robot
2022.10
false
- Release Notes
- Getting Started
- UiPath Assistant
- Installation and Upgrade
- Robot Types
- Robot Components
- Licensing
- Connecting Robots to Orchestrator
- Processes and Activities
- About Automation Projects on the Robot
- About the Activities Feeds
- Background Process Automation
- Robot API
- Package Signature Verification
- Logging
- Robot JavaScript SDK
- Specific Scenarios
- Restarting Robot Components
- Windows Sessions
- Login Using Thales Luna Credential System
- Login Using NShield Key Storage Provider
- Redirecting Robots Through a Proxy Server
- Executing Tasks in a Minimized RDP Window
- Using Mapped Network Drives
- Stopping a Process
- Disable Stop Button
- Custom Package Folders and Network Paths
- CrowdStrike Integration
- Robot Citrix Apps Virtualization
- Troubleshooting
- Unresponsive Robot Over RDP
- Duplicate Execution Logs
- Frequently Encountered Robot Errors
- Increased Process Execution Duration
- Enforced Package Signature Verification
- Message Too Large to Process
- Errors When Running as Administrator
- NuGet Packages Not Accessible After Migration
- User Access Control Prompt and UI Automation Activities
- .NET required during installation
- Assembly Cannot Be Loaded From Network Or Azure File Share
- Activities cannot find .NET Runtime
Package Signature Verification
Robot User Guide
Last updated Oct 25, 2024
Package Signature Verification
Package Signature is a method through which NuGet Packages prove that they come from trusted sources. A package is signed by using a certificate
to validate the identity of a signer. When the deployment is set to check the Package Signature Verification, UiPath® validates against the information available in the
NuGet.config
file to find the requested certificate in order to ensure consumed packages are coming from an allowed author or repository.
For an in-depth overview of how Package Signature Verification works, make sure to read through the specifics in this section of the Microsoft guide about NuGet.config file.
accept
- Allows for unsigned packages to be installed.require
- For a package to be installed, its signing details have to match the ones from thetrustedSigners
section ofNuGet.config
.
To enforce the use of signed packages, the
signatureValidationMode
parameter in the Nuget.config
file must be set to require
. The file is located at %ProgramFiles%\UiPath\Studio
. You can do this in one of two ways:
-
During installation, by installing from the command line with the option
ENFORCE_SIGNED_EXECUTION=1
.For example, the following command installs Studio, a Robot as a Windows service, and enforces the usage of signed packaged in your UiPath environment:
UiPathStudio.msi ADDLOCAL=DesktopFeature,Studio,Robot,RegisterService ENFORCE_SIGNED_EXECUTION=1
UiPathStudio.msi ADDLOCAL=DesktopFeature,Studio,Robot,RegisterService ENFORCE_SIGNED_EXECUTION=1 -
After installation, by manually editing the
NuGet.config
file.If you set the parameter after installation, the changes take effect after you:
- Restart the Robot Service.
- Remove all existing .NuGet packages from
%ProgramFiles%\UiPath\Studio\Packages
and%userprofile%\.nuget\packages
. - Restart Studio/Assistant.
To download, install, and run packages signed with a certain certificate, add the required certificate as a trusted source.
For this, modify the
NuGet.config
file in the installation folder, in the <trustedSigners>
section.
Note: More information on how to add or remove activities feeds can be found in this document.
Open the
NuGet.config
file from the Install Folder and add the following values:
<config>
<add key="signatureValidationMode" value="require" />
</config>
<trustedSigners>
<author name="UiPath">
<certificate fingerprint="D179174EBC1E180D656BFB15BE369DEA8A17C178230FAC7771BF5446940C290C" hashAlgorithm="SHA256" allowUntrustedRoot="false"/>
<certificate fingerprint="ABD1E1BB749DDC96B46A1DBD91B93A2D8B3B5572D1E20A52F6165ED96FC117E0" hashAlgorithm="SHA256" allowUntrustedRoot="false" />
</author>
<repository name="UiPathRepository" serviceIndex="https://gallery.uipath.com/api/v3/index.json">
<certificate fingerprint="D179174EBC1E180D656BFB15BE369DEA8A17C178230FAC7771BF5446940C290C" hashAlgorithm="SHA256" allowUntrustedRoot="false" />
<certificate fingerprint="ABD1E1BB749DDC96B46A1DBD91B93A2D8B3B5572D1E20A52F6165ED96FC117E0" hashAlgorithm="SHA256" allowUntrustedRoot="false" />
</repository>
</trustedSigners>
<config>
<add key="signatureValidationMode" value="require" />
</config>
<trustedSigners>
<author name="UiPath">
<certificate fingerprint="D179174EBC1E180D656BFB15BE369DEA8A17C178230FAC7771BF5446940C290C" hashAlgorithm="SHA256" allowUntrustedRoot="false"/>
<certificate fingerprint="ABD1E1BB749DDC96B46A1DBD91B93A2D8B3B5572D1E20A52F6165ED96FC117E0" hashAlgorithm="SHA256" allowUntrustedRoot="false" />
</author>
<repository name="UiPathRepository" serviceIndex="https://gallery.uipath.com/api/v3/index.json">
<certificate fingerprint="D179174EBC1E180D656BFB15BE369DEA8A17C178230FAC7771BF5446940C290C" hashAlgorithm="SHA256" allowUntrustedRoot="false" />
<certificate fingerprint="ABD1E1BB749DDC96B46A1DBD91B93A2D8B3B5572D1E20A52F6165ED96FC117E0" hashAlgorithm="SHA256" allowUntrustedRoot="false" />
</repository>
</trustedSigners>
To add a trusted author, you need to open the
NuGet.config
file located at %ProgramFiles%\UiPath\Studio\NuGet.config
. Then, provide the certificatefingerprint
and hashAlgorithm
as per the example above. Check this page to get more information about the certificate fingerprint.
Adding a trusted repository is done roughly the same as adding an author, with the difference that the
serviceIndex
must also be added.
Below is an example of a trusted repository added to the
NuGet.config
file:
<trustedSigners>
<repository name="UiPath Repository" serviceIndex="https://uipath.repository">
<certificate fingerprint="1234512345123451234512345123123123123123123123123123112312312E5" hashAlgorithm="SHA256" allowUntrustedRoot="true" />
</repository>
</trustedSigners>
<trustedSigners>
<repository name="UiPath Repository" serviceIndex="https://uipath.repository">
<certificate fingerprint="1234512345123451234512345123123123123123123123123123112312312E5" hashAlgorithm="SHA256" allowUntrustedRoot="true" />
</repository>
</trustedSigners>
A repository may have multiple author-signed packages. In this case, the
<owners>
tag can be used for allowing only packages signed by trusted authors to be installed.
Add the trusted authors between the
<owners>
tags, as in the example below:
<trustedSigners>
<repository name="UiPath Repository" serviceIndex="https://uipath.repository">
<certificate fingerprint="1234512345123451234512345123123123123123123123123123112312312E5" hashAlgorithm="SHA256" allowUntrustedRoot="true" />
<owners>Author1;Author2</owners>
</repository>
</trustedSigners>
<trustedSigners>
<repository name="UiPath Repository" serviceIndex="https://uipath.repository">
<certificate fingerprint="1234512345123451234512345123123123123123123123123123112312312E5" hashAlgorithm="SHA256" allowUntrustedRoot="true" />
<owners>Author1;Author2</owners>
</repository>
</trustedSigners>
Starting with the v2021.2 release, the following settings for Package Signature Verification are no longer populated in the
Nuget.config
file at install:
signatureValidationMode
parameter is no longer populated in theNuget.config
file at install- UiPath® is no longer populated in the
Nuget.config
file at install as both repository and author in thetrustedSigners
tag.
Impact:
- If Package Signature Verification is used, all trusted signers, including UiPath® , must be added manually in the
NuGet.config
file. - If Package Signature Verification is not used, the
trustedSigners
tag should not be present in theNuGet.config
file. - If the
NuGet.org
feed is used, it needs to be added for both accept and require modes as NuGet announces the whole repository as signed.
To resolve the above, you need to add UiPath® as a trusted signer.