How to self-sign a module for Niagara 4.9

For security reasons from Niagara 4.9 you must use only signed modules, please read the following article for more details.

 

To find out what modules are not signed and cannot be installed on controllers you will need to go to Tools - Module Info. In this view, you can see all the info about the modules that the Workbench has access to.

Module Info 1

In this example, we have the ismaMosules-rt module that is not signed. If you double click on that module you can see more details.

Module Info 2

 

Step 1.

Create a certificate that will be used to sign the Jar file.

Open the Workbench Certificate Manager from Tools and press "New" to create a new certificate. You will need to fill the fields for Alias, Common Name, Organization, Country code and The certificate usage, this needs to be Code Signing. Please see the example below. 

Cert for signing

The next screen will ask you to enter the certificate password.

 

Step 2.

Open the Jar Signer Tool which is found in Tools menu. In this tool you will need to choose the jar file, the certificate to sign the jar file and enter the password for the certificate.

Jar Signer 1Jar Signer 2

 

Step 3.

Save the sign module. Remember that the Workbench will identify all the modules that are in the Modules folder.

Jar Signer 3

 

Step 4.

Export the certificate made at Step 1 and import it to the User Trust Store, within the Workbench Certificate Manager available from Tools on the top menu. Only if the certificate is added to the User Trust Store the modules will be recognized as signed with success.

Export CertImport Cert in UTS

 

Step 5.

Verify that the module appears as signed in the Module Info screen

Signed Jar

IMPORTANT: the same certificate needs to be added in the section "Platform - User Trust Store" of every host (controller, supervisor and even your own local host) where you plan to install and use the modules that were signed with it so that they can be recognized and run.

 

NOTE: The ismaModules Jar files are now signed by the manufacturer and you can find them HERE.