Skip to main content


Eclipse Community Forums
Forum Search:

Search      Help    Register    Login    Home
Home » Newcomers » Newcomers » signing certificate for tools from marketplace(weird certs)
signing certificate for tools from marketplace [message #1864491] Tue, 19 March 2024 21:00 Go to next message
Arik Eden is currently offline Arik EdenFriend
Messages: 6
Registered: March 2024
Junior Member
I just downloaded and installed Eclipse IDE for Ent Java and Web.

Click on Help, then Marketplace. Search for android. The second result from the top. Install Android Development Tools.

Then I'm being asked to trust a cert without a cn and the signing algo md2withRSA. Who here is trusting md2?

See screenshot.

Now, if I try the same in Eclipse 2023-06, the cert is different. From Let's Encrypt. But also it displays that update authority is ieclipse.cn - Chinese tld domain...

Is this ieclipse.cn trustworthy source or no so?...
Re: signing certificate for tools from marketplace [message #1864496 is a reply to message #1864491] Wed, 20 March 2024 06:39 Go to previous messageGo to next message
Ed Merks is currently offline Ed MerksFriend
Messages: 33185
Registered: July 2009
Senior Member
You've mostly covered the content associated with that certificate. But I see one bundle there that appears to be from 2012. Such old bundles will often have signatures using a certificate where the root of that certificate is no longer present in cacerts of the JDK used by the installation, hence the dialog comes up. They often use weaker algorithms. And these days, some JDKs consider some signatures so weak, they they ignore them and treat the jar as unsigned.

The other picture shows information about the host from which you are downloading the content and the certificate there is the certificate used for https traffic via that host. That's a totally different certificate than one that might be used to sign content.

I cannot decide for you what you should trust. Even if everything is signed properly, that doesn't mean can't "do bad thing."


Ed Merks
Professional Support: https://www.macromodeling.com/
Re: signing certificate for tools from marketplace [message #1864507 is a reply to message #1864496] Wed, 20 March 2024 13:52 Go to previous messageGo to next message
Arik Eden is currently offline Arik EdenFriend
Messages: 6
Registered: March 2024
Junior Member
Ed,

thanks for your response.

Just to clarify:

1. I have windows 11
2. I have one instance of Eclipse IDE from 2023-06
3. I have another instance of Eclipse IDE that I downloaded yesterday - March 19, 2024
4. I followed the same process - click Help, Marketplace, etc
5. results in 2 different situations - hence the 2 screenshots
Re: signing certificate for tools from marketplace [message #1864509 is a reply to message #1864507] Wed, 20 March 2024 16:05 Go to previous messageGo to next message
Ed Merks is currently offline Ed MerksFriend
Messages: 33185
Registered: July 2009
Senior Member
One dialog is for Trust Authorities and the other for Trust Artifacts, so one show you URLs for web sites from which content is being fetched, and you can inspect the certificate used for the https connection (just as you can do in a browser). The other dialog shows you signature information about the jar signatures (certificate-based), PGP signatures, or lack there of (unsigned). So it's apples and oranges.

Ed Merks
Professional Support: https://www.macromodeling.com/
Re: signing certificate for tools from marketplace [message #1864510 is a reply to message #1864509] Wed, 20 March 2024 16:12 Go to previous messageGo to next message
Arik Eden is currently offline Arik EdenFriend
Messages: 6
Registered: March 2024
Junior Member
Ed,

I did understand that the first time you explained it.

I followed the same steps. The same process.

Why is Eclipse IDE displaying these 2 different certificates?

I understand that Eclipse pulls Android Development Tool package from 2 different repos, but why?

Why the same steps in one case result in asking me to accept an installation of a binary signed with md2WithRSA?

Why the same steps in another case result in another case in pulling a package from ieclipse.cn signed by Let's Encrypt?

Is China-based repo trustworthy?

[Updated on: Wed, 20 March 2024 16:14]

Report message to a moderator

Re: signing certificate for tools from marketplace [message #1864524 is a reply to message #1864510] Thu, 21 March 2024 13:49 Go to previous messageGo to next message
Ed Merks is currently offline Ed MerksFriend
Messages: 33185
Registered: July 2009
Senior Member
These are the only two listings that I can find from that source:

https://www.eclipse.org/setups/marketplace/?id=389177
https://www.eclipse.org/setups/marketplace/?id=393519

So my guess would be that the second time you tried to install this:

https://marketplace.eclipse.org/content/android-adt-extensions


Ed Merks
Professional Support: https://www.macromodeling.com/
Re: signing certificate for tools from marketplace [message #1864525 is a reply to message #1864524] Thu, 21 March 2024 14:55 Go to previous messageGo to next message
Arik Eden is currently offline Arik EdenFriend
Messages: 6
Registered: March 2024
Junior Member
index.php/fa/44080/0/Ed,

thanks for responding.

I{m attaching 4 screenshots.

The first one shows that I have 2 different versions of Eclipse installed.

I did try installing this adt thing using both versions of Eclipse.

So, on second screenshot I {m in 2023'06 version of Eclipse.

I clicked Help and then Marketplace. etc.

If repeat these steps for the Eclipse 2024 (see the first screenshot), then I get a binary signed with md2/rsa. with md2/rsa a binary may be laced with crap.

Okay, there are many case studies that illustrate the risks.

I'll remind you just 2:

1. abandoned project Trader_X was modified by the koreans and redistributed.... later supply chain side attacks were staged - google for 3CX attack

2. https://qwiet.ai/a-rising-threat-malicious-python-packages/

I'm totally new to Eclipse repos. But looks like a cleanup effort maybe in order.

Also, my experience installing adt illustrates the lack of consistency in how extensions/repos are handled.

  • Attachment: ecl1.png
    (Size: 772.73KB, Downloaded 116 times)
  • Attachment: ecl2.png
    (Size: 104.65KB, Downloaded 36 times)
  • Attachment: ecl3.png
    (Size: 92.56KB, Downloaded 31 times)
  • Attachment: ecl4.png
    (Size: 130.75KB, Downloaded 37 times)
Re: signing certificate for tools from marketplace [message #1864527 is a reply to message #1864525] Thu, 21 March 2024 16:41 Go to previous messageGo to next message
Ed Merks is currently offline Ed MerksFriend
Messages: 33185
Registered: July 2009
Senior Member
Yes, picture 3 shows https://marketplace.eclipse.org/content/android-adt-extensions at the top of the list. That use the site in shown in the Trust Authorities dialog. I doubt you are repeating the steps exactly but rather are choosing different things to install.

I suggest you don't install things that you don't trust.


Ed Merks
Professional Support: https://www.macromodeling.com/
Re: signing certificate for tools from marketplace [message #1864531 is a reply to message #1864527] Thu, 21 March 2024 20:20 Go to previous messageGo to next message
Arik Eden is currently offline Arik EdenFriend
Messages: 6
Registered: March 2024
Junior Member
##I suggest you don't install things that you don't trust.##

yeah, obvio... the sky is blue, the water is wet, and don't install things that you don't trust... jajaja I'm glad you finally got my point

I would NOT accept neither of the 2 installation cases that I have described.

You are doubting that I followed exactly the same process? Why? in your mind it is almost impossible to repeat the same 5-6 clicks in the same interface? jajaja
Re: signing certificate for tools from marketplace [message #1864535 is a reply to message #1864531] Fri, 22 March 2024 04:16 Go to previous messageGo to next message
Ed Merks is currently offline Ed MerksFriend
Messages: 33185
Registered: July 2009
Senior Member
Clearly you feel insulted, which was not the intent, and you feel compelled to share that feeling with sarcasm and personal attacks, which is not so appropriate.

The point is that I tried installing the following and I get the host prompt dialog you showed using both 2023-06 and on 2024-03:

https://marketplace.eclipse.org/content/android-adt-extensions

But I do not get the prompt about artifact certificates for that listing in either installation.

On the other hand, I do get that artifact trust dialog you show using this listing, but that content comes from a different host:

https://marketplace.eclipse.org/content/andmore-development-tools-android%E2%84%A2

So given you didn't tell me exactly which thing you installed, I needed to make assumptions. Then, given I could reproduce what you showed using these two different listings, it seemed a safe assumption.

In any case, I think I'm done spending time helping you because I can better spend my time where its effective appreciated.


Ed Merks
Professional Support: https://www.macromodeling.com/
Re: signing certificate for tools from marketplace [message #1864550 is a reply to message #1864535] Fri, 22 March 2024 13:20 Go to previous message
Arik Eden is currently offline Arik EdenFriend
Messages: 6
Registered: March 2024
Junior Member
in the very first message I did say what exactly I tried installing.

1. Eclipse marketplace
2. the word "android" in the search box
3. with both versions of Eclipse search yields the same top results.
4. I did not try to install the very first result
5. as I mentioned in my very first message, it was always the second.

Now ADT is no longer supported by google. The question is Why is it still in the marketplace?
The second question, why a product that may potentially be laced with malware (it is signed with md2/rsa) is in the marketplace?
and the third question is: how is the default repo determined by the search box in Eclipse (under marketplace)?

Is my geolocation having any effect of how the Ecliplse Marketplace displaying results or what versions of extensions are being offered?

Would a search from Iran and search from USA yield the same results?

(no, I am not in Iran).
Previous Topic:Unable to launch avr-gcc
Next Topic:Temurin
Goto Forum:
  


Current Time: Sat Jul 20 12:36:52 GMT 2024

Powered by FUDForum. Page generated in 0.09470 seconds
.:: Contact :: Home ::.

Powered by: FUDforum 3.0.2.
Copyright ©2001-2010 FUDforum Bulletin Board Software

Back to the top