signing certificate for tools from marketplace [message #1864491]
Tue, 19 March 2024 21:00
Eclipse User
I just downloaded and installed Eclipse IDE for Ent Java and Web.
Click on Help, then Marketplace. Search for android. The second result from the top. Install Android Development Tools.
Then I'm being asked to trust a cert without a cn and the signing algo md2withRSA. Who here is trusting md2?
See screenshot.
Now, if I try the same in Eclipse 2023-06, the cert is different. From Let's Encrypt. But also it displays that update authority is ieclipse.cn - Chinese tld domain...
Is this ieclipse.cn a trustworthy source or not so?...
Re: signing certificate for tools from marketplace [message #1864496 is a reply to message #1864491]
Wed, 20 March 2024 06:39
Eclipse User
You've mostly covered the content associated with that certificate. But I see one bundle there that appears to be from 2012. Such old bundles will often have signatures using a certificate where the root of that certificate is no longer present in cacerts of the JDK used by the installation, hence the dialog comes up. They often use weaker algorithms. And these days, some JDKs consider some signatures so weak that they ignore them and treat the jar as unsigned.
The other picture shows information about the host from which you are downloading the content and the certificate there is the certificate used for https traffic via that host. That's a totally different certificate than one that might be used to sign content.
I cannot decide for you what you should trust. Even if everything is signed properly, that doesn't mean it can't "do bad things."
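An added example in Java, not from this thread or from Eclipse: it reads the signer certificates out of a jar's META-INF signature block, flags the algorithms current JDKs disable through the jdk.jar.disabledAlgorithms security property, checks whether each certificate's issuer is among the running JDK's default trust anchors (its cacerts), and reports whether that JDK still counts the jar as signed at all. The jar path is taken as the first command-line argument; the class name and the WEAK list are this example's own choices.

```java
import java.io.*;
import java.security.cert.*;
import java.util.*;
import java.util.jar.*;
import javax.net.ssl.*;

public class JarSignerInspector {
    // Algorithms that current JDKs list in the jdk.jar.disabledAlgorithms security property
    static final Set<String> WEAK = Set.of("MD2", "MD5", "SHA1");
    public static void main(String[] args) throws Exception {
        Set<X509Certificate> roots = jdkTrustAnchors();
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        boolean sigBlockSeen = false, anyAccepted = false;
        try (JarFile jf = new JarFile(new File(args[0]), true)) {        // true = verify entries while reading
            for (Enumeration<JarEntry> e = jf.entries(); e.hasMoreElements(); ) {
                JarEntry je = e.nextElement();
                String n = je.getName().toUpperCase();
                if (n.startsWith("META-INF/") && (n.endsWith(".RSA") || n.endsWith(".DSA") || n.endsWith(".EC"))) {
                    sigBlockSeen = true;
                    // Read the certificates straight out of the PKCS#7 block: they stay visible even after the JDK has discarded the signature as too weak
                    try (InputStream in = jf.getInputStream(je)) {
                        for (Certificate c : cf.generateCertificates(in)) {
                            X509Certificate x = (X509Certificate) c;
                            String alg = x.getSigAlgName();   // algorithm the issuer signed this cert with, e.g. "MD2withRSA"
                            boolean weak = WEAK.stream().anyMatch(w -> alg.toUpperCase().startsWith(w));
                            boolean rootKnown = roots.stream().anyMatch(r -> r.getSubjectX500Principal().equals(x.getIssuerX500Principal()));
                            System.out.printf("%s%n  subject=[%s]%n  sigAlg=%s%s%n  issuer is a JDK trust anchor: %s%n",
                                    je.getName(), x.getSubjectX500Principal(), alg, weak ? "  <-- disabled algorithm" : "", rootKnown);
                        }
                    }
                } else if (!je.isDirectory()) {
                    try (InputStream in = jf.getInputStream(je)) { in.transferTo(OutputStream.nullOutputStream()); }
                    if (je.getCodeSigners() != null) anyAccepted = true;  // null = unsigned, or signature rejected by the JDK
                }
            }
        }
        System.out.println(!sigBlockSeen ? "unsigned: no META-INF signature block"
                : anyAccepted ? "this JDK accepts the signature"
                : "signature block present, but this JDK treats the jar as UNSIGNED");
    }
    // The CA certificates this JDK trusts by default (its cacerts), via the default TrustManagerFactory
    static Set<X509Certificate> jdkTrustAnchors() throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((java.security.KeyStore) null);
        Set<X509Certificate> roots = new HashSet<>();
        for (TrustManager tm : tmf.getTrustManagers())
            if (tm instanceof X509TrustManager) roots.addAll(Arrays.asList(((X509TrustManager) tm).getAcceptedIssuers()));
        return roots;
    }
}
```

The issuer check compares the certificate's issuer against the JDK's trust anchors by name only, so a certificate issued by an intermediate CA reports false here even when its chain would validate; for that case run a full PKIX validation of the chain found in the signature block.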
Re: signing certificate for tools from marketplace [message #1864507 is a reply to message #1864496]
Wed, 20 March 2024 13:52
Eclipse User
Ed,
thanks for your response.
Just to clarify:
1. I have windows 11
2. I have one instance of Eclipse IDE from 2023-06
3. I have another instance of Eclipse IDE that I downloaded yesterday - March 19, 2024
4. I followed the same process - click Help, Marketplace, etc
5. results in 2 different situations - hence the 2 screenshots
Re: signing certificate for tools from marketplace [message #1864509 is a reply to message #1864507]
Wed, 20 March 2024 16:05
Eclipse User
One dialog is for Trust Authorities and the other for Trust Artifacts, so one shows you URLs for web sites from which content is being fetched, and you can inspect the certificate used for the https connection (just as you can do in a browser). The other dialog shows you signature information about the jar signatures (certificate-based), PGP signatures, or lack thereof (unsigned). So it's apples and oranges.
Re: signing certificate for tools from marketplace [message #1864510 is a reply to message #1864509]
Wed, 20 March 2024 16:12
Eclipse User
Ed,
I did understand that the first time you explained it.
I followed the same steps. The same process.
Why is Eclipse IDE displaying these 2 different certificates?
I understand that Eclipse pulls Android Development Tool package from 2 different repos, but why?
Why do the same steps in one case result in asking me to accept an installation of a binary signed with md2WithRSA?
Why do the same steps in another case result in pulling a package from ieclipse.cn signed by Let's Encrypt?
Is a China-based repo trustworthy?
[Updated on: Wed, 20 March 2024 16:14] by Moderator

Re: signing certificate for tools from marketplace [message #1864525 is a reply to message #1864524]
Thu, 21 March 2024 14:55
Eclipse User
Ed,
thanks for responding.
I'm attaching 4 screenshots.
The first one shows that I have 2 different versions of Eclipse installed.
I did try installing this adt thing using both versions of Eclipse.
So, on the second screenshot I'm in the 2023-06 version of Eclipse.
I clicked Help and then Marketplace. etc.
If I repeat these steps for the Eclipse 2024 (see the first screenshot), then I get a binary signed with md2/rsa. With md2/rsa a binary may be laced with crap.
Okay, there are many case studies that illustrate the risks.
I'll remind you just 2:
1. abandoned project Trader_X was modified by the Koreans and redistributed.... later supply chain side attacks were staged - google for 3CX attack
2. https://qwiet.ai/a-rising-threat-malicious-python-packages/
I'm totally new to Eclipse repos. But it looks like a cleanup effort may be in order.
Also, my experience installing adt illustrates the lack of consistency in how extensions/repos are handled.
Attachment: ecl1.png
Attachment: ecl2.png
Attachment: ecl3.png
Attachment: ecl4.png

Re: signing certificate for tools from marketplace [message #1864531 is a reply to message #1864527]
Thu, 21 March 2024 20:20
Eclipse User
"I suggest you don't install things that you don't trust."
yeah, obvio... the sky is blue, the water is wet, and don't install things that you don't trust... jajaja I'm glad you finally got my point
I would NOT accept either of the 2 installation cases that I have described.
You are doubting that I followed exactly the same process? Why? In your mind it is almost impossible to repeat the same 5-6 clicks in the same interface? jajaja
Re: signing certificate for tools from marketplace [message #1864535 is a reply to message #1864531]
Fri, 22 March 2024 04:16
Eclipse User
Clearly you feel insulted, which was not the intent, and you feel compelled to share that feeling with sarcasm and personal attacks, which is not so appropriate.
The point is that I tried installing the following and I get the host prompt dialog you showed using both 2023-06 and 2024-03:
https://marketplace.eclipse.org/content/android-adt-extensions
But I do not get the prompt about artifact certificates for that listing in either installation.
On the other hand, I do get that artifact trust dialog you show using this listing, but that content comes from a different host:
https://marketplace.eclipse.org/content/andmore-development-tools-android%E2%84%A2
So given you didn't tell me exactly which thing you installed, I needed to make assumptions. Then, given I could reproduce what you showed using these two different listings, it seemed a safe assumption.
In any case, I think I'm done spending time helping you because I can better spend my time where it's effectively appreciated.
Re: signing certificate for tools from marketplace [message #1864550 is a reply to message #1864535]
Fri, 22 March 2024 13:20
Eclipse User
In the very first message I did say what exactly I tried installing.
1. Eclipse marketplace
2. the word "android" in the search box
3. with both versions of Eclipse search yields the same top results.
4. I did not try to install the very first result
5. as I mentioned in my very first message, it was always the second.
Now ADT is no longer supported by Google. The question is: why is it still in the marketplace?
The second question, why a product that may potentially be laced with malware (it is signed with md2/rsa) is in the marketplace?
and the third question is: how is the default repo determined by the search box in Eclipse (under marketplace)?
Is my geolocation having any effect on how the Eclipse Marketplace displays results or what versions of extensions are being offered?
Would a search from Iran and a search from the USA yield the same results?
(no, I am not in Iran).