Unsigned Cordapps Get Loaded When devMode=false

Description

Build the yo cordapp from the [samples](https://github.com/corda/samples-kotlin/tree/master/Basic/yo-cordapp).

```
./gradlew clean deployNodes
```

Change the node.conf in the PartyA directory from `devMode=true` to `devMode=false` and run it:

```
cd build/nodes/PartyA
sed -i 's/devMode=true/devMode=false/g' node.conf
java -jar corda.jar
```

You get the expected error:

> [ERROR] 09:55:25-0500 [main] internal.NodeStartupLogging. - Exception during node startup: Invalid Cordapps found, that couldn't be loaded: [Problem: Corresponding contracts are signed by blacklisted key(s) only (probably development key), in Cordapp file:/home/user/projects/samples-kotlin/Basic/yo-cordapp/build/nodes/PartyA/cordapps/workflows-0.1.jar],

Now modify the build.gradle in the workflows and contract module to set signing to false:

```
cordapp {
    targetPlatformVersion corda_platform_version
    minimumPlatformVersion corda_platform_version
    contract {
        name "yo CorDapp"
        vendor "Corda Open Source"
        licence "Apache License, Version 2.0"
        versionId 1
    }
    signing {
        enabled false
    }
}
```

Clean and build the project again:

```
./gradlew clean deployNodes
```

Once again change the node.conf in the PartyA directory from `devMode=true` to `devMode=false` and run it:

```
cd build/nodes/PartyA
sed -i 's/devMode=true/devMode=false/g' node.conf
java -jar corda.jar
```

Now the node loads the Cordapps without question:

> RPC admin connection address : localhost:10046
> Loaded 2 CorDapp(s) : Contract CorDapp: yo CorDapp version 1 by vendor Corda Open Source with licence Apache License, Version 2.0, Workflow CorDapp: yo Flows version 1 by vendor Corda Open Source with licence Apache License, Version 2.0
> Node for "PartyA" started up and registered in 23.32 sec

Corda won't start when a jar is signed with the dev key, but it will start if the jar is not signed at all.

Whilst the official docs don't explicitly mention the behaviour of unsigned jars, judging by various blogs and sites that integrate Corda, the general expectation is that unsigned jars won't be loaded when `devMode=false`.

The logic for blacklisting the dev keys is that everyone has access to them and thus they are a security risk,
e.g. they allow a bad actor to modify a cordapp, sign it and issue states in their favour.

The same logic applies for unsigned jars.
The same security risk exists when the jar is signed and therefore they should also not be loaded when `devMode=false`.

Created by github action.
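Since the node accepts unsigned jars with `devMode=false`, a pre-start check can flag them before `java -jar corda.jar` is run. The following is an added example, not code from Corda or from the reporter; the function names and the default `cordapps` directory argument are assumptions. It only tests for the presence of JAR signature entries under `META-INF/`, so it does not validate the signature or identify the signing key.

```python
import sys
import zipfile
from pathlib import Path

# JAR signing puts a signature file (.SF) and a matching signature block
# (.RSA, .DSA or .EC) directly under META-INF/.
SIG_BLOCK_EXTS = {".RSA", ".DSA", ".EC"}


def signer_entries(jar_path):
    """Return sorted signer base names that have both a .SF and a block file."""
    sf, blocks = set(), set()
    with zipfile.ZipFile(jar_path) as jar:
        for name in jar.namelist():
            parts = name.split("/")
            # Only entries directly inside META-INF/ count as signature entries.
            if len(parts) != 2 or parts[0].upper() != "META-INF":
                continue
            entry = Path(parts[1])
            stem, ext = entry.stem.upper(), entry.suffix.upper()
            if ext == ".SF":
                sf.add(stem)
            elif ext in SIG_BLOCK_EXTS:
                blocks.add(stem)
    return sorted(sf & blocks)


def unsigned_cordapps(cordapps_dir):
    """Return names of jars in cordapps_dir that carry no signature entries."""
    jars = Path(cordapps_dir).glob("*.jar")
    return sorted(j.name for j in jars if not signer_entries(j))


if __name__ == "__main__":
    # Assumed usage: python check_cordapps.py build/nodes/PartyA/cordapps
    directory = sys.argv[1] if len(sys.argv) > 1 else "cordapps"
    missing = unsigned_cordapps(directory)
    for jar_name in missing:
        print(f"UNSIGNED: {jar_name}")
    sys.exit(1 if missing else 0)
```

A jar that passes this check still needs `jarsigner -verify` to confirm that the signature is valid.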
