Version: 8.1

Sign a Module

An Ignition module must be signed before it can be installed on a system that is not in developer mode.

Modules can be signed using either a real code signing certificate obtained from a Certificate Authority (CA) or a self-generated, self-signed certificate. Which kind of certificate you use to sign your module depends on the level of assurance you want to offer your end users. If you're building a module for internal use within your company, using a self-signed certificate may not be an issue. If you're selling a module to other users of Ignition, you should use a certificate obtained from a CA.

Signing Your Module

What you'll need:

  • Code signing certificate.
  • The full certificate chain, in the correct order, in p7b (PKCS7) format.
  • The IA module signing tool.

Alternative Module Signing Support

If you need alternative module signing options, we recommend first building your project with Gradle: the gradle-module-plugin in the ignition-module-tools repo (included on the Create a Module page) supports PKCS#12 and PKCS#11 keystores, as well as hardware keys, for module signing.

  • Refer to the signModule custom task (io.ia.sdk.modl) for PKCS#12 and PKCS#11 keystore guidance.
  • Refer to the SIGNING_VIA_HSM markdown file for general hardware key signing information, such as with a YubiKey.

Run the Signing Tool

Your certificate and its private key should be stored inside a Java keystore. You'll need this keystore file and the associated certificate chain to run the module signing tool. The certificate will be stored under an alias and be password protected.

Run the signing tool providing the following parameters:

java -jar module-signer.jar \
-keystore=<path-to-my-keystore>/keystore.jks \
-keystore-pwd=<password> \
-alias=<alias> \
-alias-pwd=<password> \
-chain=<pathToMyp7b>/cert.p7b \
-module-in=<path-to-my-module>/my-unsigned-module.modl \
-module-out=<path-to-my-module>/my-signed-module.modl
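
The chain file passed to -chain can be checked for ordering before the signer is run. The script below is an added example, not part of this page's original text or of the IA signing tool. It assumes that "correct order" means the signing certificate first with each certificate followed by its issuer, that openssl is installed, and the function and certificate names are hypothetical; it compares issuer and subject names only and does not verify signatures.

```shell
#!/bin/sh
# Added example, not part of the Ignition SDK or its signing tool.
# Assumption: "correct order" = signing certificate first, each certificate
# followed by its issuer. Names are compared; signatures are not verified.

# Reads an "openssl pkcs7 -print_certs -noout" listing on stdin.
# Returns 0 if the names chain in order, 1 at the first break, 2 if empty.
check_chain_order() {
    awk '
        function trim(s) { sub(/^[ \t]+/, "", s); return s }
        /^subject=/ { n++; subj[n] = trim(substr($0, 9)) }
        /^issuer=/  { iss[n] = trim(substr($0, 8)) }
        END {
            if (n == 0) { print "no certificates found"; exit 2 }
            for (i = 1; i < n; i++)
                if (iss[i] != subj[i + 1]) {
                    printf "cert %d is issued by \"%s\", but cert %d is \"%s\"\n", i, iss[i], i + 1, subj[i + 1]
                    exit 1
                }
            root = (iss[n] == subj[n]) ? "ends at a self-issued root" : "root not included"
            printf "%d certificate(s) chain in order, %s\n", n, root
        }'
}

# Lists the certificates in a .p7b file (PEM first, then DER) and checks them.
check_p7b() {
    { openssl pkcs7 -in "$1" -print_certs -noout 2>/dev/null ||
      openssl pkcs7 -inform DER -in "$1" -print_certs -noout; } | check_chain_order
}

# Constructed sample listing (hypothetical names), leaf -> intermediate -> root.
sample_listing() {
    cat <<'EOF'
subject=CN = Constructed Module Signer, O = Example Co
issuer=CN = Constructed Intermediate CA

subject=CN = Constructed Intermediate CA
issuer=CN = Constructed Root CA

subject=CN = Constructed Root CA
issuer=CN = Constructed Root CA
EOF
}

sample_listing | check_chain_order
```

To check a real file, call check_p7b with the same path that will be given to -chain.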