
Using tycho-p2-repository-plugin in combination with tycho-gpg-plugin creates *.asc files in the repository

Open merks opened this issue 3 years ago • 9 comments

For example, if you look in this repository zip:

https://download.eclipse.org/eclipse/downloads/drops4/S-4.24M1-202204070240/repository-4.24M1.zip

it contains these files:

(screenshot of the zip's file listing, not reproduced here)

These files are not referenced from the artifacts.xml but rather their contents are encoded by the pgp.signatures property of the corresponding artifact.

I think the 4.24 M1 repository was created with 3.0.0-SNAPSHOT, and I noticed this problem using 2.7.1-SNAPSHOT.

merks avatar Apr 09 '22 14:04 merks
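One way to check a repository zip for this kind of stray file, as an added example that is not part of the issue or of Tycho's own code: it lists every file that artifacts.xml does not account for, and for each stray `.asc` file checks whether its text merely duplicates the `pgp.signatures` property of the matching artifact. It assumes the standard simple-artifact-repository mapping rules (`plugins/`, `features/`, `binary/`) and that `pgp.signatures` holds the armored signature text as described above; the sample repository, its artifacts.xml and the signature text are constructed for the example and are not real signatures.

```python
"""Audit a p2 repository zip for files not accounted for by artifacts.xml.

Added example, not Tycho's code. Assumes standard mapping rules and that the
pgp.signatures artifact property contains the armored signature text.
"""
import io
import re
import xml.etree.ElementTree as ET
import zipfile

# Repository metadata files that are expected next to the artifacts.
METADATA_FILES = {"artifacts.xml", "artifacts.jar", "artifacts.xml.xz",
                  "content.xml", "content.jar", "content.xml.xz", "p2.index"}

# Constructed, not a real PGP signature; only the shape matters here.
SAMPLE_SIG = ("-----BEGIN PGP SIGNATURE-----\n\n"
              "iQEzBAABCAAdFiEEconstructedSampleSignatureBody=\n"
              "-----END PGP SIGNATURE-----\n")

# Constructed artifacts.xml modelled on the simple repository format.
ARTIFACTS_XML_TEMPLATE = """<?xml version='1.0' encoding='UTF-8'?>
<?artifactRepository version='1.1.0'?>
<repository name='sample' type='org.eclipse.equinox.p2.artifact.repository.simpleRepository' version='1.0.0'>
  <mappings size='3'>
    <rule filter='(&amp; (classifier=osgi.bundle))' output='${repoUrl}/plugins/${id}_${version}.jar'/>
    <rule filter='(&amp; (classifier=binary))' output='${repoUrl}/binary/${id}_${version}'/>
    <rule filter='(&amp; (classifier=org.eclipse.update.feature))' output='${repoUrl}/features/${id}_${version}.jar'/>
  </mappings>
  <artifacts size='2'>
    <artifact classifier='osgi.bundle' id='org.objectweb.asm' version='9.3.0'>
      <properties size='1'>
        <property name='pgp.signatures' value='__SIG__'/>
      </properties>
    </artifact>
    <artifact classifier='org.eclipse.update.feature' id='org.example.feature' version='1.0.0'/>
  </artifacts>
</repository>
"""


def artifact_paths(xml_bytes):
    """Map each artifact's repository-relative path to its property dict."""
    root = ET.fromstring(xml_bytes)
    rules = {}
    for rule in root.iter("rule"):
        m = re.search(r"classifier=([^)\s]+)", rule.get("filter", ""))
        if m:
            rules[m.group(1)] = rule.get("output").replace("${repoUrl}/", "")
    paths = {}
    for art in root.iter("artifact"):
        template = rules.get(art.get("classifier"))
        if template is None:
            continue  # no rule for this classifier; cannot locate its file
        path = template.replace("${id}", art.get("id")).replace("${version}", art.get("version"))
        paths[path] = {p.get("name"): p.get("value") for p in art.iter("property")}
    return paths


def read_artifacts_xml(zf):
    """Return artifacts.xml bytes, looking inside artifacts.jar if needed."""
    if "artifacts.xml" in zf.namelist():
        return zf.read("artifacts.xml")
    with zipfile.ZipFile(io.BytesIO(zf.read("artifacts.jar"))) as inner:
        return inner.read("artifacts.xml")


def audit_repository(zip_bytes):
    """Return (stray files, {stray .asc: True if it duplicates pgp.signatures})."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = [n for n in zf.namelist() if not n.endswith("/")]
        expected = artifact_paths(read_artifacts_xml(zf))
        stray = sorted(n for n in names if n not in expected and n not in METADATA_FILES)
        report = {}
        for name in stray:
            if not name.endswith(".asc"):
                continue
            sig = expected.get(name[:-4], {}).get("pgp.signatures")
            report[name] = sig is not None and zf.read(name).decode("utf-8").strip() == sig.strip()
    return stray, report


def build_sample_repo():
    """Constructed sample: a signed bundle with a stray .asc, plus an unsigned feature."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # XML attribute values must encode newlines as &#xA; to survive parsing.
        zf.writestr("artifacts.xml", ARTIFACTS_XML_TEMPLATE.replace("__SIG__", SAMPLE_SIG.replace("\n", "&#xA;")))
        zf.writestr("content.xml", "<repository/>")
        zf.writestr("plugins/org.objectweb.asm_9.3.0.jar", b"PK\x03\x04 constructed jar")
        zf.writestr("plugins/org.objectweb.asm_9.3.0.jar.asc", SAMPLE_SIG)
        zf.writestr("features/org.example.feature_1.0.0.jar", b"PK\x03\x04 constructed jar")
        zf.writestr("features/org.example.feature_1.0.0.jar.asc",
                    "-----BEGIN PGP SIGNATURE-----\nunrelated\n-----END PGP SIGNATURE-----\n")
    return buf.getvalue()


if __name__ == "__main__":
    stray_files, asc_report = audit_repository(build_sample_repo())
    for f in stray_files:
        print(f, "duplicates pgp.signatures" if asc_report.get(f) else "not explained by artifacts.xml")
```

Point `audit_repository` at the bytes of a real repository zip to get the same report; a stray `.asc` whose text matches the artifact's `pgp.signatures` is exactly the redundant file this issue is about, whereas a stray `.asc` with no matching property deserves a closer look.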

Can you share the pom.xml used to create that repository? By default, the repository copies resources from the target to the resulting site; I assume the tycho-gpg-plugin creates some temp files that then get included.

By the way, does it do any harm if these are included?

laeubi avatar Apr 09 '22 14:04 laeubi

This is what I tested while investigating how this all works:

repo-sample-asm-with-signing.zip

Note that the value <gpg-keyname>146BA106</gpg-keyname> in the root pom is a magic number; the last 8 hex digits of the PGP key. For my local testing, I created a key in my local ring...

And no, including useless files does no significant harm; it's just pointless and somewhat confusing bloat.

merks avatar Apr 09 '22 14:04 merks

I think this could be fixed by deleting the signature file after it was read here:

https://github.com/eclipse/tycho/blob/79bf9f08c7f6214ba49d98da4a8f7116edc989f9/tycho-gpg-plugin/src/main/java/org/eclipse/tycho/gpg/SignRepositoryArtifactsMojo.java#L134

@mickaelistria what do you think?

laeubi avatar Apr 09 '22 15:04 laeubi

@laeubi yes, a delete here should work. However, although they're not yet used/useful as far as I know, I have some intuition that those .asc files may become helpful one day (eg to publish artifacts from a p2 repo to Maven). So I wonder whether it should be something to keep as a secret functionality, maybe controlled by a switch.

mickaelistria avatar Apr 11 '22 08:04 mickaelistria

@mickaelistria I already suggested this once a while ago, but the idea has not gotten much support: https://bugs.eclipse.org/bugs/show_bug.cgi?id=575540 Actually, it won't harm to keep those, but I think @merks had something in mind when opening this report...

laeubi avatar Apr 11 '22 08:04 laeubi

I think consumers will expect the content to be purely the artifacts and not files that are a side-effect of the build process.

When publishing to Maven, all artifacts need a *.asc, so having them for some artifacts seems not terribly helpful; they can be produced as needed, as they are for all the jar-signed artifacts that are published.

So there is no current use case nor a compelling need for them to bloat (slightly) the repository size and to propagate to all the mirrors...

merks avatar Apr 11 '22 08:04 merks

@mickaelistria @akurtakov should we take any action here? As I'm currently preparing a service release with some PGP stuff in it, it would be good to include this fix as well, if we plan to change anything.

laeubi avatar Jun 28 '22 04:06 laeubi

I see these .asc files like pack.gz files: they don't harm, although they are not directly used. If there is a contribution for that we can reconsider, but right now it's very low priority for me.

akurtakov avatar Jun 28 '22 05:06 akurtakov

I don't think this is much about implementation (as deleting them is a trivial fix); it's more about whether we should do it or not.

laeubi avatar Jun 28 '22 05:06 laeubi

The latest implementation doesn't do this anymore.

merks avatar Nov 24 '22 11:11 merks