UiPath Robot

The UiPath Robot Guide

Package Signature Verification

About

Package signing is a method through which NuGet packages prove that they come from trusted sources. A package is signed with a certificate that validates the identity of the signer. When the deployment is set to enforce Package Signature Verification, UiPath checks the package's signing certificate against the information available in the NuGet.config file to ensure that consumed packages come from an allowed author or repository.

For an in-depth overview of how Package Signature Verification works, read through the specifics in this section of the Microsoft guide about the NuGet.config file.

Configuring Package Signature Verification

Validation modes

  • accept - Allows for unsigned packages to be installed.
  • require - For a package to be installed, its signing details have to match the ones from the trustedSigners section of NuGet.config.

Enforcing the Use of Signed Packages

To enforce the use of signed packages, the signatureValidationMode parameter in the NuGet.config file must be set to require. The file is located at %ProgramFiles%\UiPath\Studio. You can do this in one of two ways:

  • During installation, by installing from the command line with the option ENFORCE_SIGNED_EXECUTION=1.
    For example, the following command installs Studio, a Robot as a Windows service, the local activities packages, and enforces the usage of signed packages in your UiPath environment:
    UiPathStudio.msi ADDLOCAL=DesktopFeature,Studio,Robot,RegisterService,Packages ENFORCE_SIGNED_EXECUTION=1
  • After installation, by manually editing the NuGet.config file.
    If you set the parameter after installation, the changes take effect after you:
    1. Restart the Robot Service.
    2. Remove all existing NuGet packages from %ProgramFiles%\UiPath\Studio\Packages and %userprofile%\.nuget\packages.
    3. Restart Studio/Assistant.

Adding Trusted Sources

To download, install, and run packages signed with a certain certificate, add the required certificate as a trusted source.

To do this, edit the <trustedSigners> section of the NuGet.config file in the installation folder.

Note: More information on how to add or remove activities feeds can be found in this document.

Adding UiPath as a trusted signer

Open the NuGet.config file from the installation folder and add the following values:

<config>
     <add key="signatureValidationMode" value="require" />
</config>
<trustedSigners>
   <author name="UiPath">
      <certificate fingerprint="D179174EBC1E180D656BFB15BE369DEA8A17C178230FAC7771BF5446940C290C" hashAlgorithm="SHA256" allowUntrustedRoot="false"/>
      <certificate fingerprint="ABD1E1BB749DDC96B46A1DBD91B93A2D8B3B5572D1E20A52F6165ED96FC117E0" hashAlgorithm="SHA256" allowUntrustedRoot="false" />
   </author>
   <repository name="UiPathRepository" serviceIndex="https://gallery.uipath.com/api/v3/index.json">
      <certificate fingerprint="D179174EBC1E180D656BFB15BE369DEA8A17C178230FAC7771BF5446940C290C" hashAlgorithm="SHA256" allowUntrustedRoot="false" />
      <certificate fingerprint="ABD1E1BB749DDC96B46A1DBD91B93A2D8B3B5572D1E20A52F6165ED96FC117E0" hashAlgorithm="SHA256" allowUntrustedRoot="false" />
   </repository>
</trustedSigners>

Adding a Trusted Author

To add a trusted author, open the NuGet.config file located at %ProgramFiles%\UiPath\Studio\NuGet.config. Then, provide the certificate fingerprint and hashAlgorithm as per the example above. Check this page to get more information about the certificate fingerprint.

Adding a Trusted Repository

Adding a trusted repository works much like adding an author, with the difference that the serviceIndex must also be added.

Below is an example of a trusted repository added to the NuGet.config file:

<trustedSigners>
   <repository name="UiPath Repository" serviceIndex="https://uipath.repository">
      <certificate fingerprint="1234512345123451234512345123123123123123123123123123112312312E5" hashAlgorithm="SHA256" allowUntrustedRoot="true" />
   </repository>
</trustedSigners>

Adding Trusted Owners

A repository may have multiple author-signed packages. In this case, the <owners> tag can be used to allow only packages signed by trusted authors to be installed.

Add the trusted authors between the <owners> tags, as in the example below:

<trustedSigners>
   <repository name="UiPath Repository" serviceIndex="https://uipath.repository">
      <certificate fingerprint="1234512345123451234512345123123123123123123123123123112312312E5" hashAlgorithm="SHA256" allowUntrustedRoot="true" />
      <owners>Author1;Author2</owners>
   </repository>
</trustedSigners>

v2021.2 Behavior

Starting with the v2021.2 release, the following settings for Package Signature Verification are no longer populated in the NuGet.config file at install:

  • The signatureValidationMode parameter.
  • UiPath as both repository and author in the trustedSigners tag.

Impact:

  • If Package Signature Verification is used, all trusted signers, including UiPath, must be added manually in the NuGet.config file.
  • If Package Signature Verification is not used, the trustedSigners tag should not be present in the NuGet.config file.
  • If the NuGet.org feed is used, it needs to be added for both accept and require modes as NuGet announces the whole repository as signed.

To resolve the above, you need to add UiPath as a trusted signer.
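
Because these settings are now maintained by hand, it helps to check the file after every edit. The following Python function is an added example, not UiPath's or NuGet's own code: it audits a NuGet.config for the settings described on this page (validation mode, presence of trusted signers, serviceIndex on repositories, fingerprint length for the declared hashAlgorithm, and allowUntrustedRoot). The function name, the wording of the findings and the SAMPLE configuration are assumptions constructed for this example.

```python
import re
import xml.etree.ElementTree as ET

# Hex digits expected for each hashAlgorithm value NuGet accepts.
HEX_LEN = {"SHA256": 64, "SHA384": 96, "SHA512": 128}

def audit_nuget_config(xml_text):
    """Return a list of findings about the signature settings in a NuGet.config."""
    root = ET.fromstring(xml_text)
    findings = []
    mode = "accept"  # NuGet's default when the key is absent
    for add in root.findall("./config/add"):
        if add.get("key") == "signatureValidationMode":
            mode = (add.get("value") or "").lower()
    signers = root.find("trustedSigners")
    entries = [] if signers is None else list(signers)
    if mode != "require":
        findings.append(f"mode is '{mode}': unsigned packages can be installed")
        if signers is not None:
            findings.append("trustedSigners present although verification is not enforced")
    elif not entries:
        findings.append("mode is 'require' but no trusted signers are listed")
    for entry in entries:  # <author> and <repository> elements
        label = f"{entry.tag} '{entry.get('name')}'"
        if entry.tag == "repository" and not entry.get("serviceIndex"):
            findings.append(f"{label}: missing serviceIndex")
        certs = entry.findall("certificate")
        if not certs:
            findings.append(f"{label}: no certificate listed")
        for cert in certs:
            algo = (cert.get("hashAlgorithm") or "").upper()
            want = HEX_LEN.get(algo)
            if want is None:
                findings.append(f"{label}: unsupported hashAlgorithm '{algo}'")
            elif not re.fullmatch(r"[0-9A-Fa-f]{%d}" % want, cert.get("fingerprint") or ""):
                findings.append(f"{label}: fingerprint is not {want} hex digits")
            if (cert.get("allowUntrustedRoot") or "").lower() == "true":
                findings.append(f"{label}: allowUntrustedRoot is true")
    return findings

# Constructed sample: short placeholder fingerprint, no serviceIndex, untrusted root allowed.
SAMPLE = """<configuration>
  <config><add key="signatureValidationMode" value="require" /></config>
  <trustedSigners>
    <repository name="Internal feed">
      <certificate fingerprint="ABCDEF" hashAlgorithm="SHA256" allowUntrustedRoot="true" />
    </repository>
  </trustedSigners>
</configuration>"""

if __name__ == "__main__":
    print("\n".join(audit_nuget_config(SAMPLE)))
```

Run it against the contents of %ProgramFiles%\UiPath\Studio\NuGet.config after editing the file and before restarting the Robot Service; an empty list means none of these checks fired.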

Updated about a year ago
