bnd
org.bndtools.p2: Update the build for the p2 repository to replace md5 checksum
The latest Eclipse now complains that our p2 repository only generates md5 checksums. We use the p2 repository builder from Eclipse 3.5.2 (circa 2009). Recent p2 updates now generate sha256 checksums.
So we need to modernize the p2 repository building in the org.bndtools.p2 project. I suspect we will need to move to use the Maven Tycho support. For example, https://www.eclipse.org/tycho/sitedocs/tycho-p2/tycho-p2-repository-plugin/assemble-repository-mojo.html.
eclipse.buildId=4.22.0.I20211124-1800
java.version=17.0.2
java.vendor=Azul Systems, Inc.
BootLoader constants: OS=macosx, ARCH=x86_64, WS=cocoa, NL=en_US
Framework arguments: -product org.eclipse.epp.package.java.product -keyring /Users/hargrave/.eclipse_keyring
Command-line arguments: -os macosx -ws cocoa -arch x86_64 -product org.eclipse.epp.package.java.product -keyring /Users/hargrave/.eclipse_keyring
org.eclipse.equinox.p2.repository
Warning
Thu Mar 03 09:22:46 EST 2022
The digest algorithms (md5) used to verify osgi.bundle,biz.aQute.bndlib,6.3.0.202203030031-SNAPSHOT have severely compromised security. Please report this concern to the artifact provider.
We also need to support the PGP signing recently added to Eclipse. See https://gitlab.eclipse.org/eclipse-wg/ide-wg/community/-/issues/11#downstream-product-considerations.
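A way to check a built repository for the condition behind the md5 warning above, as an added example that is not code from the bnd project. It assumes the repository's `artifacts.xml` records digests in `download.md5` and `download.checksum.<algorithm>` properties; those property names, the choice of sha-256 and sha-512 as acceptable, and the sample XML are assumptions made for this example.

```python
import sys
import xml.etree.ElementTree as ET

# Assumed p2 property names; only sha-256/sha-512 are accepted as strong here.
LEGACY_MD5 = "download.md5"
PREFIX = "download.checksum."
STRONG = {PREFIX + "sha-256", PREFIX + "sha-512"}

# Constructed sample of an artifacts.xml, not taken from the bnd repository.
SAMPLE = """<repository name='sample' version='1'>
 <artifacts size='3'>
  <artifact classifier='osgi.bundle' id='example.md5only' version='1.0.0'>
   <properties size='3'>
    <property name='download.size' value='1024'/>
    <property name='download.md5' value='0123456789abcdef0123456789abcdef'/>
    <property name='download.checksum.md5' value='0123456789abcdef0123456789abcdef'/>
   </properties>
  </artifact>
  <artifact classifier='osgi.bundle' id='example.modern' version='1.0.0'>
   <properties size='2'>
    <property name='download.md5' value='0123456789abcdef0123456789abcdef'/>
    <property name='download.checksum.sha-256' value='placeholder-sha256-hex'/>
   </properties>
  </artifact>
  <artifact classifier='binary' id='example.bare' version='2.0.0'>
   <properties size='1'><property name='download.size' value='7'/></properties>
  </artifact>
 </artifacts>
</repository>"""

def audit(xml_text):
    """Map (classifier, id, version) to 'ok', 'weak-only' or 'no-checksum'."""
    report = {}
    for art in ET.fromstring(xml_text).iter("artifact"):
        names = {p.get("name") for p in art.iter("property")}
        digests = {n for n in names if n == LEGACY_MD5 or n.startswith(PREFIX)}
        if digests & STRONG:
            status = "ok"
        else:
            status = "weak-only" if digests else "no-checksum"
        report[(art.get("classifier"), art.get("id"), art.get("version"))] = status
    return report

def failing(xml_text):
    """Sorted keys of artifacts a client cannot verify with a strong digest."""
    return sorted(k for k, v in audit(xml_text).items() if v != "ok")

if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE
    bad = failing(text)
    print("\n".join(",".join(k) for k in bad))
    sys.exit(1 if bad else 0)
```

Run against an extracted `artifacts.xml` as a build gate; the non-zero exit lists every artifact that would still trigger the warning.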
@maho7791 has a p2 exporter. He will talk to Jürgen and make a plan of action.
Could you look at the P2 PR? I've created a new P2 exporter and that would solve this issue. Need someone to engage before I want to use it ourselves.
I plan to include the P2 exporter in release 7 but not use it yet. For 7.1.0-SNAPSHOT I will try to use it for the release.
@bjhargrave @pkriens Tycho contains a demo that shows how to build a p2 repository from plain maven dependencies (what could be built by BND / Felix / Whatever / ...).