Skip to main content

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
Re: [tycho-user] Using self signed certificates for plugins: the certificate is not stored?

On 2/25/16, 5:53 PM, "tycho-user-bounces@xxxxxxxxxxx on behalf of Tom Bryan (tombry)" <tycho-user-bounces@xxxxxxxxxxx on behalf of tombry@xxxxxxxxx> wrote:

For Eclipse: 

I don't remember whether Eclipse is just checking against the JVM's cacerts certificate store or whether it eventually goes back to the operating system's certificate store somehow.  I believe that it's *only* checking the JVM's certificate store.  If that's true, then you just need to follow instructions for importing certificates to the JVM.  

That is, each of your users who uses your self-signed certificate would need to import the certificate to his JVM's certificate store.

If you have a lot of users, I would recommend either not signing your code or purchasing a code signing certificate from a certificate authority that's in the JVM's list of default authorities.


For example, 


On 2/25/16, 2:20 PM, "tycho-user-bounces@xxxxxxxxxxx on behalf of Bruno Medeiros" <tycho-user-bounces@xxxxxxxxxxx on behalf of> wrote:

Perhaps I should be asking this in the "Eclipse Platform" forum, as it's not directly Tycho related (I think), but I thought to give it a try:

I've modified the Tycho build script to sign my plugin jars. I'm using a self-signed certificate. When I try to install the plugins, the Eclipse installer asks me, the user, if I want to trust that certificate for the installation. So far so good.

Thing is, I'd expect once the user accepts the certificate as valid, Eclipse wouldn't ask again in future installations signed with the same certificate. But it does. I've made a new release of the plugins and the installer asks again if I trust the certificate.

This seems to me to defeat the whole point, since for the user to trust that the new plugin release is from the same source as the previous one, they would have to open the details of the certificate, and manually compare the public key of the previous one to the new one and see that it matches. Obviously this is not practical, they are not gonna check. As as such theoretically someone could create a new self-signed certificate with the same name as mine, and use that to forge fake plugins.

Am I missing something here? Admittedly my knowledge of security stuff is weak. 😓

Back to the top