qzind / tray

Signing using the example code in sign-message.java causes an Invalid Signature error when verifying with QZ Tray.

The cause is:
Certificate.isSignatureVerified() hashes the data: DigestUtils.sha256Hex(data)
sign-message.java doesn't: sig.update(data.getBytes())

So for sign-message.java, please can you change:
sig.update(data.getBytes());
to
sig.update(StringUtils.getBytesUtf8(DigestUtils.sha256Hex(data)));

Certificate.isSignatureVerified() hashes the data: DigestUtils.sha256Hex(data)
sign-message.java doesn't: sig.update(data.getBytes())

Correct, none of our signing examples hash the data because setSignaturePromise(...) does this automatically.

tray/js/qz-tray.js

Lines 246 to 255 in 3b1d953

    
           //make a hashing promise if not already one 
        
           var hashing = _qz.tools.hash(_qz.tools.stringify(signObj)); 
        
           if (!hashing.then) { 
        
               hashing = _qz.tools.promise(function(resolve) { 
        
                   resolve(hashing); 
        
               }); 
        
           } 
        
           hashing.then(function(hashed) { 
        
               return _qz.security.callSign(hashed);

Thanks Tres. It turned out that I was using a p12 with a correct certificate but the wrong private key. I corrected the p12 and signing and verifying worked as expected. Thanks again for your help.

Thanks for the update. :)

	//make a hashing promise if not already one
	var hashing = _qz.tools.hash(_qz.tools.stringify(signObj));
	if (!hashing.then) {
	hashing = _qz.tools.promise(function(resolve) {
	resolve(hashing);
	});
	}

	hashing.then(function(hashed) {
	return _qz.security.callSign(hashed);

Update signing examples to produce signatures that can be verified with QZ Tray