This Bugzilla instance is a read-only archive of historic NetBeans bug reports. To report a bug in NetBeans please follow the project's instructions for reporting issues.

Bug 257394 - Self signed plugins for Java EE Base bundle plugin
Status: NEW
Alias: None
Product: javaee
Classification: Unclassified
Component: Editor
Version: 8.1
Hardware: PC Windows 8.1
Importance: P3 normal
Assignee: issues@javaee
Reported: 2016-01-04 17:14 UTC by assylias
Modified: 2018-01-12 12:41 UTC

Issue Type: DEFECT

Attachments
Certificate warning snapshot (42.82 KB, image/png)
2016-01-04 17:14 UTC, assylias
Description assylias 2016-01-04 17:14:08 UTC
When installing the "Java EE Base" plugin, I get a warning about 4 self-signed plugins included in that bundle:

- Tyrus Based WebSockets
- OSGi json classes
- WebSocket server API
- DukeScript Project Wizard

See messages in the attached picture.

The details of the certificate are all similar and from the same issuer. For reference here are the details for the last plugin (DukeScript):

[
[
  Version: V3
  Subject: CN=Anton Epple, OU=Unknown, O=Eppleton IT Consulting, L=Munich, ST=Unknown, C=Unknown
  Signature Algorithm: SHA1withDSA, OID = 1.2.840.10040.4.3

  Key:  Sun DSA Public Key
    Parameters:DSA

  Validity: [From: Sun Feb 08 12:52:35 GMT 2015,
               To: Sat May 09 13:52:35 BST 2015]
  Issuer: CN=Anton Epple, OU=Unknown, O=Eppleton IT Consulting, L=Munich, ST=Unknown, C=Unknown
  SerialNumber: [    320c3c4b]

Certificate Extensions: 1
[1]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 35 A9 59 B8 EB BC C7 D9   10 4B 8B D0 01 B4 A5 28  5.Y......K.....(
0010: 0A F7 E3 0C                                        ....
]
]

]
  Algorithm: [SHA1withDSA]
  Signature:
0000: 30 2C 02 14 17 70 69 FD   74 8B 7C 89 EB 78 36 BE  0,...pi.t....x6.
0010: 35 DD 8E 6A 37 76 71 84   02 14 75 09 81 EE 0E 3A  5..j7vq...u....:
0020: 20 1E 2A 15 65 8F 14 5C   34 E9 4C 42 8A 0D         .*.e..\4.LB..

]
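
Added example, not part of the original report or of NetBeans: a Python parser for the text fields of the certificate dump above that flags the points a reviewer would check (issuer equal to subject, SHA-1 based signature, validity window relative to the report date). The names `triage`, `field`, `parse_java_date`, the finding labels and the zone table are assumptions made for this example.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: the text fields from the report's dump, hex values left out.
DUMP = """\
  Subject: CN=Anton Epple, OU=Unknown, O=Eppleton IT Consulting, L=Munich, ST=Unknown, C=Unknown
  Signature Algorithm: SHA1withDSA, OID = 1.2.840.10040.4.3
  Validity: [From: Sun Feb 08 12:52:35 GMT 2015,
               To: Sat May 09 13:52:35 BST 2015]
  Issuer: CN=Anton Epple, OU=Unknown, O=Eppleton IT Consulting, L=Munich, ST=Unknown, C=Unknown
"""
REPORTED = datetime(2016, 1, 4, 17, 14, tzinfo=timezone.utc)  # "Reported" time of the bug

# Assumption: only the zone abbreviations seen in this dump are mapped (hours from UTC).
ZONES = {"GMT": 0, "UTC": 0, "BST": 1}

def parse_java_date(text):
    """Parse java.util.Date.toString() output such as 'Sat May 09 13:52:35 BST 2015'."""
    _dow, mon, day, clock, zone, year = text.split()
    naive = datetime.strptime(f"{mon} {day} {year} {clock}", "%b %d %Y %H:%M:%S")
    return naive.replace(tzinfo=timezone(timedelta(hours=ZONES[zone])))

def field(dump, name):
    """Return the value of a 'Name: value' line, or None if it is absent."""
    m = re.search(rf"^\s*{re.escape(name)}:\s*(.+)$", dump, re.MULTILINE)
    return m.group(1).strip() if m else None

def triage(dump, as_of):
    """List what a reviewer should note about the certificate at time as_of."""
    findings = []
    # Heuristic: equal names mean self-issued; proving self-signed needs the
    # signature verified against the certificate's own public key.
    subject = field(dump, "Subject")
    if subject and subject == field(dump, "Issuer"):
        findings.append("self-signed")
    alg = (field(dump, "Signature Algorithm") or "").split(",")[0]
    if alg.upper().startswith(("SHA1", "MD5", "MD2")):
        findings.append(f"weak-digest:{alg}")
    # Assumes the dump carries a Validity line in the format shown above.
    m = re.search(r"From:\s*(.+?),\s*To:\s*(.+?)\]", dump, re.DOTALL)
    not_before, not_after = (parse_java_date(g) for g in m.groups())
    if as_of < not_before:
        findings.append("not-yet-valid")
    elif as_of > not_after:
        findings.append("expired")
    return findings

if __name__ == "__main__":
    print(triage(DUMP, REPORTED))
```
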
Comment 1 assylias 2016-01-04 17:14:57 UTC
Created attachment 157990
Certificate warning snapshot
Comment 2 retobg 2018-01-12 12:41:18 UTC
There are tons of "self-signed" plugins in the registry. For me this is the main reason not to use NetBeans directly on my system, but only on a VM that doesn't contain sensitive data.