
Allow PGP signature verification to be disabled

Open sewe opened this issue 3 years ago • 3 comments

This may sometimes be necessary, e.g., when facing bugs in a repository manager like Nexus (cf. NEXUS-34538).

Likely, target-platform-configuration will need to learn a new option. (A global switch is probably enough.)

Unfortunately, it seems as if p2's SimpleArtifactRepository always unconditionally adds a PGPSignatureVerifier if signatures are present, so this may necessitate upstream changes. (Oddly enough, checksum verification can be disabled in p2.)

sewe avatar Aug 04 '22 14:08 sewe

when facing bugs in a repository manager like Nexus (cf. NEXUS-34538).

I can't read the bug report as it seems not publicly visible... I assume you mean that Nexus messes up the XML.

Likely, target-platform-configuration will need to learn a new option. (A global switch is probably enough.)

I don't think Tycho will add special options to fix bugs of commercially sold products.

Oddly enough, checksum verification can be disabled in p2.

The problem here is that the XML is messed up, so disabling verification will likely not be a solution here.

laeubi avatar Aug 04 '22 14:08 laeubi

I can't read the bug report as it seems not publicly visible... I assume you mean that Nexus messes up the XML.

Yes, seems to be a security precaution of Sonatype.

At any rate, here is a diffoscope diff, which is not top secret; just the good old Eclipse 2022-06 update site mirrored by Nexus: https://try.diffoscope.org/daaheuvxhkxa.html

sewe avatar Aug 04 '22 15:08 sewe

Yep, that's a known (Nexus) issue, as Nexus seems not to handle XML content properly; literal new lines are not valid content in an attribute definition. No idea why this is a security incident...

laeubi avatar Aug 04 '22 15:08 laeubi
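As an added illustration of the XML point above (example code, not from the issue, Tycho or p2): an XML parser replaces a literal newline inside an attribute value with a space, while a newline written as the character reference `&#xA;` survives, so a mirror that re-serializes p2's metadata with literal line breaks hands the verifier a flattened signature. The property key `pgp.signatures` is assumed to be p2's and the armored block is constructed and non-functional.

```python
import xml.etree.ElementTree as ET

# Constructed example, not code from Tycho, p2 or the issue above. p2 keeps an
# ASCII-armored PGP signature in an artifact property. Inside an XML attribute
# the armor's line breaks must be written as the character reference &#xA;: a
# parser turns a *literal* newline in an attribute value into a space (XML 1.0
# attribute-value normalization) but keeps a newline produced by &#xA;.
PGP_KEY = "pgp.signatures"  # assumed p2 property name; not on this page
# Constructed, non-functional armored block, present only to carry line breaks.
ARMORED = "-----BEGIN PGP SIGNATURE-----\nabcd\n-----END PGP SIGNATURE-----"

def with_char_refs(value: str) -> str:
    """Serialize newlines as &#xA;, which survives attribute normalization."""
    return value.replace("\n", "&#xA;")

def with_literal_newlines(value: str) -> str:
    """Emit the newlines literally, as a rewriting mirror might."""
    return value

def artifacts_xml(serialize) -> str:
    """Minimal artifacts.xml-like document with one signed artifact."""
    return (
        '<repository name="demo"><artifacts size="1">'
        '<artifact classifier="osgi.bundle" id="demo" version="1.0.0">'
        f'<properties size="1"><property name="{PGP_KEY}" value="{serialize(ARMORED)}"/>'
        "</properties></artifact></artifacts></repository>"
    )

def read_signature(xml_text: str):
    """Return the signature attribute as the XML parser delivers it, or None."""
    root = ET.fromstring(xml_text)
    for prop in root.iter("property"):
        if prop.get("name") == PGP_KEY:
            return prop.get("value")
    return None

def signature_intact(xml_text: str) -> bool:
    """True if the armor's BEGIN and END markers are still on their own lines."""
    sig = read_signature(xml_text)
    lines = sig.split("\n") if sig else []
    return (len(lines) >= 3 and lines[0] == "-----BEGIN PGP SIGNATURE-----"
            and lines[-1] == "-----END PGP SIGNATURE-----")

if __name__ == "__main__":
    for label, ser in (("char refs", with_char_refs), ("literal", with_literal_newlines)):
        doc = artifacts_xml(ser)
        print(f"{label:9}: intact={signature_intact(doc)} value={read_signature(doc)!r}")
```

Running `signature_intact` over a mirrored artifacts.xml tells you whether the signature attribute survived the mirror before any thought of switching verification off.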