Unsigned Cordapps Get Loaded When devMode=false
Description
Build the yo cordapp from the [samples](https://github.com/corda/samples-kotlin/tree/master/Basic/yo-cordapp).
```
./gradlew clean deployNodes
```
Change the node.conf in the PartyA directory from `devMode=true` to `devMode=false` and run it:
```
cd build/nodes/PartyA
sed -i 's/devMode=true/devMode=false/g' node.conf
java -jar corda.jar
```
You get the expected error:
> [ERROR] 09:55:25-0500 [main] internal.NodeStartupLogging. - Exception during node startup: Invalid Cordapps found, that couldn't be loaded: [Problem: Corresponding contracts are signed by blacklisted key(s) only (probably development key), in Cordapp file:/home/user/projects/samples-kotlin/Basic/yo-cordapp/build/nodes/PartyA/cordapps/workflows-0.1.jar],
Now modify the build.gradle in the workflows and contract modules to set signing to false:
```
cordapp {
    targetPlatformVersion corda_platform_version
    minimumPlatformVersion corda_platform_version
    contract {
        name "yo CorDapp"
        vendor "Corda Open Source"
        licence "Apache License, Version 2.0"
        versionId 1
    }
    signing {
        enabled false
    }
}
```
Clean and build the project again:
```
./gradlew clean deployNodes
```
Once again change the node.conf in the PartyA directory from `devMode=true` to `devMode=false` and run it:
```
cd build/nodes/PartyA
sed -i 's/devMode=true/devMode=false/g' node.conf
java -jar corda.jar
```
Now the node loads the Cordapps without question:
> RPC admin connection address : localhost:10046
> Loaded 2 CorDapp(s) : Contract CorDapp: yo CorDapp version 1 by vendor Corda Open Source with licence Apache License, Version 2.0, Workflow CorDapp: yo Flows version 1 by vendor Corda Open Source with licence Apache License, Version 2.0
> Node for "PartyA" started up and registered in 23.32 sec
Corda won't start when a jar is signed with the dev key, but it will start if the jar is not signed at all.
Whilst the official docs don't explicitly mention the behaviour of unsigned jars, judging by various blogs and sites that integrate Corda, the general expectation is that unsigned jars won't be loaded when `devMode=false`.
The dev keys are blacklisted because everyone has access to them, which makes them a security risk.
For example, it allows a bad actor to modify a CorDapp, sign it and issue states in their favour.
The same logic applies for unsigned jars.
The same security risk exists when the jar is signed and therefore they should also not be loaded when `devMode=false`.
Created by github action.
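
A pre-start check that follows from the behaviour reported above, as an added example that is not part of the original report or Corda's own code: it lists jars under `cordapps/` that carry no JAR signature files when `node.conf` contains `devMode=false`. It only checks that signature files are present and does not verify them; the function names and the sample jar contents are constructed for illustration.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# Top-level META-INF entries used by the JAR signing format.
SIG_FILE = re.compile(r"^META-INF/([^/]+)\.SF$", re.I)
SIG_BLOCK = re.compile(r"^META-INF/([^/]+)\.(?:RSA|DSA|EC)$", re.I)


def signer_names(jar_path):
    """Base names that have both a .SF file and a signature block; [] if unsigned."""
    with zipfile.ZipFile(jar_path) as zf:
        names = zf.namelist()
    sf = {m.group(1).upper() for n in names if (m := SIG_FILE.match(n))}
    blocks = {m.group(1).upper() for n in names if (m := SIG_BLOCK.match(n))}
    return sorted(sf & blocks)


def unsigned_cordapps(node_dir):
    """List unsigned jars in <node_dir>/cordapps when node.conf has devMode=false."""
    node_dir = Path(node_dir)
    conf = (node_dir / "node.conf").read_text()
    # Assumption: only an explicit devMode=false line is treated as production mode.
    if not re.search(r"^\s*devMode\s*[=:]\s*false\b", conf, re.M):
        return []
    jars = sorted((node_dir / "cordapps").glob("*.jar"))
    return [j.name for j in jars if not signer_names(j)]


def build_sample_node(root):
    """Constructed sample: one unsigned jar, one with placeholder signature files."""
    root = Path(root)
    (root / "cordapps").mkdir()
    (root / "node.conf").write_text("devMode=false\n")
    with zipfile.ZipFile(root / "cordapps" / "workflows-0.1.jar", "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    with zipfile.ZipFile(root / "cordapps" / "contracts-0.1.jar", "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("META-INF/SAMPLE.SF", "Signature-Version: 1.0\n")
        zf.writestr("META-INF/SAMPLE.EC", b"placeholder, not a real signature")
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(unsigned_cordapps(build_sample_node(tmp)))
```

A jar that passes this presence check still needs its signature validated, for example with the JDK's `jarsigner -verify`.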