ProGuide Digitally signed add ins and configurations - kataya/arcgis-pro-sdk GitHub Wiki

Language:      C#
Subject:       Framework
Contributor:   ArcGIS Pro SDK Team <[email protected]>
Organization:  Esri, http://www.esri.com
Date:          11/24/2020
ArcGIS Pro:    2.7
Visual Studio: 2017, 2019

ArcGIS Pro add-in, configurations, and plug-in archive files can be digitally signed to improve security in cases where they are published and shared among users. With digitally signed add-in/configuration/plug-in files, you can confirm the source of the file and verify that the original file contents were not modified after the signature was applied. However, the presence of a digital signature does not signify that the archive is free of program errors.

Once the archive has been digitally signed, modifying or removing any of its contents, regardless of type, breaks the digital signature. Broken file signatures are prominently indicated in the user interface when installing add-in/configuration/plug-in files, and when reviewing add-ins via the Pro Add-In Manager.

Every digital signature is linked to a standard ITU X.509 digital certificate that is used to apply the signature during the signing process. By default, signing with a digital certificate only ensures the installer that the content of the signed archive file didn't change since it was signed, but the installer can't be sure of the real identity of the publisher. To be sure of the publisher’s identity, the publisher must use a trusted digital certificate issued by a Commercial Certification Authority (such as VeriSign, Thawte, or Geotrust). These types of certificates provide a trustworthy signature. Signed add-in/configuration/plug-in archive files published by Esri fall into this category.

In this topic

Unless otherwise indicated, and to avoid unnecessary repetition, the term "add-in" shall be used in the remainder of the document to collectively refer to either add-in, configuration, or plug-in archive files.

Signed add-ins in the enterprise
Configure security policies for add-ins using the ArcGIS Pro installation program
Configure security policies for add-ins using ArcGIS Pro
Installing add-ins and with digital signatures
Applying digital signatures to an add-in

Signed add-ins in the enterprise

To keep an enterprise network secure from unauthorized use, system administrators have the ability to restrict files (executables, scripts, and so on) that can be deployed throughout the enterprise to include limiting the type of add-ins that are used in ArcGIS Pro. To configure Pro add-in security restrictions, ArcGIS Pro uses a set of Windows registry entries that can only be controlled by an administrator. The following restrictions can be enforced starting with the least secure option:

Load all add-ins regardless of whether they have digital signatures.
Only load and use add-ins that are digitally signed by a trusted certificate authority.
Only load and use add-ins that have been published by Esri.
Only load add-ins from the administrator folders and all add-ins published by Esri.
Do not load or execute add-ins in this application.
Load add-ins only from the administrator folders

Configure security policies for add-ins using the ArcGIS Pro Installation program

Organizations will sometimes need to deploy policies within their network to load only certain type of add-ins. This can be done by executing the ArcGIS Pro installation program with a command line switch. Note: You need admin rights to perform this task.

Refer to this link to run Pro installation program with the appropriate command line switches in order to configure the add-in deployment security policies.

Configure security policies for add-ins using ArcGIS Pro

The Add-In Manager dialog box—accessible from ArcGIS Pro, by clicking Project > Add-In Manager—displays a list of all the add-in files currently installed on the user’s machine (configurations and plug-ins are not shown).

Along with other add-in file information, the digital signature status displays in the area indicated in the following screen capture:

Add-in-manager

The signature status is determined as shown in the following table and applies to all add-ins, configuration, and plug-ins equally:

Status	Description
None	The selected add-in file does not contain any digital signatures.
Un-trusted	The digital signature applied to the add-in file is not from a trusted source.
Invalid	The digital signature has been invalidated due to manipulation of the add-in file contents, or the certificate has expired.
Authenticated	The file is digitally signed with a signature that is valid and from a trusted source.

On the Options tab of the Add-In Manager dialog box, users can view and change options concerning how add-in file security is handled. The options, ranging from most secure to least secure, are as follows:

Load only Esri provided add-ins (most secure)
Require add-ins to be digitally signed by a trusted publisher
Load all add-ins without restrictions (least secure)

Users without administrator privileges cannot modify these settings in a way that makes the system less secure than the settings an administrator has already established on the machine. Options that are not available to non-administrators are disabled on this tab.

Installing add-ins with digital signatures

Although add-ins can be installed by copying them to an appropriate well-known folder, doing so without first verifying the source and contents of the file is not recommended. Double-clicking an add-in file link (or configuration or plug-in) from within a web browser, an email client, or Windows Explorer automatically opens the Esri ArcGIS Add-in Installation Utility dialog box.

Add-Installation Utility

This dialog box displays pertinent add-in information, such as its name, date, author, version, and description. If the add-in file is digitally signed, signature information also displays in this dialog box. If any of the presented information is unsatisfactory, the installation process can be cancelled by the user and the add-in file will not be installed.

Add-in files can be signed with more than one digital signature, depending on the internal policies of the authoring organization. Within the digital signature area of the Esri ArcGIS Add-in Installation Utility dialog box, the signer, date stamp, and validity of the selected signature display with information on whether the associated certificate is from a trusted source. Detailed information on the selected signature’s certificate can be displayed by clicking the Show Certificate button.

A secure add-in file must have at least one digital signature that is valid and trusted. An invalid signature indicates that the contents of the file have been modified in some way since the signature was applied.

Applying digital signatures to an add-in

The utility, ArcGISSignAddIn.exe, is provided in the ArcGIS Pro installation folder and can be used to sign add-ins. To use this utility, you must have a Personal Information Exchange (.pfx) file that stores the ITU X.509 certificate containing both public and private encryption keys. To learn more about how to create a .pfx file, read Personal Information Exchange (.pfx) Files on MSDN. The utility can also be used to view or remove existing digital signatures. The steps below explain how ArcGISSignAddIn.exe can be integrated into your Visual Studio ArcGIS Pro add-in project to sign your add-in during the post build process (substitute configuration or plug-in for "add-ins"):

Step 1
Open your ArcGIS Pro add-in project in Visual Studio. Right-click the project context menu and choose Unload Project.

Step 2
Right-click the project context menu again and choose Edit Project. The .csproj or .vbproj file opens in the Visual Studio editor.

Step 3
Add the following lines of code to the bottom of the project file before the closing project tag </Project>.

Replace the path in the sample command below to your .pfx file on disk and use the password that has been assigned to the .pfx file.
Confirm that the path to ArcGIS Pro's bin folder matches your installation location.

Note: In the code snippet below, note that if you are signing an add-in the file passed to ArcGISSignAddIn.exe should be <Add-inName>.esriAddinX. If you are signing a configuration, the file passed to ArcGISSignAddIn.exe should be .proConfigX. If you are signing a plug-in, the file passed to ArcGISSignAddin.exe should be .esriPlugin.

  <Import Project="$(MSBuildToolsPath)\Microsoft.CSharp.targets" />
  ...
  <Import Project="C:\Program Files\ArcGIS\Pro\bin\Esri.ProApp.SDK.Desktop.targets" 
                                                                       Condition="... />
  <!-- To modify your build process, add your task inside one of the targets below and 
       uncomment it. Other similar extension points exist, see Microsoft.Common.targets.
  <Target Name="BeforeBuild">
  </Target>  
   -->
  <Target Name="AfterBuild" DependsOnTargets="PackageArcGISContents">
    <!--Replace the path in the sample command below to your pfx file on disk and use the 
        password that has been assigned to the pfx file.  Confirm that the path to ArcGIS 
        Pro bin folder matches your installation location.-->
    <Exec Command="&quot;C:\Program Files\ArcGIS\Pro\bin\ArcGISSignAddIn.exe&quot; $(TargetDir)$(TargetName).esriAddInX /c:D:\my.pfx /p:pw**** /s" />
  </Target>
</Project>

Step 4
Click the Save button to save the project file. Right-click the project in the Solution Explorer and select Reload Project. Your add-in will now be digitally signed whenever you build your project.