Currently on macOS, trying to install the development builds by double-clicking on the installer results in an error, because the installer is not signed. To continue, you must bypass this error by right-clicking on the installer and selecting "open" from the menu, and confirm that you want to run an app from an untrusted source. The downside is that without the signature there's no way to know if the installer was altered or replaced.

The development builds used to be signed, and they probably should still be signed since the installer requires 'root'-like privileges on macOS, and prompts you for an admin password to continue. Once admin access is granted, the installer can do anything to the system, therefore the installer should be signed (they used to be). Currently users are getting used to allowing an installer--that could be altered or replaced by an attacker--root access to their system, simply because it is named "NetBeans" and they trust the name. Bad!

I called this a "reminder" because I assumed that this issue had been brought up previously. The build used to be broken because it no longer has access to Oracle's key for signing. Someone "fixed" this by changing the build to not sign the installer.

-Alvin

> On Sep 5, 2017, at 6:07 PM, Geertjan Wielenga <[email protected]> wrote:
>
> Not sure about the reminder part -- can you point to an issue that you're
> referring to here and a way to reproduce or somehow reproduce this?
>
> Gj
>
> On Tue, Sep 5, 2017 at 10:48 PM, Alvin Thompson <[email protected]>
> wrote:
>
>> I figure I'd write an annoying reminder that currently the installer (at
>> least on macOS) requires admin privileges, but is not signed. This provides
>> an inviting target for someone to alter the installer with malicious
>> content, especially since the NetBeans brand enjoys a high "trust" factor
>> so many developers will not think twice about installing it. If a trojan
>> can happen in Apple's Xcode, it can happen here. Let's not get people used
>> to trusting an unsigned NetBeans installer.
>>
>> Is there any chance we can get these things signed again?
>>
>> -Alvin
