installer is unsigned but requires admin privileges

[Alvin Thompson <al...@thompsonlogic.com>]

I figure I'd write an annoying reminder that currently the installer (at least on macOS) requires admin privileges, but is not signed. This provides an inviting target for someone to alter the installer with malicious content, especially since the NetBeans brand enjoys a high "trust" factor so many developers will not think twice about installing it. If a trojan can happen in Apple's Xcode, it can happen here. Let's not get people used to trusting an unsigned NetBeans installer.

Is there any chance we can get these things signed again?

-Alvin

Re: installer is unsigned but requires admin privileges

[Geertjan Wielenga <ge...@googlemail.com>]

Yes, those builds are valid. Yet they have nothing to do with Apache.

Can you stop writing in this thread and discuss in the other thread
instead, i.e., the one with Oracle engineers included?

Thanks,

Gj


On Wed, Sep 6, 2017 at 3:21 PM, Alvin Thompson <al...@thompsonlogic.com>
wrote:

> Especially since there's nothing on netbeans.org <http://netbeans.org/>
> to lead people to believe these builds aren't still valid...
>
>
> > On Sep 6, 2017, at 9:19 AM, Alvin Thompson <al...@thompsonlogic.com>
> wrote:
> >
> > Interesting--the daily builds are still working on the original site and
> are producing builds, which seem to have differences between them:
> >
> > http://bits.netbeans.org/download/trunk/nightly/latest/ <
> http://bits.netbeans.org/download/trunk/nightly/latest/>
> >
> > Should these be shut down?
> >
> >
> >> On Sep 6, 2017, at 2:37 AM, Geertjan Wielenga <
> geertjan.wielenga@googlemail.com <ma...@googlemail.com>>
> wrote:
> >>
> >> Please understand that there are no development builds yet for Apache
> >> NetBeans. There is no code yet in the Apache NetBeans repo and hence no
> >> builds at all.
> >>
> >> Thanks,
> >>
> >> Gj
> >>
> >> On Wed, 6 Sep 2017 at 01:06, Alvin Thompson <alvin@thompsonlogic.com
> <ma...@thompsonlogic.com>> wrote:
> >>
> >>> Currently on macOS, trying to install the development builds by
> >>> double-clicking on the installer results in an error, because the
> installer
> >>> is not signed. To continue, you must bypass this error by
> right-clicking on
> >>> the installer and selecting "open" from the menu, and confirm that you
> want
> >>> to run an app from an untrusted source. The downside is that without
> the
> >>> signature there's no way to know if the installer was altered or
> replaced.
> >>>
> >>> The development builds used to be signed, and they probably should
> still
> >>> be signed since the installer requires 'root'-like privileges on
> macOS, and
> >>> prompts you for an admin password to continue.
> >>>
> >>> Once admin access is granted, the installer can do anything to the
> system,
> >>> therefore the installer should be signed (they used to be). Currently
> users
> >>> are getting used to allowing an installer--that could be altered or
> >>> replaced by an attacker--root access to their system, simply because
> it is
> >>> named "NetBeans" and they trust the name. Bad!
> >>>
> >>> I called this a "reminder" because I assumed that this issue had been
> >>> brought up previously. The build used to be broken because it no
> longer has
> >>> access to Oracle's key for signing. Someone "fixed" this by changing
> the
> >>> build to not sign the installer.
> >>>
> >>> -Alvin
> >>>
> >>>
> >>>> On Sep 5, 2017, at 6:07 PM, Geertjan Wielenga <
> >>> geertjan.wielenga@googlemail.com <mailto:geertjan.wielenga@
> googlemail.com>> wrote:
> >>>>
> >>>> Not sure about the reminder part -- can you point to an issue that
> you're
> >>>> referring to here and a way to reproduce or somehow reproduce this?
> >>>>
> >>>> Gj
> >>>>
> >>>> On Tue, Sep 5, 2017 at 10:48 PM, Alvin Thompson <
> alvin@thompsonlogic.com <ma...@thompsonlogic.com>
> >>>>
> >>>> wrote:
> >>>>
> >>>>> I figure I'd write an annoying reminder that currently the installer
> (at
> >>>>> least on macOS) requires admin privileges, but is not signed. This
> >>> provides
> >>>>> an inviting target for someone to alter the installer with malicious
> >>>>> content, especially since the NetBeans brand enjoys a high "trust"
> >>> factor
> >>>>> so many developers will not think twice about installing it. If a
> trojan
> >>>>> can happen in Apple's Xcode, it can happen here. Let's not get people
> >>> used
> >>>>> to trusting an unsigned NetBeans installer.
> >>>>>
> >>>>> Is there any chance we can get these things signed again?
> >>>>>
> >>>>> -Alvin
> >>>>>
> >>>>>
> >>>
> >>>
> >
>
>

Re: installer is unsigned but requires admin privileges

[Alvin Thompson <al...@thompsonlogic.com>]

Especially since there's nothing on netbeans.org <http://netbeans.org/> to lead people to believe these builds aren't still valid...


> On Sep 6, 2017, at 9:19 AM, Alvin Thompson <al...@thompsonlogic.com> wrote:
> 
> Interesting--the daily builds are still working on the original site and are producing builds, which seem to have differences between them:
> 
> http://bits.netbeans.org/download/trunk/nightly/latest/ <http://bits.netbeans.org/download/trunk/nightly/latest/>
> 
> Should these be shut down?
> 
> 
>> On Sep 6, 2017, at 2:37 AM, Geertjan Wielenga <geertjan.wielenga@googlemail.com <ma...@googlemail.com>> wrote:
>> 
>> Please understand that there are no development builds yet for Apache
>> NetBeans. There is no code yet in the Apache NetBeans repo and hence no
>> builds at all.
>> 
>> Thanks,
>> 
>> Gj
>> 
>> On Wed, 6 Sep 2017 at 01:06, Alvin Thompson <alvin@thompsonlogic.com <ma...@thompsonlogic.com>> wrote:
>> 
>>> Currently on macOS, trying to install the development builds by
>>> double-clicking on the installer results in an error, because the installer
>>> is not signed. To continue, you must bypass this error by right-clicking on
>>> the installer and selecting "open" from the menu, and confirm that you want
>>> to run an app from an untrusted source. The downside is that without the
>>> signature there's no way to know if the installer was altered or replaced.
>>> 
>>> The development builds used to be signed, and they probably should still
>>> be signed since the installer requires 'root'-like privileges on macOS, and
>>> prompts you for an admin password to continue.
>>> 
>>> Once admin access is granted, the installer can do anything to the system,
>>> therefore the installer should be signed (they used to be). Currently users
>>> are getting used to allowing an installer--that could be altered or
>>> replaced by an attacker--root access to their system, simply because it is
>>> named "NetBeans" and they trust the name. Bad!
>>> 
>>> I called this a "reminder" because I assumed that this issue had been
>>> brought up previously. The build used to be broken because it no longer has
>>> access to Oracle's key for signing. Someone "fixed" this by changing the
>>> build to not sign the installer.
>>> 
>>> -Alvin
>>> 
>>> 
>>>> On Sep 5, 2017, at 6:07 PM, Geertjan Wielenga <
>>> geertjan.wielenga@googlemail.com <ma...@googlemail.com>> wrote:
>>>> 
>>>> Not sure about the reminder part -- can you point to an issue that you're
>>>> referring to here and a way to reproduce or somehow reproduce this?
>>>> 
>>>> Gj
>>>> 
>>>> On Tue, Sep 5, 2017 at 10:48 PM, Alvin Thompson <alvin@thompsonlogic.com <ma...@thompsonlogic.com>
>>>> 
>>>> wrote:
>>>> 
>>>>> I figure I'd write an annoying reminder that currently the installer (at
>>>>> least on macOS) requires admin privileges, but is not signed. This
>>> provides
>>>>> an inviting target for someone to alter the installer with malicious
>>>>> content, especially since the NetBeans brand enjoys a high "trust"
>>> factor
>>>>> so many developers will not think twice about installing it. If a trojan
>>>>> can happen in Apple's Xcode, it can happen here. Let's not get people
>>> used
>>>>> to trusting an unsigned NetBeans installer.
>>>>> 
>>>>> Is there any chance we can get these things signed again?
>>>>> 
>>>>> -Alvin
>>>>> 
>>>>> 
>>> 
>>> 
> 

Re: installer is unsigned but requires admin privileges

[Alvin Thompson <al...@thompsonlogic.com>]

Interesting--the daily builds are still working on the original site and are producing builds, which seem to have differences between them:

http://bits.netbeans.org/download/trunk/nightly/latest/ <http://bits.netbeans.org/download/trunk/nightly/latest/>

Should these be shut down?


> On Sep 6, 2017, at 2:37 AM, Geertjan Wielenga <ge...@googlemail.com> wrote:
> 
> Please understand that there are no development builds yet for Apache
> NetBeans. There is no code yet in the Apache NetBeans repo and hence no
> builds at all.
> 
> Thanks,
> 
> Gj
> 
> On Wed, 6 Sep 2017 at 01:06, Alvin Thompson <al...@thompsonlogic.com> wrote:
> 
>> Currently on macOS, trying to install the development builds by
>> double-clicking on the installer results in an error, because the installer
>> is not signed. To continue, you must bypass this error by right-clicking on
>> the installer and selecting "open" from the menu, and confirm that you want
>> to run an app from an untrusted source. The downside is that without the
>> signature there's no way to know if the installer was altered or replaced.
>> 
>> The development builds used to be signed, and they probably should still
>> be signed since the installer requires 'root'-like privileges on macOS, and
>> prompts you for an admin password to continue.
>> 
>> Once admin access is granted, the installer can do anything to the system,
>> therefore the installer should be signed (they used to be). Currently users
>> are getting used to allowing an installer--that could be altered or
>> replaced by an attacker--root access to their system, simply because it is
>> named "NetBeans" and they trust the name. Bad!
>> 
>> I called this a "reminder" because I assumed that this issue had been
>> brought up previously. The build used to be broken because it no longer has
>> access to Oracle's key for signing. Someone "fixed" this by changing the
>> build to not sign the installer.
>> 
>> -Alvin
>> 
>> 
>>> On Sep 5, 2017, at 6:07 PM, Geertjan Wielenga <
>> geertjan.wielenga@googlemail.com> wrote:
>>> 
>>> Not sure about the reminder part -- can you point to an issue that you're
>>> referring to here and a way to reproduce or somehow reproduce this?
>>> 
>>> Gj
>>> 
>>> On Tue, Sep 5, 2017 at 10:48 PM, Alvin Thompson <alvin@thompsonlogic.com
>>> 
>>> wrote:
>>> 
>>>> I figure I'd write an annoying reminder that currently the installer (at
>>>> least on macOS) requires admin privileges, but is not signed. This
>> provides
>>>> an inviting target for someone to alter the installer with malicious
>>>> content, especially since the NetBeans brand enjoys a high "trust"
>> factor
>>>> so many developers will not think twice about installing it. If a trojan
>>>> can happen in Apple's Xcode, it can happen here. Let's not get people
>> used
>>>> to trusting an unsigned NetBeans installer.
>>>> 
>>>> Is there any chance we can get these things signed again?
>>>> 
>>>> -Alvin
>>>> 
>>>> 
>> 
>> 

Re: installer is unsigned but requires admin privileges

[Geertjan Wielenga <ge...@googlemail.com>]

Please understand that there are no development builds yet for Apache
NetBeans. There is no code yet in the Apache NetBeans repo and hence no
builds at all.

Thanks,

Gj

On Wed, 6 Sep 2017 at 01:06, Alvin Thompson <al...@thompsonlogic.com> wrote:

> Currently on macOS, trying to install the development builds by
> double-clicking on the installer results in an error, because the installer
> is not signed. To continue, you must bypass this error by right-clicking on
> the installer and selecting "open" from the menu, and confirm that you want
> to run an app from an untrusted source. The downside is that without the
> signature there's no way to know if the installer was altered or replaced.
>
> The development builds used to be signed, and they probably should still
> be signed since the installer requires 'root'-like privileges on macOS, and
> prompts you for an admin password to continue.
>
> Once admin access is granted, the installer can do anything to the system,
> therefore the installer should be signed (they used to be). Currently users
> are getting used to allowing an installer--that could be altered or
> replaced by an attacker--root access to their system, simply because it is
> named "NetBeans" and they trust the name. Bad!
>
> I called this a "reminder" because I assumed that this issue had been
> brought up previously. The build used to be broken because it no longer has
> access to Oracle's key for signing. Someone "fixed" this by changing the
> build to not sign the installer.
>
> -Alvin
>
>
> > On Sep 5, 2017, at 6:07 PM, Geertjan Wielenga <
> geertjan.wielenga@googlemail.com> wrote:
> >
> > Not sure about the reminder part -- can you point to an issue that you're
> > referring to here and a way to reproduce or somehow reproduce this?
> >
> > Gj
> >
> > On Tue, Sep 5, 2017 at 10:48 PM, Alvin Thompson <alvin@thompsonlogic.com
> >
> > wrote:
> >
> >> I figure I'd write an annoying reminder that currently the installer (at
> >> least on macOS) requires admin privileges, but is not signed. This
> provides
> >> an inviting target for someone to alter the installer with malicious
> >> content, especially since the NetBeans brand enjoys a high "trust"
> factor
> >> so many developers will not think twice about installing it. If a trojan
> >> can happen in Apple's Xcode, it can happen here. Let's not get people
> used
> >> to trusting an unsigned NetBeans installer.
> >>
> >> Is there any chance we can get these things signed again?
> >>
> >> -Alvin
> >>
> >>
>
>

Re: installer is unsigned but requires admin privileges

[Alvin Thompson <al...@thompsonlogic.com>]

Currently on macOS, trying to install the development builds by double-clicking on the installer results in an error, because the installer is not signed. To continue, you must bypass this error by right-clicking on the installer and selecting "open" from the menu, and confirm that you want to run an app from an untrusted source. The downside is that without the signature there's no way to know if the installer was altered or replaced.

The development builds used to be signed, and they probably should still be signed since the installer requires 'root'-like privileges on macOS, and prompts you for an admin password to continue.

Once admin access is granted, the installer can do anything to the system, therefore the installer should be signed (they used to be). Currently users are getting used to allowing an installer--that could be altered or replaced by an attacker--root access to their system, simply because it is named "NetBeans" and they trust the name. Bad!

I called this a "reminder" because I assumed that this issue had been brought up previously. The build used to be broken because it no longer has access to Oracle's key for signing. Someone "fixed" this by changing the build to not sign the installer.

-Alvin


> On Sep 5, 2017, at 6:07 PM, Geertjan Wielenga <ge...@googlemail.com> wrote:
> 
> Not sure about the reminder part -- can you point to an issue that you're
> referring to here and a way to reproduce or somehow reproduce this?
> 
> Gj
> 
> On Tue, Sep 5, 2017 at 10:48 PM, Alvin Thompson <al...@thompsonlogic.com>
> wrote:
> 
>> I figure I'd write an annoying reminder that currently the installer (at
>> least on macOS) requires admin privileges, but is not signed. This provides
>> an inviting target for someone to alter the installer with malicious
>> content, especially since the NetBeans brand enjoys a high "trust" factor
>> so many developers will not think twice about installing it. If a trojan
>> can happen in Apple's Xcode, it can happen here. Let's not get people used
>> to trusting an unsigned NetBeans installer.
>> 
>> Is there any chance we can get these things signed again?
>> 
>> -Alvin
>> 
>> 

Re: installer is unsigned but requires admin privileges

[Geertjan Wielenga <ge...@googlemail.com>]

Not sure about the reminder part -- can you point to an issue that you're
referring to here and a way to reproduce or somehow reproduce this?

Gj

On Tue, Sep 5, 2017 at 10:48 PM, Alvin Thompson <al...@thompsonlogic.com>
wrote:

> I figure I'd write an annoying reminder that currently the installer (at
> least on macOS) requires admin privileges, but is not signed. This provides
> an inviting target for someone to alter the installer with malicious
> content, especially since the NetBeans brand enjoys a high "trust" factor
> so many developers will not think twice about installing it. If a trojan
> can happen in Apple's Xcode, it can happen here. Let's not get people used
> to trusting an unsigned NetBeans installer.
>
> Is there any chance we can get these things signed again?
>
> -Alvin
>
>