Skip to main content
aboutsummaryrefslogtreecommitdiffstats
path: root/bundles/org.eclipse.equinox.p2.engine/src/org/eclipse/equinox
diff options
context:
space:
mode:
Diffstat (limited to 'bundles/org.eclipse.equinox.p2.engine/src/org/eclipse/equinox')
-rw-r--r--bundles/org.eclipse.equinox.p2.engine/src/org/eclipse/equinox/internal/p2/engine/phases/CertificateChecker.java41
1 files changed, 31 insertions, 10 deletions
diff --git a/bundles/org.eclipse.equinox.p2.engine/src/org/eclipse/equinox/internal/p2/engine/phases/CertificateChecker.java b/bundles/org.eclipse.equinox.p2.engine/src/org/eclipse/equinox/internal/p2/engine/phases/CertificateChecker.java
index 92aee7199..83aef67a9 100644
--- a/bundles/org.eclipse.equinox.p2.engine/src/org/eclipse/equinox/internal/p2/engine/phases/CertificateChecker.java
+++ b/bundles/org.eclipse.equinox.p2.engine/src/org/eclipse/equinox/internal/p2/engine/phases/CertificateChecker.java
@@ -96,6 +96,7 @@ public class CertificateChecker {
private IStatus checkCertificates(SignedContentFactory verifierFactory) {
UIServices serviceUI = agent.getService(UIServices.class);
ArrayList<Certificate> untrustedCertificates = new ArrayList<>();
+ Map<IArtifactDescriptor, Collection<Long>> untrustedPGPKeyIDArtifacts = new HashMap<>();
Map<IArtifactDescriptor, Collection<PGPPublicKey>> untrustedPGPArtifacts = new HashMap<>();
Map<IArtifactDescriptor, File> unsigned = new HashMap<>();
ArrayList<Certificate[]> untrustedChain = new ArrayList<>();
@@ -132,14 +133,26 @@ public class CertificateChecker {
if (!signatures.isEmpty()) {
if (trustedKeysIds.isEmpty() && !trustedKeys.get().isEmpty()) {
trustedKeysIds.addAll(trustedKeys.get().all().stream()
- .map(PGPPublicKey::getKeyID).map(Long::valueOf).collect(Collectors.toSet()));
+ .map(PGPPublicKey::getKeyID).collect(Collectors.toSet()));
}
- if (signatures.stream().map(PGPSignature::getKeyID).noneMatch(trustedKeysIds::contains)) {
- untrustedPGPArtifacts.put(artifact.getKey(),
- signatures.stream().map(PGPSignature::getKeyID)
- .map(id -> findKey(id, artifact.getKey()))
- .filter(Objects::nonNull)
- .collect(Collectors.toList()));
+ Set<Long> untrustedKeyIds = signatures.stream().map(PGPSignature::getKeyID)
+ .collect(Collectors.toCollection(LinkedHashSet::new));
+ // If any key is already trusted, then we don't need to prompt for any of the
+ // other keys.
+ if (!untrustedKeyIds.removeAll(trustedKeysIds)) {
+ untrustedPGPKeyIDArtifacts.put(artifact.getKey(), untrustedKeyIds);
+ List<PGPPublicKey> untrustedKeys = untrustedKeyIds.stream()
+ .map(id -> findKey(id, artifact.getKey()))
+ .filter(Objects::nonNull)
+ .collect(Collectors.toList());
+ if (untrustedKeys.isEmpty()) {
+ // If no keys can be found for any of the signatures, treat the artifact like
+ // unsigned content because none of the signatures can actually be verified.
+ unsigned.put(artifact.getKey(), artifactFile);
+ } else {
+ // Otherwise, one of these keys needs to be trusted.
+ untrustedPGPArtifacts.put(artifact.getKey(), untrustedKeys);
+ }
}
} else {
unsigned.put(artifact.getKey(), artifactFile);
@@ -196,7 +209,15 @@ public class CertificateChecker {
}
String[] details = EngineActivator.UNSIGNED_ALLOW.equals(policy) || unsigned.isEmpty() ? null
- : unsigned.values().stream().map(Object::toString).toArray(String[]::new);
+ : unsigned.entrySet().stream().map(entry -> {
+ String detail = entry.getValue().toString();
+ Collection<Long> unknownIds = untrustedPGPKeyIDArtifacts.get(entry.getKey());
+ if (unknownIds != null) {
+ return detail + unknownIds.stream().map(Objects::toString)
+ .collect(Collectors.joining(", ", " [", "]")); //$NON-NLS-1$ //$NON-NLS-2$ //$NON-NLS-3$
+ }
+ return detail;
+ }).toArray(String[]::new);
Certificate[][] unTrustedCertificateChains = untrustedCertificates.isEmpty() ? null
: untrustedChain.toArray(Certificate[][]::new);
// If there was no unsigned content, and nothing untrusted, no need to prompt.
@@ -326,8 +347,8 @@ public class CertificateChecker {
}
// load from bundles providing capability
for (IConfigurationElement extension : RegistryFactory.getRegistry()
- .getConfigurationElementsFor(EngineActivator.ID + ".pgp")) {
- if ("trustedKeys".equals(extension.getName())) {
+ .getConfigurationElementsFor(EngineActivator.ID + ".pgp")) { //$NON-NLS-1$
+ if ("trustedKeys".equals(extension.getName())) { //$NON-NLS-1$
String pathInBundle = extension.getAttribute("path"); //$NON-NLS-1$
if (pathInBundle != null) {
Stream.of(EngineActivator.getContext().getBundles())

Back to the top