Tags: eclipse, intellij-idea

How to safely install IntelliJ IDEA keymap for Eclipse?


I would like to safely install IntelliJ IDEA keymap for Eclipse.

In Eclipse (Spring Tool Suite), I go to Help -> Marketplace. I search for IntelliJ and install IntelliJ IDEA keymap for Eclipse. After accepting the licenses, I have to answer this question:

Do you trust unsigned content of unknown origin?


I don't want to trust unsigned content from unknown origin.

How can I safely install IntelliJ IDEA keymap for Eclipse?


Solution

  • In general, if you want to install something and you can't or don't want to check for yourself that what you want to install doesn't contain malware, you have to trust someone. By signing, the author/vendor authenticates themselves to you, which prevents others from impersonating them and prevents the content from being changed unnoticed during the download (man-in-the-middle attack). Since the update site is HTTPS and not HTTP, the main risk is that the plugin contains malware. To my knowledge, this has only happened once before, more than seven years ago: see the blog post by 0x10F8, who found the malware, and the press release by the Eclipse Foundation.

    Unfortunately, in your case, the plugin that you are installing is not signed. So let's look into what you want to install: The update site is https://raw.githubusercontent.com/IntelliJIdeaKeymap4Eclipse/IntelliJIdeaKeymap4Eclipse-update-site/main, which refers to this GitHub project. Besides XML files and one META-INF/MANIFEST.MF file, which are safe, the JAR file contains one class file that might contain malware: in plugins/com.github.intellijideakeymap4eclipse.plugin_0.1.4.202102272024.jar the file com/github/intellijideakeymap4eclipse/Activator.class. So let's decompile this class file:

    package com.github.intellijideakeymap4eclipse;
    
    import org.eclipse.ui.plugin.AbstractUIPlugin;
    import org.osgi.framework.BundleContext;
    
    public class Activator extends AbstractUIPlugin {
       public static final String PLUGIN_ID = "com.github.intellijideakeymap4eclipse.plugin";
       private static Activator plugin;
    
       public void start(BundleContext context) throws Exception {
          super.start(context);
          plugin = this;
       }
    
       public void stop(BundleContext context) throws Exception {
          plugin = null;
          super.stop(context);
       }
    
       public static Activator getDefault() {
          return plugin;
       }
    }
    

    This file is unnecessary, but it is not malware, and it matches the source code provided by the same GitHub account.

    In conclusion, the plugin does not currently contain any malware, at least as long as neither the update site nor its content changes. Therefore, it is currently safe to install this plugin, even if it is not signed. You could ask the author/vendor of the plugin to sign the plugin so that it is easier to stay secure in the future.
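The inspection the answer performs by hand (unpack the JAR, note whether META-INF carries signature files, and single out the entries that are executable code rather than XML or manifest data) can be scripted so it is repeatable the next time the update site changes. The script below is an added example, not part of the answer or of the keymap project. It uses only the Python standard library; the sample JAR it builds is a constructed stand-in that mimics the file layout described above (plugin.xml, META-INF/MANIFEST.MF, one Activator.class), and its class entry is a placeholder consisting of the class-file magic header rather than real bytecode. The "signed" variant adds placeholder META-INF signature files so the detection path can be exercised; it is not a real signature.

```python
import io
import zipfile

# A signed JAR carries, under META-INF/, a .SF digest manifest plus a signature block.
SIGNATURE_SUFFIXES = (".SF", ".RSA", ".DSA", ".EC")
# Every Java class file starts with the 0xCAFEBABE magic number.
CLASS_MAGIC = b"\xca\xfe\xba\xbe"


def inspect_jar(jar_bytes):
    """Summarise what a plugin JAR contains before deciding whether to install it.

    Returns a dict with:
      signed          - True if META-INF holds signature files (presence only;
                        run `jarsigner -verify` to actually validate a signature)
      signature_files - those files
      code_entries    - entries that are executable Java code, detected either by
                        the .class suffix or by the 0xCAFEBABE magic in the content
      mislabelled     - .class entries whose content is not a class file, or
                        non-.class entries whose content is (both deserve a look)
      data_entries    - everything else (XML, manifest, resources)
    """
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = zf.namelist()
        # Only the first four bytes of each file are needed for the magic check.
        heads = {n: zf.read(n)[:4] for n in names if not n.endswith("/")}

    signature_files = sorted(
        n for n in names
        if n.startswith("META-INF/") and n.upper().endswith(SIGNATURE_SUFFIXES)
    )

    code_entries, mislabelled, data_entries = [], [], []
    for name, head in heads.items():
        looks_like_class = head == CLASS_MAGIC
        named_class = name.endswith(".class")
        if looks_like_class or named_class:
            code_entries.append(name)
            if looks_like_class != named_class:
                mislabelled.append(name)
        else:
            data_entries.append(name)

    return {
        "signed": bool(signature_files),
        "signature_files": signature_files,
        "code_entries": sorted(code_entries),
        "mislabelled": sorted(mislabelled),
        "data_entries": sorted(data_entries),
    }


def build_sample_plugin_jar(signed=False):
    """Constructed sample JAR with the layout the answer describes.

    The .class body is a placeholder (magic header plus padding), not real bytecode.
    With signed=True, placeholder signature files are added; they are not a real
    signature and would not pass jarsigner verification.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(
            "META-INF/MANIFEST.MF",
            "Manifest-Version: 1.0\n"
            "Bundle-SymbolicName: com.github.intellijideakeymap4eclipse.plugin;singleton:=true\n",
        )
        zf.writestr("plugin.xml", "<?xml version='1.0'?><plugin/>")
        zf.writestr(
            "com/github/intellijideakeymap4eclipse/Activator.class",
            CLASS_MAGIC + b"\x00" * 4,
        )
        if signed:
            zf.writestr("META-INF/SIGNER.SF", "Signature-Version: 1.0\n")
            zf.writestr("META-INF/SIGNER.RSA", b"placeholder signature block")
    return buf.getvalue()


if __name__ == "__main__":
    for key, value in inspect_jar(build_sample_plugin_jar()).items():
        print(f"{key}: {value}")
```

To use it on the real download, read the plugin JAR from the update site into `jar_bytes` and call `inspect_jar` on it; a short `code_entries` list tells you exactly which files need decompiling, as the answer did for Activator.class, and a non-empty `mislabelled` list is a reason to stop and look closer. Note that `signed` only reports that signature files are present; whether the signature is valid and whose certificate it chains to is a separate check.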