[Bug 533361] Untrusted certificates in Eclipse plugin certificate chains
| Field | Value |
| --- | --- |
| Bugzilla Link | 533361 |
| Status | NEW |
| Importance | P3 major |
| Reported | Apr 08, 2018 18:34 EDT |
| Modified | Oct 13, 2021 16:17 EDT |
| See also | 489708, 496730, 499207, 529302, 533359, 533360, 482215 |
| Reporter | Piotr Orzechowski |
Description
Some Eclipse plugins have untrusted certificates in their certificate chains. This leads to the "Do you trust these certificates" dialog issue, reported over and over again.
I have written a simple bash script to detect such plugins, and it seems there are quite a few of them.
In my case (Eclipse 3.7.3 Oxygen Java with Xtend IDE from http://download.eclipse.org/modeling/tmf/xtext/updates/composite/releases) there are two recurring certificates: "GTE CyberTrust Global Root" and "VeriSign Class 3 Code Signing 2004 CA".
Both were removed from keystore due to security reasons: https://bugzilla.mozilla.org/show_bug.cgi?id=1047011, https://bugzilla.mozilla.org/show_bug.cgi?id=676799.
My understanding is that this imposes security risks on Eclipse users, especially since plugins are typically downloaded using http.
I have already reported two plugins (https://bugs.eclipse.org/bugs/show_bug.cgi?id=533359, https://bugs.eclipse.org/bugs/show_bug.cgi?id=533360) but going this way is not enough.
So, IMHO, there should be an automated check to verify Eclipse jars at least before release and existing plugins with untrusted roots should be signed again so they can be properly verified on install.
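The kind of check the report asks for, as an added example rather than the reporter's own script: it runs the JDK's `jarsigner -verify -verbose -certs` over every jar in a plugin directory (path passed as `$1`, an assumption) and flags any chain whose certificate DNs name one of the two CAs the report lists as distrusted.

```shell
#!/bin/sh
# Added example (not the reporter's script): flag Eclipse plugin jars whose
# signature chain includes a CA the report names as distrusted.
# Assumes the JDK `jarsigner` tool is on PATH; the plugin directory is $1.

# CA common names from the report (both removed from Mozilla's root store).
DISTRUSTED_CAS='GTE CyberTrust Global Root
VeriSign Class 3 Code Signing 2004 CA'

# Reads `jarsigner -verify -verbose -certs` output on stdin and prints each
# distrusted CA whose CN appears in any certificate DN of the chain.
# Returns 0 if at least one was found, 1 otherwise.
chain_has_distrusted() {
  out=$(cat)
  found=1
  old_ifs=$IFS
  IFS='
'
  for ca in $DISTRUSTED_CAS; do
    # Anchor on the CN attribute so a vendor merely quoting the name is not flagged.
    if printf '%s\n' "$out" | grep -F -q -- "CN=$ca"; then
      printf '%s\n' "$ca"
      found=0
    fi
  done
  IFS=$old_ifs
  return $found
}

# Prints "unsigned", "distrusted: <names>" or "ok" for one jar.
classify_jar() {
  out=$(jarsigner -verify -verbose -certs "$1" 2>&1) || true
  if printf '%s\n' "$out" | grep -q 'jar is unsigned'; then
    echo unsigned
  elif hits=$(printf '%s\n' "$out" | chain_has_distrusted); then
    echo "distrusted: $(printf '%s\n' "$hits" | paste -sd ';' -)"
  else
    echo ok
  fi
}

# Scan every jar in a plugin directory; one tab-separated line per jar.
scan_plugins() {
  for jar in "$1"/*.jar; do
    [ -e "$jar" ] || continue
    printf '%s\t%s\n' "$(classify_jar "$jar")" "$jar"
  done
}

# Usage: ./check-plugin-certs.sh /path/to/eclipse/plugins
if [ $# -gt 0 ]; then scan_plugins "$1"; fi
```

A jar reported as "ok" here only means none of the listed names appeared; extend `DISTRUSTED_CAS` with any other roots your trust store has dropped.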