Knime Error when installing custom signed plugins with Unknown Signature algorithm

I am currently working on a custom Knime plugin that failed to install when signed (through maven-plugin-jarsigner), with the following exceptions:

    An error occurred while collecting items to be installed
    session context was:(profile=KNIMEProfile, phase=org.eclipse.equinox.internal.p2.engine.phases.Collect, operand=, action=).
    Problems downloading artifact: org.eclipse.update.feature,mycompany.plugin.knime.sbdf.feature,0.0.5.
    Error reading signed content:C:\Users\gabriel.dausque\AppData\Local\Temp\signatureFile15581341076637620240.jar
    An error occurred while processing the signatures for the file: C:\Users\gabriel.dausque\AppData\Local\Temp\signatureFile15581341076637620240.jar

    java.security.NoSuchAlgorithmException: An error occurred while processing the signatures for the file: C:\Users\gabriel.dausque\AppData\Local\Temp\signatureFile15581341076637620240.jar
        at org.eclipse.osgi.internal.signedcontent.SignedBundleHook.getSignedContent(SignedBundleHook.java:231)
        at org.eclipse.equinox.internal.p2.artifact.repository.SignatureVerifier.verifyContent(SignatureVerifier.java:84)

    Caused by: java.security.NoSuchAlgorithmException: No algorithm found for 1.2.840.113549.1.1.11
        at org.eclipse.osgi.internal.signedcontent.PKCS7Processor.findEncryption(PKCS7Processor.java:95)
        at org.eclipse.osgi.internal.signedcontent.PKCS7Processor.processSignerInfos(PKCS7Processor.java:364)

After some googling, it seems to be related to the signature algorithm obtained from a code signing certificate from Sectigo.

Here is the signature information obtained using jarsigner:

  • Signed by "CN=<MyCompany, O=MyCompany, ST=Paris, C=FR"
      Digest algorithm: SHA-256
      Signature algorithm: SHA256withSHA256withRSA, 3072-bit key
    Timestamped by "CN="Sectigo RSA Time Stamping Signer #2", O=Sectigo Limited, L=Salford, ST=Greater Manchester, C=GB" on ven. févr. 18 08:05:18 UTC 2022
      Timestamp digest algorithm: SHA-256
      Timestamp signature algorithm: SHA384withRSA, 4096-bit key

As Knime is an OSGi (Eclipse) application, it seems to be the same issue as this Eclipse bug:

https://bugs.eclipse.org/bugs/show_bug.cgi?id=572034

which is marked as closed (fixed in Eclipse 4.2).

What is confusing is that I'm using Knime 4.4 and have tested the installation in Knime 4.5.1, which used Eclipse 4.19, so it may contain the fix...

I also tried to change the signature algorithm in the Maven plugin (tried to force SHA256withRSA, also tried SHA1withRSA), but the final signature algorithm is still of the form SHAXXXwithSHAXXXwithRSA, not SHAXXXwithRSA.

For now I'm blocked because we need to sign the plugin. I'm looking for a way to correct the final signature:

  • What kind of certificate do I need to obtain the right signature?
  • Can we force the jarsigner plugin to set the right signature (the sigalg argument doesn't seem to work)?
  • Can we force "update" the Knime eclipse dependencies to be able to read the current certificate I have?
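
The OID in the stack trace, 1.2.840.113549.1.1.11, is the standard identifier for sha256WithRSAEncryption. As an added example (not part of the original question or of any project named in it), the script below reads the PKCS#7 signature block of a signed JAR and returns the digest and signature algorithm OIDs written in each SignerInfo, which is the structure the failing parser was processing; the function names and the sample blob are constructed for illustration.

```python
import zipfile

def tlvs(buf):
    """Yield (tag, value) for each DER element in buf (definite lengths only)."""
    i = 0
    while i < len(buf):
        tag, n, i = buf[i], buf[i + 1], i + 2
        if n & 0x80:  # long form: low 7 bits give the number of length bytes
            n, i = int.from_bytes(buf[i:i + (n & 0x7F)], "big"), i + (n & 0x7F)
        yield tag, buf[i:i + n]
        i += n

def oid(value):
    """Decode the content bytes of a DER OBJECT IDENTIFIER to dotted form."""
    arcs, acc = [], 0
    for b in value:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear ends one base-128 arc
            arcs, acc = arcs + [acc], 0
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def signer_algorithms(pkcs7):
    """Return a (digest OID, signature OID) pair for each SignerInfo in SignedData."""
    content_info = next(tlvs(pkcs7))[1]            # ContentInfo SEQUENCE
    explicit0 = list(tlvs(content_info))[1][1]     # [0] EXPLICIT wrapper
    signed_data = next(tlvs(explicit0))[1]         # SignedData SEQUENCE
    signer_infos = list(tlvs(signed_data))[-1][1]  # last field: SET OF SignerInfo
    # After version and signer id, the only SEQUENCEs are the two AlgorithmIdentifiers.
    return [tuple(oid(next(tlvs(v))[1]) for t, v in list(tlvs(si))[2:] if t == 0x30)
            for _, si in tlvs(signer_infos)]

def jar_signer_algorithms(path):
    """Map each signature block under META-INF/ of a signed JAR to its OID pairs."""
    with zipfile.ZipFile(path) as z:
        return {n: signer_algorithms(z.read(n)) for n in z.namelist()
                if n.upper().startswith("META-INF/")
                and n.upper().endswith((".RSA", ".DSA", ".EC"))}

# Constructed sample: minimal SignedData, one SignerInfo, placeholder signature bytes.
SAMPLE = bytes.fromhex(
    "3062" "06092a864886f70d010702" "a055" "3053" "020101"  # ContentInfo, SignedData
    "310f300d06096086480165030402010500"                     # digestAlgorithms
    "300b06092a864886f70d010701" "3130" "302e" "020101" "30053000020101"
    "300d06096086480165030402010500"                 # digestAlgorithm: sha256
    "300d06092a864886f70d01010b0500" "040400000000")  # sha256WithRSAEncryption, dummy sig

if __name__ == "__main__":
    print(signer_algorithms(SAMPLE))
```

Calling `jar_signer_algorithms` on the signed plugin JAR shows the OID the signer actually wrote, which can then be compared against the one reported in the `NoSuchAlgorithmException`.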


Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow
