Signed Module Signature Verification Failing

Hello,

I have a module that I've signed and installed on Docker/Linux multiple times, but it seems to be failing on Windows due to a bad signature size. Is there a setting I can change to get around this or do I need a different cert?

I'm trying to install on Ignition 8.1.44 for this.

This looks like a problem with your signing process or certificate. Can't imagine anything else that would cause this. There's no setting for anything like this.

Any idea why it would work on Linux/OSX and not Windows? I'm just using the module signer off GitHub with a p7b and tried jks and p12 key formats.

No idea... never seen that matter before.

I am also seeing this problem. Some logs and what I have tried.

INFO   | jvm 2    | 2025/02/19 10:12:35 | I [g.ModuleManager               ] [10:12:35.753]: Module cannot be verified. Module x.modl has been uninstalled. 
INFO   | jvm 2    | 2025/02/19 10:12:35 | E [g.ModuleManager               ] [10:12:35.753]: Error running "install" operation for module "com.x.x". 
INFO   | jvm 2    | 2025/02/19 10:12:35 | com.inductiveautomation.ignition.gateway.modules.ModuleVerificationException: module verification failed
INFO   | jvm 2    | 2025/02/19 10:12:35 | 	at com.inductiveautomation.ignition.gateway.modules.ModuleManagerImpl.verifyModuleSignatures2(ModuleManagerImpl.java:1567)
INFO   | jvm 2    | 2025/02/19 10:12:35 | 	at com.inductiveautomation.ignition.gateway.modules.ModuleManagerImpl.loadModule(ModuleManagerImpl.java:1265)
INFO   | jvm 2    | 2025/02/19 10:12:35 | 	at com.inductiveautomation.ignition.gateway.modules.ModuleManagerImpl$2.call(ModuleManagerImpl.java:727)
INFO   | jvm 2    | 2025/02/19 10:12:35 | 	at com.inductiveautomation.ignition.gateway.modules.ModuleManagerImpl.executeModuleOperation(ModuleManagerImpl.java:913)
INFO   | jvm 2    | 2025/02/19 10:12:35 | 	at com.inductiveautomation.ignition.gateway.modules.ModuleManagerImpl.installModuleInternal(ModuleManagerImpl.java:700)
INFO   | jvm 2    | 2025/02/19 10:12:35 | 	at com.inductiveautomation.ignition.gateway.modules.ModuleManagerImpl$InstallCommand.doExecute(ModuleManagerImpl.java:1915)
INFO   | jvm 2    | 2025/02/19 10:12:35 | 	at com.inductiveautomation.ignition.gateway.modules.ModuleManagerImpl$AbstractModuleCommand.execute(ModuleManagerImpl.java:1864)
INFO   | jvm 2    | 2025/02/19 10:12:35 | 	at com.inductiveautomation.ignition.gateway.modules.ModuleManagerImpl$Receiver.receiveCall(ModuleManagerImpl.java:1820)
INFO   | jvm 2    | 2025/02/19 10:12:35 | 	at com.inductiveautomation.ignition.gateway.redundancy.QueueableMessageReceiver.receiveCall(QueueableMessageReceiver.java:47)
INFO   | jvm 2    | 2025/02/19 10:12:35 | 	at com.inductiveautomation.ignition.gateway.redundancy.RedundancyManagerImpl.dispatchMessage(RedundancyManagerImpl.java:1044)
INFO   | jvm 2    | 2025/02/19 10:12:35 | 	at com.inductiveautomation.ignition.gateway.redundancy.RedundancyManagerImpl$ExecuteTask.run(RedundancyManagerImpl.java:1112)
INFO   | jvm 2    | 2025/02/19 10:12:35 | 	at com.inductiveautomation.ignition.common.execution.impl.BasicExecutionEngine$ThrowableCatchingRunnable.run(BasicExecutionEngine.java:550)
INFO   | jvm 2    | 2025/02/19 10:12:35 | 	at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source)
INFO   | jvm 2    | 2025/02/19 10:12:35 | 	at java.base/java.util.concurrent.FutureTask.run(Unknown Source)
INFO   | jvm 2    | 2025/02/19 10:12:35 | 	at java.base/java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(Unknown Source)
INFO   | jvm 2    | 2025/02/19 10:12:35 | 	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
INFO   | jvm 2    | 2025/02/19 10:12:35 | 	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
INFO   | jvm 2    | 2025/02/19 10:12:35 | 	at java.base/java.lang.Thread.run(Unknown Source)
INFO   | jvm 2    | 2025/02/19 10:12:35 | Caused by: java.io.IOException: signature verification failed
INFO   | jvm 2    | 2025/02/19 10:12:35 | 	at com.inductiveautomation.ignition.gateway.modules.ModuleManagerImpl.verifyModuleSignatures2(ModuleManagerImpl.java:1562)
INFO   | jvm 2    | 2025/02/19 10:12:35 | 	... 17 common frames omitted
INFO   | jvm 2    | 2025/02/19 10:12:35 | Caused by: java.security.SignatureException: Bad signature length: got 256 but was expecting 384
INFO   | jvm 2    | 2025/02/19 10:12:35 | 	at java.base/sun.security.rsa.RSASignature.engineVerify(Unknown Source)
INFO   | jvm 2    | 2025/02/19 10:12:35 | 	at java.base/java.security.Signature$Delegate.engineVerify(Unknown Source)
INFO   | jvm 2    | 2025/02/19 10:12:35 | 	at java.base/java.security.Signature.verify(Unknown Source)
INFO   | jvm 2    | 2025/02/19 10:12:35 | 	at com.inductiveautomation.ignition.gateway.modules.ModuleManagerImpl.verifyModuleSignatures2(ModuleManagerImpl.java:1558)
INFO   | jvm 2    | 2025/02/19 10:12:35 | 	... 17 common frames omitted

I tried using the Java keytool -genkeypair command to generate a new key pair of size 3072 and now get a different error:

INFO   | jvm 1    | 2025/02/19 10:39:52 | I [g.ModuleManager               ] [10:39:52.547]: Module cannot be verified. Module x.modl has been uninstalled. 
INFO   | jvm 1    | 2025/02/19 10:39:52 | E [g.ModuleManager               ] [10:39:52.547]: Error running "install" operation for module "com.x.x". 
INFO   | jvm 1    | 2025/02/19 10:39:52 | com.inductiveautomation.ignition.gateway.modules.ModuleVerificationException: module verification failed
INFO   | jvm 1    | 2025/02/19 10:39:52 | 	at com.inductiveautomation.ignition.gateway.modules.ModuleManagerImpl.verifyModuleSignatures2(ModuleManagerImpl.java:1567)
INFO   | jvm 1    | 2025/02/19 10:39:52 | 	at com.inductiveautomation.ignition.gateway.modules.ModuleManagerImpl.loadModule(ModuleManagerImpl.java:1265)
INFO   | jvm 1    | 2025/02/19 10:39:52 | 	at com.inductiveautomation.ignition.gateway.modules.ModuleManagerImpl$2.call(ModuleManagerImpl.java:727)
INFO   | jvm 1    | 2025/02/19 10:39:52 | 	at com.inductiveautomation.ignition.gateway.modules.ModuleManagerImpl.executeModuleOperation(ModuleManagerImpl.java:913)
INFO   | jvm 1    | 2025/02/19 10:39:52 | 	at com.inductiveautomation.ignition.gateway.modules.ModuleManagerImpl.installModuleInternal(ModuleManagerImpl.java:700)
INFO   | jvm 1    | 2025/02/19 10:39:52 | 	at com.inductiveautomation.ignition.gateway.modules.ModuleManagerImpl$InstallCommand.doExecute(ModuleManagerImpl.java:1915)
INFO   | jvm 1    | 2025/02/19 10:39:52 | 	at com.inductiveautomation.ignition.gateway.modules.ModuleManagerImpl$AbstractModuleCommand.execute(ModuleManagerImpl.java:1864)
INFO   | jvm 1    | 2025/02/19 10:39:52 | 	at com.inductiveautomation.ignition.gateway.modules.ModuleManagerImpl$Receiver.receiveCall(ModuleManagerImpl.java:1820)
INFO   | jvm 1    | 2025/02/19 10:39:52 | 	at com.inductiveautomation.ignition.gateway.redundancy.QueueableMessageReceiver.receiveCall(QueueableMessageReceiver.java:47)
INFO   | jvm 1    | 2025/02/19 10:39:52 | 	at com.inductiveautomation.ignition.gateway.redundancy.RedundancyManagerImpl.dispatchMessage(RedundancyManagerImpl.java:1044)
INFO   | jvm 1    | 2025/02/19 10:39:52 | 	at com.inductiveautomation.ignition.gateway.redundancy.RedundancyManagerImpl$ExecuteTask.run(RedundancyManagerImpl.java:1112)
INFO   | jvm 1    | 2025/02/19 10:39:52 | 	at com.inductiveautomation.ignition.common.execution.impl.BasicExecutionEngine$ThrowableCatchingRunnable.run(BasicExecutionEngine.java:550)
INFO   | jvm 1    | 2025/02/19 10:39:52 | 	at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source)
INFO   | jvm 1    | 2025/02/19 10:39:52 | 	at java.base/java.util.concurrent.FutureTask.run(Unknown Source)
INFO   | jvm 1    | 2025/02/19 10:39:52 | 	at java.base/java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(Unknown Source)
INFO   | jvm 1    | 2025/02/19 10:39:52 | 	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
INFO   | jvm 1    | 2025/02/19 10:39:52 | 	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
INFO   | jvm 1    | 2025/02/19 10:39:52 | 	at java.base/java.lang.Thread.run(Unknown Source)
INFO   | jvm 1    | 2025/02/19 10:39:52 | Caused by: java.io.IOException: signature verification failed
INFO   | jvm 1    | 2025/02/19 10:39:52 | 	at com.inductiveautomation.ignition.gateway.modules.ModuleManagerImpl.verifyModuleSignatures2(ModuleManagerImpl.java:1559)
INFO   | jvm 1    | 2025/02/19 10:39:52 | 	... 17 common frames omitted

I suspect it is likely I am doing something wrong when generating this key.

Use a 2048-bit key.

edit: not sure why this would be necessary, just curious if it makes a difference. You'll have to share a lot more info about how you're creating a signing certificate and invoking the module signer I think.

I have made some progress that is worth noting for context. My dockerized gateway had the Java wrapper option -Dignition.allowunsignedmodules=true because we use it for testing our unsigned module. When we uploaded our signed module it also worked and said the certificate was accepted, so we assumed it was correctly signed. On my Windows environment I did not include the -Dignition.allowunsignedmodules=true option and tried to upload that same signed module that worked on the dockerized gateway and got the module verification error.

I incorrectly assumed that having the -Dignition.allowunsignedmodules=true option on the gateway would not affect the module verification logic when uploading a signed module, but clearly that's not the case. This all points to the fact that the signed module was never correctly signed in the first place.

I just looked and can confirm this - module signatures are not verified when this flag is set.
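
An added example, not part of the thread and not Ignition's or the module signer's code: an RSA signature is as long as the signing key's modulus, so "got 256 but was expecting 384" means a signature made with a 2048-bit key was checked against a 3072-bit public key. The sketch below reproduces that with plain JDK APIs and also shows that a different key of the same size makes `verify()` return false without an exception. The class name, payload, key pairs and the `SHA256withRSA` algorithm are assumptions constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.interfaces.RSAKey;

public class SignerKeyCheck {
    // Constructed stand-in for the bytes a signer would hash and sign.
    static final byte[] PAYLOAD =
            "constructed module payload".getBytes(StandardCharsets.UTF_8);

    static KeyPair rsa(int bits) throws GeneralSecurityException {
        KeyPairGenerator g = KeyPairGenerator.getInstance("RSA");
        g.initialize(bits);
        return g.generateKeyPair();
    }

    static byte[] sign(PrivateKey key) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA"); // assumed algorithm
        s.initSign(key);
        s.update(PAYLOAD);
        return s.sign();
    }

    /** Returns "OK", "MISMATCH" (verify() returned false) or the SignatureException message. */
    static String check(byte[] sig, PublicKey certKey) throws GeneralSecurityException {
        Signature v = Signature.getInstance("SHA256withRSA");
        v.initVerify(certKey);
        v.update(PAYLOAD);
        try {
            return v.verify(sig) ? "OK" : "MISMATCH";
        } catch (SignatureException e) {
            return e.getMessage(); // raised when signature length != key modulus length
        }
    }

    /** Modulus size in bytes; an RSA signature made with this key has the same length. */
    static int modulusBytes(Key k) {
        return (((RSAKey) k).getModulus().bitLength() + 7) / 8;
    }

    public static void main(String[] args) throws GeneralSecurityException {
        KeyPair signer = rsa(2048);     // key actually used to sign
        KeyPair other2048 = rsa(2048);  // unrelated key, same size
        KeyPair other3072 = rsa(3072);  // unrelated key, different size
        byte[] sig = sign(signer.getPrivate());

        System.out.println("signature bytes: " + sig.length
                + ", signer modulus bytes: " + modulusBytes(signer.getPublic()));
        System.out.println("matching key:   " + check(sig, signer.getPublic()));
        System.out.println("wrong 2048 key: " + check(sig, other2048.getPublic()));
        System.out.println("wrong 3072 key: " + check(sig, other3072.getPublic()));
    }
}
```

Running the same comparison between the signing key and the public key in the certificate chain before uploading gives a result that does not depend on any gateway flag.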