This Bugzilla instance is a read-only archive of historic NetBeans bug reports. To report a bug in NetBeans please follow the project's instructions for reporting issues.
Steps to reproduce: 1. start 8.1 development build 2. go to Tools/Plugins/Settings 3. add plugin portal AU catalog: http://plugins.netbeans.org/nbpluginportal/updates/8.1/catalog.xml.gz 4. go to available plugins 5. search for "DukeScript" 6. install "DukeScript Project Wizard" After downloading the "Verify Certificate" dialog is shown. There are two self-signed modules (that is OK) and three unsigned ones (that is scary). I'd like to find a way to avoid scarying people by claiming these are unsigned, because (at the end) all three came from a Maven central repository where they had to be (at least) self-signed.
After installing the modules appeared in the netbeans installation directory: nbms/modules nbms/modules/de-twentyeleven-skysail-org-json_osgi.jar nbms/modules/javax-websocket_api.jar and yes, the JARs are not signed internally. On the other hand, all of them contain META-INF/maven/ with */*/pom.xml - the pom.properties as well as pom.xml contain artifactId, groupId and version that could be used to locate appropriate certificate on Maven central: http://repo1.maven.org/maven2/javax/websocket/javax.websocket-api/1.0/ there are .sha and .md5 files. If the checksum of a local JAR is the same as expected by these two files, I believe the JARs could be treated as signed.
I don't expect this to be implemented, right?
(In reply to Jaroslav Tulach from comment #2) > I don't expect this to be implemented, right? Unfortunately, right.