...
Each plugin has its own "trust store" where the PGP certificates for that plugin are stored. This is a text file inside the IdP installation, located at %{idp.home}/credentials/pluginid/truststore.asc.
It should contain one or more PGP PUBLIC KEY BLOCK
sections (for example, the one here). Having a separate trust store for each plugin ensures that trust cannot "leak" from one plugin to another,
...
- Locate the signing certificate(s) for the plugin.
- Verify them by a suitable out of band trust mechanism.
- Place them at the required location.
...
The person creating the plugin MAY embed the certificates into the package. If they have done this and the certificate is not found in the trust store, you will be prompted whether you want to add this certificate to the trust store for this plugin.
Something like:

```
INFO [net.shibboleth.idp.installer.plugin.impl.PluginInstaller:274] - TrustStore does not contain signature 0X1483F262A4B3FF0
May I install this certificate:
Certificate: 0X1483F262A4B3FF0
FingerPrint: 4af4d83eeddf43da3c06cb3101483f262a4b3ff0
Username: Rod Widdowson <rdw@steadingsoftware.com>
TBD[Ny]
```
Accepting a certificate that arrived inside the very package it is supposed to vouch for gives you no assurance at all: anyone able to tamper with the package can just as easily replace the embedded certificate, so the signature check becomes circular. Before answering yes, compare the fingerprint shown with one you obtained out of band (from the plugin author's web site, documentation or a direct contact), exactly as in step 2 of the manual procedure above; if you cannot do that, decline and add the certificate by hand once you have verified it.
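The manual procedure above (locate, verify out of band, place in truststore.asc) and the installer's "TrustStore does not contain signature" check both come down to one operation: compute the fingerprint of a PGP PUBLIC KEY BLOCK and compare it with the set of fingerprints already in the plugin's trust store, or with a fingerprint you confirmed independently. The following is an added example written for this page and is not code from the Shibboleth IdP installer; it uses only the Python standard library, computes the OpenPGP v4 fingerprint (SHA-1 over 0x99, a two-byte length and the public key packet body, per RFC 4880 section 12.2), checks the armor CRC so a corrupted block is rejected, and refuses to append a block whose fingerprint does not match the one you verified. The sample key at the bottom is constructed inside the example with a toy modulus; it is not anyone's real key and its fingerprint is meaningless outside this demonstration.

```python
import base64
import hashlib
import re
import struct

ARMOR_RE = re.compile(
    r"-----BEGIN PGP PUBLIC KEY BLOCK-----(.*?)-----END PGP PUBLIC KEY BLOCK-----", re.S
)


def crc24(data: bytes) -> int:
    """OpenPGP armor checksum (RFC 4880 section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def dearmor(block: str) -> bytes:
    """Return the binary packet stream inside one ASCII-armored key block, verifying its CRC."""
    m = ARMOR_RE.search(block)
    if not m:
        raise ValueError("no PGP PUBLIC KEY BLOCK found")
    data_lines, crc_line = [], None
    for line in m.group(1).splitlines():
        line = line.strip()
        if not line or ":" in line:   # blank separator line or armor header such as "Version: ..."
            continue
        if line.startswith("="):      # "=xxxx" checksum line
            crc_line = line
            continue
        data_lines.append(line)
    data = base64.b64decode("".join(data_lines))
    if crc_line is not None:
        expected = int.from_bytes(base64.b64decode(crc_line[1:]), "big")
        if crc24(data) != expected:
            raise ValueError("armor checksum mismatch: block is corrupt or tampered")
    return data


def public_key_packet(data: bytes) -> bytes:
    """Walk the packet stream and return the body of the first public-key packet (tag 6)."""
    i = 0
    while i < len(data):
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError("bad packet header")
        if ctb & 0x40:                               # new-format header (RFC 4880 4.2.2)
            tag, first = ctb & 0x3F, data[i + 1]
            if first < 192:
                length, hdr = first, 2
            elif first < 224:
                length, hdr = ((first - 192) << 8) + data[i + 2] + 192, 3
            elif first == 255:
                length, hdr = struct.unpack(">I", data[i + 2:i + 6])[0], 6
            else:
                raise ValueError("partial body lengths not supported")
        else:                                        # old-format header (RFC 4880 4.2.1)
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 0:
                length, hdr = data[i + 1], 2
            elif ltype == 1:
                length, hdr = struct.unpack(">H", data[i + 1:i + 3])[0], 3
            elif ltype == 2:
                length, hdr = struct.unpack(">I", data[i + 1:i + 5])[0], 5
            else:
                raise ValueError("indeterminate length not supported")
        if tag == 6:
            return data[i + hdr:i + hdr + length]
        i += hdr + length
    raise ValueError("no public-key packet in block")


def fingerprint(block: str) -> str:
    """Uppercase hex v4 fingerprint of the primary key in an armored block."""
    body = public_key_packet(dearmor(block))
    if body[0] != 4:
        raise ValueError("only v4 keys are supported")
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()


def key_id(fpr: str) -> str:
    """Long key ID (what the installer log calls the 'signature'): the low 64 bits of the fingerprint."""
    return fpr[-16:]


def trusted_fingerprints(truststore_text: str) -> set:
    """Fingerprints of every key block currently in a truststore.asc."""
    return {fingerprint(m.group(0)) for m in ARMOR_RE.finditer(truststore_text)}


def is_trusted(truststore_text: str, block: str) -> bool:
    return fingerprint(block) in trusted_fingerprints(truststore_text)


def add_if_fingerprint_matches(truststore_text: str, block: str, expected_fpr: str) -> str:
    """Append the block only when its fingerprint equals the one you verified out of band."""
    fpr = fingerprint(block)
    if fpr != expected_fpr.replace(" ", "").upper():
        raise ValueError(f"fingerprint mismatch: block is {fpr}, expected {expected_fpr}")
    if fpr in trusted_fingerprints(truststore_text):
        return truststore_text                       # already present; keep the file unchanged
    return truststore_text.rstrip("\n") + "\n" + block.strip() + "\n"


def _mpi(value: int) -> bytes:
    return struct.pack(">H", value.bit_length()) + value.to_bytes((value.bit_length() + 7) // 8, "big")


def armor(packet: bytes) -> str:
    b64 = base64.b64encode(packet).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    crc = base64.b64encode(crc24(packet).to_bytes(3, "big")).decode()
    return ("-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n" + "\n".join(lines)
            + "\n=" + crc + "\n-----END PGP PUBLIC KEY BLOCK-----\n")


# Constructed sample input: a v4 RSA public-key packet with a toy modulus (not a usable key).
SAMPLE_BODY = b"\x04" + struct.pack(">I", 1600000000) + b"\x01" + _mpi(0xC0FFEE1234567) + _mpi(65537)
SAMPLE_PACKET = b"\x99" + struct.pack(">H", len(SAMPLE_BODY)) + SAMPLE_BODY   # old-format tag 6 header
SAMPLE_KEY = armor(SAMPLE_PACKET)
```

To use it against a real store, read %{idp.home}/credentials/pluginid/truststore.asc into `truststore_text`, read the block the plugin author published into `block`, and pass the fingerprint you obtained out of band as `expected_fpr`; write the returned text back only if no exception was raised. Real keys carry further packets (user IDs, signatures, subkeys) after the primary key packet; the parser skips over them because only the first tag 6 packet determines the fingerprint.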
...