@badger101 That’s a quite common pattern for free and open source nodes. We developers who create such nodes in our spare time with limited resources usually don’t want to spend much money on expensive certificates to sign the nodes. So if you know the source (URL, HTTPS, reliable vendor), you can safely install such nodes.
You might see a warning regarding missing signing/certificates. You can safely ignore this. Most community developers of free and open source products do not sign their products to avoid large costs for acquiring certificates.
The Spellchecker Nodes are developed by @qqilihq who also develops the Palladian Nodes and the Selenium Nodes. So I would consider them safe.
Thank you so much for the explanation. Really appreciate it. I was busy these last 2 days creating tools to address my previous concern, which now is not a concern anymore based on what you just wrote.
I’m deciding now whether I should keep these to myself or publish them on the hub as an alternative:
Thanks for the great explanation, @danielesser and thanks for raising that question @badger101. Here’s some additional 5 cents about that topic (from the perspective of the maker of the Spellchecker nodes):
We (NodePit and Selenium Nodes) currently do not sign the jars (no matter if it’s for free or for paid nodes). Signing them gives little objective security benefit but it’s a big hassle on top of the plenty of big hassles one faces in the Eclipse/KNIME development ecosystem (and which we rather invest in building great software).
Why no security benefits? As seen above, most users do not really know what “signing” exactly means. Facts: It will not protect you from bad/malevolent software. There is no external entity involved which “validates”, “authenticates” or “reviews” the “signed” software at all. In the end, the main reason for signing the software would just be about getting rid of that annoying dialog (which is definitely frightening).
So. Should you “trust” the Spellchecker nodes? This question I cannot answer.
Should you make your decision based on that unsigned content dialog? I think no.
By the way: For any questions about these nodes, don’t hesitate to get in touch!