
Signing Packages

This topic describes the procedure for signing a package.

A package is signed so that the authorship and integrity of the package(s) loaded into the Process Platform environment can be verified.
For each file in the application, an entry (an XML node) is created that contains the hash and name of the file along with its relative path. A timestamp is added to this node. The whole XML is then signed, and a signature containing the certificate chain of the signing certificate is placed in it. The certificate chain is a sequence of certificates in which each certificate is issued by the next one in the chain, a Certificate Authority (CA); the last certificate is a self-signed CA certificate (the root certificate). The certificate chain is taken from the .PFX file that is used to sign the package(s).
The timestamp identifies the release date of the package. The certificate chain identifies who signed the package and makes it possible to trace who issued each certificate in the chain.
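As an added illustration of the manifest described above (example code written for this page, not the Process Platform Package Signer's own code), the following Go program builds such a manifest for a constructed two-file package and then checks an unpacked package against it. The element and attribute names (package, file, name, path, hash, timestamp), the use of SHA-256, and the RFC 3339 timestamp format are assumptions; the page does not state which hash algorithm or XML layout the signer tool uses. The timestamp here is read from the signer's clock, and the page does not say whether a timestamp authority is involved, so the release date it records is a claim by the signer rather than independent evidence. The check rejects the three cases a practitioner should care about: a file whose hash no longer matches, a listed file that is missing, and a file that is present but not listed, which is an unsigned file that has slipped into the package.

```go
package main

import (
	"crypto/sha256"
	"encoding/xml"
	"fmt"
	"path"
	"sort"
	"time"
)

// FileEntry is one manifest node: the hash, file name and relative path of one package file.
type FileEntry struct {
	Name string `xml:"name,attr"`
	Path string `xml:"path,attr"`
	Hash string `xml:"hash,attr"` // hex SHA-256 of the file content
}

// Manifest is the XML that later gets signed. The timestamp is part of the signed content, but
// it is read from the signer's own clock, not from a trusted timestamp authority.
type Manifest struct {
	XMLName   xml.Name    `xml:"package"`
	Timestamp string      `xml:"timestamp,attr"`
	Files     []FileEntry `xml:"file"`
}

func fileHash(content []byte) string { return fmt.Sprintf("%x", sha256.Sum256(content)) }

// BuildManifest hashes every file. Paths are sorted so the same input always yields the same
// bytes, which matters because those bytes are what the signature will cover.
func BuildManifest(files map[string][]byte, signedAt time.Time) ([]byte, error) {
	m := Manifest{Timestamp: signedAt.UTC().Format(time.RFC3339)}
	paths := make([]string, 0, len(files))
	for p := range files {
		paths = append(paths, p)
	}
	sort.Strings(paths)
	for _, p := range paths {
		m.Files = append(m.Files, FileEntry{Name: path.Base(p), Path: p, Hash: fileHash(files[p])})
	}
	return xml.MarshalIndent(m, "", "  ")
}

// CheckFiles compares an unpacked package against its manifest. It rejects a file that was
// modified, a listed file that is missing, and a file present in the package but absent from
// the manifest, since an unlisted file is an unsigned file.
func CheckFiles(manifestXML []byte, files map[string][]byte) error {
	var m Manifest
	if err := xml.Unmarshal(manifestXML, &m); err != nil {
		return fmt.Errorf("manifest is not valid XML: %w", err)
	}
	listed := make(map[string]bool, len(m.Files))
	for _, f := range m.Files {
		content, present := files[f.Path]
		if !present {
			return fmt.Errorf("%s is listed in the manifest but missing", f.Path)
		}
		if fileHash(content) != f.Hash {
			return fmt.Errorf("%s was modified after the manifest was built", f.Path)
		}
		listed[f.Path] = true
	}
	for p := range files {
		if !listed[p] {
			return fmt.Errorf("%s is not covered by the manifest", p)
		}
	}
	return nil
}

// sampleFiles is a constructed two-file package used by the demo, not real Process Platform content.
var sampleFiles = map[string][]byte{
	"META-INF/app.xml": []byte("<application/>"),
	"lib/app.jar":      []byte("jar bytes"),
}

func main() {
	manifest, _ := BuildManifest(sampleFiles, time.Now())
	fmt.Println(string(manifest))
	fmt.Println("clean package:", CheckFiles(manifest, sampleFiles))
	tampered := map[string][]byte{"META-INF/app.xml": sampleFiles["META-INF/app.xml"], "lib/app.jar": []byte("backdoored")}
	fmt.Println("tampered package:", CheckFiles(manifest, tampered))
}
```

Sorting the paths before hashing is not cosmetic: two signers producing the manifest for the same files must arrive at byte-identical XML, otherwise a signature made over one serialization cannot be checked against another.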

After a package is signed, a verifier can be assured that the package is in fact from the entity it is supposed to be from, that it has not been altered since it was signed, and which certificate was used to sign it.
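The signing and verification side, again as an added example rather than the signer tool's own code: the manifest bytes (here a constructed manifest with a placeholder hash value) are embedded verbatim in a signedPackage document next to the signature and the base64 DER certificate chain, and the verifier checks the chain back to a root it trusts, requires the code-signing extended key usage, verifies the signature over the embedded bytes, and reports the subject names along the chain so the caller can see who signed and who issued. The element names, ECDSA P-256 with SHA-256, and the DemoPKI helper (a throwaway self-signed root issuing one signing certificate, standing in for the key and chain that would be loaded from the .PFX) are assumptions made for this example; the verifier treats every certificate after the signer as a candidate intermediate, so a longer chain from a real .PFX is handled the same way.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/xml"
	"fmt"
	"math/big"
	"time"
)

// Envelope is the signed package descriptor: the manifest embedded verbatim (",innerxml" preserves
// the exact signed bytes), the signature over those bytes, and the chain, signer first, root last.
type Envelope struct {
	XMLName   xml.Name `xml:"signedPackage"`
	Document  struct{ XML []byte `xml:",innerxml"` } `xml:"document"`
	Signature string   `xml:"signature"`   // base64 ECDSA P-256/SHA-256 over Document.XML
	Chain     []string `xml:"certificate"` // base64 DER, one element per certificate
}

// Sign wraps manifestXML in an Envelope carrying the signature and the chain taken from the .PFX.
func Sign(manifestXML []byte, key *ecdsa.PrivateKey, chain []*x509.Certificate) ([]byte, error) {
	digest := sha256.Sum256(manifestXML)
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	if err != nil {
		return nil, err
	}
	env := Envelope{Signature: base64.StdEncoding.EncodeToString(sig)}
	env.Document.XML = manifestXML
	for _, c := range chain {
		env.Chain = append(env.Chain, base64.StdEncoding.EncodeToString(c.Raw))
	}
	return xml.Marshal(env)
}

// Verify checks that the embedded chain leads to a trusted root and permits code signing, then that
// the signature matches the embedded manifest. It returns the manifest bytes and the subject names
// along the chain, signer first: who signed the package and who issued that certificate.
func Verify(data []byte, roots *x509.CertPool) ([]byte, []string, error) {
	var env Envelope
	if err := xml.Unmarshal(data, &env); err != nil || len(env.Chain) == 0 {
		return nil, nil, fmt.Errorf("malformed package or missing certificate chain: %v", err)
	}
	certs, names := []*x509.Certificate{}, []string{}
	inter := x509.NewCertPool() // everything after the signer is a candidate intermediate
	for i, b64 := range env.Chain {
		der, _ := base64.StdEncoding.DecodeString(b64) // bad base64 surfaces as a parse error
		c, err := x509.ParseCertificate(der)
		if err != nil {
			return nil, nil, err
		}
		certs, names = append(certs, c), append(names, c.Subject.CommonName)
		if i > 0 {
			inter.AddCert(c)
		}
	}
	opts := x509.VerifyOptions{Roots: roots, Intermediates: inter, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	if _, err := certs[0].Verify(opts); err != nil {
		return nil, names, fmt.Errorf("untrusted signer %q: %w", names[0], err)
	}
	pub, ok := certs[0].PublicKey.(*ecdsa.PublicKey)
	sig, _ := base64.StdEncoding.DecodeString(env.Signature) // bad base64 simply fails to verify
	digest := sha256.Sum256(env.Document.XML)
	if !ok || !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return nil, names, fmt.Errorf("signature does not match the embedded manifest")
	}
	return env.Document.XML, names, nil
}

// newCert issues a certificate for a fresh P-256 key; a nil parent makes it self-signed.
func newCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err) // a template bug in this demo, not a runtime condition
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// DemoPKI stands in for the .PFX: a throwaway self-signed root issues one code-signing certificate.
// It returns the signer's key, its chain (signer, root) and a pool that trusts only that root.
func DemoPKI() (*ecdsa.PrivateKey, []*x509.Certificate, *x509.CertPool) {
	now := time.Now().Add(-time.Minute)
	root, rootKey := newCert(&x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root CA"},
		NotBefore: now, NotAfter: now.Add(time.Hour), BasicConstraintsValid: true, IsCA: true, KeyUsage: x509.KeyUsageCertSign}, nil, nil)
	signer, signerKey := newCert(&x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Example Package Signer"},
		NotBefore: now, NotAfter: now.Add(time.Hour), KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}, root, rootKey)
	roots := x509.NewCertPool()
	roots.AddCert(root)
	return signerKey, []*x509.Certificate{signer, root}, roots
}

func main() {
	key, chain, roots := DemoPKI() // the manifest below is constructed; its hash value is a placeholder
	signed, _ := Sign([]byte(`<package timestamp="2024-01-01T00:00:00Z"><file name="app.jar" path="lib/app.jar" hash="deadbeef"></file></package>`), key, chain)
	_, names, err := Verify(signed, roots)
	fmt.Println("signed by:", names, "error:", err)
}
```

Both a chain whose root the verifier does not trust and a single altered byte in the embedded manifest make Verify return an error; the order of checks matters, because the signature is only meaningful once the key that made it has been tied to a trusted root.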
Packages can be signed in any of the following ways:

  • Using the User Interface (UI) tool
  • Running a batch file from the command prompt
  • Running a Java command

For the procedure to sign packages, refer to the Process Platform Package Signer guide available in the installation folder or the Process Platform section of the Knowledge Center.

Related information

Application Signing