Turn off Code Signing

  • Release version: Washingtondc
  • Updated February 1, 2024
  • 2 minutes to read

    • Turn off Code Signing in your trusted non-production instance to identify the trusted instances linking to your production instance.

    Before you begin

    Roles required: security_admin, and either sn_kmf.crypto_manager or sn_kmf.admin

    About this task

    Code Signing jobs with signed update sets are used to turn on and off the Code Signing feature. There is no other method for this functionality. This process includes the following:
    • Create two Code Signing jobs in your trusted instance: one to turn on Code Signing and one to turn off Code Signing.
      Note:
      When turning off Code Signing, the system property is set to false, but the Code Signing trusted friends list is still available.
    • Put the Turn off Code Signing Property job into an update set.
    • Bring the job into production.
    • Use the job in production if the signature is verified to originate from a trusted instance.

    Procedure

    1. Navigate to All > System Definition > Scheduled Jobs.
    2. Search for "*Turn" in the name field.
      Important:
      Two jobs are listed in the table, Turn on Code Signing Property and Turn off Code Signing Property. Perform this procedure on each of these jobs.
    3. Select Turn off Code Signing Property.
      The Scheduled Script Execution form loads and contains information to turn off the Code Signing property. The jobs create update sets that contain the jobs and validated signatures through the Code Signing process.
    4. To execute the script immediately, sign the certificate, create the update set, and select Export signed job to production.
      You can also configure the script to run on a designated schedule.
    5. Navigate to System Update Sets > Local Update Sets.
    6. Open each of the Code Signing property update sets and select Export to XML.
    7. Log in to the production instance.
    8. Navigate to System Update Sets > Retrieved Update Sets.
    9. Select Import Update Set from XML and select the Code Signing property update set.
    10. Select Choose File and upload and commit the update sets.
    11. Select each of the update sets and select Execute Now.
    12. Navigate to KMF Signature Records > All and search for the KMF Signature Purpose of Circle of Trust.
      The trust relationship has moved the jobs over and when the jobs are used the signature verification process executes. If the jobs, signatures, and certificates are all part of the Circle of Trust, then Code Signing with Circle of Trust can be turned off.
    13. Navigate to System Properties > All.
    14. Search for com_snc_kmf_signature.validation.flag and ensure that the value is set to true.
    15. Verify that a new property com_snc_kmf_signature.validation.certificate is listed in the table.