Description
Because of problems with expired signatures as described here:
eclipse-platform/eclipse.platform.releng.aggregator#661
It will be good to find a workaround for signed jars that will be treated as unsigned by associating also a PGP signature. But it's hard to manage this because we only want to do this for a subset of artifacts. There is this option:
But at least for Tycho 2.7.5, this does not recognize that the jar will be treated as unsigned. If we set that to false, then all jars are PGP signed, but we don't want that. Also, things with an existing PGP signature are signed again, but the XML has duplicate keys, so the existing PGP signatures will be replaced by new ones, which we also don't want.
So we enhance the aggregator to compute certificate fingerprints that we record in the artifact metadata. We also record the original PGP key and signature in the artifact metadata. Then we can post process the repository to keep PGP signatures for jar-signed artifacts only for those certificates that are expired. We can also restore the original PGP keys and signatures, or even merge them.
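The first step of the approach above, collecting each jar's signing-certificate fingerprint and whether that certificate has expired, as an added example. This is not code from the aggregator or Tycho; the class name, the `SignerInfo` record layout and the "needs PGP" rule (jar is signed but no signer certificate is still valid at the reference instant) are this example's own choices, and it uses only `java.util.jar` and `java.security` from the JDK.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Path;
import java.security.CodeSigner;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.cert.X509Certificate;
import java.time.Instant;
import java.util.Enumeration;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

// Added example, not part of the aggregator or Tycho: walk a signed jar, take the
// leaf code-signing certificate of every signer, and record its SHA-256
// fingerprint plus whether it is expired. This is the kind of record the issue
// proposes to keep in artifact metadata so a later pass can decide which
// jar-signed artifacts still need a PGP signature.
public final class JarSignerInspector {

    /** One record per signing certificate (field names are this example's choice). */
    public static final class SignerInfo {
        public final String fingerprint;  // lower-case hex SHA-256 over the DER-encoded certificate
        public final String subject;
        public final Instant notAfter;
        public final boolean timestamped; // signature carries a TSA timestamp
        public final boolean expired;     // notAfter lies before the reference instant

        SignerInfo(String fingerprint, String subject, Instant notAfter,
                   boolean timestamped, boolean expired) {
            this.fingerprint = fingerprint;
            this.subject = subject;
            this.notAfter = notAfter;
            this.timestamped = timestamped;
            this.expired = expired;
        }

        @Override public String toString() {
            return fingerprint + " " + subject + " notAfter=" + notAfter
                 + " timestamped=" + timestamped + " expired=" + expired;
        }
    }

    /** SHA-256 of the certificate's DER encoding, the same value keytool -list -v shows (without colons). */
    public static String fingerprint(X509Certificate cert) throws GeneralSecurityException {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder(digest.length * 2);
        for (byte b : digest) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    /**
     * Opens the jar with verification on, reads every entry so JarFile fills in
     * the code signers, and records each signer's leaf certificate keyed by
     * fingerprint. A jar whose content does not match its signature makes
     * JarFile throw SecurityException while the entry is read.
     */
    public static Map<String, SignerInfo> inspect(Path jar, Instant now)
            throws IOException, GeneralSecurityException {
        Map<String, SignerInfo> signers = new LinkedHashMap<>();
        try (JarFile jf = new JarFile(jar.toFile(), true)) {
            Enumeration<JarEntry> entries = jf.entries();
            while (entries.hasMoreElements()) {
                JarEntry e = entries.nextElement();
                if (e.isDirectory() || e.getName().startsWith("META-INF/")) continue;
                // getCodeSigners() returns null until the entry has been read to the end
                try (InputStream in = jf.getInputStream(e)) {
                    byte[] buf = new byte[8192];
                    while (in.read(buf) != -1) { /* drain */ }
                }
                CodeSigner[] cs = e.getCodeSigners();
                if (cs == null) continue; // unsigned entry
                for (CodeSigner s : cs) {
                    X509Certificate leaf =
                        (X509Certificate) s.getSignerCertPath().getCertificates().get(0);
                    String fp = fingerprint(leaf);
                    if (signers.containsKey(fp)) continue;
                    Instant notAfter = leaf.getNotAfter().toInstant();
                    signers.put(fp, new SignerInfo(fp,
                        leaf.getSubjectX500Principal().getName(),
                        notAfter, s.getTimestamp() != null, notAfter.isBefore(now)));
                }
            }
        }
        return signers;
    }

    /** Example policy: the jar is signed, but none of its signer certificates is valid at the reference instant. */
    public static boolean needsPgpSignature(Map<String, SignerInfo> signers) {
        return !signers.isEmpty() && signers.values().stream().allMatch(si -> si.expired);
    }

    public static void main(String[] args) throws Exception {
        Path jar = Path.of(args[0]);
        Map<String, SignerInfo> signers = inspect(jar, Instant.now());
        signers.values().forEach(System.out::println);
        System.out.println(jar.getFileName() + ": needsPgpSignature=" + needsPgpSignature(signers));
    }
}
```

Run it as `java JarSignerInspector.java some-signed.jar` (Java 11 or later). Two caveats for anyone turning this into a real metadata pass: `expired` is judged against the instant passed in, so a consumer that honours the TSA timestamp (as `jarsigner -verify` does) may still accept a certificate this reports as expired, which is why the timestamp flag is recorded alongside it; and the fingerprint is taken over the leaf certificate only, so two artifacts signed with the same key but different certificates get different fingerprints.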