Validate JCE certificates during Eclipse install
During installation of Eclipse (using Eclipse Installer) I get asked "Do you trust these certificates?", listing two certificates for Bouncy Castle (one signed by Sun, one by Oracle) and one certificate for Eclipse (signed by Sun). How can I validate these certificates?

Screenshot of certificates dialog

I understand that these are code signing certificates for JCE (Java Cryptography Extension), i.e. certificates signed by Oracle for encryption, key generation and key agreement, and Message Authentication Code (MAC) algorithms. I also know that Bouncy Castle is in common use for providing algorithms related to encryption.

Two questions:

  1. All certificates are signed by the same two CAs, but I cannot find a (public) list of "official" CA certificate fingerprints. How can I validate these?
    • JCE Code Signing CA, issued by and to Sun Microsystems Inc, valid to 2020-04-25, fingerprint 57:37:D1:E1:16:2F:F6:FE:26:B9:87:88:D2:86:DA:66:7F:98:54:3C
    • JCE Code Signing CA, issued by and to Oracle Corporation, valid to 2030-12-31, fingerprint F4:B9:C6:4A:52:AD:22:3C:E4:BF:BA:52:52:87:9C:9F:71:1D:4B:33
  2. Why are those CAs not trusted by default, i.e. included in some trust store supplied with the JDK/JRE? The CAs are operated by Oracle (at least the CA certificates say so 😉), and the JRE I'm using is provided by Oracle (openjdk 11.0.2); I see no reason the CAs should not be trusted (given they are indeed legit).
Chopstick answered 19/2, 2019 at 22:41
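For question 1, the comparison can at least be done mechanically rather than by eye. The following is an added example, not code from the question or the answer: it parses the certificate chain that `keytool -printcert -jarfile <bundle.jar>` prints for a signed bundle, picks out the self-signed (CA) certificates, and compares their SHA-1 fingerprints with the two JCE Code Signing CA fingerprints quoted in the question. The `keytool` output embedded below, the distinguished names in it and the leaf and "rogue" fingerprints are constructed for this example; the `keytool_printcert` helper assumes a JDK `keytool` on `PATH` and is only needed for a real bundle.

```python
"""Added example: check JCE Code Signing CA fingerprints in keytool output.

Not part of the original question or answer. The sample keytool output
below is constructed; only the two CA fingerprints come from the question.
"""
import re
import subprocess
from typing import Dict, List, Optional

# SHA-1 fingerprints of the two JCE Code Signing CAs as listed in the question.
# These are the only "known good" values used here; the check therefore confirms
# that an installer shows the same CAs the asker saw, nothing more.
EXPECTED_JCE_CA_FINGERPRINTS: Dict[str, str] = {
    "57:37:D1:E1:16:2F:F6:FE:26:B9:87:88:D2:86:DA:66:7F:98:54:3C": "Sun Microsystems Inc",
    "F4:B9:C6:4A:52:AD:22:3C:E4:BF:BA:52:52:87:9C:9F:71:1D:4B:33": "Oracle Corporation",
}


def normalize_fingerprint(fp: str) -> str:
    """Upper-case hex pairs joined by colons, so '5737d1e1...' and
    '57:37:D1:E1:...' compare equal regardless of how they were copied."""
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", fp).upper()
    return ":".join(hexdigits[i:i + 2] for i in range(0, len(hexdigits), 2))


def parse_keytool_certs(text: str) -> List[Dict[str, str]]:
    """Split `keytool -printcert` / `keytool -list -v` output into one dict per
    certificate, keeping its Owner DN, Issuer DN and SHA1 fingerprint."""
    certs: List[Dict[str, str]] = []
    current: Optional[Dict[str, str]] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Owner:"):
            current = {"owner": line[len("Owner:"):].strip()}
            certs.append(current)
        elif current is not None and line.startswith("Issuer:"):
            current["issuer"] = line[len("Issuer:"):].strip()
        elif current is not None and line.startswith("SHA1:"):
            current["sha1"] = normalize_fingerprint(line[len("SHA1:"):])
    return certs


def check_ca_fingerprints(certs: List[Dict[str, str]]) -> Dict[str, bool]:
    """Map each self-signed certificate's Owner DN to True when its SHA-1
    fingerprint is one of the expected JCE CA fingerprints, else False.
    Leaf and intermediate certificates (Owner != Issuer) are skipped: the
    trust decision hinges on the anchor, not on the signer underneath it."""
    verdicts: Dict[str, bool] = {}
    for cert in certs:
        if cert.get("owner") != cert.get("issuer"):
            continue
        verdicts[cert["owner"]] = cert.get("sha1", "") in EXPECTED_JCE_CA_FINGERPRINTS
    return verdicts


def keytool_printcert(jar_path: str) -> str:
    """Run keytool on a real bundle; assumes a JDK keytool on PATH (not used offline)."""
    proc = subprocess.run(["keytool", "-printcert", "-jarfile", jar_path],
                          capture_output=True, text=True, check=True)
    return proc.stdout


# Constructed keytool output: a leaf signer certificate, the Sun JCE CA with the
# fingerprint from the question, and a self-signed CA with a made-up fingerprint
# (the failure mode: a CA that is NOT one of the two expected ones).
SAMPLE_OUTPUT = """Signer #1:

Signature:

Owner: CN=Example Bundle Signer, O=Example Org
Issuer: CN=JCE Code Signing CA, OU=Java Software Code Signing, O=Sun Microsystems Inc
Serial number: 1234
Valid from: Mon Jan 01 00:00:00 UTC 2018 until: Sat Apr 25 00:00:00 UTC 2020
Certificate fingerprints:
\t SHA1: 11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44
\t SHA256: 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF
Signature algorithm name: SHA256withRSA

Owner: CN=JCE Code Signing CA, OU=Java Software Code Signing, O=Sun Microsystems Inc
Issuer: CN=JCE Code Signing CA, OU=Java Software Code Signing, O=Sun Microsystems Inc
Serial number: 1
Valid from: Wed Apr 25 00:00:00 UTC 2001 until: Sat Apr 25 00:00:00 UTC 2020
Certificate fingerprints:
\t SHA1: 57:37:d1:e1:16:2f:f6:fe:26:b9:87:88:d2:86:da:66:7f:98:54:3c
\t SHA256: FF:EE:DD:CC:BB:AA:99:88:77:66:55:44:33:22:11:00:FF:EE:DD:CC:BB:AA:99:88:77:66:55:44:33:22:11:00

Owner: CN=Some Other Root, O=Constructed Example
Issuer: CN=Some Other Root, O=Constructed Example
Serial number: 2
Valid from: Mon Jan 01 00:00:00 UTC 2018 until: Fri Jan 01 00:00:00 UTC 2038
Certificate fingerprints:
\t SHA1: DE:AD:BE:EF:DE:AD:BE:EF:DE:AD:BE:EF:DE:AD:BE:EF:DE:AD:BE:EF
"""

if __name__ == "__main__":
    for owner, ok in check_ca_fingerprints(parse_keytool_certs(SAMPLE_OUTPUT)).items():
        print(("OK      " if ok else "UNKNOWN ") + owner)
```

The same parser works on `keytool -list -v -keystore <JDK>/lib/security/cacerts` output, so a `False` verdict can be cross-checked against what the selected JRE's trust store actually contains. Note the limitation: the allowlist is the pair of fingerprints from the question, so a match only shows the installer presents the same CAs the asker saw, not that those CAs are the ones Oracle operates; that still has to come from an authoritative Oracle source.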

I believe that the answer is that you are somewhat forced to trust these certificates. In my install (eclipse 2022-12), when I highlight one of the certificates being asked to be trusted, it shows a list of the bundles that are associated with that certificate. I was certainly familiar with many of those bundles and think that if they were not installed, you probably would have a bad install, or weird things might happen if they weren't installed. The only thing you can do to make yourself feel better about the decision to trust them is to make sure you validated the sha-512 hash code against the eclipse installer that you downloaded from eclipse.org. I do that for almost everything I download and install from the internet. If you trust the installer, then as I said earlier, you should probably trust the resources it's asking you to install. I believe that the trust store being used comes from the JRE that you selected (i.e. jdk-17\lib\security\cacerts). One of my certificates being asked to be trusted was an expired one and I was installing using JRE-17. And some of the bundles being asked to install were not signed.

Savior answered 14/3, 2023 at 17:49