Signed backend plugin keeps throwing modified signature error

I created the basic quickstart backend plugin and signed it with a private api key using the steps outlined here: https://grafana.com/docs/grafana/latest/developers/plugins/sign-a-plugin/#sign-a-private-plugin . However the docker logs (I am running grafana in docker) keep saying the plugin signature has been modified and it is unable to load the plugin as a result. I have tried everything, but I cannot get this error to be fixed. Anyone have any ideas?

Hm. My gut feeling tells me that there are files in the plugin that aren’t included in the MANIFEST.txt. Only the files in the dist directory are included in the manifest. So if Grafana detects other files, it would throw an error like that.

I checked but all the files in the dist are all listed in the Manifest.txt. Here is the files list from manifest:

{
  "manifestVersion": "2.0.0",
  "signatureType": "private",
  "signedByOrg": "jeff18",
  "signedByOrgName": "jeff18",
  "rootUrls": [
    "https://example.com/grafana"
  ],
  "plugin": "conectifi-third-backend",
  "version": "1.0.0",
  "time": 1606775501632,
  "keyId": "7e4d0c6a708866e7",
  "files": {
    "gpx_third-backend_darwin_amd64": "3eca6d294ebed2235552cd5a46615ec4add5312542fe7a22d7e2f9414ec2b239",
    "gpx_third-backend_linux_amd64": "e8b93bf91109233f46ea3542ad350032a9b6bb961bd5a37440c58366fece1672",
    "gpx_third-backend_linux_arm": "3dc40560c44f1e308d666bcaff84565bbfe4b57ed51fbfa9857d628c0022debb",
    "gpx_third-backend_linux_arm64": "b764b8cc543fe89b7ac5aabd36b34a95ab664c1ac0eec7ff7d045e7ba6b0b234",
    "gpx_third-backend_windows_amd64.exe": "71ed89790519f2e502bd8adb18fd103329d0675d72fc7658558d39e2ad430d8d",
    "img\\logo.svg": "1defc6f7e585c67657bcfd8fddc599ee7dfa82f8674413f49fa274c2cd453ec6",
    "LICENSE": "e03ba41d7fab20700769fe4118bab50d800cb74f990353a05d2f5fff1c228363",
    "module.js": "51a42b2ac67c0200ede248eb162e4c5931f7856c56606f948a1c2979c5e0bddb",
    "module.js.LICENSE.txt": "0d8f66cd4afb566cb5b7e1540c68f43b939d3eba12ace290f18abc4f4cb53ed0",
    "module.js.map": "0dd62ea24ae9c802cfbe202d8c4d7606b2bea1d71f2d77d97c05755280f639f9",
    "plugin.json": "05fea1d3623b59f710a4128a4b5c9c1083721a4c608ccafe7af680067d357ab6",
    "README.md": "544bc207d260595f688f289c18afae4870460e2eff15c2c076d8eb4fe65e9496"
  }
}

And here are all the files in the dist

PS: also, I know the rooturl is just the example grafana in this, but I have tried with proper urls, just the url didn’t have any effect on the signature being modified or not so for testing I just didn’t bother to change it. Will once resolved.

Hi @jicaar, and thank you for your patience.

I think you might be seeing the same issue as this person. It seems that the double backslashes in img\\logo.svg might be to blame. Could you try editing the MANIFEST manually to img/logo.svg?

Thanks @marcusolsson.

That did resolve the “signature has been modified” error! Unfortunately now I am encountering an invalid signature error, but at least it is progress!

Does the organization set when the plugin is created have to be the same as the org that is signing the plugin (as is listed in the manifest file as “signedByOrg” and “signedByOrgName”)?

Figured out a solution. So the issue was with that img/logo.svg being \, but I couldn’t modify it in the manifest file by hand after the signature process since that would make it invalid. And re-signing would make the \ appear again. So the simple fix is removing the img folder and moving the logo.svg to the /src folder with the other files. Made the change in the logo paths set in the src/plugin.json as well. Then when the plugin is signed the manifest file just has logo.svg instead of img\logo.svg and it passes and is viewable from the grafana dashboard.

Thanks for the help!

I’ve notified the team about this issue, and we’ll release a fix in a future version of the toolkit, but I’m glad you got it working for now.

The first part of the plugin ID needs to be the same as the ID/slug of the org that owns/signs it.

I’m getting the same issue - though almost in reverse. I was signing on a mac, which added "img/... to the files list in the manifest, and then tried to use the plugin on windows - which then threw the error:

msg="The following files were not included in the signature" logger=plugins plugin=msupply-table files="[img\\...

Signing the plugin on a windows machine added forward slashes as the directory separator again, so didn’t resolve the problem. In the end I gave up and moved all files into the root dir and the plugin is now signed!

This used to work, but for others out there… not sure which version was ok sorry.

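An added example, not part of any post in this thread and not Grafana's own code: a diagnostic that compares the "files" keys of a manifest like the one posted above against the plugin directory using forward-slash relative paths, which surfaces the separator mismatch discussed here. It assumes the manifest JSON has already been parsed into a dict; the function names and the constructed sample tree are hypothetical.

```python
import hashlib
import tempfile
from pathlib import Path


def check_manifest(manifest: dict, plugin_dir: Path) -> dict:
    """Compare manifest["files"] with the directory, keyed by '/'-separated paths."""
    listed = manifest["files"]
    on_disk = {
        p.relative_to(plugin_dir).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in plugin_dir.rglob("*")
        if p.is_file() and p.name != "MANIFEST.txt"
    }
    return {
        # Keys written with a Windows separator never equal a '/'-separated path.
        "backslash_keys": sorted(k for k in listed if "\\" in k),
        # Present on disk but absent from the manifest under its '/' path.
        "not_in_manifest": sorted(set(on_disk) - set(listed)),
        # Listed in the manifest but no file with that exact relative path.
        "missing_on_disk": sorted(set(listed) - set(on_disk)),
        # Same path on both sides, different SHA-256 digest.
        "hash_mismatch": sorted(
            k for k in set(listed) & set(on_disk) if listed[k] != on_disk[k]
        ),
    }


def demo() -> dict:
    """Constructed sample: a tiny plugin tree and a manifest with an img\\logo.svg key."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "img").mkdir()
        files = {"img/logo.svg": b"<svg/>", "module.js": b"// js", "plugin.json": b"{}"}
        for rel, data in files.items():
            (root / rel).write_bytes(data)
        digest = lambda rel: hashlib.sha256(files[rel]).hexdigest()
        manifest = {"files": {
            "img\\logo.svg": digest("img/logo.svg"),  # separator as in the posted manifest
            "module.js": digest("module.js"),
            "plugin.json": "0" * 64,                  # deliberately wrong digest
        }}
        return check_manifest(manifest, root)


if __name__ == "__main__":
    for field, paths in demo().items():
        print(f"{field}: {paths}")
```

Running it against a real plugin means passing the parsed manifest JSON and the plugin's dist directory to check_manifest; an entry that appears in both backslash_keys and missing_on_disk while its forward-slash twin sits in not_in_manifest is the pattern reported in this thread.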