
sign-p2-artifacts does not PGP sign features

Open yafred opened this issue 2 years ago • 10 comments

Hi,

I am trying to sign a p2 with tycho-gpg-plugin:sign-p2-artifacts (I tried 2.73 and 3.0.4).

It is only signing the plugins, not the features.

The plugins are artifacts with classifier osgi.bundle in artifacts.xml and are properly updated with gpg properties. The features are artifacts with classifier org.eclipse.update.feature and are not updated with gpg properties.

Maven logs show nothing interesting.

What can I do to understand why the features are not signed?

Thanks

yafred avatar Jun 07 '23 16:06 yafred

Can you provide an integration-test to demonstrate the issue? I'm not sure if signing of features is actually supported (@merks ?) in the P2 UI but technically it would be possible of course, I just think there is no test for this at the moment.

laeubi avatar Jun 07 '23 16:06 laeubi

Feature jars are “normally” jar-signed. I’ve never tried to pgp sign such things. It’s not something an Eclipse project would ever seem to need. But it nevertheless ought to be supported. A test case will be needed for sure.

merks avatar Jun 07 '23 17:06 merks

You say 'Feature jars are “normally” jar-signed'. Do you have a link to how to sign a p2 (allowing the Trust dialog to display to the user that everything is signed)?

yafred avatar Jun 07 '23 22:06 yafred

Eclipse projects use this:

https://www.eclipse.org/cbi/sitedocs/eclipse-jarsigner-plugin/sign-mojo.html

But if you're not an Eclipse-hosted project, that's not very helpful advice.

I'm not sure how to use this one:

https://maven.apache.org/plugins/maven-jarsigner-plugin/

I would expect this to work on features:

https://tycho.eclipseprojects.io/doc/latest/tycho-gpg-plugin/sign-p2-artifacts-mojo.html

If that doesn't work, I'd expect it to be relatively straight-forward to fix it...

merks avatar Jun 08 '23 04:06 merks

We are trying to move the Spring Tools to GPG signing as well and stumbled upon this as well, so the regular bundles get GPG signed, but not the features. Unless we sign them the "regular jar signing way", they show up as unsigned in the install dialog.

martinlippert avatar Jun 09 '23 06:06 martinlippert

While the solution was designed ignoring features (the story was to be able to consume 3rd-party bundles directly and get them signed without altering them), the mojo could most likely be improved to also read and sign feature artifacts. A PR to add that support would be very welcome.

mickaelistria avatar Jun 09 '23 07:06 mickaelistria

@martinlippert can you describe how you proceed to make the unsigned warning disappear? (Do you modify the artifacts.xml file?) Thanks

I have tried to jarsign the feature jar file to no avail. I have tried to gpg sign the feature jar file too (including updating artifacts.xml to add the properties pgp.signatures and pgp.publicKeys).

(By the way, how is it that the properties are called pgp and not gpg?)

yafred avatar Jun 28 '23 14:06 yafred

If signing of features with PGP means only adding <property name='pgp.publicKeys' value='MY-PGP-KEY'/> under the proper artifact descriptor for a feature (i.e. classifier='org.eclipse.update.feature'), then I think it is working... Or is there more than just the artifacts.xml file?

BoykoAlex avatar Jun 29 '23 21:06 BoykoAlex

@BoykoAlex The page https://help.eclipse.org/latest/index.jsp?topic=%2Forg.eclipse.platform.doc.isv%2Fguide%2Fp2_pgp.html should tell it all.

(By the way, how is it that the properties are called pgp and not gpg?)

PGP is the cryptography strategy, gpg is one implementation, which we're not even using in Eclipse p2.

mickaelistria avatar Jun 30 '23 06:06 mickaelistria

If an artifact has been PGP signed, its artifact metadata will have both pgp.signatures and pgp.publicKeys properties like this one:

<artifact classifier='osgi.bundle' id='slf4j.api.source' version='2.0.7'>
  <properties size='13'>
    <property name='maven-groupId' value='org.slf4j'/>
    <property name='maven-artifactId' value='slf4j-api'/>
    <property name='maven-version' value='2.0.7'/>
    <property name='maven-classifier' value='sources'/>
    <property name='maven-repository' value='eclipse.maven.central.mirror'/>
    <property name='maven-type' value='jar'/>
    <property name='download.size' value='72932'/>
    <property name='artifact.size' value='72932'/>
    <property name='download.checksum.sha-512' value='0bf2f5807dedcc81b23c9dcd341c59e81339a1ef898f39a257b76c8a0ebdf7f4e94b8fda6e5c4c1e5981843a922a712b6f113b74435fc10485d7943d41d62563'/>
    <property name='download.checksum.sha-1' value='a017c6fd9ea69485bb22198ec8d5dd3d5805d467'/>
    <property name='download.checksum.sha-256' value='e75c0f77298ceaa7a5be9a43b5cc3af27067c0ce39c8c048cde2f50d0efd839b'/>
    <property name='pgp.signatures' value='-----BEGIN PGP SIGNATURE-----&#xA;&#xA;iQIzBAABCgAdFiEER3fdMHEepq82fzR46zw49seg8A0FAmSYT1wACgkQ6zw49seg&#xA;8A2t4w//aYQaYboWjpW1LD+UqSDTV3OkUJFgMPq6o8sIhkCAz4xMuQJz2zTj3jL9&#xA;edK/Bh6ISSBMS3w5qoyex/9L0qvYpSdooE81zI1a+D3aQH9444VgmVO2S3IjzDBs&#xA;x4e9pE6KLAFw/YV3Diz0IAebofBQeOqj/65lDXxYT3Z6a3e884FXTQa5eEW3WgbV&#xA;zKMbQPblJgAzow2asAwZeC+wUzMXfDye7lakul43kUyV3QUvuT79PFCtlyKO2dee&#xA;tmB6Ur33U9DpdJPBcQ9YlDgIBuwH7l5Ov9Gl6sWojDxjIx2qS//rLf83XBYkN1yb&#xA;pLznQL2TwYg4HIPLpzd+5qOkUrrp59z16Pb14/+j+txuuhp4CXQxy/8+pq/0qsdQ&#xA;HeY9cxHyaM9IHzJriQujnSfLEPpRyWGKeUvGwlq92061uTul2PKRfLGlqkXTlVWa&#xA;2VLKEdCFsXRMj3CBGcyZRVhoQumeVOP3pq7KuGY5FXvSDE8PptdyoYCa6RrT9J0B&#xA;70Ld04NGpLGUSWmeOh+F7DCY78mb8ZEW7RRepM/F9Y/xxm1+hloQmOyyZ0KT3OxC&#xA;eoYcxQhx2Qao1+1UMhofqGaj0kYkUa/2cB1OrCCP4QgrkQcR4VteTHDSZjo60HVU&#xA;YNfScmaomx2OYPxL7q1pibkAJ6wtHVgUfArylJ+PQDhr4OL6QtM=&#xA;=eH5F&#xA;-----END PGP SIGNATURE-----'/>
    <property name='pgp.publicKeys' value='-----BEGIN PGP MESSAGE-----&#xA;&#xA;uQINBGNEVwsBEAC0ZZzrNCeIQ9SxvmwABXboQ3fVJJoYTW2kbreoV7GxMpeY8mls&#xA;CJRtc496Hx1qNuuVVVSwVkp5Vx4X/QLb6pbFzWRPRY9uhdSt+ymjP/ku7FzmcKr4&#xA;px4NmUlErgmcQyNC3PIKz2k4jSJuIPmO+h1K9bghAyq5fWJ8FWMfTyw0vQtBQxwC&#xA;B45slDzdOVlMxIZ4ifs6wBEhLkK1K/jxtTy1U5ZMLNOyenQKQCUldTr7aE7ivR9z&#xA;DIYGOpsr5OqdedXSkX4fgAKtgz7cR4sjXmbIZz16pxWd1T1U1MzzR2LBrX4856z9&#xA;TUXoI6IgRpMTDK5cy0bhxgrCafqiJ3NbDhOi8k3hXL5kSLY5g2FsLVoOWdojK3AR&#xA;3OoJXwpQM5TLzLtPR3XHBkQhBZllxhDhQ55E1KwevRE8j1nh7MF9+6QUk4V7XlHL&#xA;MLzjf0Z0oYTSi+RYf3PTXuVSQFGqy74vp4Jdp0PvXzXLWHqcYkbs5u0jxsqn5amB&#xA;pCwRnDISfTri6R/VWqWSTpsJ+0Uv9FcfcxGq4yv6C6VfaiktjMefBIKzwGIUVn/y&#xA;87bsMHDp2+fkicSsTePY+iOE8JH+dEUFkuVSZFU0GwhsiSVQr5bpq9BsyArJu7uM&#xA;tSt1awkWSTESX2qqkd7SOXno54/+t/XbBQSOk8rEzgtTTnFuFcQLn04LXQARAQAB&#xA;iQRyBBgBCAAmFiEEHm+ZeUV2tgMtJXKTw0rr1i6OnPgFAmNEVwsCGwIFCQlmAYAC&#xA;QAkQw0rr1i6OnPjBdCAEGQEIAB0WIQRHd90wcR6mrzZ/NHjrPDj2x6DwDQUCY0RX&#xA;CwAKCRDrPDj2x6DwDaYnEACsJKUih/2WZ0Uam0YM4qB+ar6HgWNesuZeRn8lyze5&#xA;HKMit52zcTw41X2+1Ab0S44PgWoGQoKaLGP4ij62DYDud/KI3CMsPo0I4aKcF5rk&#xA;EZcY5CWxk1waYnzG/YUXzII2eT318l3YfiCuZXRNG7TVoeEWqBUY2WgRDoCkqyQD&#xA;ASyEmKpbdXKcvGdibnZcGNyZm5xHwDvV2m9OqyEyUWIqsJccV1pQ5bRy15ZjSEfe&#xA;25emHwcp4P7y5SycLKTddfupLFDgTNWksJq2CZjGP8A6l1J7O1/xhiHaODew2/rK&#xA;7GDB3vDOIWoCJrr3xrI4KhNmCN8q+mSTwm5wbJtYZYirq6yfICfB7g2bDmVivUUA&#xA;iiNNWpmsUPsnICA8BK+1nJ2wecYtUNTpiTv6bdVvhe4mIuR0yNVGgO8oxvzZGvi4&#xA;iDtxDe1Xws4LxHsozyCyl96jNXtis94klfnuSxCcosEc0nCyL0J0JAdwHgDV3VjX&#xA;yt1r7yJzej68xDadxZVM7K9TJJ/M1lOYuxTYC+o4NWK8AHYBki6lYMBMB0ez5MB8&#xA;OSMcrdZRt1qE6965wh/bVndpHEIZKQt5k9gtsoHeKzoD0IsnzUM/YdBIDShP8LpK&#xA;PvhVvYq5ZIhSPfEv3n6EuM9umfMwp743+SqNsFjUBilUTNn7LRPSU9HbDEFb5xwN&#xA;a+UNEACUi4HqL12H0cIaKEgOI6RBxBPIuE7+NSbR2+btmkflEzLFYeTE/l8/yjFA&#xA;7KXDx/QzhC2UvR3+hwjO8yNcAl/esiW9BoYu/6rnqKMzn2ReAx977S92WsgiJjvI&#xA;ISPTuWm1DW8GeZ6jUyCmp45ANDTVPrUjnU8m+DbhkcarDD1f5fV4XJdva2zU065G&#xA;+sAxj+/v2n8Ha+dfBadjV6ZfqkKBV4I+o96j7NV/cwKMswDB4yThTFZoI
30/47W6&#xA;1Tb2e+Z9mriQmo5rXO/XnEyGVODBI4cTcNsP4T9EAZUc6yPW1kEBnt1xgJPUGFzN&#xA;NeirMHoZXgJI8aeXArLgfjvF4FiPb/wPyfXd+CQU7VEPQl3of6rwZ4fPAVjYRppy&#xA;dnT2I2PjFDEbZEowddu5/QyvGdlxe9W2NC1BARqhB+Ra2DJSd/dXdGoEmqIjwpnT&#xA;o1UiLAUqNqUVzIGl4OqKpYFCLRUFMnaI83Ta/K+rGBEvQ6Xr0I9IJ2VH8bK365YI&#xA;rBdLK3UyXmuIXmTxHbdGJ1Uf8lfent5g58GQErHyRl2GNbC8h4shl3iC3DsvIGno&#xA;GIxFsGdB7o7jAMxYmc2O+hUHS5lRArccMIUR0aDYYrk6z1KmrJGfk6zJRDFlvzXl&#xA;1CtyrPFu7jXtyBgrfdQbUKfiT6q8Nq4vL1WGaf6EQ55B25jDGQ==&#xA;=e76V&#xA;-----END PGP MESSAGE-----'/>
  </properties>
</artifact>

merks avatar Jun 30 '23 07:06 merks
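A way to answer the original question (which descriptors in artifacts.xml are actually missing PGP metadata), as an added example that is not part of the thread or of Tycho: it parses an uncompressed artifacts.xml and reports, per artifact, whether both pgp.signatures and pgp.publicKeys are present, then counts the incomplete ones per classifier. The sample repository document and its armor bodies are constructed placeholders.

```python
# Added example, not Tycho's or p2's own code: audit an uncompressed
# artifacts.xml and report which artifact descriptors lack the two
# properties p2 expects on a PGP-signed artifact. Sample XML is constructed.
import xml.etree.ElementTree as ET
from collections import Counter

REQUIRED_PGP_PROPS = ("pgp.signatures", "pgp.publicKeys")

# Constructed: one PGP-signed bundle, one feature without PGP properties
# (the situation reported in the issue). Armor bodies are placeholders.
SAMPLE_ARTIFACTS_XML = """<?xml version='1.0' encoding='UTF-8'?>
<repository name='sample' type='org.eclipse.equinox.p2.artifact.repository' version='1.0.0'>
  <artifacts size='2'>
    <artifact classifier='osgi.bundle' id='com.example.bundle' version='1.0.0'>
      <properties size='3'>
        <property name='download.size' value='1234'/>
        <property name='pgp.signatures' value='-----BEGIN PGP SIGNATURE-----&#xA;&#xA;PLACEHOLDER&#xA;-----END PGP SIGNATURE-----'/>
        <property name='pgp.publicKeys' value='-----BEGIN PGP MESSAGE-----&#xA;&#xA;PLACEHOLDER&#xA;-----END PGP MESSAGE-----'/>
      </properties>
    </artifact>
    <artifact classifier='org.eclipse.update.feature' id='com.example.feature' version='1.0.0'>
      <properties size='1'>
        <property name='download.size' value='567'/>
      </properties>
    </artifact>
  </artifacts>
</repository>
"""

def pgp_status(artifacts_xml):
    """Map (classifier, id, version) -> PGP property names that are absent or empty."""
    root = ET.fromstring(artifacts_xml)
    status = {}
    for art in root.iter("artifact"):
        key = (art.get("classifier"), art.get("id"), art.get("version"))
        props = {p.get("name"): (p.get("value") or "") for p in art.iter("property")}
        status[key] = [n for n in REQUIRED_PGP_PROPS if not props.get(n, "").strip()]
    return status

def unsigned_by_classifier(artifacts_xml):
    """Count, per classifier, the artifacts whose PGP metadata is incomplete."""
    return dict(Counter(cls for (cls, _i, _v), missing
                        in pgp_status(artifacts_xml).items() if missing))

if __name__ == "__main__":
    for (cls, aid, ver), missing in pgp_status(SAMPLE_ARTIFACTS_XML).items():
        state = "PGP metadata complete" if not missing else "missing " + ", ".join(missing)
        print(f"{cls} {aid} {ver}: {state}")
```

Point it at a real repository by reading the file contents into pgp_status instead of the sample; a feature listed under org.eclipse.update.feature with both properties missing is exactly what the Trust dialog reports as unsigned.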