Re: [tycho-user] Using self signed certificates for plugins: the certificate is not stored?

For Eclipse: 

I don't remember whether Eclipse is just checking against the JVM's cacerts certificate store or whether it eventually goes back to the operating system's certificate store somehow.  I believe that it's *only* checking the JVM's certificate store.  If that's true, then you just need to follow instructions for importing certificates to the JVM.  

For example, 

https://blogs.oracle.com/blogbypuneeth/entry/steps_to_create_a_self  

http://stackoverflow.com/questions/11617210/how-to-properly-import-a-selfsigned-certificate-into-java-keystore-that-is-avail

https://www.chrissearle.org/2007/10/25/Adding_self-signed_https_certificates_to_java_keystore/ 

http://stackoverflow.com/questions/4325263/how-to-import-a-cer-certificate-into-a-java-keystore

---Tom

On 2/25/16, 2:20 PM, "tycho-user-bounces@xxxxxxxxxxx on behalf of Bruno Medeiros" <tycho-user-bounces@xxxxxxxxxxx on behalf of bruno.do.medeiros@xxxxxxxxx> wrote:

Perhaps I should be asking this in the "Eclipse Platform" forum, as it's not directly Tycho related (I think), but I thought to give it a try:

I've modified the Tycho build script to sign my plugin jars. I'm using a self-signed certificate. When I try to install the plugins, the Eclipse installer asks me, the user, if I want to trust that certificate for the installation. So far so good.

Thing is, I'd expect once the user accepts the certificate as valid, Eclipse wouldn't ask again in future installations signed with the same certificate. But it does. I've made a new release of the plugins and the installer asks again if I trust the certificate.

This seems to me to defeat the whole point, since for the user to trust that the new plugin release is from the same source as the previous one, they would have to open the details of the certificate, and manually compare the public key of the previous one to the new one and see that it matches. Obviously this is not practical, they are not gonna check. As as such theoretically someone could create a new self-signed certificate with the same name as mine, and use that to forge fake plugins.

Am I missing something here? Admittedly my knowledge of security stuff is weak. ð

--

Bruno Medeiros
https://twitter.com/brunodomedeiros