how to ignore Signature is invalid for current content of "p2-maven-site"?

[diverse-bot]

Hi

I'm trying to build my own update site using tycho from p2-maven-site of jetty project.
Jetty seems to publish their bundles on maven central and p2-maven-site here: https://repo1.maven.org/maven2/org/eclipse/jetty/jetty-p2/

I wish to build my own classic eclipse update site out of it (an also add some missing feature they don't directly publish)
I use the repository url as stated here(https://www.eclipse.org/tycho/sitedocs/tycho-p2/tycho-p2-repository-plugin/plugin-info.html) in a tycho build

(a small test project : https://github.com/dvojtise/jetty-eclipse-p2/tree/main/jetty-eclipse-p2-repo and github action showing the problem)

Unfortunately, this raises a Signature is invalid for current content. error

1/ is there a way to ignore such error ? (so I can try to workaround it)
2/ how to know which signature is invalid ? ie. the one declared in the artefacts.xml file in the https://repo1.maven.org/maven2/org/eclipse/jetty/jetty-p2/10.0.7/jetty-p2-10.0.7-p2site.zip or the one of the target bundles in maven central ? in order to inform jetty maintainers ...

[dvojtise]

(sorry, I sent the above message with the wrong account)

[laeubi]

Unfortunately, this raises a Signature is invalid for current content. error

What exact version of tycho do you use for your test? Can you try out the current tycho snapshot build?

[dvojtise]

2.7.0
(trying without success for now to use the snapshot version)

[laeubi]

Do you think you can provide a PR that transforms your test project as an integration-test to demonstrate the issue?

[dvojtise]

Ref to my thread with jetty project : https://www.eclipse.org/lists/jetty-users/msg10147.html

Apparently maybe there is some issue in the pgp signature in the aterfact.xml and according to jetty developers, this is actually Eclipse Tycho project that is contributing it ...

[laeubi]

It seems that the PGP key is not detected by P2, actually one should be able to simply use a key server then but there is a bug at P2: eclipse-equinox/p2#13

[laeubi]

For reference, here is the item P2 complains about:

Could not mirror artifact osgi.bundle,org.eclipse.jetty.websocket.common,10.0.7 into the local Maven repository
https://repo1.maven.org/maven2/org/eclipse/jetty/websocket/websocket-jetty-common/10.0.7/

[laeubi]

When I decode the metadata I get the following signature:

-----BEGIN PGP SIGNATURE-----

iQIcBAABAgAGBQJhXfsmAAoJEC0OH7j+S2i0KcUP/0Bi1igTxNwNkBfLJ1oknzmO
QmL7J1Pdsbb4VTIesEsIR7fSsQZneeZLduH7Ffj6H57kdJHbVVRUxop9yWcXAz5G
3ulpcvHXbqObP0GZzYsZWtSsqx9Xkda7e1rvlqMw46h7ieL6kmjwPvHNg/j0Xxwq
s25XOlopTtDoBi5FDUw1bY2BUEW7905nW0/ntocTXqaxlcGDKgyYCkiT14cim/Ma
hFFml6b4FRsjeqqrEOCLNLy0oK9yfRT+pAxiTNuDv22toL0cGzaBRXojUaZc7Qhn
Xk+x/ZtJvuq/NsGJ6Xy6uSLzB5z6YeJk112uCRYhxaWNxp3GWOW+efFCCiNciqMV
oF3toe6YhLN3HjTaClYmuof04vN/KWxUNwqe6pcin0x2R+OJ5OFbrCNpU6pXBPr8
X2ZL4tIhVijnqlO4A6UugGS3s5qCDeWDMdF2YIZZ439aq70HR5CzmjtFGoAQSF9u
FLwozT0Mqywe+Ma85n/8N+ieEM3ni/p38jcy6w3RBgNbKxJ60WVx7DVqPm5wK0Q2
t6A/8MijHtITsUakx5Von1YM6+Aig26ybLSNUPzE8ITRXXns+xMSRDNU/U6WL+Sc
T3eTp3k2uRkjkkOb4YKg+yNKkOVayuuK/cO3c491jNioVEt/kYA0ZjnwLAmeO1NF
H/sIv1XWOHRs6C8CHICE
=By76
-----END PGP SIGNATURE-----

At least this looks different to what is deployed here:
https://repo1.maven.org/maven2/org/eclipse/jetty/websocket/websocket-jetty-common/10.0.7/websocket-jetty-common-10.0.7.jar.asc

but matches the javadoc signature:
https://repo1.maven.org/maven2/org/eclipse/jetty/websocket/websocket-jetty-common/10.0.7/websocket-jetty-common-10.0.7-javadoc.jar.asc

So it seems there is a bug in tycho that the wrong signature is chosen...

[laeubi]

I requested a temporary fix for this see

• Disable PGP signature propagation for now jetty/jetty.project#7783

[joakime]

Merged into jetty-10.0.x and jetty-11.0.x branches.
It will show up in Jetty 10.0.9 and 11.0.9 releases. (hopefully next week)

[dvojtise]

thanks for having provided a quick fix :-) , I'll give it a try when available