Installing artifacts is inherently a security risk, since installed artifacts can then execute potentially malicious code. To mitigate this risk, p2 verifies artifact signatures during installation and warns about any discrepancy.
If some artifacts have no digital signature attached (using either jarsigner or PGP signing), the Unsigned artifacts dialog pops up to warn that there is no signature for those artifacts.
An artifact without a signature can easily be tampered with, so that the content actually installed differs from what was expected. Artifacts without signatures are therefore a security threat; installing them is a risky action, and much care should be taken before approving such an installation.
The pop-up allows the user to abort the installation, or to accept the risk of installing the unsigned artifacts and continue.
One of the main goals of signatures is to bind a signer identity to an artifact, so that in order to trust an artifact, a user only has to decide whether they trust the signer. That is usually an easier decision to make.
Sometimes all artifacts are signed, but it is not yet known whether the signer's identity can be trusted. The strategy for deciding whether a signer can be trusted is up to the user; different users can have different workflows for making that decision.
In that case, the Trust dialog shows the list of certificates or PGP public keys along with extra information to let the user decide whether they can be trusted (Is the key itself trustworthy? If so, do I trust the signer? ...).
If every artifact is signed by at least one trusted key or certificate, installation continues; otherwise it is aborted.
The Install/Update > Trust preference page lists all the PGP public keys that are already considered trusted, and allows adding or removing keys.
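The decision flow described on this page, as an added, self-contained illustration in Python. This is not p2's own code: `Artifact`, `Decision`, `install_decision` and the in-memory JAR builder are names made up for the example, the sample JARs are constructed inline, and `jar_signature_blocks` only detects whether a JAR carries a jarsigner signature block at all (cryptographic verification and signer identity still require the JDK tooling). The trust rule is the one stated above: unsigned artifacts need an explicit accept, and every signed artifact needs at least one trusted signer, so an artifact signed by both a trusted and an unknown key passes without a prompt.

```python
# Illustration of p2's unsigned/trust decision flow. Not p2's implementation;
# all names below are invented for this example.
import io
import zipfile
from dataclasses import dataclass, field

# Signature block files that jarsigner writes next to the .SF file in META-INF/.
SIGNATURE_BLOCK_SUFFIXES = (".RSA", ".DSA", ".EC")


def jar_signature_blocks(jar_bytes: bytes) -> list:
    """Names of signature block files in a JAR's META-INF (presence only).

    This answers "does the JAR carry a jarsigner signature at all?". It does NOT
    verify the signature or recover the signer; use `jarsigner -verify -certs`
    or java.util.jar.JarFile with verification enabled for that.
    """
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return [
            n for n in zf.namelist()
            if n.upper().startswith("META-INF/")
            and n.upper().endswith(SIGNATURE_BLOCK_SUFFIXES)
        ]


def build_jar(entries: dict) -> bytes:
    """Construct a minimal in-memory JAR (constructed sample input for the demo)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


@dataclass(frozen=True)
class Artifact:
    name: str
    # Identities that signed the artifact: certificate fingerprints (jarsigner)
    # or PGP key IDs. An empty set means the artifact carries no signature.
    signers: frozenset = frozenset()


@dataclass
class Decision:
    unsigned: list = field(default_factory=list)       # shown in the Unsigned artifacts dialog
    unknown_signers: set = field(default_factory=set)  # shown in the Trust dialog
    proceed: bool = False


def install_decision(artifacts, trusted, *, accept_unsigned=False, trust_now=frozenset()) -> Decision:
    """Apply the rule from the page: unsigned artifacts need an explicit accept,
    and every signed artifact needs at least one trusted signer.

    trusted   - keys already listed on the Install/Update > Trust preference page
    trust_now - keys the user accepts in the Trust dialog for this installation
    """
    effective = frozenset(trusted) | frozenset(trust_now)
    decision = Decision()
    for artifact in artifacts:
        if not artifact.signers:
            decision.unsigned.append(artifact.name)
        elif not (artifact.signers & effective):
            # No trusted signer at all: the user is asked about every signer.
            decision.unknown_signers |= set(artifact.signers)
    decision.proceed = (not decision.unsigned or accept_unsigned) and not decision.unknown_signers
    return decision


if __name__ == "__main__":
    # Constructed JARs: the .RSA content is a placeholder, not a real PKCS#7 block.
    signed_jar = build_jar({"META-INF/FOO.SF": b"", "META-INF/FOO.RSA": b"placeholder", "a.class": b""})
    unsigned_jar = build_jar({"a.class": b""})
    print("signed:", jar_signature_blocks(signed_jar), "unsigned:", jar_signature_blocks(unsigned_jar))

    artifacts = [
        Artifact("org.example.a", frozenset({"K1"})),        # signed by a trusted key
        Artifact("org.example.b", frozenset({"K1", "K2"})),  # K2 unknown, but K1 suffices
        Artifact("org.example.c"),                           # unsigned
    ]
    print(install_decision(artifacts, {"K1"}))                        # unsigned dialog, aborted
    print(install_decision(artifacts, {"K1"}, accept_unsigned=True))  # user accepted the risk
    print(install_decision([Artifact("org.example.d", frozenset({"K3"}))], {"K1"}))  # Trust dialog
    print(install_decision([Artifact("org.example.d", frozenset({"K3"}))], {"K1"}, trust_now={"K3"}))
```

Keys accepted via `trust_now` only apply to the current run; persisting them corresponds to adding them on the Trust preference page, i.e. the `trusted` set passed on later installs.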