App signing troubleshooting

When dealing with app signing issues, it’s important to follow a systematic approach to identify and resolve the problem. Below are common issues and their solutions.

Missing сertificates

Problem: The signature verification for Marketplace apps is failing.

Solution: Ensure that the Trust store contains the necessary trusted certificates. UPM lists the Trust store certificates on the Trusted Certificates admin page.

Expired certificates

Problem: The signing certificate has expired.

Solution: Download and deploy the latest Atlassian CA certificates bundle. Updating Atlassian Certificates Bundles.

Invalid Trust store permissions

Problem: The upmconfig folder has been set up with incorrect permissions.

Solution: Review the permissions of the upmconfig folder and adjust them to ensure they are appropriately set to read-only. For further guidance, check the UPM documentation: Configuring UPM app signature check.

Signature mismatch

Problem: The app signature does not match the expected signature.

Solution: Verify the signature using openssl.

# Extract public key from PEM certificate
openssl x509 -in certificate.crt -noout -pubkey > public_key.pem
# Verify Base64 encoded signature
openssl pkeyutl -verify -pubin -inkey public_key.pem -rawin -in app.jar -sigfile signature.txt.sig

Note that Base64 encoded signatures and certificates must be decoded first using:

base64 --decode -i base64.txt -o decoded_output

Additional tips

• Backup your Trust store: Ensure that you maintain a backup of your Trust store in a secure location.
• Documentation: Check the official documentation for guidance on signing your custom apps.
• Continuous Review: Regularly assess and delete unused or unnecessary certificates from your Trust Store.