Can’t we change/enhance the way we do signing? 1. If there is an .asc file next to the .nbm one, then use it to verify the NBM. Search https://www.apache.org/dist/netbeans/KEYS to get list of approved keys. Display trusted, if .asc file is OK.
2. If the NBM comes from Maven central, but isn’t listed among trusted keys, then verify the .asc file and display “signed by 3rd party” With such check in, we don’t need to change existing processes. All Apache released NetBeans bits will be signed by default. We have just one “technical” problem: we need somebody(!) to write the code. -jt PS: This doesn’t solve the current 11.2 problem. > 8. 11. 2019 v 11:53, Neil C Smith <neilcsm...@apache.org>: > > On Fri, 8 Nov 2019, 10:35 Geertjan Wielenga, <geert...@apache.org> wrote: > >> How is the signing done for Apache NetBeans during releases and why can't >> that be used for the patch too? > > Different kinds of signing. The releases and the updates will be signed as > ASF requires with an external .asc file. But the nbms in the release aren't > currently jar signed (ie. internal signature) so will show as unsigned with > a warning in the IDE. You can see this if you uninstall and reinstall > modules in the IDE. This is what we need to sort out. > > And yes, you're not the only one to have been confused by this distinction! > ;-) > > Best wishes, > > Neil