov https://www.eclipse.org/user/aloskutov Спасение утопающих - дело рук самих утопающих ___ p2-dev mailing list p2-dev@eclipse.org To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/p2-dev ___ p2-dev mailing list p2-dev@eclipse.org To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/p2-dev
[p2-dev] Documentation about pgp signing of Eclipse plugins
Hi, in context of expired spotbugs certificate (see https://github.com/spotbugs/spotbugs/issues/2008) I'm looking for pointers (wiki/blog/help page) about how one can "sign" Eclipse bundles with pgp? Google finds few bugs but no explanation to following questions : - prerequisites (which Eclipse version supports that) - build requirements (which tooling needed, on which platform etc) - instructions for signing itself (command line etc) - which side effects ot has on compatibility with old Eclipse platforms (can pgp signed bundle be installed on older Eclipse that doesn't know anything about pgp) These below seem to be related but don't give answers to questions above: https://bugs.eclipse.org/bugs/show_bug.cgi?id=576895 https://bugs.eclipse.org/bugs/show_bug.cgi?id=572816 Is there any official documentation available ? -- Kind regards, Andrey Loskutov https://www.eclipse.org/user/aloskutov Спасение утопающих - дело рук самих утопающих ___ p2-dev mailing list p2-dev@eclipse.org To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/p2-dev
Re: [p2-dev] [platform-dev] Documentation about pgp signing of Eclipse plugins
I've created https://github.com/eclipse-equinox/p2/issues/32 Am 10. April 2022 10:35:48 MESZ schrieb Andrey Loskutov : >Hi, > >in context of expired spotbugs certificate (see >https://github.com/spotbugs/spotbugs/issues/2008) > >I'm looking for pointers (wiki/blog/help page) about how one can "sign" >Eclipse bundles with pgp? > >Google finds few bugs but no explanation to following questions : > >- prerequisites (which Eclipse version supports that) >- build requirements (which tooling needed, on which platform etc) >- instructions for signing itself (command line etc) >- which side effects ot has on compatibility with old Eclipse platforms (can >pgp signed bundle be installed on older Eclipse that doesn't know anything >about pgp) > >These below seem to be related but don't give answers to questions above: >https://bugs.eclipse.org/bugs/show_bug.cgi?id=576895 >https://bugs.eclipse.org/bugs/show_bug.cgi?id=572816 > >Is there any official documentation available ? >-- >Kind regards, >Andrey Loskutov > >https://www.eclipse.org/user/aloskutov >Спасение утопающих - дело рук самих утопающих >___ >platform-dev mailing list >platform-...@eclipse.org >To unsubscribe from this list, visit >https://www.eclipse.org/mailman/listinfo/platform-dev -- Kind regards, Andrey Loskutov https://www.eclipse.org/user/aloskutov Спасение утопающих - дело рук самих утопающих ___ p2-dev mailing list p2-dev@eclipse.org To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/p2-dev
