What is the value of a current signature on an extension?

unsigned
signatures
signed
outdated
developer

#1

Continuing the discussion from Can't update Eneroth's Solid Tools:

Very interesting …
I just took another look at my installed extensions.

Your Eneroth Solid Tools now shows a good, not outdated signature. This is a change from yesterday.

Looking over my other extensions:

I see that one extension authored by Sketchup is unsigned (SketchUp Attribute Helper).

I have a number of @thomthom’s extensions. Only 1 has a current signature - the rest are signed, but the signature is outdated. And this is from a Trimble employee!

All of @tig’s extensions show outdated signatures on my system, and while @Fredo6’s LibFredo6 has a current signature, his BezierSpline has an outdated signature.

Given that all these extensions are ones I use regularly - and trust - what, if anything, can I conclude about the value of signed extensions?

If I restrict myself to choosing to use only extensions with a current signature, I’ll lose a lot of the functionality I rely on. I’m not willing to do that.

Maybe I should restrict myself to extensions with signatures, whether they are current or outdated? Nope. There are a couple of completely unsigned extensions that I rely on.

My conclusion? I think I’ll place my trust in the people who authored the extensions - regardless of signature status. I’ll worry only when I’m considering installing an extension from an unfamiliar author - in which case I’ll ask here first!


Does a being blessed with the "Sage" badge bestow any additional Discourse authority?
#2

There has been considerable discussion ‘behind the scenes’ between authors and Trimble.
They introduced the signing process against the advice of many… including me !
As I’ll explain later it is something of an illusion !
If you get an extension from the EW then you are assured that they have been vetted and meet some minimum coding standards.
An older extension’s RBZ might not be signed at all, or it might be signed for v2016, but not have a current signature [ they changed the signing system with v2017 ! ]

I am surprised that ‘none’ of my offerings at the SketchUcation PluginStore are reporting as ‘having an up to date signing’, I have published several updates to be compatible with v2017 ??
But I do know that some are only signed for v2016…
Many of the SketchUcation PluginStore’s authors’ downloads have been signed for v2017 compatibility, whilst more were previously signed for v2016.

By introducing and then changing the signing system Trimble put a burden on authors that far exceeded their assumptions.
Plugins which worked for years now report as unsigned, or if they have been signed previously they can still report as outdated !
It takes not inconsiderable effort by authors to get their RBZs signed.
If they use the EW they need to resubmit new versions for consideration - these are auto-signed if found compliant and meeting some minimum coding standards…
If authors use other outlets, like SketchUcation PluginStore, Smustard.com or an author’s own download site, they have to submit their RBZ to a special Trimble ‘portal’ where they must be a registered developer, and the RBZ is signed [assuming it is structured in a particular way !]
However, this method of signing has no checks on an RBZ file’s contents - they may or may not meet some basic coding standards !
The assurance of being ‘signed’ is somewhat illusory !

So… the best assurance of an RBS file being ‘kosher’ is actually to get it from a known and trusted author…
That is, either from an author who uses the EW to distribute their extensions, or from an author like myself or Fredo6, who are represented at the SketchUcation PluginStore, or from one of the other well known author groups like Smustard.com etc…

If you choose an extension loading policy that is ‘unrestricted’ all plugins will load.
Choosing a more limited policy is more restrictive, but offers little real comfort !
Currently limiting yourself up to date signed extensions offers no real protection.

Having introduced a signing system, then I suspect that in the long term Trimble plan to try and force all authors into using their EW, where they can enforce certain coding conventions and so on… and then stop non-signed code from loading at all…
However, this then presents all kinds of issues - like users who want to write or use their own scripts, and of course how developers might write and test their scripts prior to getting them signed… I suspect that there will be insurmountable difficulties, at least without a draconian regime, that we all hope will not come about !


#3

There is no such plan.
You suggested this before, which I have debunked - so I’m not sure why you keep repeating this?


#4

To update the signatures of my extensions I have to re-upload everything. I simply have not set aside time for that.
If you trust the source of the extensions (like any software) then it’s all fine.

The signature is just a means of indicating that the extension has not been tampered with since it was packaged by the author. Nothing more. And outdated signature just reflect that there was a different signature system initially.

I hope we’ll get a better way to update signatures in bulk eventually.


#5

Thom,

I just tried this with one of your extensions (CleanUp3). More specifically, I uninstalled it, quit SketchUp (SU), rebooted my computer, re-installed it, quit SU again, rebooted again, started SU: It is still showed as having an outdated signature!

I’m going to wait a day to be sure (since updating @Eneroth’s SolidTools didn’t clear the “outdated signature” message immediately, but the next day it showed as having a valid, non-outdated signature), but if it doesn’t clear tomorrow, I’ll be forced to say that this procedure doesn’t work.

If it (the outdated message) does vanish, then I’ll do the same for my other extensions showing an outdated signature - slowly - and (mostly) because I hate seeing things that appear to be warnings that don’t really matter!


#6

Did you read what ThomThom wrote? He said HE has to re-upload everything with the new signatures. Until he has time to do that, reinstalling his extensions isn’t going to change anything on your end. the outdated signature will not hurt anything as far as using the extension.


#7

I read it as that is the procedure he uses for extensions he uses, not that he authored. Admittedly, my mind skipped over “re-upload” and assumed he meant “re-install”.

And I just re-read it - and it could be interpreted either way if one (such as myself) isn’t paying close attention. If he meant it to say that, in order for us to see his extensions with a current signature, then he needs to re-upload the extensions he authored, then I understand completely why my efforts had no effect.

OTOH, as he is now a Trimble employee, I would hope that Trimble would WANT him to re-upload (on company time) extensions he authored to show that Trimble employees use and support their signature system.


#8

There should be no delayed effect of the signature. When you install/update you should see it right away (might have to restart SU).


#9

Heh - not a bad point. I could mention this in our next team meeting.


#10

You could also mention that it is an affront to the intelligence of all user that there are any Sketchup team plugins that are unsigned.


#11

The term “outdated” is causing confusion, as the signatures are not date based, but version based.

I’m trying to think of a better term …


#12

Wouldn’t is save a lot of time for a lot of people if the Warehouse automatically signed existing Extensions for each new version when it is released?


#13

The new signature for SU2017 wasn’t planned, but due to changes in the signing system we used from a third party beyond our control. New versions of SU should not require signatures to be updated for every release.


#14

Worth making a distinction between extension from SketchUp directly and from individuals, like me how happened to get hired. I have 50 released extensions, some getting close to ten years old. There’s a limit to how much time and effort I have time to invest in maintaining it all. Just because I got hired doesn’t mean the SU team have control or responsibility over them. They are still mine. And if the company where to pay me to update them then it enters an odd space in terms of ip etc…

I have had two accounts here on the forum, two different hats. This one was intended as representing me personally. The other under @tt_su was supposed to be the more official one. But it was hard to maintain a clear distinction because people kept mentioning the various nicks and I’d then respond under whatever was called to attention. Recently I noticed my title had been renamed to mention I was a team member so I kind of gave up with the dual-account thing.

But do please consider the different aspects of my own personal work and my position as a team member. Trimble have never bought or acquired any of my extensions - so none of them are under their responsibility. The ip belong to me.


#15

Maybe I’m drifting off topic but I think Trimble could really benefit if a small percentage of company time was dedicated for personal projects, as long as they are SketchUp related. In your case it could mean maintaining old extensions but for others it could mean modeling. I think the overall quality of SketchUp would improve if everyone working on it also gained more experience as users, e.g. with things like the wonky behavior of solid tools and with components.


#16

Thom,

I can, indeed, see the distinction you make. However, it doesn’t take away from my suggestion that people in your situation be allowed “on the clock” time to get current signatures on your extensions. It could be offered (by Trimble) with a simple disclaimer that your updating your extensions on Trimble’s time will not be construed as bestowing (on Trimble) any IP rights to the extensions.


#17

Thomthom I was only referring to the ones specifically named as Sketchup Team. They may all be signed by now, I haven’t checked, but it seemed ridiculous to introduce a signature system and not have your own extensions signed.
How can you expect others to get they plugins signed if you can’t do it.
My comments here are not directed at you but at The Team. It comes across as very unprofessional if the signature system is so unwieldy, as if it was released in the wild long before it was ready.


#18

We actually forgot about our non-shipped extensions when we released SU2017. :disappointed: I believe they are all fixed now. Let us know if we missed any.


#19

OK. How about the SketchUp (SU) Attribute Helper?

I un/reinstalled and it still shows unsigned.

Possible nitpick: Yes, on the Extension Warehouse (EW), it says it’s open source, hosted by SU, so it may not meet the strict definition of an extension provided by SU. Nonetheless, it’s author is listed as “SketchUp” in the Extension Manager hence should be signed, if for nothing else than to maintain the facade that Trimble supports and uses the extension signing system.


#20

…yeah, like Solar North Toolbar! Once upon a time, that functionality was in the base SketchUp, not even an extension, IIRC. Why they pulled it out always puzzled me.


Topic Hijacking is getting rampant!