This Bugzilla instance is a read-only archive of historic NetBeans bug reports. To report a bug in NetBeans please follow the project's instructions for reporting issues.

Bug 269471 - Plugin installer show certificate dialog should provide useful certificate information for the user to make a decision
Status: NEW
Alias: None
Product: platform
Classification: Unclassified
Component: Autoupdate
Version: 8.2
Hardware: PC Linux
: P3 normal
Assignee: Libor Fischmeistr
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2017-01-01 13:23 UTC by netmackan
Modified: 2017-01-01 15:28 UTC
0 users

See Also:
Issue Type: ENHANCEMENT
Exception Reporter:


Attachments
Patch adding SHA1 and SHA-256 fingerprints. (2.58 KB, patch)
2017-01-01 15:28 UTC, netmackan

Description netmackan 2017-01-01 13:23:22 UTC
When installing plugins the user is presented with a "Verify Certificate" frame that has a "Show details" button to display certificate information.

However, the current information is just a simple toString() (?) on the certificate object, which does not show all the information that would be useful for the user to decide whether it would be acceptable to continue anyway.

The best thing, of course, would be if all plugin publishers (or a plugin portal/repository) provided plugins signed with trusted certificates. In reality, many plugins are currently provided signed with self-signed certificates.

If the show certificate dialog also displayed the certificate fingerprint, it could potentially be compared by the user with the expected fingerprint if it were published on some other trusted source. In addition, an export/save certificate option would also be useful for power users to be able to inspect the certificate using other tools.

Suggestion:
- In addition to the certificate information, also at least compute SHA-1 and SHA-256 message digests (fingerprints/hashes) of the displayed certificate and output them after the certificate information.
- Bonus points for also providing a "Save certificate" feature, or alternatively just outputting the certificate in PEM format and allowing it to be copied.
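
The fingerprint display, fingerprint comparison and PEM output suggested above, as an added example that is not part of the original report, the attached patch or the NetBeans code base. The class and method names are hypothetical; the methods work on the DER bytes that `Certificate.getEncoded()` returns, and `main` uses constructed stand-in bytes rather than a real certificate.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;
import java.util.Locale;

/** Hypothetical helper: fingerprint, compare and PEM-export a certificate's DER encoding. */
public class CertFingerprintExample {

    /** Colon-separated upper-case hex digest of the DER bytes, e.g. "AB:CD:...". */
    static String fingerprint(byte[] der, String algorithm) throws NoSuchAlgorithmException {
        byte[] digest = MessageDigest.getInstance(algorithm).digest(der);
        StringBuilder sb = new StringBuilder(digest.length * 3);
        for (int i = 0; i < digest.length; i++) {
            if (i > 0) sb.append(':');
            sb.append(String.format("%02X", digest[i] & 0xff));
        }
        return sb.toString();
    }

    /** Compares a fingerprint pasted by the user, ignoring case, colons and whitespace. */
    static boolean matches(String expected, byte[] der) throws NoSuchAlgorithmException {
        String hex = expected.replaceAll("[:\\s]", "").toUpperCase(Locale.ROOT);
        // Choose the digest from the pasted length: 40 hex chars = SHA-1, 64 = SHA-256.
        String algorithm;
        if (hex.length() == 40) algorithm = "SHA-1";
        else if (hex.length() == 64) algorithm = "SHA-256";
        else return false; // unknown length: never treat as a match
        return fingerprint(der, algorithm).replace(":", "").equals(hex);
    }

    /** PEM form of the certificate (64-character lines), for copying into other tools. */
    static String toPem(byte[] der) {
        Base64.Encoder enc = Base64.getMimeEncoder(64, "\n".getBytes(StandardCharsets.US_ASCII));
        return "-----BEGIN CERTIFICATE-----\n" + enc.encodeToString(der)
                + "\n-----END CERTIFICATE-----\n";
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in bytes, not a real certificate; a dialog would pass cert.getEncoded().
        byte[] der = "constructed sample bytes, not a certificate".getBytes(StandardCharsets.US_ASCII);
        String sha256 = fingerprint(der, "SHA-256");
        System.out.println("SHA-1:   " + fingerprint(der, "SHA-1"));
        System.out.println("SHA-256: " + sha256);
        // The same fingerprint, as a user might paste it from another source (lower case, spaces).
        System.out.println("match:   " + matches(sha256.toLowerCase(Locale.ROOT).replace(':', ' '), der));
        System.out.print(toPem(der));
    }
}
```

The fingerprint is taken over the whole DER encoding, so it matches what other certificate tools print for the same certificate.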
Comment 1 netmackan 2017-01-01 15:28:27 UTC
Created attachment 163320
Patch adding SHA1 and SHA-256 fingerprints.