Closed jonahgraham closed 1 month ago
@ghentschke I will try to resolve this before release as I don't think we can release like this. If you happen to know what may have caused this, do let me know.
The problem turned out to be rather straightforward - I never turned on the gpg signing of the p2 repo. PR about to be merged.
The reason I didn't notice before is that it depends on where p2 decides to pull bundles from, which can depend on which available sites are listed. The snakeyaml in the cdt-lsp repo was never signed, but it was often pulled from CDT's repo coincidentally (where it was always signed).
I don't know yet why it regressed, but the rc1 build of CDT-LSP 2.0.0 (https://download.eclipse.org/tools/cdt/builds/cdt-lsp-2.0/cdt-lsp-2.0.0-rc1/) has unsigned content.
There is a secondary problem that the source bundle of snakeyaml is being installed.
Here is the trust dialog when just using cdt-lsp:
This wasn't a problem in m2 https://download.eclipse.org/tools/cdt/builds/cdt-lsp-2.0/cdt-lsp-2.0.0-m2/ so I don't know what changed yet between these versions.
I don't think this shows up in simrel because the source bundle is re-signed in simrel, and the main bundle comes from CDT instead, which is signed already.
Here is the trust dialog when using staging
fyi @merks
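
The thread shows that an unsigned bundle can go unnoticed when p2 happens to fetch the same bundle from another site, so each repository's own metadata is worth checking directly. The following is an added example, not code from this thread or from the CDT project. It assumes PGP signatures are recorded in the `pgp.signatures` artifact property of the repository's `artifacts.xml`, it does not detect jar signatures, and the sample XML (ids, versions, values) is constructed.

```python
import sys
import xml.etree.ElementTree as ET

# Assumption: p2 stores an artifact's armored PGP signature in this property.
PGP_PROPERTY = "pgp.signatures"

# Constructed sample of a p2 artifacts.xml; ids, versions and values are made up.
SAMPLE_ARTIFACTS_XML = """<?artifactRepository version='1.1.0'?>
<repository name='constructed-sample' version='1'>
  <artifacts size='3'>
    <artifact classifier='osgi.bundle' id='org.example.signed' version='1.0.0.constructed'>
      <properties size='2'>
        <property name='download.size' value='1000'/>
        <property name='pgp.signatures' value='CONSTRUCTED-PLACEHOLDER-SIGNATURE'/>
      </properties>
    </artifact>
    <artifact classifier='osgi.bundle' id='org.yaml.snakeyaml' version='0.0.0.constructed'>
      <properties size='1'>
        <property name='download.size' value='2000'/>
      </properties>
    </artifact>
    <artifact classifier='osgi.bundle' id='org.yaml.snakeyaml.source' version='0.0.0.constructed'>
      <properties size='2'>
        <property name='download.size' value='3000'/>
        <property name='pgp.signatures' value='   '/>
      </properties>
    </artifact>
  </artifacts>
</repository>
"""


def unsigned_artifacts(artifacts_xml):
    """Return sorted (classifier, id, version) tuples lacking a PGP signature."""
    root = ET.fromstring(artifacts_xml)
    missing = []
    for art in root.iter("artifact"):
        props = {p.get("name"): p.get("value") for p in art.iter("property")}
        # A missing property and an empty or blank value both count as unsigned.
        if not (props.get(PGP_PROPERTY) or "").strip():
            missing.append((art.get("classifier"), art.get("id"), art.get("version")))
    return sorted(missing)


if __name__ == "__main__":
    # Pass the path of an extracted artifacts.xml, or run with no argument for the sample.
    xml_text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_ARTIFACTS_XML
    found = unsigned_artifacts(xml_text)
    for classifier, art_id, version in found:
        print(f"no {PGP_PROPERTY}: {classifier} {art_id} {version}")
    sys.exit(1 if found else 0)
```

Running it against the repository being published, rather than against an installed target, avoids the masking effect described above, because the result no longer depends on which site p2 resolved a bundle from.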