Sign Releases using your Matrix42 Developer Identity
This is a step-by-step guide on how to digitally sign your Digital Workspace Platform Extension to ensure the latest security standards for all consumers of your Extension.
Prerequisites
- A valid Matrix42 Developer Identity.
- A Configuration Package which actual version is not yet uploaded to the Matrix42 DevOps Portal.
Signing your Configuration Package
To sign your Configuration Package all you need is the Matrix42 Command-Line Interface (CLI), the ZIP file containing your Extension data and the PFX file which resembles your Developer Identity:
> m42 sign path/to/extension.zip --identity path/to/identity.pfx
You will be prompted to enter the password of your Developer Identity.
After the signing is done the specified ZIP file will be approximately 2kb larger. (The digital signature is attached.)
You can read more about why you should sign your Extension here.
Verifying the signature of a Configuration Package
You can also use the Matrix42 CLI to verify if an Extension (ZIP) is digitally signed and also if the signature is still valid:
> m42 verify path/to/extension.zip
This command will either throw an error "No valid signature found." or will succeed with the message "Signature verified.".