I just installed a signed module that I wrote, I signed it with a self signed certificate.
The dialog in the Ignition “Install module” section tells me that the certificate is signed by a trusted authority. While I appreciate the confidence in my trust levels, this isn’t correct.
Is this just not implemented yet?
1 Like
It’s probably just implemented incorrectly, like the vendor/author name stuff.
If you can add some screenshots for context that will help with the bug report.
1 Like
Steps to reproduce: install a self signed module, look at the install window, or look at the license in the module list.
1 Like
I’m not really of the opinion that this specifically is broken because the alternative is that you have to buy a code signing cert from a public CA, and that’s not something I really believe should be a requirement either.
What’s really broken is our half-hearted implementation of module signing. The way it should work is there’s an area of the gateway where you can install trusted module signing certs or CAs, probably pre-seeded with IA, Sepasoft, and Cirrus Link certs, and then only modules signed by certs in this area are allowed to load unless unsigned modules are allowed by the corresponding system property.
1 Like
It's only broken because its in no way a trusted cert.
If it is a trusted cert, show the banner, cool. If it is not, don't show a banner saying that it is?
Yeah the messaging should probably change a bit, at least before you’ve installed the module. Once you’ve installed it you’ve implicitly, if not explicitly, trusted that signing certificate.