Plugins in Custom Update Center appear as "Signed but not Trusted"


Plugins in Custom Update Center appear as "Signed but not Trusted"

sonideft-2
I recently acquired a Code Signing Certificate from Comodo for use with my NetBeans RCP Application. Signing the installer app.exe was fairly painless and incorporated into my Ant Build.xml script.

I wasn't able to figure out how to get NetBeans to utilize a tsaurl while signing all the nbm's in my app; but I did get my nbm's signed using my code signing certificate. I verified this with jarsigner and also looked into the manifest of the nbm's and found the required *.RSA file there.

When my users download the updates, they are presented with a Dialog listing all the nbm's and state that they are signed but not trusted. Is there another step I am missing or hints of what to check next? I'd like to have them trusted, as that is why I acquired the certificate.

I did re-sign the nbm's manually using jarsigner again to force the tsaurl to be applied. This had no effect on the results. FYI


Re: Plugins in Custom Update Center appear as "Signed but not Trusted"

Emilian Bold-2
I have a patch that's almost a year old about tsaurl on this issue https://netbeans.org/bugzilla/show_bug.cgi?id=243213

I should probably just push the patch myself and stop waiting for a review.

You might be running into the fact that only Oracle is hardcoded as trusted: https://github.com/emilianbold/incubator-netbeans/blob/3c8b489a1f71bc1bc9dab9f3ac33acaff361a175/autoupdate.services/src/org/netbeans/modules/autoupdate/services/Utilities.java#L231

    if (certDNName.contains("CN=\"Oracle America, Inc.\"")
            && (certDNName.contains("OU=Software Engineering") || certDNName.contains("OU=Code Signing Bureau"))) {
        res = 2;

    ...
    switch (res) {
        case 2:
            return TRUSTED;

Also note this comment:

    // signed by trusted certificate stored in user's keystore od ide.ks
    return TRUSTED;

PS: Please start using the Apache dev@ mailing list dev@netbeans.incubator.apache.org . I've also cross-posted to the new mailing list which I recommend you join.
--emi

On Tue, Jul 18, 2017 at 10:49 PM, sonideft <[hidden email]> wrote:
> I recently acquired a Code Signing Certificate from Comodo for use with my NetBeans RCP Application. Signing the installer app.exe was fairly painless and incorporated into my Ant Build.xml script.
>
> I wasn't able to figure out how to get NetBeans to utilize a tsaurl while signing all the nbm's in my app; but I did get my nbm's signed using my code signing certificate. I verified this with jarsigner and also looked into the manifest of the nbm's and found the required *.RSA file there.
>
> When my users download the updates, they are presented with a Dialog listing all the nbm's and state that they are signed but not trusted. Is there another step I am missing or hints of what to check next? I'd like to have them trusted, as that is why I acquired the certificate.
>
> I did re-sign the nbm's manually using jarsigner again to force the tsaurl to be applied. This had no effect on the results. FYI



Plugins in Custom Update Center appear as "Signed but not Trusted"

sonideft-2
To be more specific, I am using NetBeans 8.02 still and the clients are using Java 8.0.74 that is bundled with the RCP app, built through Ant.

As an experiment I published another update through my update center. This time the Dialog stating all my nbms were signed but not trusted did not appear. I followed the NetBeans source code and it appears that Java/NetBeans may treat all certificates as untrusted until they are accepted at least once by the end user.

If this is true, I still don't want my users to see this Dialog even the first time. It will confuse them and they may not trust my app. I paid for a code signing certificate so that all trust concerns should be minimized.

Any ideas how I can suppress this Dialog from appearing the first time?


Re: Plugins in Custom Update Center appear as "Signed but not Trusted"

Emilian Bold-2
There's probably no solution if you submit an IDE plugin.

But, for your own RCP app, you could look into
org.netbeans.spi.autoupdate.KeyStoreProvider and how
org.netbeans.modules.updatecenters.resources.NetBeansKeyStoreProvider
uses the included core/ide.ks and replicate that.

> I paid for a code signing certificate so that all trust concerns should be minimized.

Well, they have been minimized, but not reduced to zero. Even bad guys
could get a certificate for $84 from ksoftware.net

Perhaps the wording should be a bit better, but explaining security to
users is hard as Google Chrome and every other major app discovered.
Would you prefer a text "You have no other plugins from this
publisher" and "You already installed plugins from this publisher"?
Even that might confuse users.

PS: Start using the Apache dev@ mailing list [hidden email]

--emi
On Thu, Jul 20, 2017 at 5:07 AM, sonideft <[hidden email]> wrote:

> To be more specific, I am using NetBeans 8.02 still and the clients are using Java 8.0.74 that is bundled with the RCP app, built through Ant.
>
> As an experiment I published another update through my update center. This time the Dialog stating all my nbms were signed but not trusted did not appear. I followed the NetBeans source code and it appears that Java/NetBeans may treat all certificates as untrusted until they are accepted at least once by the end user.
>
> If this is true, I still don't want my users to see this Dialog even the first time. It will confuse them and they may not trust my app. I paid for a code signing certificate so that all trust concerns should be minimized.
>
> Any ideas how I can suppress this Dialog from appearing the first time?
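The KeyStoreProvider route Emilian points at, as an added example (not code from this thread, and not the NetBeans project's own NetBeansKeyStoreProvider): a module in the RCP application registers an org.netbeans.spi.autoupdate.KeyStoreProvider whose KeyStore holds the publisher's code-signing certificate, so NBMs signed with it fall into the "signed by trusted certificate stored in user's keystore" branch quoted in the earlier reply and are reported as TRUSTED. The package name, the resource path com/example/app/update/publisher-trust.ks and the password "changeit" are assumptions; the module is assumed to depend on the Auto Update Services and Lookup APIs, and the truststore is assumed to contain the certificate chain only, never the private key.

```java
// Added example, not from the thread or from the NetBeans project.
// Supplies the publisher's own code-signing certificate as a trust anchor to
// the NetBeans Autoupdate service. Assumptions: module depends on the Auto
// Update Services and Lookup APIs; a truststore resource (hypothetical path
// below) holding only public certificates is packaged with the module.
package com.example.app.update;

import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Date;
import java.util.Enumeration;
import java.util.List;
import java.util.logging.Level;
import java.util.logging.Logger;
import org.netbeans.spi.autoupdate.KeyStoreProvider;
import org.openide.util.lookup.ServiceProvider;

@ServiceProvider(service = KeyStoreProvider.class)
public class PublisherKeyStoreProvider implements KeyStoreProvider {

    private static final Logger LOG = Logger.getLogger(PublisherKeyStoreProvider.class.getName());

    // Hypothetical resource path; the file is created with keytool (see note below).
    static final String TRUSTSTORE_RESOURCE = "com/example/app/update/publisher-trust.ks";
    // Placeholder integrity password: the store holds public certificates only,
    // so this value protects nothing secret.
    static final char[] TRUSTSTORE_PASSWORD = "changeit".toCharArray();

    @Override
    public KeyStore getKeyStore() {
        try (InputStream in = PublisherKeyStoreProvider.class
                .getClassLoader().getResourceAsStream(TRUSTSTORE_RESOURCE)) {
            if (in == null) {
                LOG.log(Level.WARNING, "Publisher truststore {0} not found; adding no trust anchors",
                        TRUSTSTORE_RESOURCE);
                return emptyKeyStore();
            }
            KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
            ks.load(in, TRUSTSTORE_PASSWORD);
            LOG.log(Level.INFO, "Publisher trust anchors: {0}", trustedSubjects(ks));
            return ks;
        } catch (IOException | GeneralSecurityException ex) {
            // Fail closed: a damaged or tampered truststore adds no trust at all.
            LOG.log(Level.WARNING, "Could not load publisher truststore", ex);
            return emptyKeyStore();
        }
    }

    /** Empty KeyStore so Autoupdate always receives a usable object, never null. */
    static KeyStore emptyKeyStore() {
        try {
            KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
            ks.load(null, null);
            return ks;
        } catch (IOException | GeneralSecurityException ex) {
            throw new IllegalStateException("cannot create empty keystore", ex);
        }
    }

    /** Subject DNs of the certificate entries; warns about expired anchors and ignores key entries. */
    static List<String> trustedSubjects(KeyStore ks) throws KeyStoreException {
        List<String> subjects = new ArrayList<>();
        Enumeration<String> aliases = ks.aliases();
        Date now = new Date();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            if (!ks.isCertificateEntry(alias)) {
                continue; // a private-key entry should never be in a truststore
            }
            Certificate c = ks.getCertificate(alias);
            if (c instanceof X509Certificate) {
                X509Certificate x = (X509Certificate) c;
                if (x.getNotAfter().before(now)) {
                    LOG.log(Level.WARNING, "Trust anchor {0} expired on {1}",
                            new Object[]{alias, x.getNotAfter()});
                }
                subjects.add(x.getSubjectX500Principal().getName());
            }
        }
        return Collections.unmodifiableList(subjects);
    }
}
```

The truststore is built once from the exported certificate, not from the signing keystore, e.g. keytool -importcert -alias publisher -file publisher.cer -keystore publisher-trust.ks -storepass changeit, using the same store type the code opens. Keep only the publisher's leaf certificate in it: every certificate returned by a KeyStoreProvider becomes a trust anchor for all update centers the application uses, so importing the issuing CA would trust every other customer of that CA as well. As Emilian says, this only helps a standalone RCP application; an IDE plugin still goes through the hardcoded check in Utilities.java.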

Plugins in Custom Update Center appear as "Signed but not Trusted"

sonideft-2
I meant to post this to the Platform User Group. Sorry.