Trusting p2 artifact installation

Installing artifacts is inherently a security risk because it allows the artifacts to execute potentially malicious code. To mitigate this risk, p2 verifies artifact signatures during installation and selectively prompts for artifact trust.

Trust Artifacts Dialog

One of the main goals of digital signatures is to match a signer identity to each artifact, such that trusting an artifact is simply a decision of whether to trust the signer.

Often all artifacts have a signature, but the identity of each signer may not be known. Artifacts signed by an X509 certificate rooted in the Java runtime's trust store are trusted by default. Artifacts signed by a PGP public key are trusted only if that key is trusted in the preferences. Unsigned artifacts are always treated as untrusted; such an artifact can be tampered with relatively easily, so that the artifact being installed contains different content than expected.

In the case of unverified artifact signers or unsigned artifacts, the Trust Artifacts dialog shows the artifacts along with associated certificates and PGP public keys, if any, for the user's review and approval. The user may choose which signers are trusted, and may even choose to install unsigned content. If all artifacts are signed by at least one trusted key or certificate, or if unsigned artifacts are permitted, installation will continue; otherwise it is aborted.
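The trust rules above can be modelled as a small decision function. This is an added illustration, not p2's own code: the class and function names, the sample signers and the artifact names are all constructed for the example, and the set of signers it reports for review is an assumption about what the dialog lists.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Signer:
    kind: str                    # "x509" or "pgp"
    ident: str                   # certificate subject or PGP key id (constructed)
    rooted_in_jre: bool = False  # X509 only: chain ends in the Java runtime's trust store

@dataclass(frozen=True)
class Artifact:
    name: str
    signers: tuple = ()          # empty tuple means the artifact is unsigned

def signer_trusted(s, trusted_pgp, trusted_certs):
    # X509: trusted by default when rooted in the runtime trust store, or when added in preferences.
    if s.kind == "x509":
        return s.rooted_in_jre or s.ident in trusted_certs
    return s.kind == "pgp" and s.ident in trusted_pgp

def review(artifacts, trusted_pgp=frozenset(), trusted_certs=frozenset(), allow_unsigned=False):
    """Return (needs_prompt, unverified_signers, unsigned_artifact_names)."""
    unverified, unsigned = set(), []
    for a in artifacts:
        if not a.signers:
            if not allow_unsigned:
                unsigned.append(a.name)
        elif not any(signer_trusted(s, trusted_pgp, trusted_certs) for s in a.signers):
            unverified.update(a.signers)  # one trusted signer per artifact would have sufficed
    return bool(unverified or unsigned), unverified, unsigned

def may_install(artifacts, **prefs):
    # Installation continues only when nothing is left to review.
    return not review(artifacts, **prefs)[0]

# Constructed sample data, not real keys or certificates.
CA_SIGNED = Signer("x509", "CN=Example Vendor", rooted_in_jre=True)
SELF_SIGNED = Signer("x509", "CN=Self Signed")
PGP_A = Signer("pgp", "AAAA1111")
ARTIFACTS = [
    Artifact("bundle.a", (CA_SIGNED,)),
    Artifact("bundle.b", (PGP_A, SELF_SIGNED)),
    Artifact("bundle.c"),
]

if __name__ == "__main__":
    print(review(ARTIFACTS))
    print(may_install(ARTIFACTS, trusted_pgp={"AAAA1111"}, allow_unsigned=True))
```

Trusting the PGP key alone clears bundle.b even though its self-signed certificate stays untrusted, while bundle.c blocks installation until unsigned content is explicitly permitted.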

Trust Preference Page

The Artifacts tab of the Install/Update > Trust preference page lists all the certificates and PGP public keys that are considered trusted. It lets you add or remove certificates and keys, or even allow all artifacts to be installed without confirmation.
