Andrey,
I looked in older p2 repos and this file was previously signed. E.g.,
the following one has a signed eclipse.exe:
https://download.eclipse.org/eclipse/updates/4.6/R-4.6.3-201703010400/binary/org.eclipse.platform.sdk.executable.win32.win32.x86_64_4.6.3.M20170301-0400
That is why I just assumed such things are signed because in the past
they were signed...
So at some point, in the build evolution, these stopped being signed.
Note that this issue is in the platform's own repo and that none of this is
an Oomph bug because we can only install what's actually in the repo;
the producer of the repos is responsible for signing all the content
appropriately.
Also note that given that the executables for other "products" are
mostly just copies of the platform's executable, the fact the platform's
original version is not signed in the platform's own p2 repo is likely
the source of the other downstream problems. E.g., I already notice
that Oomph's installer product is a signed *.exe for the native
self-launching executable, but the eclipse-inst.exe it contains is also
not signed. But that's not surprising because it uses the p2 publisher
to produce it during the build and it can't produce signed results if
the source executable is not signed:
[INFO] --- tycho-p2-publisher-plugin:0.23.1:publish-products (default-publish-products) @ org.eclipse.oomph.setup.installer.product ---
I've opened this:
https://bugs.eclipse.org/bugs/show_bug.cgi?id=548397
Regards,
Ed
On 18.06.2019 17:01, Andrey Loskutov wrote:
Whoever is interested in solving this problem, please create a p2 or
oomph bug for that.
I think a missing signature on Windows is not OK, independently of whether
this helps or not with the Windows Defender performance. Note: the exe file
from plain SDK *is* signed.
On 18.06.2019 16:52, Ed Merks wrote:
Rolf,
Indeed if I look at the two executables in the following:
https://download.eclipse.org/eclipse/updates/4.12/R-4.12-201906051800/binary/org.eclipse.platform.sdk.executable.win32.win32.x86_64_4.12.0.I20190605-1800
They do not show signature properties when extracted, so p2 installing
these (p2 director via the installer or via p2 update) would not produce
something in which a signature would appear.
I would have expected this file to contain two signed executables, but
that appears, as you suggest, not to be the case. :-(
I asked Dani just now, and he also expected these would be signed...
On 18.06.2019 16:13, Rolf Theunissen wrote:
First of all, the properties of the executable show it very clearly.
Second, https://bugs.eclipse.org/bugs/show_bug.cgi?id=509799#c4 this
comment.
eclipse.exe properties from Eclipse IDE for Java Developers Package
Eclipse properties for product installed via oomph.
On 6/18/2019 at 4:04 PM, Ed Merks wrote:
Rolf,
I don't believe what you suggest is the case. The eclipse.exe in the
p2 repository, like all the artifacts in the repository, is
signed. Otherwise, if one did an update and the executable needed
to be updated, it would be updated with an unsigned version, which
would not be acceptable. What makes you think/assume that these are
not signed?
On 18.06.2019 15:56, Rolf Theunissen wrote:
Hi,
I came across the bug below. What triggered me from the comments on
Bug 509799 is that the 'eclipse.exe' is apparently signed as part
of the EPP build. As we are pushing Eclipse-Installer now, many
installations contain an 'eclipse.exe' that is not signed.
So maybe the problem is not how to let Microsoft trust the Eclipse
Signature, but more how to *ensure that the 'eclipse.exe' is signed
on all installations*.
*Bug 539954* <https://bugs.eclipse.org/bugs/show_bug.cgi?id=539954>
- eclipse installer "SimRel 2018‑09" from ibm cloud is reported as
virus infected
*Bug 509799* <https://bugs.eclipse.org/bugs/show_bug.cgi?id=509799>
- Symantec reports a Trojan SONAR.AM.C!g24 in eclipse
*Bug 485899* <https://bugs.eclipse.org/bugs/show_bug.cgi?id=485899>
- upgrading eclipse causes anti-virus to alert
Rolf
--
Kind regards,
Andrey Loskutov
https://www.eclipse.org/user/aloskutov
---------------------------------------------
The rescue of the drowning is the work of the drowning themselves
---------------------------------------------
_______________________________________________
platform-dev mailing list
platform-dev@eclipse.org
To change your delivery options, retrieve your password, or
unsubscribe from this list, visit
https://www.eclipse.org/mailman/listinfo/platform-dev
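
Added example, not part of the thread and not Eclipse or Oomph code: a Python check that lists the *.exe entries in an archive that carry no embedded Authenticode signature blob, the condition described above for the executables in the 4.12 binary artifact. It assumes the artifact is a zip archive, tests presence only (not validity or trust), and all function names and the sample archive are constructed for illustration.

```python
import io
import struct
import zipfile

SECURITY_DIR = 4           # IMAGE_DIRECTORY_ENTRY_SECURITY (Certificate Table)
PKCS_SIGNED_DATA = 0x0002  # WIN_CERT_TYPE_PKCS_SIGNED_DATA (Authenticode)

def has_signature_blob(data: bytes) -> bool:
    """True if a PE image embeds a PKCS#7 signature. Presence only, no trust check."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file")
    pe = struct.unpack_from("<I", data, 0x3C)[0]   # e_lfanew
    opt = pe + 24                                  # optional header follows COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if data[pe:pe + 4] != b"PE\0\0" or magic not in (0x10B, 0x20B):
        raise ValueError("malformed PE headers")
    dirs = opt + (96 if magic == 0x10B else 112)   # PE32 vs PE32+ directory table
    count = struct.unpack_from("<I", data, dirs - 4)[0]  # NumberOfRvaAndSizes
    # This directory entry stores a file offset, not an RVA.
    offset, size = struct.unpack_from("<II", data, dirs + 8 * SECURITY_DIR)
    if count <= SECURITY_DIR or offset == 0 or size < 8 or offset + size > len(data):
        return False
    length, _revision, cert_type = struct.unpack_from("<IHH", data, offset)
    return cert_type == PKCS_SIGNED_DATA and 8 < length <= size

def unsigned_executables(archive: bytes) -> list[str]:
    """Names of *.exe entries in a zip archive that carry no signature blob."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return sorted(n for n in zf.namelist()
                      if n.lower().endswith(".exe") and not has_signature_blob(zf.read(n)))

def make_pe(signed: bool) -> bytes:
    """Constructed PE32+ header stub for the demo; not a runnable program."""
    img = bytearray(0x40 + 24 + 112 + 16 * 8)
    img[:2], img[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", img, 0x3C, 0x40)              # e_lfanew
    struct.pack_into("<H106xI", img, 0x58, 0x20B, 16)    # magic, NumberOfRvaAndSizes
    if signed:
        blob = struct.pack("<IHH", 16, 0x0200, PKCS_SIGNED_DATA) + bytes(8)
        struct.pack_into("<II", img, 0x58 + 112 + 8 * SECURITY_DIR, len(img), len(blob))
        img += blob
    return bytes(img)

def sample_archive() -> bytes:
    """Constructed zip standing in for a p2 binary artifact."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, signed in (("eclipse.exe", False), ("signed-sample.exe", True)):
            zf.writestr(name, make_pe(signed))
    return buf.getvalue()
```

Run against a real downloaded artifact by passing its bytes to `unsigned_executables`; a non-empty result in a release build is the regression to flag before publishing the repository.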