Extension signing job not triggered in self-hosted OpenVSX

Open ErikaMolnar opened this issue 4 months ago • 3 comments

I'm running a self-hosted OpenVSX instance on Kubernetes with extension data stored in a persistent volume. I'm trying to enable extension signing via:

    ovsx:
      integrity:
        key-pair: create

    org:
      jobrunr:
        job-scheduler:
          enabled: true
        background-job-server:
          enabled: true
          worker-count: 2
        dashboard:
          enabled: false
        database:
          type: sql
        miscellaneous:
          allow-anonymous-data-usage: false

Important: Mirror mode is explicitly disabled and cannot be enabled in our environment for security reasons, same as in issue #1156. That issue seems to describe the same root problem, but it does not have a solution, so I’m opening this new issue to provide more context and hopefully help resolve it.

What I observe:

  • No log messages indicating signature generation (e.g., from ExtensionVersionSignatureJobRequestHandler) appear.
  • No entries are written into the signature_key_pair database table.
  • No .sigzip files are created in the persistent volume where extensions are stored.
  • No signature-related jobs appear in the job_request table.
  • Some extensions return the message Integrity service is enabled, but ... did not have an active key pair.

What I already tried:

  • Set key-pair: create and renew
  • Restarted backend pod
  • Republished extensions after enabling signing
  • Confirmed .sigzip files are not created
  • Verified extensions exist in the persistent volume
  • Verified the signature_key_pair table is empty
  • Inspected job_request table — no relevant jobs present
  • Dropped and restored the database prior to republishing
  • Verified extensions show up correctly in the UI and VS Code

My questions:

  • Can you clarify under what conditions the signing job is actually triggered?
  • Is there a requirement to clean the persistent volume in addition to the database pv?
  • Are there known cases where the signing is skipped or blocked silently?
  • Would switching to key-pair: renew be faster to make this work, assuming this will always try to generate signatures?

Thank you!

ErikaMolnar, Jun 03 '25 08:06