About digitally signed add-ins
ArcGIS for Desktop add-ins can be digitally signed to improve security in cases where add-in files are published and shared among users. With digitally signed add-in files, you can confirm the source of the file and verify that the original file contents were not modified after the signature was applied. However, the presence of a digital signature on an add-in file does not signify that the add-in is free of program errors.
Once an add-in file has been digitally signed, modifying or removing any of its contents, regardless of type, will break the digital signature. Broken add-in file signatures are prominently indicated in the user interface when installing add-in files and when reviewing existing add-in files using the Add-In Manager.
Every digital signature is linked to a standard ITU X.509 digital certificate, which is used to apply the signature during the signing process. Trustworthy signatures are those that are created using a digital certificate issued by a trusted certificate authority. The Windows operating system maintains a database of trusted certificates within the Trusted Root Certification Authorities store. You can examine the certificates registered within this store using the MMC Certificates snap-in (as shown in the following screen shot) or from Internet Explorer > Tools > Internet Options > Content.
Installing add-in files with digital signatures
Although add-in files can be installed by simply copying them to an appropriate well-known folder, doing so without first verifying the source and contents of the file is not recommended. Double-clicking an add-in file link from within a Web browser, an e-mail client, or Windows Explorer automatically opens the ESRI ArcGIS Add-In Installation Utility dialog box. See the following screen shot:
This dialog box displays pertinent add-in information, such as the name, date, author, version, and description of the add-in. If the add-in file is digitally signed, signature information is also displayed in this dialog box. If any of the presented information is unsatisfactory, the installation process can be cancelled by the user and the add-in file will not be installed.
Add-in files can be signed with more than one digital signature, depending on the internal policies of the authoring organization. Within the digital signature area of the ESRI ArcGIS Add-In Installation Utility dialog box, the signer, date stamp, and validity of the selected signature are displayed along with information on whether the associated certificate is from a trusted source. Detailed information on the selected signature’s certificate can be displayed by clicking the Show Certificate button.
A secure add-in file must have at least one digital signature that is both valid and trusted. An invalid signature indicates that the contents of the add-in file have been modified in some way since the signature was applied.
Managing the ArcGIS for Desktop add-in security policy
The Add-In Manager dialog box—accessible from the Customize menu in each desktop application—displays a list of all the add-in files that are currently installed on the user’s machine.
Along with other add-in file information, the digital signature status is displayed in the area indicated in the following screen shot:
The signature status is determined as shown in the following table:

| Status | Description |
| --- | --- |
| None | The selected add-in file does not contain any digital signatures. |
| Un-trusted | The digital signature applied to the add-in file is not from a trusted source. |
| Invalid | The digital signature has been invalidated due to manipulation of the add-in file contents, or the certificate has expired. |
| Authenticated | The file is digitally signed with a signature that is both valid and from a trusted source. |
On the Options tab of the Add-In Manager dialog box, users can view and change options concerning how add-in file security is handled. The options, ranging from most secure to least secure, are as follows:
- Load and use only ESRI published add-ins, do not load or execute any custom add-in files within this application.
- Load and use only add-in files that are digitally signed by a trusted certificate authority.
- Load all add-ins, regardless of whether or not they have digital signatures.
See the following screen shot:
Users without administrator privileges cannot modify these settings in a way that makes the system less secure than the settings an administrator has already established on the machine. Options that are not available to non-administrators are disabled on this tab.
Applying digital signatures to add-in files
The ESRISignAddIn utility, supplied in the ArcObjects software development kit (SDK), can be used to sign ArcGIS for Desktop add-ins. To use this utility, you must first have an ITU X.509 certificate containing both public and private encryption keys. Digital certificates can be issued by certificate authorities within an organization or by a public certificate authority such as VeriSign or Thawte. Once the input add-in file is selected, you will be prompted with a list of certificates with which you are authorized to sign. Once a valid certificate is selected, the add-in file is then signed and output, either overwriting the original file or with a new file name. The utility can also be used to view or remove existing digital signatures.
Technical details
Add-in files are compressed (zip) archives containing various files and subfolders, and they conform to the ECMA Open Packaging Conventions (OPC). The digital signature format conforms to the W3C XML Digital Signature standard (XMLDSig). For additional information, see the following links:
- Standard ECMA-376 Office Open XML File Formats
- W3C XML Signature Syntax and Processing
- ITU X.509 Certificates
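The following script is an added example, not ESRI code and not part of the ESRISignAddIn utility. It illustrates the technical details above and the "Invalid" status from the table: because an add-in is an OPC zip package whose XMLDSig signature part carries a manifest of per-part digests, any change to a referenced part is detected by recomputing those digests. The script builds a constructed in-memory package (the part names `Config.xml` and `Install/MyAddIn.dll`, the helper names `build_sample_package`, `check_manifest_digests` and `tamper`, and the sample contents are all made up for the demo), then checks it before and after one part is altered. It assumes, per ECMA-376 Part 2, that signature parts live under `_xmlsignatures/`, that manifest references name parts as `/path?ContentType=...`, and that digests for ordinary (non-relationship) parts are taken over the raw part bytes. It checks referenced-part integrity only; it does not validate the `SignatureValue` or the X.509 certificate chain, which is the job of the installer and the Add-In Manager.

```python
"""Recompute OPC signature-manifest digests inside an add-in style package.

Added example (not ESRI code). A constructed package is built in memory with a
manifest-only signature part, then the digests are recomputed to show how a
modified part is detected. SignatureValue and certificate-chain validation are
out of scope here.
"""
import base64
import hashlib
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
SIG_DIR = "_xmlsignatures/"  # assumed location of OPC signature parts
DIGEST_ALGS = {              # DigestMethod Algorithm URI -> hashlib name
    "http://www.w3.org/2000/09/xmldsig#sha1": "sha1",
    "http://www.w3.org/2001/04/xmlenc#sha256": "sha256",
}


def _digest(alg_uri, data):
    """Base64 digest of raw part bytes, as written in <DigestValue>."""
    return base64.b64encode(hashlib.new(DIGEST_ALGS[alg_uri], data).digest()).decode()


def build_sample_package(parts, alg_uri="http://www.w3.org/2001/04/xmlenc#sha256"):
    """Constructed sample: zip the given {name: bytes} parts and add a signature
    part holding only a <Manifest> of their digests (a real add-in carries a
    full <Signature> produced by the signing tool)."""
    refs = "".join(
        f'<Reference URI="/{name}?ContentType=application/octet-stream">'
        f'<DigestMethod Algorithm="{alg_uri}"/>'
        f'<DigestValue>{_digest(alg_uri, data)}</DigestValue></Reference>'
        for name, data in parts.items()
    )
    sig_xml = (f'<Signature xmlns="{DSIG_NS}"><Object Id="idPackageObject">'
               f'<Manifest>{refs}</Manifest></Object></Signature>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in parts.items():
            zf.writestr(name, data)
        zf.writestr(SIG_DIR + "sig1.xml", sig_xml)
    return buf.getvalue()


def check_manifest_digests(package_bytes):
    """Return {part_name: status} for every part referenced by a signature
    manifest: 'ok', 'modified' (digest mismatch), 'missing' (part absent) or
    'unchecked' (transforms or an unknown digest algorithm, not handled here)."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as zf:
        names = set(zf.namelist())
        sig_parts = sorted(n for n in names if n.startswith(SIG_DIR) and n.endswith(".xml"))
        for sig_name in sig_parts:
            root = ET.fromstring(zf.read(sig_name))
            for ref in root.iter(f"{{{DSIG_NS}}}Reference"):
                uri = ref.get("URI", "")
                if not uri.startswith("/"):
                    continue  # e.g. '#idPackageObject' refers to XML, not a part
                part = urlsplit(uri).path.lstrip("/")  # drop ?ContentType=...
                method = ref.find(f"{{{DSIG_NS}}}DigestMethod")
                value = ref.find(f"{{{DSIG_NS}}}DigestValue")
                alg = method.get("Algorithm") if method is not None else None
                if ref.find(f"{{{DSIG_NS}}}Transforms") is not None or alg not in DIGEST_ALGS:
                    results[part] = "unchecked"
                elif part not in names:
                    results[part] = "missing"
                else:
                    expected = ((value.text if value is not None else "") or "").strip()
                    results[part] = "ok" if _digest(alg, zf.read(part)) == expected else "modified"
    return results


def tamper(package_bytes, part_name, new_data):
    """Constructed tampering: rewrite one part and leave the signature part alone."""
    buf = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as src, \
            zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as dst:
        for name in src.namelist():
            dst.writestr(name, new_data if name == part_name else src.read(name))
    return buf.getvalue()


if __name__ == "__main__":
    pkg = build_sample_package({"Config.xml": b"<ESRI.Configuration/>",
                                "Install/MyAddIn.dll": b"MZ\x90\x00 demo"})
    print(check_manifest_digests(pkg))
    print(check_manifest_digests(tamper(pkg, "Install/MyAddIn.dll", b"MZ\x90\x00 patched")))
```

Running the script reports every part as `ok` for the freshly built package and `modified` for the DLL after it is rewritten, which is exactly the condition the Add-In Manager surfaces as an invalid signature; a reference using transforms (as relationship parts do) is reported as `unchecked` rather than silently passed.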