This Bugzilla instance is a read-only archive of historic NetBeans bug reports. To report a bug in NetBeans please follow the project's instructions for reporting issues.
| Summary: | Warning message for untrusted plugins needs to be improved | | |
|---|---|---|---|
| Product: | platform | Reporter: | jason_s |
| Component: | Plugin Importer | Assignee: | Libor Fischmeistr <lfischmeistr> |
| Status: | NEW --- | | |
| Severity: | normal | Keywords: | UI |
| Priority: | P1 | | |
| Version: | 8.0 | | |
| Hardware: | PC | | |
| OS: | Windows 7 | | |
| Issue Type: | DEFECT | Exception Reporter: | |
| Attachments: | screenshot of netbeans untrusted warning | | |
Description
jason_s
2017-11-08 18:25:01 UTC
p.s. the advice on http://wiki.netbeans.org/DevFaqSignNbm for signing .nbm plugins is inadequate. Plugin authors need to be directed that their plugins should be signed and trusted, otherwise they run the risk that someone else can impersonate them, and they need to be referred to further information about cryptographic security certificates.

> Some notes: 1. You can probably get a root-authorized certificate from VeriSign or the like, and the Auto Update wizard should treat this as more trusted. Not yet investigated (please update this FAQ entry if you experiment with this).

Please don't just refer to VeriSign; they're not free, and you shouldn't be assuming that developers know how to find a certificate authority. Either throw out a bunch of names (including LetsEncrypt), or point to a reputable source of information about security certificates.

> 2. Keeping the keystore and its password in the private dir ensures that you will not accidentally commit either to source repository or include it in a source ZIP made with the Project Packager module. It may be safe to put the keystore in a shared directory (e.g. nbproject) if you are sure that the storepass is too hard to guess.

Don't give this advice. This is the computing equivalent of putting a key hidden under a rock near your house. If someone cracks the password, they can then impersonate the owner of the certificate.

I have a plugin that shows a "signed but not trusted" warning, although the Show Certificate button does show a certificate from DigiCert. Following are the details of the certificate:

Subject: CN=DigiCert SHA2 Assured ID Code Signing CA, OU=www.digicert.com, O=DigiCert Inc, C=US

Does anybody have an idea what else needs to be done to make it trusted and avoid the warning?
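The "signed but not trusted" state described above comes down to one question: the archive carries a valid signature, but does the signer's certificate chain reach a root that the verifier already trusts? The following Java program is an added example, not NetBeans code and not the logic the Auto Update client uses to decide trust. It assumes that an .nbm is a JAR-signed archive (it is signed with the same signature format as a JAR), takes the archive path as its only argument, and uses the JRE's bundled `cacerts` store as the set of trust anchors (the file location and the default `changeit` password are assumptions; substitute your own trust store). It reports four outcomes: no signature, a signature that does not match the contents, a valid signature whose chain does not reach an anchor, and a valid signature whose chain does.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.CodeSigner;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

/** Added example: separates "signed" from "signed by a chain that reaches a trusted root". */
public class NbmTrustCheck {

    public enum Verdict { UNSIGNED, TAMPERED, SIGNED_UNTRUSTED, SIGNED_TRUSTED }

    /** Loads the JRE's bundled CA store as trust anchors (path and "changeit" password are assumptions). */
    static Set<TrustAnchor> loadTrustAnchors() throws Exception {
        Path cacerts = Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts");
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(cacerts)) {
            ks.load(in, "changeit".toCharArray());
        }
        Set<TrustAnchor> anchors = new HashSet<>();
        for (Enumeration<String> aliases = ks.aliases(); aliases.hasMoreElements();) {
            String alias = aliases.nextElement();
            if (ks.isCertificateEntry(alias)) {
                anchors.add(new TrustAnchor((X509Certificate) ks.getCertificate(alias), null));
            }
        }
        return anchors;
    }

    /** PKIX-validates one signer's chain against the anchors. A root that the signing tool embedded
     *  in the chain is cut off first, because PKIX expects the trust anchor outside the validated path. */
    static boolean chainsToAnchor(CertPath path, Set<TrustAnchor> anchors) throws Exception {
        Set<X509Certificate> anchorCerts = new HashSet<>();
        for (TrustAnchor a : anchors) anchorCerts.add(a.getTrustedCert());

        List<X509Certificate> chain = new ArrayList<>();
        for (Certificate c : path.getCertificates()) {
            if (anchorCerts.contains(c)) break;          // reached a trusted root: stop here
            chain.add((X509Certificate) c);
        }
        // Empty means the signer certificate itself is an anchor (or the path was empty).
        if (chain.isEmpty()) return !path.getCertificates().isEmpty();

        CertPath trimmed = CertificateFactory.getInstance("X.509").generateCertPath(chain);
        PKIXParameters params = new PKIXParameters(anchors);
        params.setRevocationEnabled(false);              // offline demo; enable OCSP/CRL checks in production
        try {
            CertPathValidator.getInstance("PKIX").validate(trimmed, params);
            return true;
        } catch (CertPathValidatorException e) {
            return false;                                // unknown issuer, expired, broken chain, ...
        }
    }

    /** Reads every entry (which is what makes JarFile verify the signatures) and classifies the archive. */
    static Verdict check(Path nbm, Set<TrustAnchor> anchors) throws Exception {
        try (JarFile jar = new JarFile(nbm.toFile(), true)) {
            Set<CodeSigner> signers = new HashSet<>();
            byte[] buf = new byte[8192];
            for (Enumeration<JarEntry> en = jar.entries(); en.hasMoreElements();) {
                JarEntry e = en.nextElement();
                if (e.isDirectory() || e.getName().startsWith("META-INF/")) continue;
                try (InputStream in = jar.getInputStream(e)) {
                    while (in.read(buf) != -1) { /* consume; a digest mismatch surfaces here */ }
                } catch (SecurityException tampered) {
                    return Verdict.TAMPERED;
                }
                CodeSigner[] cs = e.getCodeSigners();    // only populated once the entry has been read
                if (cs == null) return Verdict.UNSIGNED;  // conservative: one unsigned entry fails the archive
                Collections.addAll(signers, cs);
            }
            if (signers.isEmpty()) return Verdict.UNSIGNED;
            for (CodeSigner s : signers) {
                if (chainsToAnchor(s.getSignerCertPath(), anchors)) return Verdict.SIGNED_TRUSTED;
            }
            return Verdict.SIGNED_UNTRUSTED;
        }
    }

    public static void main(String[] args) throws Exception {
        Verdict v = check(Paths.get(args[0]), loadTrustAnchors());
        System.out.println(args[0] + ": " + v);
    }
}
```

Run it as `java NbmTrustCheck my-plugin.nbm`. The useful case to try is an archive signed with a chain that stops at an intermediate CA, like the DigiCert issuing CA quoted in the comment: it verifies (no `TAMPERED`, no `UNSIGNED`), yet it only reaches `SIGNED_TRUSTED` if the chain continues up to a root present in the trust store. A self-signed developer certificate from a private keystore, as in the FAQ's recipe, will always land in `SIGNED_UNTRUSTED` against a public CA store, which is exactly the warning the report is about.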