# Signing Project Packages

> UiPath CLI 25.10 introduces the ability to digitally sign automation project packages during the pack operation. Package signing provides authenticity verification and ensures that packages have not been tampered with after creation, enhancing security in your CI/CD pipeline.

When you sign a project package, the CLI:
1. Creates the `.nupkg` package file
2. Applies a digital signature using your certificate
3. Optionally timestamps the signature for long-term validity

### Supported certificate types

The CLI supports certificates in PKCS#12 (.pfx) format.

:::important
The certificate must:
- Include a private key for signing
- Be valid (not expired)
- Have code signing capabilities
:::

### Parameters

The `package pack` command supports the following signing parameters:

| Parameter | Description | Required |
|-----------|-------------|----------|
| `--certificatePath` | Path to the certificate file (.pfx) | Yes (if signing) |
| `--certificatePassword` | Password for the certificate file | No |
| `--timestampServerUrl` | URL of the RFC 3161 timestamp server | No |

### Usage examples

#### Basic signing with certificate

```powershell
# Windows (PowerShell; the backtick is the line-continuation character)
uipcli package pack "C:\Projects\MyRobot\project.json" `
  -o "C:\Packages" `
  --certificatePath "C:\Certificates\codesign.pfx" `
  --certificatePassword "YourPassword123"
```

```bash
# Linux/macOS
uipcli package pack "./MyRobot/project.json" \
  -o "./packages" \
  --certificatePath "./certificates/codesign.pfx" \
  --certificatePassword "YourPassword123"
```

#### Signing with timestamp server

Adding a timestamp ensures the signature remains valid even after the certificate expires.

```bash
uipcli package pack "./MyRobot/project.json" \
  -o "./packages" \
  --certificatePath "./certificates/codesign.pfx" \
  --certificatePassword "YourPassword123" \
  --timestampServerUrl "http://timestamp.digicert.com"
```

#### Signing with version and output type

```bash
uipcli package pack "./MyRobot/project.json" \
  -o "./packages" \
  -v "1.0.5" \
  --outputType "Process" \
  --certificatePath "./certificates/codesign.pfx" \
  --certificatePassword "YourPassword123" \
  --timestampServerUrl "http://timestamp.digicert.com"
```

#### Signing with passwordless certificate

```bash
uipcli package pack "./MyRobot/project.json" \
  -o "./packages" \
  --certificatePath "./certificates/codesign.pfx"
```

#### Signing with Orchestrator library dependencies

```bash
uipcli package pack "./MyRobot/project.json" \
  -o "./packages" \
  --libraryOrchestratorUrl "https://cloud.uipath.com/" \
  --libraryOrchestratorTenant "Default" \
  -A "myorg" \
  -I "becc663c-8f1e-409a-a75f-c00330d80bc8" \
  -S '********' \
  --libraryOrchestratorApplicationScope "OR.Folders OR.Execution" \
  --certificatePath "./certificates/codesign.pfx" \
  --certificatePassword "YourPassword123" \
  --timestampServerUrl "http://timestamp.digicert.com"
```

## Recommended timestamp servers

Using a timestamp server is recommended to ensure signatures remain valid after certificate expiration:

- `http://timestamp.digicert.com` - DigiCert
- `http://timestamp.comodoca.com` - Sectigo (Comodo)
- `http://timestamp.globalsign.com` - GlobalSign
- `http://timestamp.sectigo.com` - Sectigo

## Best practices

### Secure certificate storage

- Never commit certificates to version control
- Use secure storage solutions:
  - Azure Key Vault
  - AWS Secrets Manager
  - HashiCorp Vault
  - GitHub Secrets / Azure DevOps Secure Files
  - CI/CD platform secret management

### Environment variables

- Use environment variables or secrets management for passwords
- Avoid hardcoding sensitive information in scripts

### Timestamp usage

- Always use a timestamp server in production environments
- Timestamps ensure signature validity beyond certificate expiration

### Certificate management

- Use dedicated code signing certificates
- Rotate certificates before expiration
- Maintain certificate backups securely
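
The storage, environment-variable and timestamp practices above combined into one CI wrapper, as an added example that is not part of the UiPath documentation or CLI. The function name `sign_pack` and the variables `SIGN_CERT_B64`, `SIGN_CERT_PASSWORD`, `TIMESTAMP_URL` and `UIPCLI` are assumptions; only the `uipcli package pack` options come from this page.

```bash
# Added example, not UiPath code. Hypothetical names: sign_pack and the variables
#   SIGN_CERT_B64       base64 of the .pfx, injected by the CI secret store
#   SIGN_CERT_PASSWORD  .pfx password; leave unset for a passwordless certificate
#   TIMESTAMP_URL       RFC 3161 server; defaults to one listed on this page
#   UIPCLI              CLI binary to run; defaults to uipcli
#
# Usage: sign_pack <project.json> <output-dir> [extra "package pack" options...]
#   e.g. sign_pack ./MyRobot/project.json ./packages -v 1.0.5
# The body is a subshell "( )", so umask, traps and variables stay local to it.
sign_pack() (
  [ "$#" -ge 2 ] || { echo "usage: sign_pack <project.json> <out-dir> [opts]" >&2; exit 2; }
  [ -n "${SIGN_CERT_B64:-}" ] || { echo "SIGN_CERT_B64 is not set" >&2; exit 3; }
  project=$1; outdir=$2; shift 2

  umask 077                      # decoded key is readable by the build user only
  dir=$(mktemp -d) || exit 4
  trap 'rm -rf "$dir"' EXIT      # the decoded .pfx never outlives this call
  trap 'exit 1' HUP INT TERM     # route signals through the EXIT cleanup
  pfx="$dir/codesign.pfx"

  # The certificate is never stored in the repository or workspace; it exists
  # on disk only inside the private temporary directory.
  printf '%s' "$SIGN_CERT_B64" | base64 -d > "$pfx" \
    || { echo "SIGN_CERT_B64 is not valid base64" >&2; exit 4; }
  [ -s "$pfx" ] || { echo "decoded certificate is empty" >&2; exit 4; }

  # Build the argument list. A timestamp is always requested so the signature
  # stays valid after the certificate expires.
  set -- package pack "$project" -o "$outdir" "$@" \
    --certificatePath "$pfx" \
    --timestampServerUrl "${TIMESTAMP_URL:-http://timestamp.digicert.com}"

  # The password comes from the environment, never from the script text.
  if [ -n "${SIGN_CERT_PASSWORD:-}" ]; then
    set -- "$@" --certificatePassword "$SIGN_CERT_PASSWORD"
  fi

  "${UIPCLI:-uipcli}" "$@"       # exit status of the CLI becomes the result
)
```

The password still reaches the CLI through `--certificatePassword`, so it is visible in the process argument list while the command runs; run signing on build agents that other users cannot inspect.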
