Some Eclipse Foundation services are deprecated, or will be soon. Please ensure you've read this important communication.

Bug 440430

Summary: Self-signed certificate not remembered upon second installation
Product: [Eclipse Project] Equinox Reporter: Joost van Pinxten <joostvanpinxten>
Component: p2Assignee: P2 Inbox <equinox.p2-inbox>
Status: CLOSED WONTFIX QA Contact:
Severity: normal    
Priority: P3 CC: mn, tjwatson
Version: 3.10.0 Luna   
Target Milestone: ---   
Hardware: PC   
OS: Linux   
Whiteboard: stalebug
Attachments:
Description Flags
CodeandMe example; runs with Maven 3.0.5 (change tycho version to 0.18+ to run with Maven 3.1.1+) none

Description Joost van Pinxten CLA 2014-07-25 07:29:19 EDT 
Created attachment 245380 [details]
CodeandMe example; runs with Maven 3.0.5 (change tycho version to 0.18+ to run with Maven 3.1.1+)

We have a self-signed certificate as per [1]. We tried to run this under Windows 7 (Oracle JDK7) and Linux Ubuntu 14.04 (OpenJDK-7) all 64-bits versions. We have no problem generating and signing the Eclipse p2 update site, and the certificate is shown. 

However, the user is always presented with the screen to indicate whether or not they trust our certificate; even when they already indicated that they trust it the previous time. We have tried to find ways to circumvent this, but Google does not provide insights, nor does the Jarsigning wiki-page [2]. It would be very nice if this process would be documented somewhere, and the requirements of the certificate explicit (such as the emailaddress necessity indicated in [3], which did not help us).

See the self-signed project attachment (adapted from [1] to updated jarsigner-plugin); it runs on Windows and on Linux.

To reproduce (with Maven 3.0.5);

$ mvn verify

point Eclipse (Luna, Kepler or Juno, we've tried them all) to the {...}.releng/target/{...}-SNAPSHOT.zip and install the feature.

Accept the certificate, when it asks you to trust it (by checking the checkbox).

Create an update site with a later timestamp by running again:

$ mvn verify 

Reinstall as before, and see that the "do you trust these certificates"-dialog prevails...

[1] http://codeandme.blogspot.nl/2013/07/tycho-10-signing-plugins-and-executables.html
[2] http://wiki.eclipse.org/JAR_Signing
[3] http://stackoverflow.com/questions/12035479/eclipse-trust-certificate-window-on-verisign-cert
Comment 1 Joost van Pinxten CLA 2014-08-18 16:20:19 EDT 
We'd like to know whether or not anyone has tried the example that we've provided.
Comment 2 Joost van Pinxten CLA 2014-09-15 05:13:52 EDT 
Has there been any activity on this bug? It feels like it's being ignored.
Comment 3 Joost van Pinxten CLA 2015-08-25 16:17:58 EDT 
Bug #340345 shows some insights that might explain why this is being ignored...
Comment 4 Eclipse Genie CLA 2020-03-06 16:21:26 EST 
This bug hasn't had any activity in quite some time. Maybe the problem got resolved, was a duplicate of something else, or became less pressing for some reason - or maybe it's still relevant but just hasn't been looked at yet. As such, we're closing this bug.

If you have further information on the current state of the bug, please add it and reopen this bug. The information can be, for example, that the problem still occurs, that you still want the feature, that more information is needed, or that the bug is (for whatever reason) no longer relevant.

--
The automated Eclipse Genie.