Signature is not valid

[Thadir]

Current Behavior

I am curently using fcli version 2.6.0 (and I see that 2.7.1 is out). When I den do a

fcli tool sc-client install

Then I get a stack trace like:

java.lang.IllegalStateException: Signature is not valid: MISMATCH
        at com.fortify.cli.common.crypto.helper.SignatureHelper$SignatureStatus.throwIfNotValid(SignatureHelper.java:121)
        at com.fortify.cli.tool._common.helper.ToolInstaller.downloadAndExtract(ToolInstaller.java:222)
        at com.fortify.cli.tool._common.helper.ToolInstaller.install(ToolInstaller.java:203)
        at com.fortify.cli.tool._common.helper.ToolInstaller.install(ToolInstaller.java:125)
        at com.fortify.cli.tool._common.cli.cmd.AbstractToolInstallCommand.install(AbstractToolInstallCommand.java:114)
        at com.fortify.cli.tool._common.cli.cmd.AbstractToolInstallCommand.getJsonNode(AbstractToolInstallCommand.java:83)
        at com.fortify.cli.common.output.cli.cmd.AbstractOutputCommand.call(AbstractOutputCommand.java:33)
        at com.fortify.cli.common.output.cli.cmd.AbstractOutputCommand.call(AbstractOutputCommand.java:22)
        at picocli.CommandLine.executeUserObject(CommandLine.java:2118)
        at picocli.CommandLine$RunLast.executeUserObjectOfLastSubcommandWithSameParent(CommandLine.java:2538)
        at picocli.CommandLine$RunLast.handle(CommandLine.java:2530)
        at picocli.CommandLine$RunLast.handle(CommandLine.java:2492)
        at picocli.CommandLine$AbstractParseResultHandler.execute(CommandLine.java:2350)
        at picocli.CommandLine$RunLast.execute(CommandLine.java:2494)
        at picocli.CommandLine.execute(CommandLine.java:2247)
        at com.fortify.cli.app.runner.DefaultFortifyCLIRunner.run(DefaultFortifyCLIRunner.java:55)
        at com.fortify.cli.app.FortifyCLI.execute(FortifyCLI.java:38)
        at com.fortify.cli.app.FortifyCLI.main(FortifyCLI.java:32)
        at java.base@21.0.2/java.lang.invoke.LambdaForm$DMH/sa346b79c.invokeStaticInit(LambdaForm$DMH)

It seems that the version expects a spesific tool and when fcli tries to download when updated it will grab the latest and then validate vs a set version that causes that you need to keep fcli also to up todate that maybe not always the case or a situation that you want to be on the bleeding edge.

Expected Behavior

fcli tool sc-client install
Installs the sc client thats needed to work with the given version.

Steps To Reproduce

1. install older fcli (2.6.0)
2. run fcli tool sc-client install

Environment

No response

Anything else?

No response

[MikeTheSnowman]

Hey @Thadir . Please try running fcli tool definitions update, then re-run fcli tool sc-client install. Let us know if it still doesn't work.

[Thadir]

Sorry I just upgraded to the 2.7.1, but the stack trace should maybe give that hint when trowing the stack trace. Ill try to repoduce later when I have a chance.

[MikeTheSnowman]

Sorry I just upgraded to the 2.7.1, but the stack trace should maybe give that hint when trowing the stack trace. Ill try to repoduce later when I have a chance.

Hey @Thadir , no worries. The signature mismatch is usually because fcli doesn't have the latest signatures. Try my recommendation of running fcli tool definitions update, then re-run fcli tool sc-client install.

If my recommendation still doesn't resolve the issue, then let us know.

[MikeTheSnowman]

@Thadir did my recommendation resolve your issue?