vazexqi / CodingSpectator

Watches and analyzes code edits in the Eclipse IDE non-invasively
http://codingspectator.cs.illinois.edu

Check the integrity of the files downloaded from the Eclipse update site #133

Closed reprogrammer closed 13 years ago

reprogrammer commented 13 years ago

We need to find a way to check the integrity of the files during the installation of CodingSpectator from the update site. If for some reason, the files cannot be fully fetched, we need to stop the installation and let the user know about the problem in downloading the files. Such a mechanism would help us spot issues such as issue #131 quickly.

Of course, we can check the integrity by signing the plugins. But, we need a CA certificate to sign (See issue #65).
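A concrete form of the check this comment asks for, as an added example (not CodingSpectator's code): Eclipse p2 artifact repositories record a download.size and download.md5 property for each artifact in artifacts.xml, so a local mirror of the update site can be checked against them before anything is installed. The sample site it builds is constructed, the org.example bundle ids are placeholders, and the plugins/ and features/ layout assumes the default p2 mapping rules.

```python
import hashlib
import os
import tempfile
import xml.etree.ElementTree as ET

# Default p2 mapping rules: where artifacts of each classifier live in the site.
LAYOUT = {"osgi.bundle": "plugins/{id}_{version}.jar",
          "org.eclipse.update.feature": "features/{id}_{version}.jar"}

def verify_site(site_dir):
    """Map each listed artifact's relative path to a problem string, or None if intact."""
    root = ET.parse(os.path.join(site_dir, "artifacts.xml")).getroot()
    results = {}
    for art in root.iter("artifact"):
        if art.get("classifier") not in LAYOUT:
            continue  # other classifiers (e.g. binary) are not covered here
        rel = LAYOUT[art.get("classifier")].format(id=art.get("id"), version=art.get("version"))
        props = {p.get("name"): p.get("value") for p in art.iter("property")}
        path = os.path.join(site_dir, rel)
        data = open(path, "rb").read() if os.path.isfile(path) else None
        if data is None:
            results[rel] = "missing"
        elif "download.size" in props and len(data) != int(props["download.size"]):
            results[rel] = "size mismatch (truncated download?)"
        elif "download.md5" in props and hashlib.md5(data).hexdigest() != props["download.md5"].lower():
            results[rel] = "md5 mismatch (corrupted download?)"
        else:
            results[rel] = None
    return results

def build_sample_site(site_dir):
    """Write a constructed site: one intact bundle and one cut short mid-download."""
    good = b"PK\x03\x04 constructed bundle bytes, not a real jar"
    os.makedirs(os.path.join(site_dir, "plugins"))
    with open(os.path.join(site_dir, "plugins", "org.example.good_1.0.0.jar"), "wb") as f:
        f.write(good)
    with open(os.path.join(site_dir, "plugins", "org.example.cut_1.0.0.jar"), "wb") as f:
        f.write(good[:10])  # simulates an interrupted fetch
    entry = ("<artifact classifier='osgi.bundle' id='org.example.{}' version='1.0.0'>"
             "<properties size='2'><property name='download.size' value='{}'/>"
             "<property name='download.md5' value='{}'/></properties></artifact>")
    md5 = hashlib.md5(good).hexdigest()
    with open(os.path.join(site_dir, "artifacts.xml"), "w") as f:
        f.write("<repository><artifacts size='2'>" + entry.format("good", len(good), md5)
                + entry.format("cut", len(good), md5) + "</artifacts></repository>")

def demo():
    # Build the constructed site in a temp dir, verify it, and return the findings.
    with tempfile.TemporaryDirectory() as d:
        build_sample_site(d)
        return verify_site(d)
```

The truncated bundle is reported by its size before its hash is even computed, which is the cheap signal a partially fetched download gives.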

reprogrammer commented 13 years ago

One option to check the integrity of our plugins is to self-sign them. See the following resources on signing an Eclipse update site and the references in issue #65 for more details.

  1. http://nirmalsasidharan.wordpress.com/2010/09/04/signing_eclipse_plugins/
  2. http://wiki.eclipse.org/JAR_Signing
  3. UIMA script for signing the Eclipse update site

reprogrammer commented 13 years ago

Self-signing is not very useful because Eclipse doesn't stop the installation when it cannot verify the signatures. If Eclipse verifies the signature of a jar file, it shows a dialog asking if the user trusts the certificate; otherwise, it warns the user that some jar files are unsigned. I assume when some jar files are signed and some are not, it shows both dialogs.

reprogrammer commented 13 years ago

When I tried to update my installation of CodingSpectator at the office, I got the unsigned warning dialog regardless of which update site I used: GitHub pages, my home page, or a local update site.

I verified the signatures of the jar files in my local Eclipse update site by issuing the command jarsigner -verify <jar file>. jarsigner gave me the message "jar verified." for all the jar files.

reprogrammer commented 13 years ago

I disregarded the "security warning" for unsigned content and forced the update. But, it broke my Eclipse severely. None of the following perspectives are available anymore: Findbugs, Java, Plug-in Development, SVN Repository Exploring, CVS Repository Exploring, Team Synchronizing. Surprisingly, the contents of the help menu have reverted back to an old version of Eclipse where there was a cascaded menu titled "Software Updates" that expanded to "Find and Install..." and "Manage Configuration...".