Perhaps I should be asking this in the "Eclipse Platform" forum, as it's not directly Tycho related (I think), but I thought to give it a try:
I've modified the Tycho build script to sign my plugin jars. I'm using a self-signed certificate. When I try to install the plugins, the Eclipse installer asks me, the user, if I want to trust that certificate for the installation. So far so good.
Thing is, I'd expect once the user accepts the certificate as valid, Eclipse wouldn't ask again in future installations signed with the same certificate. But it does. I've made a new release of the plugins and the installer asks again if I trust the certificate.
This seems to me to defeat the whole point, since for the user to trust that the new plugin release is from the same source as the previous one, they would have to open the details of the certificate, and manually compare the public key of the previous one to the new one and see that it matches. Obviously this is not practical, they are not gonna check. As as such theoretically someone could create a new self-signed certificate with the same name as mine, and use that to forge fake plugins.
Am I missing something here? Admittedly my knowledge of security stuff is weak. 😓