# Package Signature Verification

> **Package Signature** is a method through which NuGet Packages prove that they come from trusted sources. A package is signed by using a certificate to validate the identity of a signer. When the deployment is set to check the Package Signature Verification, UiPath validates against the information available in the `NuGet.config` file to find the requested certificate in order to ensure consumed packages are coming from an allowed author or repository.

For an in-depth overview of how Package Signature Verification works, make sure to read through the specifics in [this section](https://docs.microsoft.com/en-us/nuget/reference/nuget-config-file#trustedsigners-section) of the Microsoft guide about [NuGet.config](https://docs.microsoft.com/en-us/nuget/reference/nuget-config-file) file.

## Configuring Package Signature Verification

### Validation modes

* `accept` - Allows for unsigned packages to be installed.
* `require` - For a package to be installed, its signing details have to match the ones from the `trustedSigners` section of `NuGet.config`.

### Enforcing the Use of Signed Packages

To enforce the use of signed packages, the `signatureValidationMode` parameter in the `NuGet.config` file must be set to `require`. The file is located in `%ProgramFiles%\UiPath\Studio`. You can do this in one of two ways:

* During installation, by installing from the [command line](https://docs.uipath.com/installation-and-upgrade/v2023.4/docs/studio-command-line-parameters) with the option `ENFORCE_SIGNED_EXECUTION=1`.

  For example, the following command installs Studio, a Robot as a Windows service, and enforces the use of signed packages in your UiPath environment:

  ```
  UiPathStudio.msi ADDLOCAL=Studio,Robot,RegisterService ENFORCE_SIGNED_EXECUTION=1
  ```
* After installation, by manually editing the `NuGet.config` file. If you set the parameter after installation, the changes take effect after you:
  1. Restart the Robot Service.
  2. Remove all existing NuGet packages from `%ProgramFiles%\UiPath\Studio\Packages` and `%userprofile%\.nuget\packages`.
  3. Restart Studio/Assistant.
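For the post-installation route, a script that makes the `NuGet.config` edit idempotently is useful when the setting has to be rolled out to many machines. The following Python example is added here and is not UiPath's code; it assumes the standard NuGet.config layout (a `<configuration>` root with a `<config>` section of `<add key="..." value="..."/>` entries) and runs on a constructed sample file rather than a real install. The restart and package-cleanup steps listed above still apply after the file has been rewritten.

```python
"""Set signatureValidationMode in a NuGet.config (added example, not UiPath code).

Assumes the standard NuGet.config layout: a <configuration> root with an
optional <config> child holding <add key="..." value="..."/> entries.
"""
import xml.etree.ElementTree as ET

# Constructed sample that mirrors a freshly installed file: from v2021.2 on,
# the installer no longer populates signatureValidationMode, so the key is absent.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <packageSources>
    <add key="nuget.org" value="https://api.nuget.org/v3/index.json" protocolVersion="3" />
  </packageSources>
  <config>
    <add key="dependencyVersion" value="Highest" />
  </config>
</configuration>
"""


def set_signature_validation_mode(xml_text: str, mode: str = "require") -> str:
    """Return xml_text with signatureValidationMode set to `mode` ('accept' or 'require').

    Creates the <config> section when it is missing and updates an existing
    entry in place, so running the function twice leaves a single entry.
    """
    if mode not in ("accept", "require"):
        raise ValueError("mode must be 'accept' or 'require'")
    root = ET.fromstring(xml_text)
    if root.tag != "configuration":
        raise ValueError("not a NuGet.config: root element is %r" % root.tag)
    config = root.find("config")
    if config is None:
        config = ET.SubElement(root, "config")
    # NuGet config keys are matched case-insensitively, so look the entry up that way.
    entry = next((a for a in config.findall("add")
                  if a.get("key", "").lower() == "signaturevalidationmode"), None)
    if entry is None:
        entry = ET.SubElement(config, "add", key="signatureValidationMode")
    entry.set("value", mode)
    return ET.tostring(root, encoding="unicode")


def get_signature_validation_mode(xml_text: str) -> str:
    """Return the configured mode; NuGet defaults to 'accept' when the key is absent."""
    root = ET.fromstring(xml_text)
    for add in root.iterfind("config/add"):
        if add.get("key", "").lower() == "signaturevalidationmode":
            return add.get("value", "accept").lower()
    return "accept"


if __name__ == "__main__":
    # On a real install the path is the one given on this page:
    #   path = r"C:\Program Files\UiPath\Studio\NuGet.config"
    #   with open(path, encoding="utf-8") as fh: updated = set_signature_validation_mode(fh.read())
    #   with open(path, "w", encoding="utf-8") as fh: fh.write(updated)
    print(set_signature_validation_mode(SAMPLE_CONFIG))
```

Running it against the real file requires write access to `%ProgramFiles%`, so it is typically executed from an elevated prompt as part of the same deployment step that restarts the Robot Service.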

## Adding Trusted Sources

To download, install, and run packages signed with a certain certificate, add the required certificate as a trusted source.

For this, modify the `NuGet.config` file in the installation folder, in the `<trustedSigners>` section.

:::note
More information on how to add or remove activities feeds can be found in [this document](https://docs.uipath.com/robot/standalone/2023.10/user-guide/about-the-activities-feeds#add-or-remove-activities-feeds).
:::

### Adding UiPath as a trusted signer

Open the `NuGet.config` file from the Install Folder and add the following values:

```
<config>
   <add key="signatureValidationMode" value="require" />
</config>
<trustedSigners>
   <author name="UiPath">
      <certificate fingerprint="D179174EBC1E180D656BFB15BE369DEA8A17C178230FAC7771BF5446940C290C" hashAlgorithm="SHA256" allowUntrustedRoot="false" />
      <certificate fingerprint="ABD1E1BB749DDC96B46A1DBD91B93A2D8B3B5572D1E20A52F6165ED96FC117E0" hashAlgorithm="SHA256" allowUntrustedRoot="false" />
      <certificate fingerprint="A96ADDC7455443CF702A887BC153CF7844038E2E88081D676C57DDD90EC90245" hashAlgorithm="SHA256" allowUntrustedRoot="false" />
   </author>
   <repository name="UiPathRepository" serviceIndex="https://gallery.uipath.com/api/v3/index.json">
      <certificate fingerprint="D179174EBC1E180D656BFB15BE369DEA8A17C178230FAC7771BF5446940C290C" hashAlgorithm="SHA256" allowUntrustedRoot="false" />
      <certificate fingerprint="ABD1E1BB749DDC96B46A1DBD91B93A2D8B3B5572D1E20A52F6165ED96FC117E0" hashAlgorithm="SHA256" allowUntrustedRoot="false" />
      <certificate fingerprint="A96ADDC7455443CF702A887BC153CF7844038E2E88081D676C57DDD90EC90245" hashAlgorithm="SHA256" allowUntrustedRoot="false" />
   </repository>
</trustedSigners>
```

### Adding a Trusted Author

To add a trusted author, open the `NuGet.config` file located at `%ProgramFiles%\UiPath\Studio\NuGet.config` and add an `<author>` entry whose `<certificate>` element carries the `fingerprint` and `hashAlgorithm` attributes, as in the example above. Check this [page](https://docs.microsoft.com/en-us/nuget/consume-packages/installing-signed-packages) to get more information about the certificate fingerprint.
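The `fingerprint` value is the SHA-256 digest of the DER-encoded certificate, written as upper-case hexadecimal (the form used in the `NuGet.config` examples on this page). The following Python example, added here and not part of UiPath's or NuGet's tooling, computes it from a `.cer` file in either DER or PEM form; the certificate bytes it runs on by default are a constructed stand-in, not a real certificate.

```python
"""Compute the SHA-256 fingerprint NuGet expects in <certificate fingerprint="...">.

Added example, not UiPath or NuGet code. The fingerprint is the SHA-256 digest
of the DER-encoded certificate, rendered as upper-case hex.
"""
import base64
import hashlib
import re

_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def certificate_fingerprint(cert_bytes: bytes) -> str:
    """Return the SHA-256 fingerprint of a certificate given as DER or PEM bytes."""
    text = cert_bytes.decode("ascii", errors="ignore")
    match = _PEM_RE.search(text)
    if match:
        # PEM: strip the armour and whitespace, decode base64 back to DER.
        der = base64.b64decode("".join(match.group(1).split()))
    else:
        der = cert_bytes  # no PEM armour: treat the file as binary DER
    return hashlib.sha256(der).hexdigest().upper()


def fingerprint_from_file(path: str) -> str:
    """Read a .cer/.crt file exported from the signer's certificate and fingerprint it."""
    with open(path, "rb") as fh:
        return certificate_fingerprint(fh.read())


# Constructed stand-in for a certificate body: not a real certificate, just
# bytes that let the DER and PEM code paths be compared offline.
FAKE_DER = bytes(range(48))
FAKE_PEM = (b"-----BEGIN CERTIFICATE-----\n"
            + base64.encodebytes(FAKE_DER)
            + b"-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    # For a real signer: print(fingerprint_from_file(r"C:\path\to\signer.cer"))
    print(certificate_fingerprint(FAKE_PEM))
```

Compare the output against the fingerprint the signer publishes before pasting it into `NuGet.config`; a mismatch means the wrong certificate was exported (for example the issuing CA instead of the signing certificate).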

### Adding a Trusted Repository

Adding a trusted repository is done in roughly the same way as adding an author, except that the `serviceIndex` attribute must also be provided.

Below is an example of a trusted repository added to the `NuGet.config` file:

```
<trustedSigners>
   <repository name="UiPath Repository" serviceIndex="https://uipath.repository">
      <certificate fingerprint="1234512345123451234512345123123123123123123123123123112312312E5" hashAlgorithm="SHA256" allowUntrustedRoot="true" />
   </repository>
</trustedSigners>
```

### Adding Trusted Owners

A repository may have multiple author-signed packages. In this case, the `<owners>` tag can be used for allowing only packages signed by trusted authors to be installed.

Add the trusted authors between the `<owners>` tags, as in the example below:

```
<trustedSigners>
   <repository name="UiPath Repository" serviceIndex="https://uipath.repository">
      <certificate fingerprint="1234512345123451234512345123123123123123123123123123112312312E5" hashAlgorithm="SHA256" allowUntrustedRoot="true" />
      <owners>Author1;Author2</owners>
   </repository>
</trustedSigners>
```

### V2021.2 Behavior

Starting with the v2021.2 release, the following Package Signature Verification settings are no longer populated in the `NuGet.config` file at install:

* the `signatureValidationMode` parameter
* UiPath as both repository and author in the `trustedSigners` tag

#### Impact

* If Package Signature Verification is used, all trusted signers, **including UiPath**, must be added manually in the `NuGet.config` file.
* If Package Signature Verification is not used, the `trustedSigners` tag should not be present in the `NuGet.config` file.
* If the `NuGet.org` feed is used, it needs to be added for both `accept` and `require` modes, because NuGet announces the whole repository as signed.

To resolve the above, you need to [add UiPath as a trusted signer](https://docs.uipath.com/robot/standalone/2023.10/user-guide/package-signature-verification-1#package-signature-verification).
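Once the trusted signers are in place, the file is worth checking against the rules from the "Adding Trusted Sources" sections and the Impact list above before the Robot Service is restarted. The Python example below is added here and is not UiPath code; it encodes those rules as a lint: the validation mode, the shape of each `fingerprint` (64 hex digits for `SHA256`), `allowUntrustedRoot`, a `serviceIndex` on every repository, the `trustedSigners` section being absent in `accept` mode, and a trusted repository entry for `nuget.org` whenever it is a package source. The sample config it runs on is constructed from the trusted repository example above plus a `nuget.org` source, so the placeholder fingerprint and `allowUntrustedRoot="true"` in that example show up as findings. The `allowUntrustedRoot` check is there because `true` accepts a signing certificate whose chain does not end in a trusted root, which is why the UiPath entries above use `false`.

```python
"""Lint the package-signature settings of a NuGet.config.

Added example (not UiPath code) covering the rules on this page; it assumes
the standard <configuration> root layout of NuGet.config.
"""
import re
import xml.etree.ElementTree as ET

HEX64 = re.compile(r"^[0-9A-Fa-f]{64}$")
NUGET_ORG = "https://api.nuget.org/v3/index.json"

# Constructed sample built from the trusted repository example on this page,
# plus a nuget.org package source. The fingerprint is the page's placeholder.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <packageSources>
    <add key="nuget.org" value="https://api.nuget.org/v3/index.json" protocolVersion="3" />
    <add key="UiPath Repository" value="https://uipath.repository" />
  </packageSources>
  <config>
    <add key="signatureValidationMode" value="require" />
  </config>
  <trustedSigners>
    <repository name="UiPath Repository" serviceIndex="https://uipath.repository">
      <certificate fingerprint="1234512345123451234512345123123123123123123123123123112312312E5" hashAlgorithm="SHA256" allowUntrustedRoot="true" />
      <owners>Author1;Author2</owners>
    </repository>
  </trustedSigners>
</configuration>
"""


def lint_nuget_config(xml_text: str) -> list:
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    root = ET.fromstring(xml_text)

    # 1. Validation mode: NuGet defaults to 'accept' when the key is absent.
    mode = "accept"
    for add in root.iterfind("config/add"):
        if add.get("key", "").lower() == "signaturevalidationmode":
            mode = add.get("value", "accept").lower()
    if mode != "require":
        findings.append("signatureValidationMode is %r: unsigned packages are allowed" % mode)

    # 2. trustedSigners must exist in 'require' mode and be absent otherwise.
    signers = root.find("trustedSigners")
    if signers is None:
        if mode == "require":
            findings.append("mode is 'require' but there is no trustedSigners section")
    elif mode != "require":
        findings.append("trustedSigners is present although verification is not enforced; remove it")

    # 3. Per-signer checks on authors and repositories.
    trusted_indexes = set()
    for signer in (list(signers) if signers is not None else []):
        if signer.tag not in ("author", "repository"):
            continue  # e.g. <clear />
        who = "%s %r" % (signer.tag, signer.get("name", "?"))
        if signer.tag == "repository":
            idx = signer.get("serviceIndex")
            if not idx:
                findings.append("%s has no serviceIndex" % who)
            else:
                trusted_indexes.add(idx.rstrip("/").lower())
        for cert in signer.findall("certificate"):
            fp = cert.get("fingerprint", "")
            if cert.get("hashAlgorithm", "").upper() != "SHA256":
                findings.append("%s: hashAlgorithm is not SHA256" % who)
            if not HEX64.match(fp):
                findings.append("%s: fingerprint %r is not 64 hex digits" % (who, fp))
            if cert.get("allowUntrustedRoot", "false").lower() == "true":
                findings.append("%s: allowUntrustedRoot=true accepts certificates that do not "
                                "chain to a trusted root" % who)

    # 4. nuget.org announces the whole repository as signed, so a matching
    #    trusted repository is needed in both modes.
    for src in root.iterfind("packageSources/add"):
        url = src.get("value", "").rstrip("/").lower()
        if url == NUGET_ORG and url not in trusted_indexes:
            findings.append("nuget.org is a package source but not a trusted repository")
    return findings


if __name__ == "__main__":
    # On a real install: lint the file at %ProgramFiles%\UiPath\Studio\NuGet.config.
    for finding in lint_nuget_config(SAMPLE_CONFIG) or ["no findings"]:
        print("-", finding)
```

Running the lint on the constructed sample reports three findings (placeholder fingerprint, `allowUntrustedRoot="true"`, and the untrusted `nuget.org` source); a file that only contains the UiPath author and repository entries from the "Adding UiPath as a trusted signer" section with `require` mode passes cleanly.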
