UiPath Studio Guide

Signing Packages

Package signing is available to ensure the security and integrity of processes and libraries published from Studio.

NuGet offers two ways in which packages can be signed, either by an author or by a repository.

To enforce that only UiPath-signed packages are downloaded, installed, or run, set the EnforcedSignedExecution parameter in NuGet.config to true. The parameter can be enabled during installation using command-line parameters, or in the NuGet.config file after installation. Other trusted sources can be added, as explained further on this page.

For example, the following command installs Studio, a Robot as a Windows service, and the local activities packages, and enforces the use of signed packages in your UiPath environment:

UiPathStudio.msi ADDLOCAL=DesktopFeature,Studio,Robot,RegisterService,Packages ENFORCE_SIGNED_EXECUTION=1

By default, UiPath packages are repository and author-signed. This means that such packages can be downloaded and installed using Manage Packages without having to perform any additional actions.

However, to add additional trusted authors, repositories, and/or owners, you need to perform the steps detailed below.

Adding Trusted Sources

To download, install and run packages signed with a certain certificate, add the certificate as a trusted source. To do so, modify the NuGet.config file in the installation folder, specifically the <trustedSigners> section.

Adding a Trusted Author

To add a trusted author, open the NuGet.config file located at %ProgramFiles(x86)%\UiPath\Studio\NuGet.config. Then, provide the certificate fingerprint and hashAlgorithm. Check this page to get more information about the certificate fingerprint.

Set allowUntrustedRoot to true or false:

  • allowUntrustedRoot = "true" - allows unsigned packages.
  • allowUntrustedRoot = "false" - packages must be author-signed.

The entry should be similar to the example below:

<trustedSigners>
<author name="UiPath">
<certificate fingerprint="1234512345123451234512345123123123123123123123123123112312312E5" hashAlgorithm="SHA256" allowUntrustedRoot="true" />
</author>
</trustedSigners>

Adding a Trusted Repository

Adding a trusted repository works much the same way as adding an author, except that the serviceIndex must also be provided.

Below is an example of a trusted repository added to the NuGet.config file:

<trustedSigners>	
<repository name="UiPath Repository" serviceIndex="https://uipath.repository">
<certificate fingerprint="1234512345123451234512345123123123123123123123123123112312312E5" hashAlgorithm="SHA256" allowUntrustedRoot="true" />
</repository>
</trustedSigners>

Adding Trusted Owners

A repository may have multiple author-signed packages. In this case, the <owners> tag can be used to allow only packages signed by trusted authors to be installed.

Add the trusted authors between the <owners> tags, as in the example below:

<trustedSigners>
<repository name="UiPath Repository" serviceIndex="https://uipath.repository">
<certificate fingerprint="1234512345123451234512345123123123123123123123123123112312312E5" hashAlgorithm="SHA256" allowUntrustedRoot="true" />
<owners>Author1;Author2</owners> 
</repository>
</trustedSigners>
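
One way to check the author, repository and owners entries described above before deploying the file, as an added example (not UiPath or NuGet code): a Python script that parses a NuGet.config and reports trustedSigners entries with a missing or non-HTTPS serviceIndex, an empty <owners> list, a fingerprint whose length does not match its hashAlgorithm, or allowUntrustedRoot set to true. The function name and the sample names, URL and fingerprints are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Hex digest length for each hashAlgorithm value (SHA256, SHA384, SHA512).
DIGEST_HEX_LEN = {"SHA256": 64, "SHA384": 96, "SHA512": 128}

def audit_trusted_signers(config_xml):
    """Return (signer name, finding) tuples for the <trustedSigners> section."""
    findings = []
    section = ET.fromstring(config_xml).find("trustedSigners")
    if section is None:
        return [("(config)", "no <trustedSigners> section")]
    for signer in section:
        name = signer.get("name", "(unnamed)")
        if signer.tag == "repository":
            index = signer.get("serviceIndex", "")
            if not index.lower().startswith("https://"):
                findings.append((name, "serviceIndex missing or not https"))
            owners = signer.findtext("owners")  # semicolon-separated list
            if owners is not None and not any(o.strip() for o in owners.split(";")):
                findings.append((name, "<owners> is empty"))
        certs = signer.findall("certificate")
        if not certs:
            findings.append((name, "no <certificate> entry"))
        for cert in certs:
            algo = cert.get("hashAlgorithm", "").upper()
            fp = cert.get("fingerprint", "")
            want = DIGEST_HEX_LEN.get(algo)
            if want is None:
                findings.append((name, f"unsupported hashAlgorithm {algo!r}"))
            elif not re.fullmatch(r"[0-9A-Fa-f]{%d}" % want, fp):
                findings.append((name, f"fingerprint is not {want} hex chars"))
            if cert.get("allowUntrustedRoot", "false").lower() == "true":
                findings.append((name, "allowUntrustedRoot is true"))  # permissive
    return findings

# Constructed sample config: names, URL and fingerprints are made up.
SAMPLE = """<configuration><trustedSigners>
  <author name="Author1">
    <certificate fingerprint="%s" hashAlgorithm="SHA256" allowUntrustedRoot="false" />
  </author>
  <repository name="Internal Feed" serviceIndex="http://feed.example/index.json">
    <certificate fingerprint="%s" hashAlgorithm="SHA256" allowUntrustedRoot="true" />
    <owners>Author1;Author2</owners>
  </repository>
</trustedSigners></configuration>""" % ("AB" * 32, "AB" * 31 + "E")

if __name__ == "__main__":
    for who, what in audit_trusted_signers(SAMPLE):
        print(f"{who}: {what}")
```

A config that is not well-formed XML, such as an entry with no space between the element name and its first attribute or an unclosed tag, fails at the parse step with xml.etree.ElementTree.ParseError before any entry is checked.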

Signing a Package

In Studio, package signing can be done from the Publish window, for both processes and libraries.

Under the Certificate Signing section, add the certificate path on your local machine. Use the browse button to navigate to the path if needed.

Next, type in the Certificate Password and add an Optional Certificate Timestamper if needed. Click Publish. The resulting .nupkg file is signed with a certificate and a timestamper, if indicated.

Timestamps are a secure way of keeping track of the date and time when a package was signed. To learn more about timestamping in the context of NuGet package signing, check out this link.

If the certificate timestamper is invalid, an error message containing the project name is thrown in Studio after clicking the Publish button. A similar error message is also logged in the Output panel.

Note:

If signature verification is NOT enforced, processes created with Studio prior to v2019.4 are still executed, regardless of whether they are signed or not.

Use the Mass Update Command Line tool to sign multiple packages and then publish them to a location.
