Signing Plugin always throws NullPointerException: pemObject must not be null

Answered

I followed the tutorial for Plugin Signing on https://plugins.jetbrains.com/docs/intellij/plugin-signing.html

but no matter what I do, I always get this error:

[gradle-intellij-plugin :com.ast.devmate.intellij.plugin:signPlugin] Error during Marketplace ZIP Signer CLI execution:
Exception in thread "main" java.lang.NullPointerException: pemObject must not be null
at org.jetbrains.zip.signer.signer.PrivateKeyUtils.loadKeyPair(PrivateKeyUtils.kt:62)
at org.jetbrains.zip.signer.signer.PrivateKeyUtils.loadKeyPair(PrivateKeyUtils.kt:48)
at org.jetbrains.zip.signer.signer.SignerInfoLoader.loadSignerInfoFromText(SignerInfoLoader.kt:30)
at org.jetbrains.zip.signer.ZipSigningTool.sign(ZipSigningTool.kt:58)
at org.jetbrains.zip.signer.ZipSigningTool.main(ZipSigningTool.kt:29)

I tried with values direct in the file, with environment values and with the CLI Tool

4
18 comments

I've found the issue (gradle-intellij-plugin 1.2.0). The docs recommend to use ENV vars but it doesn't support multi-line. I changed it to my key and cert location. 

certificateChain = new File(System.getenv("CERTIFICATE_CHAIN") ?: "./certs/chain.crt").getText('UTF-8')
1

I encounter the same issue that the original post. (tested with gradle-intellij-plugin 1.1.6 and 1.2.1, Windows 10).

There is already an issue on github : https://github.com/JetBrains/marketplace-zip-signer/issues/28

The temporary solution of Rhaalebos to store the location to the private key and cert in env vars worked

signPlugin {
password.set(System.getenv("PRIVATE_KEY_PASSWORD"))
certificateChain.set(File(System.getenv("CERTIFICATE_CHAIN") ?: "./.keys/chain.crt").readText(Charsets.UTF_8))
certificateChain.set(File(System.getenv("PRIVATE_KEY") ?: "./.keys/private.pem").readText(Charsets.UTF_8))
}
1

Got the same result with folowing the same steps on Windows

0

Please share your project sources/link and make sure you're using latest gradle-intellij-plugin (1.2.1)

0

I managed to sign it with the methods shown here (even though I tried that with the CLI Tool). So thanks for that.


However, when you want to download the plugin from the store I get this message:

Plugin Signature Checker

Plugin 'PluginName' signature can't be verified:

Zip integrity check failed. CHUNKED_SHA512S digest mismatch

 

Any Idea whats the problem?
How can I check that the signing worked without needing to upload it to the store

0

I got a new Error, it's pretty similar to the last, but still different:

Plugin Security Warning

Digital signature verification of the 'PluginName' plugin failed with the following message: Zip integrity check failed. CHUNKED_SHA512S digest mismatch

0

Could you please provide more details and a minimal reproducible example?

0

What details do you need?
I have create a minimal copy of the plugin and uploaded it. It will take a while to get reviewed though

0

Plugin signing still fails with this error with Gradle IntelliJ Plugin 1.3.0. Why is this not fixed?

 

0

I fix it by using local gradle properties.

define variable at gradle.properties:

CERTIFICATE_CHAIN=/Users/garen/chain.crt
PRIVATE_KEY=/Users/garen/private.pem
PRIVATE_KEY_PASSWORD=your_password
PUBLISH_TOKEN=your_token

modify build.kts:

tasks {
signPlugin {
val cc = project.property("CERTIFICATE_CHAIN") as String
val pk = project.property("PRIVATE_KEY") as String
val pkp = project.property("PRIVATE_KEY_PASSWORD") as String
certificateChain.set(File(cc).readText())
privateKey.set(File(pk).readText())
password.set(pkp)
}
publishPlugin {
val token = project.property("PUBLISH_TOKEN") as String
this.token.set(token)
}
}
0

hi guys i found the solution to our problem.

The hint was in the "signPlugin" example. 

In the example the priv key was displayed like this: 

-----BEGIN RSA PRIVATE KEY-----

But if you just create the private.pem file its in this format:

-----BEGIN ENCRYPTED PRIVATE KEY-----

The solution is to decrypt the priv key first (dont ask me why we need to give a priv_key_password aswell to the signPlugin gradle task):

openssl rsa -in inputfilename -out outputfilename

 

 

0

Any update about this ?

0

You can find the solution in the post above, or in this Repo: https://github.com/AskMeAgain/IntellijPluginTemplate. The readme gives you a complete explanation how it works and the create-secret.sh script does everything for you

0

Note that both the private key and certificate chain are multi-line values. It is necessary to transform them first using Base64 encoding before providing to the single-line field in Environment Variables panel.

0

In macOS use this command to generate the base64  string

base64 -b 0 -i /path/to/chain.crt -o /path/to/chain_base64.crt

base64 -b 0 -i /path/to/private.pem -o /path/to/private_base64.pem

0

The whole signing flow is described in the Plugin Signing article in IntelliJ SDK Docs: https://plugins.jetbrains.com/docs/intellij/plugin-signing.html

The documentation was already updated to address the issue described in this thread.

-1

Please sign in to leave a comment.