Details
-
Improvement
-
Status: In Progress
-
Major
-
Resolution: Unresolved
-
None
-
None
-
None
-
None
Description
Note: we do have detached PGP signatures for the Eclipse update site artifacts - it is mandatory according to the ASF release policy - but they are currently not included in such a way that Eclipse can verify them and offer the user to trust them during the plugin installation process.
Currently, we do not sign the Eclipse plugins because it is extra effort and the old way of using the Symantec Service are gone anyway.
There is a new jarsigning approach which could be used.
Alternatively, it is meanwhile possible to embed PGP signatures in P2 repositories.
Let's see which of these options are viable for us.
Attachments
Issue Links
- links to