KNIME Desktop keeps saying my custom extension is not signed even though the jar is signed

Hi everyone,
I’m currently working on a custom node specialized in reading a proprietary binary file format. It works fine, but when I want to distribute the node using an update site, KNIME Desktop tells me that my extension is not signed, BUT I’m sure the jar files of my feature and my node are correctly signed (using jarsigner in the Maven build).

The certificate I used will expire in 6 months, but it is currently valid and the jar is signed with it.

Can you tell me what I’m missing to have my extension correctly signed?

Thanks for your help

Hi @gabrieldausque,

Did you regenerate the repository metadata after signing? This ensures it is up to date.
See this snippet showing how we do it:

    <build>
        <plugins>
            <!-- 1. Sign every jar in the built p2 repository with jarsigner. -->
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-jarsigner-plugin</artifactId>
                <executions>
                    <execution>
                        <id>sign</id>
                        <phase>prepare-package</phase>
                        <goals>
                            <goal>sign</goal>
                        </goals>
                    </execution>
                </executions>
                <configuration>
                    <tsa>http://time.certum.pl</tsa>
                    <alias>INSERT_YOUR_KEY</alias>
                    <archiveDirectory>${project.build.directory}/repository</archiveDirectory>
                </configuration>
            </plugin>
            <!-- 2. Drop artifacts.jar: its sizes and checksums were computed before signing. -->
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-antrun-plugin</artifactId>
                <version>3.0.0</version>
                <executions>
                    <execution>
                        <phase>prepare-package</phase>
                        <goals>
                            <goal>run</goal>
                        </goals>
                        <configuration>
                            <target>
                                <delete file="${project.build.directory}/repository/artifacts.jar" />
                            </target>
                        </configuration>
                    </execution>
                </executions>
            </plugin>
            <!-- 3. Re-publish the p2 metadata from the signed features and bundles. -->
            <plugin>
                <groupId>org.eclipse.tycho.extras</groupId>
                <artifactId>tycho-p2-extras-plugin</artifactId>
                <version>${tycho.version}</version>
                <executions>
                    <execution>
                        <id>Re-generate artifacts.jar</id>
                        <phase>package</phase>
                        <goals>
                            <goal>publish-features-and-bundles</goal>
                        </goals>
                    </execution>
                </executions>
                <configuration>
                    <sourceLocation>${project.build.directory}/repository</sourceLocation>
                    <publishArtifacts>false</publishArtifacts>
                </configuration>
            </plugin>
        </plugins>
    </build>

If that is OK, you need to look deeper into the error message that is shown. The plugin installation and signature verification functionality is provided directly by the OSGi / Eclipse platform, so you might also find additional solutions if you search for plugin installation signature problems there.

best,
Gabriel

This solution doesn’t work at all. No error message is shown, and that’s exactly my issue: only a warning on the feature and plugin jars when showing details. But when I check both of them, they are correctly signed.

After changing the code-signing certificate I was using, I now have another issue:

An error occurred while collecting items to be installed
session context was:(profile=KNIMEProfile, phase=org.eclipse.equinox.internal.p2.engine.phases.Collect, operand=, action=).
Problems downloading artifact: org.eclipse.update.feature,mycompany.plugin.knime.sbdf.feature,0.0.5.
Error reading signed content:C:\Users\gabriel.dausque\AppData\Local\Temp\signatureFile15581341076637620240.jar
An error occurred while processing the signatures for the file: C:\Users\gabriel.dausque\AppData\Local\Temp\signatureFile15581341076637620240.jar

java.security.NoSuchAlgorithmException: An error occurred while processing the signatures for the file: C:\Users\gabriel.dausque\AppData\Local\Temp\signatureFile15581341076637620240.jar
    at org.eclipse.osgi.internal.signedcontent.SignedBundleHook.getSignedContent(SignedBundleHook.java:231)
    at org.eclipse.equinox.internal.p2.artifact.repository.SignatureVerifier.verifyContent(SignatureVerifier.java:84)

Caused by: java.security.NoSuchAlgorithmException: No algorithm found for 1.2.840.113549.1.1.11
    at org.eclipse.osgi.internal.signedcontent.PKCS7Processor.findEncryption(PKCS7Processor.java:95)
    at org.eclipse.osgi.internal.signedcontent.PKCS7Processor.processSignerInfos(PKCS7Processor.java:364)

After some googling, it seems to be related to the signature algorithm obtained from a code-signing certificate from Sectigo:

Here is the signature information obtained using jarsigner :

  • Signed by “CN=<MyCompany, O=MyCompany, ST=Paris, C=FR”
      Digest algorithm: SHA-256
      Signature algorithm: SHA256withSHA256withRSA, 3072-bit key
    Timestamped by “CN=“Sectigo RSA Time Stamping Signer #2”, O=Sectigo Limited, L=Salford, ST=Greater Manchester, C=GB” on Fri Feb 18 08:05:18 UTC 2022
      Timestamp digest algorithm: SHA-256
      Timestamp signature algorithm: SHA384withRSA, 4096-bit key

As KNIME is an OSGi (Eclipse) application, it seems to be the same issue as this Eclipse bug:

https://bugs.eclipse.org/bugs/show_bug.cgi?id=572034

which is marked as closed (fixed in Eclipse 4.2).

What is confusing is that I’m using KNIME 4.4 and have tested the installation in KNIME 4.5.1, which uses Eclipse 4.19, so it may contain the fix …

I also tried to change the signing algorithm in the Maven plugin (tried to force SHA256withRSA, also tried SHA1withRSA), but the final signature algorithm is still of the form SHAXXXwithSHAXXXwithRSA, not SHAXXXwithRSA.

For now I’m blocked, because we need to sign the plugin. I’m looking for a way to correct the final signature:

  • What kind of certificate do I need to obtain the right signature?
  • Can we force the jarsigner plugin to set the right signature (the sigalg argument doesn’t seem to work)?
  • Can we force an “update” of the KNIME Eclipse dependencies so they can read the certificate I currently have?

Hi @gabrieldausque,

  • KNIME AP 4.5.1 is based on Eclipse 4.19.0; the fix for this issue is in 4.20. We are planning to update to 4.20 or later for the next AP release this summer, but you can’t really force-update an existing AP installation, as the version numbers of many Eclipse dependencies are pinned in the KNIME features.
  • If I understand the bug report correctly, the issue is not the certificate itself but the TSA server. You can try using http://time.certum.pl, which is the one we use; we don’t have problems with our signatures.

best,
Gabriel

Hello, sorry, but the problem is the same as the one described when using a specific TSA server: my certificate uses the same signing algorithm as the example with the TSA server. The problem seems really related to the way Eclipse tries to validate the certificate. We will wait for KNIME to update to Eclipse 4.20, then.
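The check that would have settled the exchange above early on, as an added example (this is not code from the thread, from KNIME or from Eclipse): the `No algorithm found for 1.2.840.113549.1.1.11` message comes from the OID stored in the `digestEncryptionAlgorithm` field of each SignerInfo inside the JAR's `META-INF/*.RSA` block, and the jarsigner summary (`SHA256withSHA256withRSA`) does not show that OID directly. The script below pulls the PKCS#7 block out of a signed JAR and reports that OID per SignerInfo, so you can tell whether a jar carries the bare `rsaEncryption` OID (1.2.840.113549.1.1.1) or `sha256WithRSAEncryption` (1.2.840.113549.1.1.11) without trying an install. Assumptions: the set of OIDs the pre-4.20 Equinox verifier accepts is inferred from the stack trace in the thread, not taken from the Eclipse source; `build_sample_jar` produces a constructed, cryptographically meaningless JAR skeleton with made-up entry names purely so the script runs offline.

```python
"""Report the signature-algorithm OID of each SignerInfo in a signed JAR (added example)."""
import io, re, zipfile

OID_SIGNED_DATA = "1.2.840.113549.1.7.2"
OID_RSA_ENCRYPTION = "1.2.840.113549.1.1.1"            # bare rsaEncryption
OID_DSA_WITH_SHA1 = "1.2.840.10040.4.3"
OID_SHA256 = "2.16.840.1.101.3.4.2.1"
OID_NAMES = {OID_RSA_ENCRYPTION: "rsaEncryption", OID_DSA_WITH_SHA1: "dsaWithSHA1",
             "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
             "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",   # OID from the thread's trace
             "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
             "1.2.840.113549.1.1.13": "sha512WithRSAEncryption"}
# Assumption drawn from the NoSuchAlgorithmException in the thread: the Equinox verifier
# shipped before Eclipse 4.20 resolves only these two OIDs in digestEncryptionAlgorithm.
PRE_4_20_ACCEPTED = {OID_RSA_ENCRYPTION, OID_DSA_WITH_SHA1}

def _children(buf, start, end):
    """Split DER content buf[start:end] into (tag, content_start, content_end) tuples."""
    out, pos = [], start
    while pos < end:
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:                                   # long-form length
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        out.append((tag, pos, pos + length))
        pos += length
    return out

def _decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def _alg_oid(buf, node):
    """AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters ANY OPTIONAL }."""
    tag, s, e = _children(buf, node[1], node[2])[0]
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _decode_oid(buf[s:e])

def signer_algorithms(der):
    """Return [(digestAlgorithm OID, digestEncryptionAlgorithm OID)] for each SignerInfo."""
    content_info = _children(der, 0, len(der))[0]
    ctype, wrapper = _children(der, content_info[1], content_info[2])[:2]
    if _decode_oid(der[ctype[1]:ctype[2]]) != OID_SIGNED_DATA:
        raise ValueError("not a PKCS#7 SignedData block")
    signed_data = _children(der, wrapper[1], wrapper[2])[0]
    signer_infos = _children(der, signed_data[1], signed_data[2])[-1]   # SET OF SignerInfo is last
    result = []
    for si in _children(der, signer_infos[1], signer_infos[2]):
        parts = _children(der, si[1], si[2])
        # version, issuerAndSerialNumber, digestAlgorithm, [0] authenticatedAttributes (optional),
        # digestEncryptionAlgorithm, encryptedDigest, ...
        idx = 4 if parts[3][0] == 0xA0 else 3
        result.append((_alg_oid(der, parts[2]), _alg_oid(der, parts[idx])))
    return result

def check_jar(jar):
    """jar is a path or file-like object; returns one report dict per signature block."""
    reports = []
    with zipfile.ZipFile(jar) as zf:
        for name in zf.namelist():
            if re.fullmatch(r"META-INF/[^/]+\.(RSA|DSA|EC)", name):
                for digest, sig in signer_algorithms(zf.read(name)):
                    reports.append({"block": name, "digest_oid": digest, "signature_oid": sig,
                                    "signature_name": OID_NAMES.get(sig, "unknown"),
                                    "readable_by_equinox_pre_4_20": sig in PRE_4_20_ACCEPTED})
    return reports

# Constructed sample input (cryptographically meaningless) so the script runs offline.
def _der(tag, content):
    n = len(content)
    if n < 128:
        return bytes([tag, n]) + content
    lb = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | lb]) + n.to_bytes(lb, "big") + content

def _der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytes([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        enc = bytes([a & 0x7F])
        while a >> 7:
            a >>= 7
            enc = bytes([0x80 | (a & 0x7F)]) + enc
        body += enc
    return _der(0x06, body)

def build_sample_jar(signature_oid):
    """Hypothetical signed-JAR skeleton whose single SignerInfo uses signature_oid."""
    def alg(oid):
        return _der(0x30, _der_oid(oid) + b"\x05\x00")                     # OID + NULL params
    signer_info = _der(0x30, _der(0x02, b"\x01")                           # version 1
                       + _der(0x30, _der(0x30, b"") + _der(0x02, b"\x01"))  # empty issuer, serial 1
                       + alg(OID_SHA256) + alg(signature_oid)              # digest / signature algs
                       + _der(0x04, b"\x00" * 8))                           # dummy encryptedDigest
    signed_data = _der(0x30, _der(0x02, b"\x01") + _der(0x31, alg(OID_SHA256))
                       + _der(0x30, _der_oid("1.2.840.113549.1.7.1"))      # detached "data" content
                       + _der(0x31, signer_info))
    pkcs7 = _der(0x30, _der_oid(OID_SIGNED_DATA) + _der(0xA0, signed_data))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\n\r\n")
        zf.writestr("META-INF/SIGNER.SF", "Signature-Version: 1.0\r\n\r\n")
        zf.writestr("META-INF/SIGNER.RSA", pkcs7)
    buf.seek(0)
    return buf
```

Call `check_jar("path/to/your-feature.jar")` on the real artifact from the update site; `check_jar(build_sample_jar("1.2.840.113549.1.1.11"))` reproduces the shape of the failing case offline. A block whose `signature_oid` is 1.2.840.113549.1.1.11 will pass `jarsigner -verify` and still be rejected by the pre-4.20 `PKCS7Processor`, while 1.2.840.113549.1.1.1 is what that older verifier expects; in other words the OID, not the certificate chain or the timestamp, is what to compare when two jars behave differently.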
