Plugin Signature Verification Failed When Installing Custom Plugin in Dify

[jaguarliuu]

Self Checks

• [x] This is only for bug report, if you would like to ask a question, please head to Discussions.
• [x] I have searched for existing issues search for existing issues, including closed ones.
• [x] I confirm that I am using English to submit this report (我已阅读并同意 Language Policy).
• [x] [FOR CHINESE USERS] 请务必使用英文提交 Issue，否则会被关闭。谢谢！:）
• [x] Please do not modify this template :) and fill in all the required fields.

Dify version

1.0.0

Cloud or Self Hosted

Self Hosted (Docker)

Steps to reproduce

When attempting to install a custom plugin from my private Git repository in Dify, I encountered the following error:

{
    "code": "invalid_param",
    "message": "PluginDaemonBadRequestError: plugin verification has been enabled, and the plugin you want to install has a bad signature",
    "status": 400
}

plugin repo: https://github.com/Eumenides1/rookie-weather

How can I resolve this issue?

✔️ Expected Behavior

No response

❌ Actual Behavior

No response

[dosubot[bot]]

To resolve the "PluginDaemonBadRequestError" due to a bad plugin signature when installing a custom plugin from your private Git repository in Dify, you can try the following steps:

1. Modify the Author Field: Ensure that the author field in both the manifest.yaml file in the plugin project and the .yaml file under the /provider path is set to your GitHub ID. This is crucial for the plugin's unique identifier to be valid.

2. Retype the Plugin Packaging Command: After making the changes, retype the plugin packaging command to create a new plugin package.

3. Install the New Plugin Package: Use the newly created plugin package for installation.

Additionally, if you still encounter issues, you can add the following line to the end of your .env configuration file to disable signature verification:

FORCE_VERIFYING_SIGNATURE=false

This will allow you to install plugins that are not listed on the Dify Marketplace. However, be aware that this may pose security risks, so it is recommended to first test the plugin in a sandbox environment before deploying it to a production environment ^[1][2].

To continue talking to Dosu, mention @dosu.

---

^{Help Dosu learn! Give it feedback: Great Response | Irrelevant Answer | Incorrect Sources | Too Verbose | Hallucination | Bug Report | Other}

[jaguarliuu]

modify github id fix signature bug, but plugin new release has new error

{
    "code": "invalid_param",
    "message": "PluginDaemonBadRequestError: plugin_unique_identifier is not valid",
    "status": 400
}

how can I fix

[dosubot[bot]]

To fix the "PluginDaemonBadRequestError: plugin_unique_identifier is not valid" error, modify the author field in both the manifest.yaml file in the plugin project and the .yaml file under the /provider path to your GitHub ID. Then, retype the plugin packaging command and install the new plugin package ^[1].

To continue talking to Dosu, mention @dosu.

---

^{Help Dosu learn! Give it feedback: Great Response | Irrelevant Answer | Incorrect Sources | Too Verbose | Hallucination | Bug Report | Other}

[jaguarliuu]

for modify github username to github id，new error { "code": "invalid_param", "message": "PluginDaemonBadRequestError: plugin verification has been enabled, and the plugin you want to install has a bad signature", "status": 400 } how to fix

[dosubot[bot]]

To fix the "PluginDaemonBadRequestError: plugin verification has been enabled, and the plugin you want to install has a bad signature" error after modifying the GitHub username to GitHub ID, you can add the following line to the end of your .env configuration file:

FORCE_VERIFYING_SIGNATURE=false

This will disable the signature verification, allowing you to install plugins that are not verified on the Dify Marketplace. However, be cautious as this may pose security risks. It is recommended to use this setting in a test or sandbox environment first before deploying to production ^[1][2].

To continue talking to Dosu, mention @dosu.

---

^{Help Dosu learn! Give it feedback: Great Response | Irrelevant Answer | Incorrect Sources | Too Verbose | Hallucination | Bug Report | Other}

[jaguarliuu]

After adding FORCE_VERIFYING_SIGNATURE=false to the Dify configuration, the issue was resolved. However, if others use my plugin, they will still encounter the same problem, which is not fundamentally resolved. What is the root cause of the problem?

[dosubot[bot]]

The root cause of the "PluginDaemonBadRequestError" related to plugin signature verification is that the plugin you want to install has a bad signature, and plugin verification has been enabled. This issue arises because the signature of the plugin does not match the expected signature, which is calculated using specific data and a secret key.

To resolve this issue fundamentally, you need to ensure that the plugin is properly signed with a valid signature. This involves using the correct secret key and ensuring that all the data used in the signature calculation (such as filename, mimetype, tenant_id, user_id, timestamp, and nonce) is accurate and consistent with what is expected by the verification process.

If you want others to use your plugin without encountering this issue, you should distribute the plugin with a valid signature that can be verified by others. This means ensuring that the signature is correctly generated and matches the expected criteria used by Dify's verification process ^[1].

To continue talking to Dosu, mention @dosu.

---

^{Help Dosu learn! Give it feedback: Great Response | Irrelevant Answer | Incorrect Sources | Too Verbose | Hallucination | Bug Report | Other}

[jaguarliuu]

https://github.com/langgenius/dify-docs/blob/main/zh_CN/plugins/publish-plugins/broken-reference package plugin doc 404；I don't know Which parameters affect the generation of signatures, and which configurations need to be modified and verified to resolve the issue permanently?

[dosubot[bot]]

The parameters that affect the generation of plugin signatures in Dify are related to the PLUGIN_DAEMON_KEY and FORCE_VERIFYING_SIGNATURE. To resolve the signature verification issue permanently, ensure that the PLUGIN_DAEMON_KEY is correctly configured and consistent across all relevant components. Additionally, verify that FORCE_VERIFYING_SIGNATURE is set to the desired value (true or false) based on whether you want to enforce signature verification.

Here are the relevant configurations:

PLUGIN_DAEMON_KEY: ${PLUGIN_DAEMON_KEY:-lYkiYYT6owG+71oLerGzA7GXCgOT++6ovaezWAjpCjf+Sjc3ZtU+qUEi}
FORCE_VERIFYING_SIGNATURE: ${FORCE_VERIFYING_SIGNATURE:-true}

Make sure these configurations are correctly set in your docker/docker-compose.yaml file and any other configuration files that might override these settings ^[1].

To continue talking to Dosu, mention @dosu.

---

^{Help Dosu learn! Give it feedback: Great Response | Irrelevant Answer | Incorrect Sources | Too Verbose | Hallucination | Bug Report | Other}

[jaguarliuu]

I can't find what is PLUGIN_DAEMON_KEY ，how to get it

[dosubot[bot]]

To find or obtain the PLUGIN_DAEMON_KEY for Dify, you can refer to the docker/docker-compose.yaml file. The key is set with a default value as follows:

PLUGIN_DAEMON_KEY: ${PLUGIN_DAEMON_KEY:-lYkiYYT6owG+71oLerGzA7GXCgOT++6ovaezWAjpCjf+Sjc3ZtU+qUEi}

This means that if the PLUGIN_DAEMON_KEY environment variable is not set, it will default to lYkiYYT6owG+71oLerGzA7GXCgOT++6ovaezWAjpCjf+Sjc3ZtU+qUEi. You can use this default value or set your own by defining the PLUGIN_DAEMON_KEY environment variable ^[1].

To continue talking to Dosu, mention @dosu.

---

^{Help Dosu learn! Give it feedback: Great Response | Irrelevant Answer | Incorrect Sources | Too Verbose | Hallucination | Bug Report | Other}

[jaguarliuu]

I want to know， github id is a number or github username？ if is a number how can i get it

[junjiem]

@jaguarliuu https://docs.dify.ai/zh-hans/learn-more/faq/plugins

[shaojun]

To fix the "PluginDaemonBadRequestError: plugin verification has been enabled, and the plugin you want to install has a bad signature" error after modifying the GitHub username to GitHub ID, you can add the following line to the end of your .env configuration file:

FORCE_VERIFYING_SIGNATURE=false

This will disable the signature verification, allowing you to install plugins that are not verified on the Dify Marketplace. However, be cautious as this may pose security risks. It is recommended to use this setting in a test or sandbox environment first before deploying to production [1][2].

To continue talking to Dosu, mention @dosu.

Help Dosu learn! Give it feedback: Great Response | Irrelevant Answer | Incorrect Sources | Too Verbose | Hallucination | Bug Report | Other

i assume the .env is the file under dify/docker/.env, correct? not the one in tools folder. I'm using local develop and build .difypkg via CLI. and i noticed the .env already has a line with that key, so i just updated it to false:

then I did a docker compose restart, but still seeing this error:

Upload failed

PluginDaemonBadRequestError: plugin verification has been enabled, and the plugin you want to install has a bad signature

[shaojun]

To fix the "PluginDaemonBadRequestError: plugin verification has been enabled, and the plugin you want to install has a bad signature" error after modifying the GitHub username to GitHub ID, you can add the following line to the end of your .env configuration file:

FORCE_VERIFYING_SIGNATURE=false

This will disable the signature verification, allowing you to install plugins that are not verified on the Dify Marketplace. However, be cautious as this may pose security risks. It is recommended to use this setting in a test or sandbox environment first before deploying to production [1][2]. To continue talking to Dosu, mention @dosu. Help Dosu learn! Give it feedback: Great Response | Irrelevant Answer | Incorrect Sources | Too Verbose | Hallucination | Bug Report | Other

i assume the .env is the file under dify/docker/.env, correct? not the one in tools folder. I'm using local develop and build .difypkg via CLI. and i noticed the .env already has a line with that key, so i just updated it to false:

then I did a docker compose restart, but still seeing this error:

Upload failed

PluginDaemonBadRequestError: plugin verification has been enabled, and the plugin you want to install has a bad signature

figured it out, should using below to reload the .env file rather than docker compose restart:

docker compose down
docker compose up -d

[dosubot[bot]]

Hi, @jaguarliuu. I'm Dosu, and I'm helping the Dify team manage their backlog. I'm marking this issue as stale.

Issue Summary:

• You faced a "PluginDaemonBadRequestError" when installing a custom plugin due to signature verification issues.
• Attempts to modify the GitHub ID and disable signature verification were not ideal for broader use.
• I suggested modifying the author field and disabling signature verification.
• Shaojun confirmed that using docker compose down and docker compose up -d successfully reloaded the .env file, resolving the issue.

Next Steps:

• Please confirm if this issue is still relevant to the latest version of the Dify repository by commenting here.
• If no updates are provided, the issue will be automatically closed in 15 days.

Thank you for your understanding and contribution!