On Fri, 10 Jul 2020, 17:56 Tim Boudreau, <niftin...@gmail.com> wrote:
> That said, since we're unlikely to change the situation with regard to > code-signing certs worldwide any time soon, Jesse's suggestion in the bug > linked above is the more reasonable way to go: As long as signature > information is downloaded via HTTPS from the same origin as the NBM, and > the receiver knows how to verify the bits with it, the HTTPS connection is > solving the "am I being man-in-the-middled" problem, and that's the only > thing the certificate in JAR signing adds to the picture. The IDE just > needs to enforce that the signature must by downloaded from the same domain > using the same HTTPS cert as the NBM. > What does this offer in practice, assuming any catalogue is downloaded from a trusted location over https, above validating the file against the file hash in the catalogue? Best wishes, Neil >
