robot
2023.10
false
Robot User Guide
Last updated Sep 20, 2024

Package Signature Verification

Package Signature is a method through which NuGet Packages prove that they come from trusted sources. A package is signed by using a certificate to validate the identity of a signer. When the deployment is set to check the Package Signature Verification, UiPath® validates against the information available in the NuGet.config file to find the requested certificate in order to ensure consumed packages are coming from an allowed author or repository.

For an in-depth overview of how Package Signature Verification works, make sure to read through the specifics in this section of the Microsoft guide about NuGet.config file.

Configuring Package Signature Verification

Validation modes

  • accept - Allows for unsigned packages to be installed.
  • require - For a package to be installed, its signing details have to match the ones from the trustedSigners section of NuGet.config.

Enforcing the Use of Signed Packages

To enforce the use of signed packages, the signatureValidationMode parameter in the Nuget.config file must be set to require. The file is located at %ProgramFiles%\UiPath\Studio. You can do this in one of two ways:
  • During installation, by installing from the command line with the option ENFORCE_SIGNED_EXECUTION=1.

    For example, the following command installs Studio, a Robot as a Windows service, and enforces the usage of signed packaged in your UiPath® environment:

    UiPathStudio.msi ADDLOCAL=DesktopFeature,Studio,Robot,RegisterService ENFORCE_SIGNED_EXECUTION=1UiPathStudio.msi ADDLOCAL=DesktopFeature,Studio,Robot,RegisterService ENFORCE_SIGNED_EXECUTION=1
  • After installation, by manually editing the NuGet.config file.

    If you set the parameter after installation, the changes take effect after you:

    1. Restart the Robot Service.
    2. Remove all existing .NuGet packages from %ProgramFiles%\UiPath\Studio\Packages and %userprofile%\.nuget\packages.
    3. Restart Studio/Assistant.

Adding Trusted Sources

To download, install, and run packages signed with a certain certificate, add the required certificate as a trusted source.

For this, modify the NuGet.config file in the installation folder, in the <trustedSigners> section.
Note: More information on how to add or remove activities feeds can be found in this document.

Adding UiPath® as a trusted signer

Open the NuGet.config file from the Install Folder and add the following values:
<config>
     <add key="signatureValidationMode" value="require" />
</config>
<trustedSigners>
   <author name="UiPath">
      <certificate fingerprint="D179174EBC1E180D656BFB15BE369DEA8A17C178230FAC7771BF5446940C290C" hashAlgorithm="SHA256" allowUntrustedRoot="false"/>
      <certificate fingerprint="ABD1E1BB749DDC96B46A1DBD91B93A2D8B3B5572D1E20A52F6165ED96FC117E0" hashAlgorithm="SHA256" allowUntrustedRoot="false" />
   </author>
   <repository name="UiPathRepository" serviceIndex="https://gallery.uipath.com/api/v3/index.json">
      <certificate fingerprint="D179174EBC1E180D656BFB15BE369DEA8A17C178230FAC7771BF5446940C290C" hashAlgorithm="SHA256" allowUntrustedRoot="false" />
      <certificate fingerprint="ABD1E1BB749DDC96B46A1DBD91B93A2D8B3B5572D1E20A52F6165ED96FC117E0" hashAlgorithm="SHA256" allowUntrustedRoot="false" />
   </repository>
</trustedSigners><config>
     <add key="signatureValidationMode" value="require" />
</config>
<trustedSigners>
   <author name="UiPath">
      <certificate fingerprint="D179174EBC1E180D656BFB15BE369DEA8A17C178230FAC7771BF5446940C290C" hashAlgorithm="SHA256" allowUntrustedRoot="false"/>
      <certificate fingerprint="ABD1E1BB749DDC96B46A1DBD91B93A2D8B3B5572D1E20A52F6165ED96FC117E0" hashAlgorithm="SHA256" allowUntrustedRoot="false" />
   </author>
   <repository name="UiPathRepository" serviceIndex="https://gallery.uipath.com/api/v3/index.json">
      <certificate fingerprint="D179174EBC1E180D656BFB15BE369DEA8A17C178230FAC7771BF5446940C290C" hashAlgorithm="SHA256" allowUntrustedRoot="false" />
      <certificate fingerprint="ABD1E1BB749DDC96B46A1DBD91B93A2D8B3B5572D1E20A52F6165ED96FC117E0" hashAlgorithm="SHA256" allowUntrustedRoot="false" />
   </repository>
</trustedSigners>

Adding a Trusted Author

To add a trusted author, you need to open the NuGet.config file located at %ProgramFiles%\UiPath\Studio\NuGet.config. Then, provide the certificatefingerprint and hashAlgorithm as per the example above. Check this page to get more information about the certificate fingerprint.

Adding a Trusted Repository

Adding a trusted repository is done roughly the same as adding an author, with the difference that the serviceIndex must also be added.
Below is an example of a trusted repository added to the NuGet.config file:
<trustedSigners>    
<repository name="UiPath Repository" serviceIndex="https://uipath.repository">
<certificate fingerprint="1234512345123451234512345123123123123123123123123123112312312E5" hashAlgorithm="SHA256" allowUntrustedRoot="true" />
</repository>
</trustedSigners><trustedSigners>    
<repository name="UiPath Repository" serviceIndex="https://uipath.repository">
<certificate fingerprint="1234512345123451234512345123123123123123123123123123112312312E5" hashAlgorithm="SHA256" allowUntrustedRoot="true" />
</repository>
</trustedSigners>

Adding Trusted Owners

A repository may have multiple author-signed packages. In this case, the <owners> tag can be used for allowing only packages signed by trusted authors to be installed.
Add the trusted authors between the <owners> tags, as in the example below:
<trustedSigners>
<repository name="UiPath Repository" serviceIndex="https://uipath.repository">
<certificate fingerprint="1234512345123451234512345123123123123123123123123123112312312E5" hashAlgorithm="SHA256" allowUntrustedRoot="true" />
<owners>Author1;Author2</owners> 
</repository>
</trustedSigners><trustedSigners>
<repository name="UiPath Repository" serviceIndex="https://uipath.repository">
<certificate fingerprint="1234512345123451234512345123123123123123123123123123112312312E5" hashAlgorithm="SHA256" allowUntrustedRoot="true" />
<owners>Author1;Author2</owners> 
</repository>
</trustedSigners>

V2021.2 Behavior

Starting with the v2021.2 release, the following settings for Package Signature Verification are no longer populated in the Nuget.config file at install:
  • signatureValidationMode parameter is no longer populated in the Nuget.config file at install
  • UiPath® is no longer populated in the Nuget.config file at install as both repository and author in the trustedSigners tag.

Impact:

  • If Package Signature Verification is used, all trusted signers, including UiPath® , must be added manually in the NuGet.config file.
  • If Package Signature Verification is not used, the trustedSigners tag should not be present in the NuGet.config file.
  • If the NuGet.org feed is used, it needs to be added for both accept and require modes as NuGet announces the whole repository as signed.

To resolve the above, you need to add UiPath® as a trusted signer.

Was this page helpful?

Get The Help You Need
Learning RPA - Automation Courses
UiPath Community Forum
Uipath Logo White
Trust and Security
© 2005-2024 UiPath. All rights reserved.