Re: Signing NBMs with a Trusted Certificate

2018-03-25 Thread Emilian Bold
I believe we discussed this before: 
https://lists.apache.org/thread.html/cc95584333ad21929346078ba42b4e3859dc0f6173d9700081178280@%3Cdev.netbeans.apache.org%3E

> You might be running into the fact that only Oracle is hardcoded as
> trusted:
> https://github.com/emilianbold/incubator-netbeans/blob/3c8b489a1f71bc1bc9dab9f3ac33acaff361a175/autoupdate.services/src/org/netbeans/modules/autoupdate/services/Utilities.java#L231

>     if (certDNName.contains("CN=\"Oracle America, Inc.\"")
>             && (certDNName.contains("OU=Software Engineering") ||
>             certDNName.contains("OU=Code Signing Bureau"))) {
>         res = 2;
>
>     ...
>     switch (res) {
>         case 2:
>             return TRUSTED;
>
> Also note this comment:
>
>     // signed by trusted certificate stored in user's keystore od ide.ks
>     return TRUSTED;


> But, for your own RCP app, you could look into
> org.netbeans.spi.autoupdate.KeyStoreProvider and how
> org.netbeans.modules.updatecenters.resources.NetBeansKeyStoreProvider
> uses the included core/ide.ks and replicate that.

If you control the main app, you don't even need to give Comodo any money, you 
can just pin your (self-signed) certificate.

--emi

‐‐‐ Original Message ‐‐‐

On 22 March 2018 8:55 PM, stephen cumminger wrote:

> This may be a simple question, but I could use some help nonetheless.
>
> I have a NetBeans RCP app based on version 8.2. I have a certificate from a
> major trusted certificate provider (Comodo) that I use to sign the NBMs that
> are posted to our Update Center. The question is “how do I get rid of the
> following Dialog ?”
>
> I use the same certificate to sign the Installer file, and MS Windows does
> not complain. The problem is that it is confusing to my users. From what I
> read this Dialog needs to appear at least once for the User to “Accept”
> before the certificate is installed into the Trust Store.
>
> The following is how I sign the NBMs in the ant script of each module:
>
>  keystore="${keystore}"
>  storepass="${storepass}"
>  alias="${nbm_alias}"
>  keypass="${storepass}"
>  tsaurl="http://timestamp.comodoca.com/rfc3161"
>  digestalg="SHA-256"
>  force="true"
>     />
>
> Hints or suggestions always welcome.
>
> Regards,
>
> Stephen

-
To unsubscribe, e-mail: users-unsubscr...@netbeans.apache.org
For additional commands, e-mail: users-h...@netbeans.apache.org

For further information about the NetBeans mailing lists, visit:
https://cwiki.apache.org/confluence/display/NETBEANS/Mailing+lists
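
Added example, not part of the thread and not NetBeans project code: a minimal `KeyStoreProvider` along the lines Emilian suggests, handing Auto Update a keystore that holds only your own signing certificate. The package, keystore path, code name base and password are assumptions; the store would be built beforehand with `keytool -importcert` and shipped inside the application.

```java
package com.example.myapp.updates; // hypothetical package

import java.io.BufferedInputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.util.logging.Level;
import java.util.logging.Logger;
import org.netbeans.spi.autoupdate.KeyStoreProvider;
import org.openide.modules.InstalledFileLocator;
import org.openide.util.lookup.ServiceProvider;

/** Offers the application's pinned signing certificate to Auto Update. */
@ServiceProvider(service = KeyStoreProvider.class)
public final class PinnedKeyStoreProvider implements KeyStoreProvider {

    // Assumptions: location inside the installation, owning module, store password.
    // The store holds only the public certificate (a trustedCertEntry), never the
    // private key, so the password protects integrity, not a secret.
    private static final String KS_PATH = "core/myapp.ks";
    private static final String CODE_NAME_BASE = "com.example.myapp.updates";
    private static final char[] KS_PASSWORD = "changeit".toCharArray();

    private static final Logger LOG =
            Logger.getLogger(PinnedKeyStoreProvider.class.getName());

    @Override
    public KeyStore getKeyStore() {
        File ksFile = InstalledFileLocator.getDefault()
                .locate(KS_PATH, CODE_NAME_BASE, false);
        if (ksFile == null) {
            // Fail closed: without the pinned store, nothing extra is trusted.
            LOG.log(Level.WARNING, "Pinned keystore {0} not found", KS_PATH);
            return null;
        }
        try (InputStream in = new BufferedInputStream(new FileInputStream(ksFile))) {
            KeyStore ks = KeyStore.getInstance("JKS");
            ks.load(in, KS_PASSWORD); // also verifies the store's integrity check
            return ks;
        } catch (Exception ex) { // IOException or GeneralSecurityException
            LOG.log(Level.WARNING, "Cannot load pinned keystore " + ksFile, ex);
            return null;
        }
    }
}
```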



Re: Signing NBMs with a Trusted Certificate

2018-03-24 Thread Antonio

Hi,

This would make a great enhancement, IMHO. If we trust the CA we trust 
the module, and a "green" light should be shown somewhere.


I'd file an enhancement in JIRA for this.

Kind regards,
Antonio

On 24/03/18 12:49, stephen cumminger wrote:

> You raised some good points. If I relate this back to MS Windows running an exe
> file, the messages are different if the exe file was signed with a certificate
> that has a trusted root. It does always present the Dialog asking the user if
> they want to continue. If the exe is not signed as mentioned, the message
> contains various warnings and the coloring of red in various places (as opposed
> to green indicating MS was OK with the root certificate).
>
> What would be ideal is if NetBeans could recognize that all NBMs were signed
> with the same certificate and that the certificate was backed by a recognized
> certificate authority, provide some summary information as Markus suggests and
> perhaps include a green border or icon somehow. I withdraw my suggestion that
> the Dialog should not appear at all. It is scary for my users though as they
> would have been familiar with MS Windows popping up a very small dialog with
> green in it from time to time, but never anything that looks like the NetBeans
> Dialog.
>
> I think the point should be that NetBeans should be able to state that it
> trusts that the modules came from the provider indicated in the certificate,
> since it is backed with a known CA authority. What we should be asking the user
> is "Do you trust this supplier", in my situation. That would be a much easier
> question for my users to answer.
>
> Regards,
>
> Stephen
>
> -----Original Message-----
> From: Markus Kilås
> Sent: Saturday, March 24, 2018 8:05 AM
> To: users@netbeans.apache.org
> Subject: Re: Signing NBMs with a Trusted Certificate
>
> On 03/22/2018 07:55 PM, stephen cumminger wrote:
> > I have a NetBeans RCP app based on version 8.2. I have a certificate
> > from a major trusted certificate provider (Comodo) that I use to sign
> > the NBMs that are posted to our Update Center. The question is "how do
> > I get rid of the following Dialog ?"
>
> Hi Stephen, all,
>
> I think this dialog box could be improved to make it easier for the user to
> make a conscious decision on how to proceed. Getting rid of the dialog is
> likely not wanted though.
>
> I haven't yet looked into the details on exactly how this is handled in
> NetBeans so please correct me if I am wrong but my understanding is like the
> following:
> The signature on your plugins has been verified with your code signing
> certificate and that certificate has been verified to chain up to one of the
> trusted CAs in the system. This is shown in the dialog as "Signed and Valid".
>
> Somehow NetBeans identifies this as third-party plugins as opposed to let's
> say "core plugins" coming from the NetBeans project and in this case the user
> has to be consulted to make a decision about if this should be run or not.
>
> Remember that anyone can get a code signing certificate and that it does not
> say that the software from that publisher is safe to run or not. The
> certificate only says that it was signed by the publisher say "Acme Software
> Inc.". So the user needs to decide if it trusts that publisher to run code on
> its computer.
>
> Unfortunately, the warning in this dialog is the same also for unsigned (and
> self signed) plugins in which case the situation is much worse. In those cases
> there are no guarantees that the plugins have not been tampered with or who
> created them in the first place. For the user it is maybe not so easy to
> distinguish between those cases.
>
> For your case, what the user needs to do currently is to click on each of the
> plugins under "Signed and Valid" and then click Show details to see who is the
> publisher and then make a decision if it trusts that publisher or not.
>
> It would have been more clear if the dialog somehow already provided the needed
> information directly. Something like this:
>
> "You are about to install a third-party plugin.
> The signature has been verified correctly and comes from:
> Acme Software Inc., US [Show Details]
> Warning: only proceed if you trust that publisher to run code on your computer."
>
> For the other cases (i.e. unsigned and self-signed) there should be a more
> harsh message, more like the current one, so the user understands the risk if
> it chooses to proceed and potentially compromise its computer.
>
> Cheers,
> Markus


RE: Signing NBMs with a Trusted Certificate

2018-03-24 Thread stephen cumminger
You raised some good points. If I relate this back to MS Windows running an exe 
file, the messages are different if the exe file was signed with a certificate 
that has a trusted root. It does always present the Dialog asking the user if 
they want to continue. If the exe is not signed as mentioned, the message 
contains various warnings and the coloring of red in various places (as opposed 
to green indicating MS was OK with the root certificate).

What would be ideal is if NetBeans could recognize that all NBMs were signed 
with the same certificate and that the certificate was backed by a recognized 
certificate authority, provide some summary information as Markus suggests and 
perhaps include a green border or icon somehow. I withdraw my suggestion that 
the Dialog should not appear at all. It is scary for my users though as they 
would have been familiar with MS Windows popping up a very small dialog with 
green in it from time to time, but never anything that looks like the NetBeans 
Dialog.

I think the point should be that NetBeans should be able to state that it 
trusts that the modules came from the provider indicated in the certificate, 
since it is backed with a known CA authority. What we should be asking the user 
is "Do you trust this supplier", in my situation. That would be a much easier 
question for my users to answer.

Regards,

Stephen

-----Original Message-----
From: Markus Kilås  
Sent: Saturday, March 24, 2018 8:05 AM
To: users@netbeans.apache.org
Subject: Re: Signing NBMs with a Trusted Certificate

On 03/22/2018 07:55 PM, stephen cumminger wrote:
> I have a NetBeans RCP app based on version 8.2. I have a certificate 
> from a major trusted certificate provider (Comodo) that I use to sign 
> the NBMs that are posted to our Update Center. The question is "how do 
> I get rid of the following Dialog ?"

Hi Stephen, all,

I think this dialog box could be improved to make it easier for the user to 
make a conscious decision on how to proceed. Getting rid of the dialog is 
likely not wanted though.

I haven't yet looked into the details on exactly how this is handled in 
NetBeans so please correct me if I am wrong but my understanding is like the 
following:
The signature on your plugins has been verified with your code signing 
certificate and that certificate has been verified to chain up to one of the 
trusted CAs in the system. This is shown in the dialog as "Signed and Valid".

Somehow NetBeans identifies this as third-party plugins as opposed to let's 
say "core plugins" coming from the NetBeans project and in this case the user 
has to be consulted to make a decision about if this should be run or not.

Remember that anyone can get a code signing certificate and that it does not 
say that the software from that publisher is safe to run or not. The 
certificate only says that it was signed by the publisher say "Acme Software 
Inc.". So the user needs to decide if it trusts that publisher to run code on 
its computer.

Unfortunately, the warning in this dialog is the same also for unsigned (and 
self signed) plugins in which case the situation is much worse. In those cases 
there are no guarantees that the plugins have not been tampered with or who 
created them in the first place. For the user it is maybe not so easy to 
distinguish between those cases.

For your case, what the user needs to do currently is to click on each of the 
plugins under "Signed and Valid" and then click Show details to see who is the 
publisher and then make a decision if it trusts that publisher or not.

It would have been more clear if the dialog somehow already provided the needed 
information directly. Something like this:

"You are about to install a third-party plugin.
The signature has been verified correctly and comes from:
Acme Software Inc., US [Show Details]
Warning: only proceed if you trust that publisher to run code on your computer."

For the other cases (i.e. unsigned and self-signed) there should be a more 
harsh message, more like the current one, so the user understands the risk if 
it chooses to proceed and potentially compromise its computer.


Cheers,
Markus




Re: Signing NBMs with a Trusted Certificate

2018-03-24 Thread Markus Kilås
On 03/22/2018 07:55 PM, stephen cumminger wrote:
> I have a NetBeans RCP app based on version 8.2. I have a certificate
> from a major trusted certificate provider (Comodo) that I use to sign
> the NBMs that are posted to our Update Center. The question is “how do I
> get rid of the following Dialog ?”

Hi Stephen, all,

I think this dialog box could be improved to make it easier for the user
to make a conscious decision on how to proceed. Getting rid of the
dialog is likely not wanted though.

I haven't yet looked into the details on exactly how this is handled in
NetBeans so please correct me if I am wrong but my understanding is like
the following:
The signature on your plugins has been verified with your code signing
certificate and that certificate has been verified to chain up to one of
the trusted CAs in the system. This is shown in the dialog as "Signed
and Valid".

Somehow NetBeans identifies this as third-party plugins as opposed to
let's say "core plugins" coming from the NetBeans project and in this
case the user has to be consulted to make a decision about if this
should be run or not.

Remember that anyone can get a code signing certificate and that it does
not say that the software from that publisher is safe to run or not. The
certificate only says that it was signed by the publisher say "Acme
Software Inc.". So the user needs to decide if it trusts that publisher
to run code on its computer.

Unfortunately, the warning in this dialog is the same also for unsigned
(and self signed) plugins in which case the situation is much worse. In
those cases there are no guarantees that the plugins have not been
tampered with or who created them in the first place. For the user it is
maybe not so easy to distinguish between those cases.

For your case, what the user needs to do currently is to click on each
of the plugins under "Signed and Valid" and then click Show details to
see who is the publisher and then make a decision if it trusts that
publisher or not.

It would have been more clear if the dialog somehow already provided the
needed information directly. Something like this:

"You are about to install a third-party plugin.
The signature has been verified correctly and comes from:
Acme Software Inc., US [Show Details]
Warning: only proceed if you trust that publisher to run code on your
computer."

For the other cases (i.e. unsigned and self-signed) there should be a
more harsh message, more like the current one, so the user understands
the risk if it chooses to proceed and potentially compromise its computer.


Cheers,
Markus




Signing NBMs with a Trusted Certificate

2018-03-22 Thread stephen cumminger
This may be a simple question, but I could use some help nonetheless.

I have a NetBeans RCP app based on version 8.2. I have a certificate from a 
major trusted certificate provider (Comodo) that I use to sign the NBMs that 
are posted to our Update Center. The question is "how do I get rid of the 
following Dialog ?"

[cid:image001.jpg@01D3C1F5.B7329490]

I use the same certificate to sign the Installer file, and MS Windows does not 
complain. The problem is that it is confusing to my users. From what I read 
this Dialog needs to appear at least once for the User to "Accept" before the 
certificate is installed into the Trust Store.

The following is how I sign the NBMs in the ant script of each module:

 keystore="${keystore}"
 storepass="${storepass}"
 alias="${nbm_alias}"
 keypass="${storepass}"
 tsaurl="http://timestamp.comodoca.com/rfc3161"
 digestalg="SHA-256"
 force="true"
/>


Hints or suggestions always welcome.

Regards,


Stephen