Platform Academy - July 15th, 2025 - Code Signing

Sharon_Barnes · ‎07-30-2025

Unlocking Platform Security with ServiceNow Code Signing

If you’ve ever worried about unauthorized scripts running in your ServiceNow mid server or want tighter control over what gets deployed to production, then you’re going to love what ServiceNow Vault now offers: code signing.

In this week’s stream, we were joined by Sandeep, the principal product manager for code signing, who walked us through both the concept and a demo of how it works.

Why Code Signing?
At its core, code signing ensures that the scripts or configuration changes you're deploying are both authentic (you know where they came from) and integral (they haven’t been tampered with). That’s critical when you're dealing with systems that can execute commands through mid-servers in secure environments.

How It Works
The model revolves around two instances:

Trusted Instance: Where you build and sign your update sets.
Protected Instance: Where code signing is enforced and validation happens before execution.

Using cryptographic keys, a “Circle of Trust” is established between the two. Any unauthorized or unsigned code trying to execute—especially on the mid server—is automatically blocked.

Demo Highlights
We watched a full example:

Creating and signing an app with business rules.
Exporting the signed update set.
Importing to the protected instance.
Enabling code signing and verifying its validity.
Running validations using ServiceNow’s built-in APIs.

Bonus Features

Integration with Flow Designer, JDBC, REST Messages, and Integration Hub.
Standalone Signing Tool for orgs with strict key management policies.
Compatibility with GitHub workflows via signed update sets.

Getting Started
Code Signing is part of the ServiceNow Vault suite—a premium set of platform security tools including data anonymization, encryption, and zero trust access controls.

If you're entitled to ServiceNow Vault, just head to the plugin manager to install the Code Signing Enterprise Plugin and start experimenting in your dev environment.

🔐 Take your platform security to the next level—with confidence.

Paul Curwen

Great session, but couple of queries:

1. Are Store Apps code signed by default? Without this, are they not a risk in Production completely by-passing the customers efforts to only promote signed code into Production?

2. Can any object be code signed as part of an update set - thinking Script Includes, Client Script, Business Rules, Ui Policies, Flows etc etc? Are there any exceptions to this?

3. If you have Code Signing in place I presume that if an urgent issue was found in Production then a direct hot fix (yes I know not best practice but in extreme circumstances) would not be doable and a full-stack deployment would have to be followed

I cannot find any answers to the above in DOCS

sandeepkoma

Please find the answers below

1) Store apps are not code signed by default. Only a very small number [around 30] store apps contain signatures by default as of Zurich. Customer needs to generate signature by manually running the script provided by SN.

2. Only records from tables that have signature configuration can be signed. We support around 40 tables OOB in Zurich.

3. Not required. From Australia release onward family releases/patches/hfixes will contain signatures for records at family layer. For store apps, customer will need to generate signatures.

Platform Academy - July 15th, 2025 - Code Signing

Ask the Experts: UI Builder

Platform Academy: Unlocking the Power of Controller Building in UI Builder

Crafting Clarity: Customizing Now Assist Analytics