IBM Support

QRadar: Application installation displays a warning that the extension is not signed by IBM

Troubleshooting


Problem

When a user attempts to install an application, a confirmation message is displayed to users that the application is not signed by IBM. All code released by IBM is expected to be code signed to verify that the extension was created and complied by IBM. This technical note describes the error and what to do when you see a code signing error for an IBM application.

Symptom

When you attempt to install an application, a confirm dialogue is displayed to confirm whether you want to install an unsigned application. For example,
image-20221004183325-1
If you are seeing this error, the extension you are installing does not meet IBM's enhanced requirements for application signing. New alerts are in place to ensure extensions are signed by the developer and by IBM in QRadar 7.5.0 Update Package 3 and later.
  • All newly developed or updated apps complete installation checks to ensure that the app is signed by the original developer as well as the IBM App validation team.
  • Installing an app without valid code signatures means the user cannot be certain that the developer is IBM or an IBM Business Partner.
  • Apps that are signed by the developer and not by IBM indicates the app developer is an IBM partner, but IBM did not validate the application. Early access business partner applications or extensions distributed directly to users (outside of the IBM X-Force App Exchange) can generate this alert to administrators.
  • Applications on the X-Force App Exchange are signed with both types of certificates, and show up as SIGNED, VERIFIED, and VALIDATED in the Content Management Tool (CMT).

Cause

If the application was not recently updated by the developer, it can indicate that the application is not signed by IBM.

Environment

QRadar 7.5.3 Update Package 3 adds code signing requirements to all applications and content extensions.

Resolving The Problem

To fix this issue, ensure you are installing the latest version of the content from the IBM X-Force App Exchange.
  • If the content you download is not from the IBM App Exchange, then the extension does not include IBM signatures.  As the application or content extension does not come from an official IBM source, such as early access distribution or sideloading an application, an installation alert is generated to warn the administrator.
  • If content you download is from the IBM App Exchange and displays a code signing error, the application might need an update, experiencing an issue, or might be compromised. The installation alert displayed in QRadar 7.5.0 Update Pack 3 and later is intended to warn administrators before you install an extension. If you experience code signing issues on recently updated IBM applications, you can report the extension to the proper development team.

    Select one of the following options:
    • For IBM developed applications and content extensions

      Administrators who experience code signing errors on IBM applications or content extensions can report these issues to QRadar Support as a case. For more information, see QRadar: IBM application cases and support policies.

      image-20221007152041-1
      Example of the Support field for IBM developed applications.


      Before you open a case
      MD5 hashes are provided in the X-Force App Exchange for all extensions. It is a best practice to confirm the application download matches the posted MD5 SUM before you open a case with the QRadar Support team. If the file hash matches and you experience code signing error messages for an IBM app, open a case for QRadar Support to confirm the issue for the IBM application or content extension.

      1. Open a case with QRadar Support (requires an IBMid).
      2. Provide a summary of the issue.
        image-20221007124531-2
      3. Select your QRadar product.
      4. Select the application that generated the code signing error.
        image-20221007124357-1
        Note: If the code signing issue is with a rule or custom property extension, select Content Extension.
      5. In the Case Description field, provide a description of the issue and a link to the application or content extension.

        Important: Confirm your phone number and email is correct before you submit your case. If there is an alternate contact or you expect to be unavailable, you can add contact information in your case description for another team member.
         
      6. Complete the form and click Submit case.

        Results
        The case is submitted for review to the QRadar Support team.

    • For third-party applications and extensions from IBM Business Partners

      Administrators who experience code signing errors for applications or content extensions developed by IBM Business Partners can contact the developer directly. For information, see QRadar: Third-party applications and support policies.

      Before you begin
      MD5 hashes are provided in the X-Force App Exchange for all extensions. It is a best practice to confirm the application download matches the posted MD5 SUM before you open a case with the QRadar Support team. If the file hash matches and you experience code signing error messages, contact the application developer for assistance.

      1. Navigate to the IBM X-Force App Exchange.
      2. Locate your application from the search bar.
      3. Review the Support field in the application sidebar to contact the developer. For example,
        image-20221007130104-3
      4. Report the issue or open a case with the Third-party developer or IBM Business Partner designated in the Support field.

        Results
        The developer can confirm whether their app is properly code signed and reviewed by IBM to include the correct signatures. IBM Business Partners can submit an updated application or content extension to the X-Force App Exchange portal for validation. Optionally, IBM Business Partners can contact their Technology Assistance Program (TAP) development lead for assistance with code signing content for the X-Force App Exchange.

Document Location

Worldwide

[{"Type":"MASTER","Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"ARM Category":[{"code":"a8m0z000000cwt3AAA","label":"QRadar Apps"}],"ARM Case Number":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"7.5.0"},{"Type":"MASTER","Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSKMKU","label":"IBM QRadar on Cloud"},"ARM Category":[{"code":"a8m0z000000cwt3AAA","label":"QRadar Apps"}],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Versions"}]

Document Information

Modified date:
07 October 2022

UID

ibm16827007