Signed module in quarantine unless allowunsignedmodules=true

shoe · October 4, 2025, 4:53am

Running Maker Edition 8.1. In developer mode (allowunsignedmodules=true). We have a newly developed OPC Driver module that is signed. it loads correctly and is recognized as signed - no problems. — Then I edit the ignition.conf file and take it OUT of developer mode (allowunsignedmodules=false). Restart the gateway and the module is now in quarantine with reason “This module is unsigned and developer mode is disabled” Just a moment ago it said the module was signed and allowed me to view the certificate. Is there something else I need to do besides signing the module to allow it to run in non-developer mode?

Also, noticed that all the standard modules have a version with suffix (b2024102210) while our module has a version suffix of (b0) Not sure what this means but it is a difference.

Thank you

David_Stone · October 4, 2025, 5:02am

In your pom.xml declare the version number <version>1.3.2.20250815</version> and it should give you Version 1.3.2(b20250815)

David_Stone · October 4, 2025, 5:25am

Also, you should be able to just uninstall and reinstall the driver and it should install normally.
The quarantine issue will only affect a developer, never an end user.

shoe · October 4, 2025, 6:16pm

Thanks for the response. So I just tried the following:

uninstall (delete because it is in quarantine) the driver
re-install our signed driver
It does not warn me that the driver is not signed, it says install successful. However our driver does not appear in the list of loaded modules. I also look at Status > Modules and our driver does not appear
I look at the logs and see the following entries

ModuleManager	04Oct2025 11:21:26	Cannot start up module "com.sulzerconsulting.ignition.opcuadriver", it doesn't exist.
ModuleManager	04Oct2025 11:21:26	Moving module XBOS UA Device to quarantine because module is unsigned and developer. mode not enabled.
ModuleManager	04Oct2025 11:21:26	Installing module: "com.sulzerconsulting.ignition.opcuadriver"

Our module works fine if allowunsignedmodules=true. We can load either a signed or unsigned module. We can browse tags. However, we cannot get the module working at all if allowunsignedmodules=false

Note: our certificate is on a hardware dongle, not in a java keystore. I signed the module using jarsigner rather than module-signer.jar because of the keystore issue. I examined the code of module-signer.jar and duplicated all the steps - and the gateway says the module is signed (most of the time) I can look into moving our certificate into a java keystore and using module-signer.jar although I do not look forward to dealing with this again.

Kevin.Herron · October 4, 2025, 6:23pm

If you can upload your module here or to Dropbox or something I can take a look later today to see why it’s not loading or if something is wrong with the signing.

shoe · October 4, 2025, 8:17pm

I appreciate your offer to look at the module. I sent a link to your email at inductive automation

Kevin.Herron · October 4, 2025, 8:27pm

Well, as I suspected when you said:

whatever you've done hasn't actually duplicated the steps. You're going to need to get your module signed with the module signer JAR I think.

Your signature.properties file looks like this:

Signature-Version: 1.0
Created-By: 17.0.12 (Azul Systems, Inc.)
SHA-256-Digest-Manifest: S4iP3kCtTZjeOFDO34JxP/aVQHh+ZGKeMoylqry2WKE=
SHA-256-Digest-Manifest-Main-Attributes: cm4zQM0iY4KzoslmDj1JocccHxHBtOT
 vQd1B555BXZ0=

Name: jackson-dataformat-xml-2.19.0.jar
SHA-256-Digest: kEtWzI7yj/NHXK1mXNUMJ154uysiJNFJgGiePRrf8gA=

Name: jackson-annotations-2.19.0.jar
SHA-256-Digest: WHcfejt+N3BSsBYsgz33AzKztUab8K+nNWTop4RurE4=

Name: module.xml
SHA-256-Digest: RRHbiU4GOhVrZOVHcig3wyYCd+kcVpPdbsExpVUkWHM=

Name: stax2-api-4.2.2.jar
SHA-256-Digest: tFaH4uIZSvbP3QHNvPO+Etas6JY20ZwpIhmYW7PgA60=

Name: xbosua-driver-device-1.2.0.0.jar
SHA-256-Digest: zJ/blwopvHfX3YVGZI7dbwZktT7/amADmk+PgrU3KWc=

Name: jackson-core-2.19.0.jar
SHA-256-Digest: THhI9R2R53nrFbGrG+W4/HLF2B8YImn2O9JwERsc2nQ=

Name: jackson-databind-2.19.0.jar
SHA-256-Digest: aybNLPplWwMYBXNbQ3Gvu8D/xqcHKQk7ui8wjP5ZFt4=

Name: woodstox-core-7.1.0.jar
SHA-256-Digest: asbvn0vF3CsEpWGG1gFgVAGHPhvRi72+aaKVfvTvnQo=

Name: xbosua-milo-common-1.2.0.0.jar
SHA-256-Digest: QjuQhDplTi8WUrgebMM9za5qn0AZNsssOCk8V0heZzo=

It needs to look something like this:

#Fri Aug 01 22:12:49 UTC 2025
/msd-gateway-2.0.0-SNAPSHOT.jar=fv3BU6tVPFYyaPC5nbJCmaaw9skKzvXhJFzxyXIbhhW9XPBP+GyEeqUKdgCXu/OzNL+d4puEuZ8i22LJHVpoEMGkqr4R8atlfEf7ejusn5dTGwVu9lBS0FJsCu/Z7gdmhXVVW4AZlvOQ4mDBZOsDCmQcmYFZhtK/OGOJ2zkwnz1l0QJxCkdonQjTNUp0fDamgeVtXdU2sCPFnm1dzFYXQILwceKuFEffNKyv+eH9t+/hWccSbFawjjzVRs9eSjhYU8YEVQImVmkkseZEIZF7exfHmFHcJM24jKBcm1J42xscp1A+kmEzIjp77cLziN0d0ioiDj8iVcKjfsTbdcyyZA\=\=
/module.xml=P7+29bFnvANC70vwOMXQojyG/eJ69c7T9Rm7nOtUYrNOzGE28M6/0ymcfmI9C+TzcS+2ydwrw042XUll6XP/IkMJSJFu4Llehsw+T7S84EayMAhX9THnwGaJnqDRSGfH486CT/IkFGqwD5x8zeofDgusXDjC2BSu/qKDF+DcgVCqluPBY58V4i0aEruDG9NUH7bEn8KEDIwPtUPrw2QSbXBGSh0aD713H8SZbHX5S2bZHV3DxdrldDlgyKx6EPwA+PQ8gcjC6WSgy7bCTJfcDWK5J9UrjzfPba7863Q1uJxaivP9f1HnmFb5Ty1ckC3ZHjQqQaw8GzIc2hLX0/+XLA\=\=
/modbus-2.0.0.jar=Yla3moheBLcIDBfqq0WTfKIXAewmGtfEX8vYKkL9aczxAg7WvRC6NponK39fYSsVd2Ndiv16qtgaOl5Mc9SsuEvTzu6AQuj/k9Hi1ZlH4pJw++idRfb56LDo7n08c8puN+Rq9n3SDnIIouaAlGlHVnzUleMPjmr9UtuUDo1xx+qgtf/Hr0JQ2Uel8fqbfo2IPFCXFVSKnTDyKcMFpuObgZHSKPQnV3XFbVoQXIWiIsGHFee6yFHMqqoUG38Aa1/iHs03+UHja1g1PNNj+DHok9UtuV7aexbDCfMHRbU1uSm/rrydWGKAQSLM3OXlGCI0fgis7EAxmP+ZAMDy0RQotA\=\=
/modbus-tcp-2.0.0.jar=O8ObXLfJPvFOAjSrzjJIwpZegcw1K6CPjHEEEqVa2mm/7i3P15OYcpnqk0kqg53x/RzHaAfieHCTzAa9rdxUaSlvx8//nl7h3Day7JQIL8AuKruKLrn8dJwPrlxPOZmpSesGH2GI5efTRWXh4tRUWMpcIwvY+f+tjSGVBJfMNBp4KjQ+bFEsQkFcL/U2m9Cmn3ixg6geAKpqTG2SG/TimFIH6zDRzU8zA+kyDSwy9nz7A/ktrMIqfRdae+k+cbDyFhZjlbAfS1gv0pAC1d9FawdWHL8OLyQVrBZRVy8pchah3qwtDZxhEem3EfPEOUQzKIxFQm44vdejMerTznUbVw\=\=
/byteops-0.1.1.jar=W6vOkMSnF1aChiyN1m1U/7sILL/n+uE/nRnvZoBONoDRIS2cu4grya2zsJsIl1tMNDH04/qe9WVlPY7QALbPWdFLR0C2WOS1jLOBfby/prNPqrwvl2FJ1nYdBxtpyeYCPzxQZnecXKLWtUHXGt2WOcfnj8oCGnf3XyhgR2ZXWT4cVCTF+QwueWNNCDKx+Z79lIvdM0JBrXBCi1vJAkJCR9sKAXa0UuM9Vnji2sSSaf6A6VSHPAljn52IwiHsBlUfLDlCHQXJq/fSaCAyctpxszN2vc411ZWNtBVcZPnn6QORm2zI+qCwH6CR83Gu/fBdt9sQ4x3+cyoMKIFuWdB88Q\=\=

shoe · October 4, 2025, 9:40pm

Ok, thank you for your time! I will try to move our certificates into a java keystore

Kevin.Herron · October 4, 2025, 10:30pm

FWIW, there is no requirement that the cert you use to sign your modules is issued by a public CA. It gives you a slightly elevated appearance the one time the module is installed. That’s about it. It can even be self signed.

Hoping to rework module signing into something meaningful for the 2027 major release of Ignition.

pturmel · October 5, 2025, 1:23am

The module signer can use a PKCS11 compatible hardware dongle for signing. I use a Yubikey and a Nitrokey to do this.

shoe · October 6, 2025, 11:12pm

I looked at the following page for info on interfacing with a hardware dongle: module-signing

I did not see options for using the dongle but then I looked closer at the source code for module-signer and was able to figure it out. Everything is working now.

The options that allow module-signer to interface with a hardware dongle should be added to the online documentation. More and more people are forced to use hardware dongles to store their certificates. Thanks!

pturmel · October 6, 2025, 11:22pm

I suppose you can blame me for that. I wrote the patch that added PKCS11 support to the module signer, but didn't write any docs for it....