Hi, Am Sonntag, den 27.10.2019, 12:18 +0100 schrieb Jan Lahoda: > [How to handle updates] > But I have no idea if we asked to an access there. (And if ASF would pay > for each signed file, then singing several hundreds NBMs would not fly > anyway, I think.) But we could at least use that for this update release > (which will likely only consist of a handful of NBMs), and try to do > something better for the future.
if I'm not mistaken, currently the NBMs we produce are not signed when we release. This is what I suggest: - lets create a signing key for the netbeans releases, place the private key on the PMC SVN directory, as is done with the SSH key to access the ousol binaries site - add the public key for the signing key as a trusted code signing certificate to the netbeans distribution - all updates will be signed with that key, as it is trusted, it can be used to safely install updates - we should make sure, that we can handle multiple trusted keys, that way we can push a new key, using an existing key This still requires once a manual installation of the first netbeans version, that carries the key. What do you think? Greetings Matthias --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@netbeans.apache.org For additional commands, e-mail: dev-h...@netbeans.apache.org For further information about the NetBeans mailing lists, visit: https://cwiki.apache.org/confluence/display/NETBEANS/Mailing+lists