I received a verification request for the plugin 'nbgit' yesterday and when I went to install it into NetBeans, it wasn't signed. Under the current version of the Plugin Portal, plugins are checked to be sure they are signed before they are allowed to be uploaded. However, this plugin was originally submitted on September 10, 2008, *before* plugins were required to be signed prior to uploading. So, in this case, the system didn't check to be sure the plugin was signed before it was uploaded. This seems to be a bug with the Portal. Each time a plugin is being uploaded for verification, it should be forced to be signed. From what I understand, right now all the Portal does is reset the verification, but doesn't check to be sure the author had signed the new version of the plugin. Is there any way to correct this, so that no unsigned plugins are uploaded to the server, regardless of whether the plugin is a new plugin or just a new version of an existing plugin?
This is not a problem with some plugin. It's rather a valid defect in the implementation, hence changing the subcomponents accordingly. As for the solution, in my opinion it should be possible to upload signed plugin; however, if such a plugin had verification requested before, it should be automatically removed upon the upload and the verification request should be disabled, as it works already now with version 1.4 of the Plugin Portal. What do you think about it, David?
Oh, I made a serious mistake! Of course I meant "...to upload NOT signed plugin..." - I am sorry for the confusion.
The current logic only checks for a signed plugin if the plugin owner submits a verification request on the plugin detail page. There may be cases, however, where a verification request was done for an unsigned plugin BEFORE the plugin portal only allowed for signed plugins. This would account for some existing verification requests with plugins that are not signed. Any new verification requests from the plugin owner on the unsigned plugin should be stopped by the plugin portal. I'm closing this because the solution is for each plugin owner to resubmit a new plugin file and the plugin portal will catch unsigned NBM files now.
I know how it works now. But is it really so hard to check for the signature on update of a plugin binary and not only when publishing a brand new plugin? I realize, though, that this request solves only a very rare situation which in addition to that will happen less and less often. :-)
The plugin portal does NOT currently check for a signed NBM file when adding a new plugin. We only care about signed NBM files if someone wants their plugin verified. The current verification request feature on the PluginDetail page will take care of any new verification requests with NBM files that are not signed. However... I did a quick report to find out what verifications had NBM files that were unsigned. I thought I would only find Verification requests that were done prior to the plugin portal checking for signed NBMs. I was wrong. I found a defect that allows .zip files to contain unsigned NBMs. I've corrected the defect and will close this issue when we roll out the new version of plugin portal.
I am glad we are on the same page now. Thanks a lot, David!
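
An added example, not the Plugin Portal's own code: a presence check for jarsigner signature entries, applied to a bare NBM and to every NBM inside a .zip upload, which is the case from the defect described above. It assumes NBMs are signed in the JAR format (a META-INF/*.SF file plus a .RSA/.DSA/.EC block); the function names and sample archives are constructed for illustration.

```python
import io
import zipfile

# Signature block extensions jarsigner writes next to the .SF file.
SIG_BLOCK_EXTS = (".RSA", ".DSA", ".EC")


def has_jar_signature(data):
    """True if the archive has a META-INF/*.SF with a matching signature block.

    Presence check only: digests and the certificate chain are not validated,
    so a real gate would follow this with full verification (e.g. jarsigner -verify).
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = {n.upper() for n in zf.namelist()}
    except zipfile.BadZipFile:
        return False
    meta = {n for n in names if n.startswith("META-INF/") and n.count("/") == 1}
    stems = {n[:-3] for n in meta if n.endswith(".SF")}
    return any(stem + ext in meta for stem in stems for ext in SIG_BLOCK_EXTS)


def unsigned_nbms(filename, data):
    """Names of unsigned NBMs in an upload: a bare .nbm or a .zip of NBMs."""
    if filename.lower().endswith(".nbm"):
        return [] if has_jar_signature(data) else [filename]
    unsigned = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            # Check every nested NBM, not just the outer container.
            if info.filename.lower().endswith(".nbm"):
                if not has_jar_signature(zf.read(info)):
                    unsigned.append(info.filename)
    return unsigned


def _make_archive(entries):
    """Build an in-memory zip from {name: content} (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: placeholder bytes stand in for real signature data.
SIGNED_NBM = _make_archive({"META-INF/MANIFEST.MF": "m", "META-INF/SAMPLE.SF": "s",
                            "META-INF/SAMPLE.RSA": "r", "Info/info.xml": "<module/>"})
UNSIGNED_NBM = _make_archive({"META-INF/MANIFEST.MF": "m", "Info/info.xml": "<module/>"})
BUNDLE = _make_archive({"a.nbm": SIGNED_NBM, "b.nbm": UNSIGNED_NBM, "README.txt": "x"})
```

Running the same `unsigned_nbms` call on both first-time uploads and new versions of an existing plugin covers the update path raised in the thread.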