Beta3 CPI signing

  • #12152
    Mika L
    Participant

    Hello,

    I’ve run into some major issues trying to get a dynamic network up and running. (I wish to create a setup where we could verify that we could use a dynamic “node” per customer.) I have somehow managed to set up the combined worker with an MGM and a notary, but for the life of me I cannot seem to be able to create a CPI out of my CSDE-based CorDapp. CPI creation seems to always fail with a certificate error: “Error verifying CPB: Error validating code signer’s certificate path, X.509 name: null/xxx. Path does not chain with any of the trust anchors”.

    Where is it looking for the trust anchors? Should I even need to sign the CPB using the CLI tool? (Same result whether I do it or not.) I’m trying to use a certificate that is using my own root and intermediate CA and the chain should be OK. The root CA is trusted at OS level and I’ve also added the CAs to the Java truststore. I’ve used the same CAs to sign the other packages (MGM and notary) just fine. Even running jarsigner’s verify on the signed custom CorDapp CPB says that the jar is verified.

    What could I be missing here?

    Kind regards,

    Mika

     

  • #12192
    JB Beni
    Participant

    Hi, I faced this issue and all I had to do was to import the gradle-plugin-default-key.pem into the Corda cluster. In my case, I am using CSDE and by default the Corda plugin signs the .jars with gradle-plugin-default-key.pem. So, I have imported two certificates into the Corda cluster:

    • The certificate that is signing the .jars. As said, by default it is gradle-plugin-default-key.pem, but you can modify this if you provide the signing options in the plugin DSL: gradle.build > cordapp > DSL
    • The certificate that I have used to sign the CPI file
    #12217
    Mika L
    Participant

    I’ve tried almost every combination of certificates/chains I can think of. But yea, my problem is with building the CPI, so there’s actually no connection to the Corda cluster at that point (local Corda is not even running anymore when I’m testing this). I also tried to change the signing options for the CPK/CPB plugin and it seems to result in the same outcome. If I change the keystore and key used for signing, it just does not work, but as far as I can understand it is required to build the CPI for a dynamic cluster with a different group policy from the CSDE standard.

    Or would it be possible just to provide that group policy file to CSDE instead of the CSDE static one?

    CLI versions I’ve tried this with are Beta3(Hawk) and Beta4(Iguana).

    At this point I’m wondering if it is too much to think that if I can sign a CPB just fine with a key and keystore – that CPB should be valid to make a CPI with the same keys?

     

    #12261
    Mika L
    Participant

    Hmm,

    I’ve finally been able to pinpoint the library that was giving me problems. Apparently, including the non-validating notary plugin in my CorDapp was the reason CPI building was failing.

    “com.r3.corda.notary.plugin.nonvalidating:notary-plugin-non-validating-client:$cordaNotaryPluginsVersion”

    Version is Hawk-1.0.1. Without it, I was able to build the CPI just fine, so more investigation:

    Apparently that CPB is signed with “X.509, CN=R3 Ltd (Preview – not for production use), OU=Preview, O=R3 Ltd, L=London, C=GB” and that cert is not included in any instructions for creating a CPB or CPI and for some reason in the error message shows up as X.509 name: null.

    For now, it’s this certificate: https://github.com/corda/CSDE-cordapp-template-kotlin/blob/release/corda-5-beta-3/config/beta-ca-root.pem (I say for now, cuz in the beta4 branch that file is no longer present, it’s replaced with what I suspect is a “production” CA certificate)

    After importing it to the keystore I was finally able to build the CPI.
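
The mismatch found in this post, one dependency inside the bundle signed by a different key than the rest, can be spotted before the CPI build fails. This is an added example, not part of the thread or of R3's tooling; it assumes the CPB is a ZIP-format JAR whose nested packages end in `.jar` or `.cpk`, and the file and alias names in the sample are constructed.

```python
import io
import zipfile

SIG_BLOCK_EXTS = (".RSA", ".DSA", ".EC")  # JAR signature block files


def signer_names(jar_bytes):
    """Base names of the signature block files directly under META-INF/."""
    names = set()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for entry in jar.namelist():
            upper = entry.upper()
            if (upper.startswith("META-INF/") and upper.count("/") == 1
                    and upper.endswith(SIG_BLOCK_EXTS)):
                names.add(upper[len("META-INF/"):].rsplit(".", 1)[0])
    return frozenset(names)


def audit_bundle(bundle_bytes):
    """Map every nested .jar/.cpk entry to its set of signer names."""
    with zipfile.ZipFile(io.BytesIO(bundle_bytes)) as bundle:
        return {entry: signer_names(bundle.read(entry))
                for entry in bundle.namelist()
                if entry.lower().endswith((".jar", ".cpk"))}


def odd_ones_out(bundle_bytes):
    """Nested archives whose signer names differ from the outer bundle's.
    Unsigned nested archives are reported too (empty signer set)."""
    outer = signer_names(bundle_bytes)
    return sorted(name for name, signers in audit_bundle(bundle_bytes).items()
                  if signers != outer)


def _make_jar(files):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for name, data in files.items():
            archive.writestr(name, data)
    return buf.getvalue()


def sample_bundle():
    """Constructed bundle: the app is signed as MY_KEY, one dependency as R3_PREVI."""
    mine = {"META-INF/MANIFEST.MF": b"", "META-INF/MY_KEY.SF": b"", "META-INF/MY_KEY.RSA": b"x"}
    other = {"META-INF/MANIFEST.MF": b"", "META-INF/R3_PREVI.SF": b"", "META-INF/R3_PREVI.RSA": b"x"}
    return _make_jar({"app.jar": _make_jar(mine), "notary-client.jar": _make_jar(other), **mine})


if __name__ == "__main__":
    for name in odd_ones_out(sample_bundle()):
        print("signed by a different key alias:", name)
```

The signature block file name only reflects the alias used at signing time, so treat a hit as a pointer: run `keytool -printcert -jarfile` on the flagged archive to see the actual certificate chain that has to be trusted.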

    #12803
    Peter Li
    Keymaster

    Hi both, 

    The latest version of the Corda 5 beta is Iguana (this is the 4th version of the beta). The download link is here: https://developer.r3.com/next-gen-corda/

    With Iguana, you would need both digicert-ca.pem and gradle-plugin-default-key.pem to sign the CPI. This includes the mgm cpi, the notary cpi, and the App cpi. 
