eclipse-tycho / tycho

Tycho project repository (tycho)
https://tycho.eclipseprojects.io
Eclipse Public License 2.0

Allow PGP signature verification to be disabled #1239

Open sewe opened 2 years ago

sewe commented 2 years ago

This may sometimes be necessary, e.g., when facing bugs in a repository manager like Nexus (cf. NEXUS-34538).

Likely, target-platform-configuration will need to learn a new option. (A global switch is probably enough.)

Unfortunately, it seems as if p2's SimpleArtifactRepository always unconditionally adds a PGPSignatureVerifier if signatures are present, so this may necessitate upstream changes. (Oddly enough, checksum verification can be disabled in p2.)

laeubi commented 2 years ago

when facing bugs in a repository manager like Nexus (cf. NEXUS-34538).

I can't read the bug report as it seems not publicly visible... I assume you mean that Nexus messes up the XML.

Likely, target-platform-configuration will need to learn a new option. (A global switch is probably enough.)

I don't think Tycho will add special options to fix bugs of commercially sold products.

Oddly enough, checksum verification can be disabled in p2.

The problem here is that the XML is messed up, so disabling verification will likely not be a solution here.

sewe commented 2 years ago

I can't read the bug report as it seems not publicly visible... I assume you mean that Nexus messes up the XML.

Yes, seems to be a security precaution of Sonatype.

At any rate, here is a diffoscope diff, which is not top secret; just the good old Eclipse 2022-06 update site mirrored by Nexus: https://try.diffoscope.org/daaheuvxhkxa.html

laeubi commented 2 years ago

Yep, that's a known (Nexus) issue, as Nexus seems not to handle XML content properly; literal new lines are not valid content in an attribute definition. No idea why this is a security incident...
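The attribute mangling discussed in this thread, as an added example that is not part of the issue or of Tycho/p2: an XML parser normalizes literal newlines inside an attribute value to spaces, so an ASCII-armored PGP block stored in an artifact property only survives a round trip when the newlines are written as character references. The `pgp.signatures` property name and the artifact entry are assumptions modelled on p2's artifacts.xml; the armored block is a constructed dummy, not a real signature.

```python
import xml.etree.ElementTree as ET

# Constructed dummy armored block (not a real signature), with the blank
# line between header and body that real armor also has.
ARMORED = ("-----BEGIN PGP SIGNATURE-----\n"
           "\n"
           "iQEzBAABCAAdFiEE\n"
           "-----END PGP SIGNATURE-----")

BEGIN = "-----BEGIN PGP SIGNATURE-----"
END = "-----END PGP SIGNATURE-----"


def artifact_xml(value):
    """Minimal stand-in for a p2 artifacts.xml entry (assumed layout) whose
    pgp.signatures property carries the given raw attribute text."""
    return ('<?xml version="1.0" encoding="UTF-8"?>'
            '<repository><artifacts size="1">'
            '<artifact classifier="osgi.bundle" id="example" version="1.0.0">'
            '<properties size="1">'
            '<property name="pgp.signatures" value="%s"/>'
            '</properties></artifact></artifacts></repository>' % value)


def escape_newlines(text):
    """Write newlines as character references; the parser keeps these,
    whereas it turns literal newlines in an attribute into spaces."""
    return text.replace("\n", "&#10;")


def signature_properties(doc):
    """Return the parsed pgp.signatures values, keyed by artifact id."""
    root = ET.fromstring(doc)
    result = {}
    for art in root.iter("artifact"):
        for prop in art.iter("property"):
            if prop.get("name") == "pgp.signatures":
                result[art.get("id")] = prop.get("value")
    return result


def is_intact(value):
    """Armor is intact only if header and footer still sit on their own lines."""
    lines = value.split("\n")
    return len(lines) >= 3 and lines[0] == BEGIN and lines[-1] == END


def mangled_artifacts(doc):
    """Ids of artifacts whose stored signature lost its line structure,
    e.g. after a mirror rewrote the XML with literal newlines."""
    return sorted(i for i, v in signature_properties(doc).items() if not is_intact(v))
```

Running `mangled_artifacts` over a mirrored artifacts.xml before trusting it flags entries whose signatures can no longer verify, which is the symptom the diffoscope diff above shows.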