StonesLegalStarKeys / google-plugin-for-eclipse

Automatically exported from code.google.com/p/google-plugin-for-eclipse
Eclipse Public License 1.0
0 stars 0 forks source link

Warning: You are installing software that contains unsigned content #256

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Update to Google Plugin for Eclipse 4.3 from inside Eclipse Kepler

What is the expected output? What do you see instead?

Warning: You are installing software that contains unsigned content. The 
authenticity or validity of this software cannot be established. Do you want to 
continue with the installation?

  plugins/com.google.appengine.eclipse.core_3.5.1.v201312301723-rel-r43.jar
  plugins/com.google.appengine.eclipse.datatools_3.5.1.v201312301723-rel-r43.jar
  plugins/com.google.appengine.eclipse.webtools_3.5.1.v201312301723-rel-r43.jar
  plugins/com.google.appengine.eclipse.webtools.e43_3.5.1.v201312301723-rel-r43.jar
  plugins/com.google.appengine.eclipse.wtp_3.5.1.v201312301723-rel-r43.jar
  plugins/com.google.appengine.eclipse.wtp.jpa_3.5.1.v201312301723-rel-r43.jar
  plugins/com.google.appengine.eclipse.wtp.jpa.e43_3.5.1.v201312301723-rel-r43.jar
  plugins/com.google.appengine.eclipse.wtp.swarm_3.5.1.v201312301723-rel-r43.jar
  plugins/com.google.gdt.eclipse.apiclientlib_3.5.1.v201312301723-rel-r43.jar
  plugins/com.google.gdt.eclipse.appengine.api_3.5.1.v201312301723-rel-r43.jar
  plugins/com.google.gdt.eclipse.appengine.swarm_3.5.1.v201312301723-rel-r43.jar
  plugins/com.google.gdt.eclipse.appengine.swarm_backend_3.5.1.v201312301723-rel-r43.jar
  plugins/com.google.gdt.eclipse.core_3.5.1.v201312301723-rel-r43.jar
  plugins/com.google.gdt.eclipse.drive_3.5.1.v201312301723-rel-r43.jar
  plugins/com.google.gdt.eclipse.gph_3.5.1.v201312301723-rel-r43.jar
  plugins/com.google.gdt.eclipse.gph.e36_3.5.1.v201312301723-rel-r43.jar
  plugins/com.google.gdt.eclipse.gph.hge_3.5.1.v201312301723-rel-r43.jar
  plugins/com.google.gdt.eclipse.gph.subclipse_3.5.1.v201312301723-rel-r43.jar
  plugins/com.google.gdt.eclipse.gph.subversive_3.5.1.v201312301723-rel-r43.jar
  plugins/com.google.gdt.eclipse.login_3.5.1.v201312301723-rel-r43.jar
  plugins/com.google.gdt.eclipse.managedapis_3.5.1.v201312301723-rel-r43.jar
  plugins/com.google.gdt.eclipse.maven_3.5.1.v201312301723-rel-r43.jar
  plugins/com.google.gdt.eclipse.maven.e37_3.5.1.v201312301723-rel-r43.jar
  plugins/com.google.gdt.eclipse.platform_3.5.1.v201312301723-rel-r43.jar
  plugins/com.google.gdt.eclipse.platform.e42_3.5.1.v201312301723-rel-r43.jar
  plugins/com.google.gdt.eclipse.platform.shared_3.5.1.v201312301723-rel-r43.jar
  plugins/com.google.gdt.eclipse.suite_3.5.1.v201312301723-rel-r43.jar
  plugins/com.google.gdt.eclipse.suite.ext_3.5.1.v201312301723-rel-r43.jar
  plugins/com.google.gdt.eclipse.suite.ext.e38_3.5.1.v201312301723-rel-r43.jar
  plugins/com.google.gwt.eclipse.core_3.5.1.v201312301723-rel-r43.jar
  plugins/com.google.gwt.eclipse.oophm_3.5.1.v201312301723-rel-r43.jar
  features/com.google.gdt.eclipse.suite.e43.feature_3.5.1.v201312301723-rel-r43

What version of the product are you using? On what operating system?

* Eclipse Kepler, Google Plugin for Eclipse 4.3

Please provide any additional information below.

I am aware that the warning can probably be ignored from a pragmatic 
standpoint, but is there a good reason for Google not signing content with a 
credential that Eclipse would recognize? Or is it a matter of installing 
another (root) certificate into Eclipse somehow?

The issue is also known on StackOverflow.

Original issue reported on code.google.com by tiptopl...@gmail.com on 9 Jan 2014 at 4:48

GoogleCodeExporter commented 9 years ago
I don't believe this is an issue, happens on most eclipse plugin installs

Original comment by ben.tech...@gmail.com on 11 Jan 2014 at 2:59

GoogleCodeExporter commented 9 years ago
This is certainly a security issue, for both the developer and any potential 
users of software subsequently developed using that Eclipse environment.

Given this unsigned content, how can we be sure that we are installing the 
legitimate plugin and not some malicious code inserted by a man-in-the-middle?

Please correct me if I am wrong, but this seems to me to be quite a serious 
issue.

Original comment by christop...@gmail.com on 24 Jul 2014 at 2:27