ArcGIS Desktop add-ins can be digitally signed to improve security in cases where add-in files are published and shared among users. With digitally signed add-in files, you can confirm the source of the file and verify that the original file contents were not modified after the signature was applied. However, the presence of a digital signature on an add-in file does not signify that the add-in is free of program errors. Once an add-in file has been digitally signed, modifying or removing any of its contents, regardless of type, will break the digital signature. Broken add-in file signatures are prominently indicated in the user interface when installing add-in files and when reviewing existing add-in files using Add-In Manager. Every digital signature is linked to a standard ITU X.509 digital certificate, which is used to apply the signature during the signing process. Trustworthy signatures are those that are created using a digital certificate issued by a trusted certificate authority. The Windows operating system maintains a database of trusted certificates within the Trusted Root Certification Authorities store. You can examine the certificates registered within this store using the MMC Certificates Snap-in or from Internet Explorer in Tools > Internet Options > Content.
For more information about digital certificates, see Working with Certificates.
Installing add-in files with digital signatures
Although add-in files can be installed by copying them to an appropriate well-known folder, doing so without first verifying the source and contents of the file is not recommended. Double-clicking an add-in file link from within a web browser, an e-mail client, or Windows Explorer automatically opens the ESRI ArcGIS Add-In Installation Utility dialog box, illustrated below.
This dialog box displays pertinent add-in information, such as the name, date, author, version, and description of the add-in. If the add-in file is digitally signed, signature information is also displayed on this dialog box. If any of the presented information is unsatisfactory, the installation process can be cancelled by the user and the add-in file will not be installed.
Add-in files can be signed with more than one digital signature, depending on the internal policies of the authoring organization. Within the Digital Signature/s area of the ESRI ArcGIS Add-In Installation Utility dialog box, the signer, date stamp, and validity of the selected signature are displayed along with information on whether the associated certificate is from a trusted source. Detailed information on the selected signature's certificate can be displayed by clicking the Show Certificatebutton.
A secure add-in file must have at least one digital signature that is both valid and trusted. An invalid signature indicates that the contents of the add-in file have been modified in some way since the signature was applied.
Managing the ArcGIS Desktop add-in security policy
The Add-In Manager dialog box—accessible from the Customize menu in each desktop application—displays a list of all the add-in files that are currently installed on your machine.
Along with other add-in file information, the digital signature status is displayed in the area indicated in the following screen capture:
The signature status is determined as shown in the following table:
The selected add-in file does not contain any digital signatures.
The digital signature applied to the add-in file is not from a trusted source.
The digital signature has been invalidated due to manipulation of the add-in file contents, or the certificate has expired.
The file is digitally signed with a signature that is both valid and from a trusted source.
On the Options tab of the Add-In Manager dialog box, you can view and change options concerning how add-in file security is handled. The options, ranging from most secure to least secure, are as follows:
- Load and use only Esri published add-ins; that is, do not load or execute any custom add-in files within this application.
- Load and use only add-in files that are digitally signed by a trusted certificate authority.
- Load all add-ins, regardless of whether they have digital signatures.
Applying digital signatures to add-in files
The ESRISignAddIn.exe utility, supplied with the download of Python Add-In Wizard, can be used to sign ArcGIS Desktop add-ins.
To use this utility, you must copy it to the bin folder located within your ArcGIS installation location, and you must have an ITU X.509 certificate containing both public and private encryption keys. Digital certificates can be issued by certificate authorities within an organization or by a public certificate authority such as VeriSign or Thawte. Once the input add-in file is selected, you will be prompted with a list of certificates with which you are authorized to sign. Once a valid certificate is selected, the add-in file is then signed and output, either overwriting the original file or assigning a new file name. The utility can also be used to view or remove existing digital signatures.
Add-in files are compressed archives (.zip) files containing various files and subfolders and conform to the ECMA Open Packaging Conventions. The digital signature format conforms to the W3C XML Digital Signature Standard (XMLDsig).