Error - Failed to verify signature. Signature might have been tampered with.

[RezowanTalukder]

ZXPSignCmd certificate varification failed

Certificate is created successfully and zxp package as well. but while i try to verify it shows this error. Error - Failed to verify signature. Signature might have been tampered with.

Can anyone help me out from where this error coming?

[ErinFinnegan]

Hi there!

So, a .gitignore and other invisible files can sometimes cause this problem. Once signed, the zxp isn't supposed to be edited, which would cause a failure. Sometimes a nodejs module can cause problems.

You can try a different timestamp server to see if it makes a difference. Also, read this thread and see if it's helpful.

🤔 I'm not sure signing on an M1 will work (we're working on getting a new build, as well as other installation methods). Are you using a Mac with Apple Silicon?

[mason-smith]

🤔 I'm not sure signing on an M1 will work (we're working on getting a new build, as well as other installation methods). Are you using a Mac with Apple Silicon?

@ErinFinnegan - Wanted to add some insight, hope it is helpful. I previously built my plug-in on an Intel Mac. It worked for all Intel Mac and Windows users, but consistently failed for users with M1 chips with the error "ERROR Signature verification failed". I then built the plugin on Mac with Apple Silicon and so far have not seen any issues. Hope that's useful somehow!

[ErinFinnegan]

Lately signing on different operating systems definitely yields different results. 😖 There's a Windows bug blocking self-signing for some people...

[mason-smith]

Dang, sounds like a rough task :/

Is there a public thread / channel I can follow to stay up to date RE cross-platform signing issues? Or I can just check release notes :p

[ErinFinnegan]

Most of the conversation is in the CEP issues: https://github.com/Adobe-CEP/CEP-Resources/issues?q=signature

You could sign up for the monthly~ish Creative Cloud Developer newsletter (currently written and sent primarily by me). When there's a new ZXPSignCmd build I do mention it in the newsletter.

When I do get release notes with a build I've been posting them in the ZXPSign repo: https://github.com/Adobe-CEP/CEP-Resources/blob/master/ZXPSignCMD/4.1.2/ReleaseNotes.md

It's a bit tricky, in that the larger ZXPSign is used internally by teams at Adobe, but the tiny ZXPSignCmd portion used by third parties is not well understood.

The newer UXP APIs that are slated to slowly replace CEP over time do away with the signing process, thankfully.

[ErinFinnegan]

OK, so, this has come up a couple of times, here's an update:

The issue

• A developer has reported an issue in Photoshop & AI (Illustrator) when they tried to download an asset from their server with Https.get using self-signed certificate authorization. However the same plugin has found to be working fine with ID (InDesign).
  • We found below errors when pswidget is using self-signed certificate authorization in Https.get to download an asset. Node doesn't allow the self-signed certificate authorized connections. It is recommended to use a proper SSL Cert from a trusted source. Although for development we could use a few flags for node to bypass these checks(Try: rejectUnauthorize = false; Check https://stackoverflow.com/questions/45088006/nodejs-error-self-signed-certificate-in-certificate-cha... )

            In apiManager.js
            Error: self signed certificate
            at TLSSocket.onConnectSecure (node:_tls_wrap:1531)
            at TLSSocket.emit (node:events:378)
            at TLSSocket._finishInit (node:_tls_wrap:945)
            at TLSWrap.ssl.onhandshakedone (node:_tls_wrap:719)

• ID on the other hand is pointing to web version of this plugin embedded inside an iframe, which is a totally different flow.

Conclusion:

• Please use a trusted certificate in production & try rejectUnauthorize = false for development purposes to bypass this problem.

[EarlyVision]

Possible solution... had this issue and the problem was a little hidden file in the node-modules. I was doing that on Windows, so an easy way to identify the hidden file is to rung the dir command as follows: dir /A:H /B /s this will point you to the problematic file, once I got rid of it (was not a critical one, otherwise make unhidden), issue solved.