
Bug 234604

Summary: Should content.jar and artifacts.jar be signed?
Product: Community
Reporter: David Williams <david_williams>
Component: Cross-Project
Assignee: Cross-Project issues <cross-project.inbox>
Status: RESOLVED DUPLICATE
QA Contact:
Severity: normal
Priority: P3
CC: kim.moir
Version: unspecified
Target Milestone: ---
Hardware: PC
OS: Windows XP
Whiteboard:

Description David Williams CLA 2008-05-29 08:42:05 EDT
I suspect in a perfect world, these P2 metadata files on Ganymede site (or, on individual project sites, if they use them) should be signed by Eclipse certificate similar to plugin jars, correct? 

Especially, if it is, as I suspect, that the content.jar and artifacts.jar themselves can be "pulled" from mirrors, then we should take some steps to make sure they have not been tampered with. 

P2 Team ... would it make sense for you to verify these jars, as you received them in the client? Want a separate bug request for that? 

(BTW, I don't have strong intuitions about the immediate necessity of this ... just raising it as an issue that deserves some cross-project discussion, thanks).
Comment 1 John Arthorne CLA 2008-05-29 09:29:54 EDT
We implemented these files as jars so that signing could be done on them, but didn't see an immediate need for signing in this release. These jars are not currently served up by mirrors, since the mirror definition URL is contained in the JAR itself - we don't know how to get the mirrors until we read that file. Currently there is no point in signing them because we would need to make the corresponding code changes in p2 to check the signatures, which we don't have time for in this release.

Having said that, there is definitely value in signing in the long term, so that clients can establish whether they came from a trusted source.
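Comment 1 notes that signing the metadata jars only pays off once the p2 client actually checks the signatures. As an added illustration of what such a client-side check involves (example code written for this page, not p2's own implementation), the following Java class with the hypothetical name MetadataJarVerifier refuses a content.jar or artifacts.jar unless every content entry is signed by a certificate the caller has explicitly trusted. It assumes the trusted signer certificate is available as a DER file and uses only the standard java.util.jar and java.security APIs.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.Set;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

/**
 * Hypothetical checker, not part of p2: accept a repository metadata jar
 * (content.jar / artifacts.jar) only if every content entry is signed by a
 * certificate the caller has explicitly trusted.
 */
public final class MetadataJarVerifier {

    private MetadataJarVerifier() {}

    /** True only if every non-signature entry is signed by a trusted leaf certificate. */
    public static boolean isSignedByTrusted(File jar, Set<X509Certificate> trusted) throws IOException {
        // verify=true: reading an entry throws SecurityException if its bytes do not
        // match the digest recorded in the signed manifest.
        try (JarFile jf = new JarFile(jar, true)) {
            if (jf.getManifest() == null) {
                return false; // no manifest means nothing can have been signed
            }
            Enumeration<JarEntry> entries = jf.entries();
            while (entries.hasMoreElements()) {
                JarEntry e = entries.nextElement();
                if (e.isDirectory() || isSignatureFile(e.getName())) {
                    continue;
                }
                drain(jf.getInputStream(e)); // signers are only populated after a full read
                CodeSigner[] signers = e.getCodeSigners();
                if (signers == null || !anyTrusted(signers, trusted)) {
                    return false; // unsigned entry, or signed by an unknown certificate
                }
            }
            return true;
        } catch (SecurityException tampered) {
            return false; // digest mismatch: the entry was modified after signing
        }
    }

    private static boolean isSignatureFile(String name) {
        String upper = name.toUpperCase();
        return upper.equals("META-INF/MANIFEST.MF")
            || (upper.startsWith("META-INF/")
                && (upper.endsWith(".SF") || upper.endsWith(".RSA")
                    || upper.endsWith(".DSA") || upper.endsWith(".EC")));
    }

    private static boolean anyTrusted(CodeSigner[] signers, Set<X509Certificate> trusted) {
        for (CodeSigner s : signers) {
            // The leaf certificate is first in the path. A production verifier would also
            // run CertPathValidator over the whole chain instead of pinning the leaf.
            Object leaf = s.getSignerCertPath().getCertificates().get(0);
            if (leaf instanceof X509Certificate && trusted.contains(leaf)) {
                return true;
            }
        }
        return false;
    }

    private static void drain(InputStream in) throws IOException {
        try (InputStream s = in) {
            byte[] buf = new byte[8192];
            while (s.read(buf) != -1) { /* discard; the read performs the digest check */ }
        }
    }

    /** Usage: java MetadataJarVerifier content.jar trusted-signer.der */
    public static void main(String[] args) throws IOException, CertificateException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Set<X509Certificate> trusted = new HashSet<>();
        try (InputStream in = new FileInputStream(args[1])) {
            trusted.add((X509Certificate) cf.generateCertificate(in));
        }
        boolean ok = isSignedByTrusted(new File(args[0]), trusted);
        System.out.println(args[0] + (ok ? ": signed by trusted certificate" : ": REJECTED"));
        System.exit(ok ? 0 : 1);
    }
}
```

The equivalent manual check is `jarsigner -verify -verbose -certs content.jar`, which reports which entries are signed and by whom but does not by itself restrict trust to a particular certificate; that is why the example compares the signer's leaf certificate against an explicit trust set rather than accepting any valid signature.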
Comment 2 Kim Moir CLA 2008-05-29 10:51:21 EDT
I've opened bug 234641 as a reminder to implement these changes in 3.5 for the Eclipse Project.
Comment 3 David Williams CLA 2009-04-02 01:33:06 EDT
We'll let 234641 be _the_ bug to track this potential enhancement. 

*** This bug has been marked as a duplicate of bug 234641 ***