Turn on Code Signing

Rversion finale: Australia

Mis à jour 12 mars 2026

2 minutes de lecture

Turn on Code Signing in your trusted non-production instance to identify the trusted instances linking to your production instance.

Avant de commencer

Roles required: security_admin, and either sn_kmf.crypto_manager or sn_kmf.admin

As a customer administrator, you can access and install the Code Signing [com.glide.code_signing_enterprise] plugin from the ServiceNow Plugin portal. To learn more about the use cases of Code Signing, see Exploring Code Signing.

Pourquoi et quand exécuter cette tâche

Code Signing jobs with signed update sets are used to turn the Code Signing feature on or off. There’s no other method for this functionality. This process includes the following:

Create two Code Signing jobs in the trusted instance, one to turn on Code Signing and one to turn off Code Signing.
- The Turn On scheduled job starts the process of MID Server validation of signed code.
- The Turn Off scheduled job stops the MID Server validation of signed code.
By default, Code Signing applies to all MID servers. However, if you need to restrict Code Signing to a specific subset of MID servers, you can achieve this by using the ECC firewall.
Remarque :
When turning off Code Signing, the system property is marked to false, but the Code Signing trusted friends list is still available.
Put the Turn on Code Signing Property job into an update set.
Bring the job into production.
Use the Turn on Code Signing Property job in production if the signature is verified to originate from a trusted instance.

Procédure

In your trusted instance, navigate to All > System Definition > Scheduled Jobs.
Search for "*Turn" in the name field.
Select Turn on Code Signing Property.

The Scheduled Script Execution form load. This form contains information to enable the Code Signing property. The jobs create update sets that contain the jobs and validated signatures through the Code Signing process.
To execute the script immediately, sign the certificate, create the update set, and select Export signed job to production.
You can also configure the script to run on a designated schedule.
Navigate to System Update Sets > Local Update Sets.
Open each of the Code Signing property update sets and select Export to XML.
Log in to the production instance.
Navigate to System Update Sets > Retrieved Update Sets.
Select the Import Update Set from XML button, and select the Code Signing property update set.
Select Choose File and upload and commit the update sets.
Return to the scheduled jobs list by navigating to All > System Definition > Scheduled Jobs.
Open the Turn on Code Signing Property job record.
Select the Prerequisite Check button at the top of the form.
Select the Execute Now button after the prerequisite check is complete.
The Turn on Code Signing Property scheduled job starts the process of MID Server validation of signed code.
In the navigator, enter sn_kmf_record_signature.list to open the KMF Signature Records list, and filter for records where the KMF Signature Purpose is Circle of Trust.
The trust relationship has moved the jobs over and when the jobs are used the signature verification process executes. If the jobs, signatures, and certificates are all part of the Circle of Trust, then Code Signing with Circle of Trust can be turned on.
In the navigator, enter sys_properties.list to open the system properties list.
Search for com_snc_kmf_signature.validation.flag and ensure that the value is set to true.
Verify that a new property com_snc_kmf_signature.validation.certificate is listed in the table.

Figure 1. System Properties

Use the Circle of Trust job in production to verify the trust relationship. No direct job can be executed in production that attempts to sign code. See Configuring Code Signing for details on configuration options.