Hi,

On Monday, 28.10.2019, 19:24 +0000, Neil C Smith wrote:
> On Mon, 28 Oct 2019 at 19:00, Matthias Bläsing
> <mblaes...@doppel-helix.eu> wrote:
> > if I'm not mistaken, currently the NBMs we produce are not signed when
> > we release. This is what I suggest:
> 
> No, they're not.

I just remembered, where I saw this in the build:

nb/updatecenters/build.xml

there a new signing key is created, the nbms for javafx and nbjavac are
built and signed with that key. Then the public key/certificate is
embedded in the build as ide.ks.

ide.ks is provided by
org.netbeans.modules.updatecenters.resources.NetBeansKeyStoreProvider
to the update center to be used to check the signatures embedded in the
NBMs (see the META-INF directory of the javafx/nbjavac nbms to see the
signature).

That way the NBMs are fully trusted by the IDE and don't even trigger
the Validation dialog (so far my reading of the update center gui).

My idea would add a trusted certificate to ide.ks that corresponds
with a signing key that only PMC members have access to.

> > - all updates will be signed with that key, as it is trusted, it can be
> >   used to safely install updates
> 
> How, or actually, where?  That would still be a manual, local, job?
> It would be great if we could sign during the Jenkins build.  Or does
> that just open another can of worms?

Yes, my idea would be to require the release manager to get the signing
key from the SVN, decrypt it with his/her GPG key, use it to sign the
update-center nbms and then remove the signing key again.

> The other option that comes to mind - Jan mentioned validating the GPG
> signatures - but would it be possible to just get the IDE to use our
> KEYS file as a source for validation?

Then you need two artifacts: the NBM and its corresponding detached
signature. I agree that it is possible to verify the signature that
way, but how to get them combined? And we would still need to push an
update to the current install base.

Greetings

Matthias
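To make concrete what "check the signatures embedded in the NBMs" against ide.ks amounts to, here is an added, stand-alone Java example; it is not NetBeans code and does not reproduce what NetBeansKeyStoreProvider or the update center do internally. It loads a trust store, walks a signed NBM as a JAR and accepts it only if every content entry is signed by a certificate that is present in that store. The class and method names, and the assumption that an NBM verifies like an ordinary signed JAR, are mine.

```java
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.CodeSigner;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.Set;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

/** Hypothetical trust check: every content entry of the NBM must be signed by a cert in the trust store. */
public final class NbmTrustCheck {

    public static boolean isTrusted(Path nbm, Path trustStore, char[] storePass) throws Exception {
        // Collect the certificates shipped in the trust store (e.g. the cert embedded as ide.ks).
        Set<Certificate> trusted = new HashSet<>();
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(trustStore)) { ks.load(in, storePass); }
        for (Enumeration<String> aliases = ks.aliases(); aliases.hasMoreElements();) {
            Certificate c = ks.getCertificate(aliases.nextElement());
            if (c != null) trusted.add(c);
        }
        // verify=true makes JarFile check the META-INF digests and signature blocks while entries are read.
        try (JarFile jar = new JarFile(nbm.toFile(), true)) {
            for (Enumeration<JarEntry> entries = jar.entries(); entries.hasMoreElements();) {
                JarEntry entry = entries.nextElement();
                if (entry.isDirectory() || isSignatureFile(entry.getName())) continue;
                // Signers are only known after the entry has been read to the end.
                try (InputStream in = jar.getInputStream(entry)) { in.transferTo(OutputStream.nullOutputStream()); }
                CodeSigner[] signers = entry.getCodeSigners();
                if (signers == null) return false;          // unsigned entry: reject the whole NBM
                boolean signedByTrusted = false;
                for (CodeSigner s : signers) {
                    Certificate leaf = s.getSignerCertPath().getCertificates().get(0);
                    if (trusted.contains(leaf)) { signedByTrusted = true; break; }
                }
                if (!signedByTrusted) return false;          // signed, but not by a key we trust
            }
        } catch (SecurityException tampered) {
            return false;                                    // digest or signature mismatch on some entry
        }
        return true;
    }

    private static boolean isSignatureFile(String name) {
        String n = name.toUpperCase();
        return n.equals("META-INF/MANIFEST.MF") || (n.startsWith("META-INF/")
                && (n.endsWith(".SF") || n.endsWith(".RSA") || n.endsWith(".DSA") || n.endsWith(".EC")));
    }
}
```

The check compares the signer's leaf certificate with the store contents, which matches a self-signed certificate placed directly in the store; a CA-issued signing key would need a chain validation step instead.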



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@netbeans.apache.org
For additional commands, e-mail: dev-h...@netbeans.apache.org

For further information about the NetBeans mailing lists, visit:
https://cwiki.apache.org/confluence/display/NETBEANS/Mailing+lists