gwt-plugins/gwt-eclipse-plugin

Plugin must be signed

protoism opened this issue · 1 comments

Having an unsigned plugin is both annoying and insecure.

Eclipse is requesting confirmation to install unsigned software.

I tried to look for alternate solutions based on sigstore, which looks very promising. But I'm afraid that there's no easy solution readily available.

Here is a Maven plugin for jar signing:

https://github.com/sigstore/sigstore-maven

If I get it right, this plugin generates x509-based jar signatures outside of the jar file. PGP signature support is being dismissed.

Eclipse seems to support jarsigner signatures:

https://help.eclipse.org/latest/index.jsp?topic=%2Forg.eclipse.platform.doc.isv%2Fguide%2Fbundle_security.html&cp%3D2_0_3_7_1

and PGP signatures (I think that the signatures are stored as metadata, in content.xml, or artifacts.xml)

https://help.eclipse.org/latest/index.jsp?topic=%2Forg.eclipse.platform.doc.isv%2Fguide%2Fp2_pgp.html

There's also a Maven task provided by the Tycho people for PGP-based signatures:

https://tycho.eclipseprojects.io/doc/latest/tycho-gpg-plugin/sign-p2-artifacts-mojo.html
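Added example (not code from this issue or from the gwt-eclipse-plugin project): a small Python audit that parses a p2 `artifacts.xml` for the PGP signature metadata the post mentions and checks a jar for the `META-INF` signature files jarsigner produces. The property names `pgp.signatures`/`pgp.publicKeys`, the `.SF`/`.RSA` layout and the sample repository are assumptions, constructed here for illustration.

```python
import io, zipfile
import xml.etree.ElementTree as ET

# Constructed p2 artifacts.xml: one artifact with the PGP properties p2 reads (names
# assumed from the p2 PGP docs, values are placeholders), one with no signature metadata.
SAMPLE_ARTIFACTS_XML = """<repository name='constructed' type='org.eclipse.equinox.p2.artifact.repository.simpleRepository' version='1.0.0'>
  <artifacts size='2'>
    <artifact classifier='osgi.bundle' id='com.example.signed' version='1.0.0'>
      <properties size='2'>
        <property name='pgp.signatures' value='PLACEHOLDER-ARMORED-PGP-SIGNATURE'/>
        <property name='pgp.publicKeys' value='PLACEHOLDER-ARMORED-PUBLIC-KEY'/>
      </properties>
    </artifact>
    <artifact classifier='osgi.bundle' id='com.example.unsigned' version='1.0.0'/>
  </artifacts>
</repository>
"""

def audit_p2_artifacts(xml_text):
    """Map 'id_version' -> True if the artifact carries p2 PGP signature metadata."""
    report = {}
    for art in ET.fromstring(xml_text).iter("artifact"):
        props = {p.get("name"): p.get("value") for p in art.iter("property")}
        report[f"{art.get('id')}_{art.get('version')}"] = bool(props.get("pgp.signatures"))
    return report

def unsigned_artifacts(xml_text):
    """Artifacts with no PGP metadata; Eclipse will prompt for these unless the jar itself is signed."""
    return sorted(k for k, signed in audit_p2_artifacts(xml_text).items() if not signed)

def jar_has_signature_files(jar):
    """True if the jar carries jarsigner output: a META-INF/*.SF plus an RSA/DSA/EC signature block."""
    with zipfile.ZipFile(jar) as z:
        names = [n.upper() for n in z.namelist() if n.upper().startswith("META-INF/")]
    has_sf = any(n.endswith(".SF") for n in names)
    has_block = any(n.endswith((".RSA", ".DSA", ".EC")) for n in names)
    return has_sf and has_block

def constructed_jar(signed):
    """Build a minimal in-memory jar; with signed=True it mimics jarsigner's file layout."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if signed:
            z.writestr("META-INF/SIGNER.SF", "Signature-Version: 1.0\n")
            z.writestr("META-INF/SIGNER.RSA", b"\x00")  # placeholder, not a real PKCS#7 block
    buf.seek(0)
    return buf
```

Run `unsigned_artifacts()` against a real update site's `artifacts.xml` and `jar_has_signature_files()` against its plugin jars to list exactly which bundles would trigger Eclipse's unsigned-content prompt; presence of the metadata or files is not verification of the signatures themselves, which Eclipse does at install time.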