Signed module with trusted CA not work

Justin_Zhu · February 10, 2017, 3:42pm

Today I get an organization code signing certificate from Comodo. The certificate is a .pfx file. I export .jks file and .p7b file from that .pfx file. I check those files and they seem to be OK. The .p7b file shows correct certificate chain.
An example unsigned module is built from Igntion SDK example ComponentExample. Then I sign that module with module-signer tool.
I try to install that signed example module in Ignition 7.8.5 system and 7.9.0 system. Both systems show the same error.
When install the module at gateway web page, it shows following certificate information:

Module Certificate
This certificate has been signed by a trusted Certificate Authority.
Not Valid Until 13-5-9 8:00:00
Not Valid After 28-5-9 7:59:59
Subject Name COMODO RSA Code Signing CA
Issuer Name COMODO RSA Certification Authority
Thumbprint [ B6 9E 75 2B BE 88 B4 45 82 00 A7 C0 F4 F5 B3 CC E6 F3 5B 47 ]
This module’s certificate has been signed by a trusted Certificate Authority.

I expect the “Subject Name” is our company name and “Issuer Name” should be “COMODO RSA Code Signing CA”. After clicking the “Add Certificate and Install Module” button, Ignition log shows error message:

23:39:39 ModuleManager Error running “install” operation for module “com.inductiveautomation.ignition.examples.ce”.

com.inductiveautomation.ignition.gateway.modules.ModuleVerificationException: module verification failed
Caused by: java.io.IOException: signature verification failed

Any help is very preciated!
Thank you!

Kevin.Herron · February 10, 2017, 3:59pm

Your certificate chain (p7b) may have the certificates listed in the wrong (reverse, maybe?) order.

Justin_Zhu · February 11, 2017, 4:55am

I open the p7b file in Windows by double clicking it. Here are exported information list:

Issue To Issued By Date Purpose Friendly Name Status
COMODO RSA Certification Authority COMODO RSA Certification Authority 2038-01-19 R
COMODO RSA Code Signing CA COMODO RSA Certification Authority 2028-05-09 Code Signing R
Suzhou Coderise Automation Co., Ltd COMODO RSA Code Signing CA 2018-02-11 Code Signing R

I think it’s OK.
There must be something else wrong. Does it have something to do with Ignition developer account?

Justin_Zhu · February 11, 2017, 5:02am

BTW, do you think it's helpful that I send the both unsigned and signed .modl files to you?

Justin_Zhu · February 11, 2017, 5:24am

The file from COMODO is "coderise.pfx".
I use OpenSSL 1.0.2k to convert .pfx to .p7b file like this:

pfx -> pem
openssl pkcs12 -in coderise.pfx -out coderise.pem

pem -> p7b
openssl crl2pkcs7 -nocrl -certfile coderise.pem -out coderise.p7b

I also use keytool to convert .pfx to .jks file like this:
keytool -importkeystore -v -srckeystore coderise.pfx -srcstoretype pkcs12 -srcstorepass Password -destkeystore coderise.jks -deststoretype jks -deststorepass Password

Justin_Zhu · February 15, 2017, 9:03am

Thank you! You're correct.
The .p7b file has wrong certificates list order. I find this point by opening the .pem file in notepad. After the .p7b file is updated, module file can be signed and imported into Ignition.