I'm having an issue getting my signed module to behave like it has been signed. I received a code signing cert through Sectigo and used the github example. When I run the module signing tool, it outputs a signed version, and when I unzip the module it shows a "certificates.p7b" file that has all of the properties I would expect (like "Issued to Sync Automation").
I'm out of ideas, has anyone experienced this? Why would my "signed" module say it is self signed?
It would generally mean Sectigo is not trusted by java. All certificate authorities' root certificates are self-signed. What makes them "authorities" is that software vendors who control critical parts of the secure ecosystems (browser makers, in particular) choose to include those root certificates in their "trusted" stores.
Authorities come and go at various times, sometimes due to geopolitics, but mostly due to demonstrated incompetence or malice.