Netbeans.org › Netbeans Project Developers (not for user help)

Plugins in Custom Update Center appear as "Signed but not Trusted"

_‹ Previous Topic Next Topic _›

Classic

List

Threaded

5 messages Options

sonideft-2

Plugins in Custom Update Center appear as "Signed but not Trusted"

I recently acquired a Code Signing Certificate from Comodo for use with my NetBeans RCP Application. Signing the installer app.exe was fairly painless and incorporated into my Ant Build.xml script.

I wasn't able to figure out how to get NetBeans to utilize a tsaurl while signing all the nmb's in my app; but I did get my nbm's signed using my code signing certificate. I verified this with jarsigner and also looked into the manifest of the nbm's and found the required *.RSA file there.

When my users download the updates, they are presented with a Dialog listing all the nbm's and state that they are signed but not trusted. Is there another step I am missing or hints of what to check next? I'd like to have them trusted, as that is why I acquired the certificate.

I did resign the nmb's manually using jarsigner again to force the tsurl to be applied. This had no effect on the results. FYI

Emilian Bold-2

Re: Plugins in Custom Update Center appear as "Signed but not Trusted"

I have a patch that's almost a year old about tsaurl on this issue https://netbeans.org/bugzilla/show_bug.cgi?id=243213

I should probably just push the patch myself and stop waiting for a review.

You might be running into the fact that only Oracle is hardcoded as trusted: https://github.com/emilianbold/incubator-netbeans/blob/3c8b489a1f71bc1bc9dab9f3ac33acaff361a175/autoupdate.services/src/org/netbeans/modules/autoupdate/services/Utilities.java#L231

if (certDNName.contains("CN=\"Oracle America, Inc.\"")
&& (certDNName.contains("OU=Software Engineering") || certDNName.contains("OU=Code Signing Bureau"))) {
res = 2;

...
switch (res) {
case 2:
return TRUSTED;

Also note this comment:

// signed by trusted certificate stored in user's keystore od ide.ks
return TRUSTED;

PS: Please start using the Apache dev@ mailing list dev@netbeans.incubator.apache.org . I've also cross-posted to the new mailing list which I recommend you join.

--emi

On Tue, Jul 18, 2017 at 10:49 PM, sonideft <[hidden email]> wrote:

I recently acquired a Code Signing Certificate from Comodo for use with my NetBeans RCP Application. Signing the installer app.exe was fairly painless and incorporated into my Ant Build.xml script.

I wasn't able to figure out how to get NetBeans to utilize a tsaurl while signing all the nmb's in my app; but I did get my nbm's signed using my code signing certificate. I verified this with jarsigner and also looked into the manifest of the nbm's and found the required *.RSA file there.

When my users download the updates, they are presented with a Dialog listing all the nbm's and state that they are signed but not trusted. Is there another step I am missing or hints of what to check next? I'd like to have them trusted, as that is why I acquired the certificate.

I did resign the nmb's manually using jarsigner again to force the tsurl to be applied. This had no effect on the results. FYI

sonideft-2

Plugins in Custom Update Center appear as "Signed but not Trusted"

In reply to this post by sonideft-2

To be more specific, I am using NetBeans 8.02 still and the clients are using Java 8.0.74 that is bundled with the RCP app, built through Ant.

As an experiment I published another update through my update center. This time the Dialog stating all my nbms were signed but not trusted did not appear. I followed the NetBeans sourcecode and it appears that Java/NetBeans may treat all certificates as untrusted until they are accepted at least once by the end user.

If this is true, I still don't want my users to see this Dialog even the first time. It will confuse them and they may not trust my app. I paid for a code signing certificate so that all trust concerns should be minimized.

Any ideas how I can suppress this Dialog from appearing the first time?

Emilian Bold-2

Re: Plugins in Custom Update Center appear as "Signed but not Trusted"

There's probably no solution if you submit an IDE plugin.

But, for your own RCP app, you could look into
org.netbeans.spi.autoupdate.KeyStoreProvider and how
org.netbeans.modules.updatecenters.resources.NetBeansKeyStoreProvider
uses the included core/ide.ks and replicate that.

> I paid for a code signing certificate so that all trust concerns should be minimized.

Well, they have been minimized, but not reduced to zero. Even bad guys
could get a certificate for $84 from ksoftware.net

Perhaps the wording should be a bit better, but explaining security to
users is hard as Google Chrome and every other major app discovered.
Would you prefer a text "You have no other plugins from this
publisher" and "You already installed plugins from this publisher"?
Even that might confuse users.

PS: Start using the Apache dev@ mailing list [hidden email]

--emi

On Thu, Jul 20, 2017 at 5:07 AM, sonideft <[hidden email]> wrote:

> To be more specific, I am using NetBeans 8.02 still and the clients are using Java 8.0.74 that is bundled with the RCP app, built through Ant.
>
> As an experiment I published another update through my update center. This time the Dialog stating all my nbms were signed but not trusted did not appear. I followed the NetBeans sourcecode and it appears that Java/NetBeans may treat all certificates as untrusted until they are accepted at least once by the end user.
>
> If this is true, I still don't want my users to see this Dialog even the first time. It will confuse them and they may not trust my app. I paid for a code signing certificate so that all trust concerns should be minimized.
>
> Any ideas how I can suppress this Dialog from appearing the first time?
>
>
>
>

sonideft-2

Plugins in Custom Update Center appear as "Signed but not Trusted"

In reply to this post by sonideft-2

I meant to post this to the Platform User Group. Sorry.