CA Signed Module Says Self Signed

Hey everyone,

I'm having an issue getting my signed module to behave like it has been signed. I received a code signing cert through Sectigo and used the github example. When I run the module signing tool, it outputs a signed version, and when I unzip the module it shows a "certificates.p7b" file that has all of the properties I would expect (like "Issued to Sync Automation").

I'm out of ideas, has anyone experienced this? Why would my "signed" module say it is self signed?

It would generally mean Sectigo is not trusted by java. All certificate authorities' root certificates are self-signed. What makes them "authorities" is that software vendors who control critical parts of the secure ecosystems (browser makers, in particular) choose to include those root certificates in their "trusted" stores.

Authorities come and go at various times, sometimes due to geopolitics, but mostly due to demonstrated incompetence or malice.


Is the full chain including the Sectigo root included?

It doesn't really matter, module signing is a partially implemented idea that never gained any traction. It's basically meaningless, regardless of the type of certificate you have.

I'm not 100% sure what you mean by full chain, but this is what I see in the p7b that is included when I unzip the module
Screenshot 2023-02-07 184830