On Fri, Oct 25, 2019 at 1:04 PM Neil C Smith <neilcsm...@apache.org> wrote:
> On Thu, 24 Oct 2019 at 21:17, Jan Lahoda <lah...@gmail.com> wrote: > >> Still unsure about how we handle catalog and signing issues though. > >> Am I right in thinking with current situation people will see a > >> warning on update? Definitely see this already when re-enabling > >> nb-javac. > > > > That is one of the things I'd like to try. The update will be a two > phase process - first update the nb/updatecenters module, and then > nb-javac. I *think* there should be no warning for the second update > (because the NBM is signed using the key that is embedded in the > updatecenters module), but I am less sure about how exactly the first > update will work. > > I'm fairly sure the first update at least will show a warning. > Installing other nbms from the distribution UC does now. > Yes, i am afraid so, unless we find a way to sensibly sign the NBMs. There is this (which is probably what Reema shared): https://blogs.apache.org/infra/entry/code_signing_service_now_available But I have no idea if we asked to an access there. (And if ASF would pay for each signed file, then singing several hundreds NBMs would not fly anyway, I think.) But we could at least use that for this update release (which will likely only consist of a handful of NBMs), and try to do something better for the future. But the second update should be without warning, if the NBMs is done properly. > Check the link Reema shared that I posted earlier. We might be able > to use that, in the short term manually signing the relevant updates > via the web interface? Except that shows a browser security error for > me. And also specifies .jar extension. > > What other options are there? Is there any *secure* way that we can > add trust in the IDE for modules built on ASF infrastructure? If I > understand it correctly, the current way the third-party UC does this > will only work for a single build? > I wonder if we could validate the GPG signatures (.asc) we need to use anyway - the IDE could then have a list of "trusted" KEYs. Jan > Best wishes, > > Neil >