Yeah, the thing is, I was expecting Eclipse to work like a web browser (or even an SSH client), which basically allows the user to, like you said, add the untrusted certificate to a store of trusted certificates. If one has to do that manually with the command line, that's not user-friendly at all.
Not to mention adding it to the JVM store is arguably not an entirely correct technical solution: it would make the certificate trusted for all Java apps, not just that Eclipse instance (some users might find that too broad a scope; I would).
Purchasing a certificate from a certificate authority wouldn't be the way to go either, as I hear this is fairly expensive, and all the Eclipse projects I'm working on are open-source projects, with volunteer contributors.
Seems there was already some discussion about this in Bugzilla:
https://bugs.eclipse.org/bugs/show_bug.cgi?id=440430
https://bugs.eclipse.org/bugs/show_bug.cgi?id=340345
Since a few users complained about the possibility of man-in-the-middle attacks, my best solution is to ask users to use HTTPS for the update-site URL (the update site is hosted on GitHub, so I don't need to get my own certificate for that). However, I did this in the past and some users reported either performance problems or other strange failures when trying to update/install using HTTPS (especially users from China).