Hi,

Assuming the update centre is distributed securely, you can probably
just mark the update centre itself as trusted in the registration, and
ignore code signing if you want.  Like at
https://github.com/apache/netbeans/blob/master/nb/updatecenters/src/org/netbeans/modules/updatecenters/resources/mf-layer.xml#L34

Best wishes,

Neil

On Mon, 4 Nov 2024 at 11:16, Deshan Abeykoon
<deshan.abeyk...@ifs.com.invalid> wrote:
>
> Dear Apache NetBeans Community,
>
> I hope this message finds you well. I am writing to seek assistance regarding 
> a challenge we are facing with our integrated development environment (IDE), 
> which we have built on top of the NetBeans Platform.
>
> As part of our release process, we distribute our updates through update 
> centers in the form of NetBeans Modules (NBMs). Historically, we have 
> encountered a warning dialog categorizing updating plugins as "Unsigned". 
> Until now, we have only signed our installer (.exe) files using a production 
> code signing certificate.
>
> Recently, we attempted to sign our NBM files using a DigiCert Code Signing 
> Certificate, yet the IDE continues to identify them as "Self Signed" rather 
> than "Signed and Valid." We have explored various approaches to rectify this 
> issue, but unfortunately, none have proven successful. Notably, the "Show 
> Certificate" feature confirms that the certificate is indeed from DigiCert.
>
> To provide additional context, our DigiCert Code Signing Certificate is 
> stored in an HSM-backed Azure Key Vault. The signing process is integrated 
> into our Maven build cycle, and we have experimented with both the 
> nbm-maven-plugin and the maven-jarsigner-plugin. Although the artifacts 
> appear to be signed and can be verified using the jarsigner tool, the IDE 
> still categorizes them as "Self Signed". We have also tried installing the 
> root and intermediate certificates into the Java cacerts file, but this has 
> not resolved the issue.
>
> I would greatly appreciate any insights or suggestions on how to address this 
> problem and ensure that our plugins are recognized as "Signed and Valid". 
> Thank you in advance for your help.
>
> Best regards,
> Deshan
