This Bugzilla instance is a read-only archive of historic NetBeans bug reports. To report a bug in NetBeans please follow the project's instructions for reporting issues.

Bug 271770 - Warning message for untrusted plugins needs to be improved
Summary: Warning message for untrusted plugins needs to be improved
Status: NEW
Alias: None
Product: platform
Classification: Unclassified
Component: Plugin Importer
Version: 8.0
Hardware: PC Windows 7
Importance: P1 normal
Assignee: Libor Fischmeistr
URL:
Keywords: UI
Depends on:
Blocks:
 
Reported: 2017-11-08 18:25 UTC by jason_s
Modified: 2018-01-12 06:13 UTC

See Also:
Issue Type: DEFECT
Exception Reporter:


Attachments
screenshot of netbeans untrusted warning (22.53 KB, image/png)
2017-11-08 18:25 UTC, jason_s

Description jason_s 2017-11-08 18:25:01 UTC
Created attachment 165415
screenshot of netbeans untrusted warning

The warning message when installing untrusted plugins needs to be improved. Right now the message says "The following plugins are signed but not trusted: [list of plugin names] Warning: Installing untrusted plugins is potentially insecure. Use unsigned or untrusted plugins at your own risk."

This is not adequate, for a number of reasons:

- the terms "signed" and "trusted" have meaning in the context of NetBeans (+ Java) *developers*, not end users. They are imprecise and do not convey their intended meaning, which is:

   a signed plugin has a digital signature

   a signed, trusted plugin has a digital signature with a cryptographic certificate to prove identity

  When a plugin is signed but not trusted, it means there is no verifiable claim that the plugin author is who they say they are, and someone could be impersonating them.

- Any aspect of software that involves security, in today's environment of malicious hacking, should have clear advice on how to proceed. Saying "Use unsigned or untrusted plugins at your own risk." is just a CYA kind of statement; there's no clear way for end users to learn more and decide whether to proceed. What it *really* means when you run into this message, is that the plugin authors have bothered to sign their plugin but they haven't bothered to create a verifiable security certificate, and the plugin authors should be informed about this so they can fix the issue. In 2017 with free CAs like https://letsencrypt.org/ there is absolutely no reason that a plugin developer should create plugins that are untrusted. In the meantime, the end user should install the plugin only if they have verified that the plugin comes from the alleged author and not from a malicious entity trying to impersonate the author. NetBeans should have text content that explains some of these issues in more detail and also link to detailed content where users can learn more to make a correct decision.

The "Show certificate" button is good for informed users, but you have to know precisely what a certificate means for this to be any good.

Please address this issue; it affects not only NetBeans itself (where presumably programmers are better-informed than the general population) but NetBeans-based platforms like Microchip's MPLAB X for embedded development.

----

The attached screenshot shows the result of installing the Special copy-paste plugin (http://plugins.netbeans.org/plugin/9275/special-copy-paste) on NetBeans 8.0.2.
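The "signed" versus "trusted" distinction the report draws is two independent checks. The following is an added example, not code from this bug or from the NetBeans Autoupdate module: it treats a plugin .nbm as the signed JAR it is, verifies the signature on every entry, and then asks separately whether each signer's certificate chains to an anchor in a caller-supplied trust store (the JRE's cacerts, for instance; which store NetBeans itself consults is not stated on this page and is assumed here).

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;
import java.util.jar.*;

public final class PluginTrustCheck {
    /** The two separate questions the dialog text runs together. */
    public enum Verdict { UNSIGNED, SIGNED_UNTRUSTED, SIGNED_TRUSTED }

    public static Verdict check(String jarPath, String trustStorePath, char[] trustStorePass) throws Exception {
        // Trust anchors, e.g. the JRE's cacerts file (path and password are assumptions supplied by the caller).
        KeyStore trust = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(trustStorePath)) {
            trust.load(in, trustStorePass);
        }
        // Question 1 ("signed"): does every content entry carry a valid signature?
        Set<CodeSigner> signers = new HashSet<>();
        try (JarFile jar = new JarFile(jarPath, true)) {   // true = verify digests on read
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry e = entries.nextElement();
                if (e.isDirectory() || e.getName().startsWith("META-INF/")) continue;
                // Signers are only known after the entry is fully read; a tampered entry throws SecurityException.
                try (InputStream in = jar.getInputStream(e)) {
                    for (byte[] buf = new byte[8192]; in.read(buf) != -1; ) { }
                }
                CodeSigner[] cs = e.getCodeSigners();
                if (cs == null) return Verdict.UNSIGNED;   // one unsigned entry taints the whole plugin
                signers.addAll(Arrays.asList(cs));
            }
        }
        if (signers.isEmpty()) return Verdict.UNSIGNED;
        // Question 2 ("trusted"): does each signer's certificate chain to one of the trust anchors?
        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        PKIXParameters params = new PKIXParameters(trust);
        params.setRevocationEnabled(false);  // offline example; keep revocation checking on in production
        for (CodeSigner s : signers) {
            try {
                validator.validate(s.getSignerCertPath(), params);
            } catch (CertPathValidatorException ex) {
                return Verdict.SIGNED_UNTRUSTED;  // signature is fine but identity is unproven (e.g. self-signed)
            }
        }
        return Verdict.SIGNED_TRUSTED;
    }
}
```

PKIX validation uses the current time by default, so an expired signing certificate also lands in SIGNED_UNTRUSTED; call params.setDate(...) with the signing time when a trusted timestamp is available.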
Comment 1 jason_s 2017-11-08 18:36:16 UTC
p.s. the advice on http://wiki.netbeans.org/DevFaqSignNbm for signing .nbm plugins is inadequate. Plugin authors need to be directed that their plugins should be signed and trusted, otherwise they run the risk that someone else can impersonate them, and they need to be referred to further information about cryptographic security certificates.

<quote>
Some notes:
1. You can probably get a root-authorized certificate from VeriSign or the like, and the Auto Update wizard should treat this as more trusted. Not yet investigated (please update this FAQ entry if you experiment with this).
</quote>

Please don't just refer to VeriSign, they're not free and you shouldn't be assuming that developers know how to find a certificate authority. Either throw out a bunch of names (including LetsEncrypt), or point to a reputable source of information about security certificates.

<quote>
2. Keeping the keystore and its password in the private dir ensures that you will not accidentally commit either to source repository or include it in a source ZIP made with the Project Packager module. It may be safe to put the keystore in a shared directory (e.g. nbproject) if you are sure that the storepass is too hard to guess.
</quote>

Don't give this advice. This is the computing equivalent of putting a key hidden under a rock near your house. If someone cracks the password, they can then impersonate the owner of the certificate.
Comment 2 malik_badar 2018-01-12 06:13:34 UTC
I have a plugin that shows the "signed but not trusted" warning, although the Show certificate button does have a certificate from DigiCert.

Following are the details of the certificate.
Subject: CN=DigiCert SHA2 Assured ID Code Signing CA, OU=www.digicert.com, O=DigiCert Inc, C=US

Does anybody have an idea what else needs to be done to make it trusted and avoid the warning?