On 03/22/2018 07:55 PM, stephen cumminger wrote: > I have a NetBeans RCP app based on version 8.2. I have a certificate > from a major trusted certificate provider (Comodo) that I use to sign > the NBMs that are posted to our Update Center. The question is “how do I > get rid of the following Dialog ?”
Hi Stephen, all, I think this dialog box could be improved to make it easier for the user to make a conscious decision on how to proceed. Getting rid of the dialog is likely not wanted though. I haven't yet looked into the details on exactly how this is handled in NetBeans so please correct me if I am wrong but my understanding is like the following: The signature on your plugins has been verified with your code signing certificate and that certificate has been verified to chain up to one of the trusted CAs in the system. This is shown in the dialog as "Signed and Valid". Somehow NetBeans identifies this as third-party plugins as opposite to let's say "core plugins" coming from the NetBeans project and in this case the user has to be consulted to make a decision about if this should be run or not. Remember that anyone can get a code signing certificate and that it does not say that the software from that publisher is safe to run or not. The certificate only says that it was signed by the publisher say "Acme Software Inc.". So the user needs to decide if it trusts that publisher to run code on its computer. Unfortunately, the warning in this dialog is the same also for unsigned (and self signed) plugins in which case the situation is much worse. In those cases there are no guarantees that the plugins has not been tampered with or who created them in the first place. For the user it is maybe not so easy to distinguish between those cases. For your case, what the user needs to do currently is to click on each of the plugins under "Signed and Valid" and then click Show details to see who is the publisher and then make a decision if it trusts that publisher or not. It would have been more clear if the dialog somehow already provided the needed information directly. Something like this: "You are about to install a third-party plugin. The signature has been verified correctly and comes from: Acme Software Inc., US [Show Details] Warning: only proceed if you trust that publisher to run code on your computer." For the other cases (i.e. unsigned and self-signed) there should be a more harsh message, more like the current one, so the user understands the risk if it chooses to proceed and potentially compromise its computer. Cheers, Markus --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected] For further information about the NetBeans mailing lists, visit: https://cwiki.apache.org/confluence/display/NETBEANS/Mailing+lists
