Unsigned Plugins Risk?

I haven’t used jMonkey much yet…and when I went to update the plugins, it seems like all of them are unsigned, and at the bottom of the confirmation dialog window, it says

Warning: Installing untrusted plugins is potentially insecure. Use unsigned or untrusted plugins at your own risk.

From reading around the forum it seems like there is no certificate being used for jMonkey stuff…but I just wanted to make sure there isn’t much risk of anything.

Also, if there is virtually no risk, why not get rid of the prompt in the IDE?

I’m not sure how easy this would be, but I was also thinking: why not build in an (unregistered/un-paid-for) certificate into the IDE itself and just sign the plugins with that?

Off-topic: The “check for updates” under the help menu was confusing/misleading in that it didn’t seem to update RC2 to stable…at least not in the splashscreen.


the jme sdk is based on netbeans, and so the warnings and stuff is from the netbeans plugin system.

It would be possible to patch that out, but then for every update this needed to be repeated.
Adding a own certificate would kinda bypass the security as well, so

As jme is targeted at developers and not end customers, the current way is the simplest.

Thanks for your reply :slight_smile:

I would think that hard-coding a certificate in would still add to the security…but perhaps I don’t understand how signing works enough.

Would be kinda nice though if there was something implemented to check the files, even if it were just a MD5 check from a separate server (to ensure that the main server hadn’t been infected/compromised).

Well the mos save way would be to just build yourself from sources, but for most users the gain isnt worth the pain.