Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

It's not possible to verify a PGP signature of a folder #374

Closed
merks opened this issue Nov 4, 2023 · 0 comments
Closed

It's not possible to verify a PGP signature of a folder #374

merks opened this issue Nov 4, 2023 · 0 comments

Comments

@merks
Copy link
Contributor

merks commented Nov 4, 2023
edited
Loading

When p2 is asked to transfer an artifact from one repository to another and both repositories are in the file system, it's possible that some of such artifacts to be transferred are folders and then p2 will just copy the folder (recursively) from one place in the file system to another place in the file system. It will also try to do signature verification, which works fine for jar-signed content because p2 creates a jar and then verifies the jar-signature of that synthesized jar. But for PGP, this just doesn't work because the order of the contents in the jar will produce different bytes that do not match the original bytes of the original jar. As such, p2 must omit the PGP verification step in such a case.

eclipse-platform/eclipse.platform.releng.aggregator#1502
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@merks