I recently acquired a Code Signing Certificate from Comodo for use with my NetBeans RCP Application. Signing the installer app.exe was fairly painless and incorporated into my Ant Build.xml script.
I wasn't able to figure out how to get NetBeans to utilize a tsaurl while signing all the nbm's in my app, but I did get my nbm's signed using my code signing certificate. I verified this with jarsigner and also looked into the manifest of the nbm's and found the required *.RSA file there.

When my users download the updates, they are presented with a Dialog listing all the nbm's and stating that they are signed but not trusted. Is there another step I am missing or hints of what to check next? I'd like to have them trusted, as that is why I acquired the certificate.

I did re-sign the nbm's manually using jarsigner again to force the tsaurl to be applied. This had no effect on the results.

FYI
I have a patch that's almost a year old about tsaurl on this issue: https://netbeans.org/bugzilla/show_bug.cgi?id=243213

I should probably just push the patch myself and stop waiting for a review.

You might be running into the fact that only Oracle is hardcoded as trusted: https://github.com/emilianbold/incubator-netbeans/blob/3c8b489a1f71bc1bc9dab9f3ac33acaff361a175/autoupdate.services/src/org/netbeans/modules/autoupdate/services/Utilities.java#L231

    if (certDNName.contains("CN=\"Oracle America, Inc.\"")

Also note this comment:

    // signed by trusted certificate stored in user's keystore od ide.ks

PS: Please start using the Apache dev@ mailing list dev

--emi

On Tue, Jul 18, 2017 at 10:49 PM, sonideft <[hidden email]> wrote:
> I recently acquired a Code Signing Certificate from Comodo for use with my NetBeans RCP Application. Signing the installer app.exe was fairly painless and incorporated into my Ant Build.xml script.
In reply to this post by sonideft-2
To be more specific, I am using NetBeans 8.02 still and the clients are using Java 8.0.74 that is bundled with the RCP app, built through Ant.
As an experiment I published another update through my update center. This time the Dialog stating all my nbms were signed but not trusted did not appear. I followed the NetBeans source code and it appears that Java/NetBeans may treat all certificates as untrusted until they are accepted at least once by the end user.

If this is true, I still don't want my users to see this Dialog even the first time. It will confuse them and they may not trust my app. I paid for a code signing certificate so that all trust concerns should be minimized.

Any ideas how I can suppress this Dialog from appearing the first time?
There's probably no solution if you submit an IDE plugin.
But, for your own RCP app, you could look into org.netbeans.spi.autoupdate.KeyStoreProvider and how org.netbeans.modules.updatecenters.resources.NetBeansKeyStoreProvider uses the included core/ide.ks and replicate that.

> I paid for a code signing certificate so that all trust concerns should be minimized.

Well, they have been minimized, but not reduced to zero. Even bad guys could get a certificate for $84 from ksoftware.net

Perhaps the wording should be a bit better, but explaining security to users is hard, as Google Chrome and every other major app discovered.

Would you prefer a text "You have no other plugins from this publisher" and "You already installed plugins from this publisher"? Even that might confuse users.

PS: Start using the Apache dev@ mailing list [hidden email]

--emi

On Thu, Jul 20, 2017 at 5:07 AM, sonideft <[hidden email]> wrote:
> To be more specific, I am using NetBeans 8.02 still and the clients are using Java 8.0.74 that is bundled with the RCP app, built through Ant.
>
> As an experiment I published another update through my update center. This time the Dialog stating all my nbms were signed but not trusted did not appear. I followed the NetBeans sourcecode and it appears that Java/NetBeans may treat all certificates as untrusted until they are accepted at least once by the end user.
>
> If this is true, I still don't want my users to see this Dialog even the first time. It will confuse them and they may not trust my app. I paid for a code signing certificate so that all trust concerns should be minimized.
>
> Any ideas how I can suppress this Dialog from appearing the first time?
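
An added example, not part of the thread and not NetBeans' own code: one way an RCP application could replicate NetBeansKeyStoreProvider as suggested above, by registering its own KeyStoreProvider that loads a keystore shipped with the application. The class name, package, the core/myapp.ks path, the code name base and the password are assumptions; the keystore should hold only the public signing certificate, never the private key.

```java
package com.example.myapp.trust; // hypothetical package

import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.logging.Level;
import java.util.logging.Logger;
import org.netbeans.spi.autoupdate.KeyStoreProvider;
import org.openide.modules.InstalledFileLocator;
import org.openide.util.lookup.ServiceProvider;

/** Exposes a keystore bundled with the RCP app to the Auto Update trust check. */
@ServiceProvider(service = KeyStoreProvider.class)
public final class MyAppKeyStoreProvider implements KeyStoreProvider {

    private static final Logger LOG = Logger.getLogger(MyAppKeyStoreProvider.class.getName());

    // Assumed names. The store holds only the publisher's public certificate, e.g.:
    //   keytool -importcert -alias myapp-signing -file publisher.cer -keystore myapp.ks
    private static final String KS_FILE_PATH = "core/myapp.ks";
    private static final String CODE_NAME_BASE = "com.example.myapp.trust";
    // Integrity password for a store of public certificates; it protects no secret.
    private static final char[] KS_PASSWORD = "changeit".toCharArray();

    @Override
    public KeyStore getKeyStore() {
        // Resolve the file inside the installation, not the user directory.
        File ksFile = InstalledFileLocator.getDefault().locate(KS_FILE_PATH, CODE_NAME_BASE, false);
        if (ksFile == null) {
            LOG.log(Level.WARNING, "Bundled keystore {0} not found", KS_FILE_PATH);
            return null; // contribute no trusted certificates
        }
        try (InputStream in = new FileInputStream(ksFile)) {
            KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
            ks.load(in, KS_PASSWORD); // fails if the file was altered or the password is wrong
            return ks;
        } catch (IOException | GeneralSecurityException ex) {
            // Fail closed: an unreadable store must not widen trust.
            LOG.log(Level.WARNING, "Cannot load bundled keystore " + ksFile, ex);
            return null;
        }
    }
}
```

Every certificate in this file is offered to Auto Update as a trusted signer, so the file's integrity depends on the write permissions of the installation directory.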
In reply to this post by sonideft-2
I meant to post this to the Platform User Group. Sorry.