Dear Apache NetBeans Community,

I hope this message finds you well. I am writing to seek assistance regarding a challenge we are facing with our integrated development environment (IDE), which we have built on top of the NetBeans Platform.

As part of our release process, we distribute our updates through update centers in the form of NetBeans Modules (NBMs). Historically, we have encountered a warning dialog categorizing updating plugins as "Unsigned". Until now, we have only signed our installer (.exe) files using a production code signing certificate.

Recently, we attempted to sign our NBM files using a DigiCert Code Signing Certificate, yet the IDE continues to identify them as "Self Signed" rather than "Signed and Valid." We have explored various approaches to rectify this issue, but unfortunately, none have proven successful. Notably, the "Show Certificate" feature confirms that the certificate is indeed from DigiCert.

To provide additional context, our DigiCert Code Signing Certificate is stored in an HSM-backed Azure Key Vault. The signing process is integrated into our Maven build cycle, and we have experimented with both the nbm-maven-plugin and the maven-jarsigner-plugin. Although the artifacts appear to be signed and can be verified using the jarsigner tool, the IDE still categorizes them as "Self Signed". We have also tried installing the root and intermediate certificates into the Java cacerts file, but this has not resolved the issue.

I would greatly appreciate any insights or suggestions on how to address this problem and ensure that our plugins are recognized as "Signed and Valid".

Thank you in advance for your help.

Best regards,
Deshan