4.9 Jar signing??

[Right Control]

What's everyone think about this moving forward? I see there is a signing tool in 4.9, but also hear in 4.10 no self signed jars will be allowed. My head spins with all the jobs I've done with the Vykon Jars, AX community, and others. This seems like a massive pain in the a**. I'm not a certificate expert, is this that important that individual jars are signed? What is the push for this? Is it the IT world pushing security, and our device on their network needs to conform? What is the thought in 4.10 if we want to use the AX community jars? I understand they won't be providing signed jars. Companies with have to get a CA to sign these things? What is the most useable thing moving forward? Let's go back to AX please! LOL

[yorkisn]

It seems like a real PITA, the AX community module is in everthing I use. I have no idea how to compile these things either. There must ne someone on here from tridium that can help

[klrogers]

Various sites have some information on signing modules, try this for a starting poit:
https://know.innon.com/how-to-self-s...or-niagara-4.9

[yorkisn]

yup, did this but still get alarms in application director because they are still self signed...

[orion242]

This seems like a massive pain in the a**.

Its really only a hassle for AX com and any custom program objects. Most everything else will be signed by the developers assuming its maintained.

What is the push for this?

Boiled down, its to try and make sure no malware is running on the station.

Companies with have to get a CA to sign these things?

Yep. You need a legit code signing cert and run thought the tools they provided in WB to sign a module. That's another yearly fee and some minor verification.

Its not a huge headache, but it is a PITA. What boggles my mind is the AX community project wouldn't just do this since it is so popular. 4.10 sounds like you can drop it down to allow selfies yet, default will not. Its a matter of time and its just a fact of life.

[MaxBurn]

Perhaps an opportunity for someone to pull down AXcommunity, sign it and make that available for a fee? People are getting value for AXcommunity, I don't know why they wouldn't start charging for it. To me that says they really want it to go away. As a user I'd be concerned it would go away when there is no funding source, I'd think long and hard about including it in jobs because of that. How hard is it to pull that out of a station once you've used it somewhere? Is there even a way to find all the things referencing it?

yup, did this but still get alarms in application director because they are still self signed...

Did you do the last step?: Please note that the certificate needs to be added in the User Trust Strore of every controller in which you want to install the modules that were signed with it.
Also; Self signed isn't valid, even if you import that. Maybe it's just a self signed warning?

[Keith D]

Thought I would take this discussion over to the Niagara group but the posts are limited to 1000 characters, which this post exceeds.

I am soon to be undertaking a medium size upgrade to an AX 3.8 system.
The site has bought into a 5 year SMA on all Jaces and supervisor.

Now tell me if I have got this wrong, I have the axCommunity module used in a number of these AX Jaces and in the AX Supervisor, I can migrate them up to N4.9 (lets assume this went well)
I tell 4.9 to allow the use of self signed certificates and all should be ok I assume.
Now when 4.10 (or whatever flavour) of Niagara is next released and I upgrade my customers system, it will no longer function as it did before because the self signed modules are no longer allowed to run.
I have to explain to the customer that the 5 years they have paid for to keep the system current and up to date has broken their working system and now they need to pay (who exactly?) (and how much?) to
perform a signing exercise on these now errant modules just to keep their system up to date.

This is a bit of a hard one to swallow to be honest and I'd like to add this cost into the project at the start, so we can avoid this in the near future.
I know this isn't a pro forum and prices cant be discussed, but what's the ball park figure for this certificate signing by some sort of CA authority. And who do you contact to get it arranged?

Its not turning out to be the promised panacea of "just type n4mig xxxxxxxxxxxxxxx and out comes a ready to cook N4 station for you to install" is it really.
I'm off to read the documentation :-)

Keith

[yorkisn]

I feel your pain Keith. What flavor of N4 are you using? We are centraline and I see lots of their modules arn't signed yet (4.8). I'm sure there is a solution to this but I'm no programmer and don't understand the need for all this CA signing on a system that for the most part sits in a plant room turning on and off pumps etc. Too many people watching james bond and believing that you boiler can be compromised by a rouge agent LOL

[orion242]

Now when 4.10 (or whatever flavour) of Niagara is next released and I upgrade my customers system, it will no longer function as it did before because the self signed modules are no longer allowed to run.

By default, though they claim you can change it to allow selfies. How many versions past 4.10, probably none.

I have to explain to the customer that the 5 years they have paid for to keep the system current and up to date has broken their working system and now they need to pay (who exactly?) (and how much?) to
perform a signing exercise on these now errant modules just to keep their system up to date.

The more likely case would be your company gets a valid code signing cert, sign whatever you need once and use it for eternity or till you need updated modules and run through the process again.

Costs vary widely depending on the CA you go through. On the cheap end figure ~$100/yr to $500/yr from what I saw. EV certs are a good bit more and bigger hassle to get.

I know this isn't a pro forum and prices cant be discussed, but what's the ball park figure for this certificate signing by some sort of CA authority.

All their prices are public, so not sure why that would apply.

And who do you contact to get it arranged?

Digicert
comodo
Verisign
go daddy
etc, etc, etc

Just be aware its more than insert card number here and out pops a signed module.

1. You will need to create a CSR with the relevant fields filled out and send it in with your order.
2. They will take some amount of time to verify your company with state biz registrations, Dun & Bradstreet, BBB, etc. Prey that your info is correct there in every aspect and the dip$hits running the verification can figure out that a biz with the same/similar name in a totally different state, isn't the same as yours.
3. They will want to verify your phone # with a call back.
4. Wait a few days and you should have what you need to run trough the signing process in Niagara. Most likely will also have to convert the certs into whatever format Niagara wants, since Murphy says what you have won't the right format for Niagara.

[orion242]

https://comodosslstore.com/ssl-validation-process

Gonna fall under OV or EV for code singing depending on what you shoot for.

[Keith D]

Thank you Orion for that information. All very usefull.

[MaxBurn]

I'm having trouble understanding the necessity in these given implementations.

There's talk of this going on over in ALC land as well as addons require signing by default. At the moment that can still be turned off OR you can load a self signed cert in the server. The difference is there is no upstream validation in place yet. Does not matter if you have a valid public cert, it isn't going to interrogate the underlying root store. So right now all it certifies is you have server access so you can then load your addon through the front end web page because you've "proved" you have ownership of the server. The interesting part is there is talk of going a different direction and having ALC issue developer certs to dealers/branches directly. That cert could then be chained to the apps built in root store in the app and certify that you are an actual ALC developer. Then in theory there could be revocation, but they won't do that either as that requires callback to HQ which they are against even proposing.

• So in the niagara model all they are doing is raising the bar on creating malware. Any self respecting criminal can get a OV cert with a front company. Depending on the target and given the install base this may just be a cost of business, no big deal.
• The current (and even future) ALC model simply proves you can get server access. Proposed ALC developer chained cert is just a "convenience" as side loading won't be going away.

IMO this PITA isn't really raising the security of these platforms much. But if they change it a bit and not allow self signed, require developer certs, and have a revocation path, that's something that would be worthwhile.

[orion242]

Agree. It is a PITA that seems to have a marginal benefit. Most installs are simply not going to go through this hassle and just stop using unsigned crap when it comes down to that. Many don't upgrade now, this will likely increase that camp. This is going to be rather painful for some that have these sprinkled everywhere, including program objects. Not uncommon to take over a station and see someone decided to use a ton of these for little to no reason. I'm sure there are a wad of odd ball drivers that are no longer supported. So some customers might be choosing not to upgrade vs replacing a system just to upgrade the software.

Revocation is a problem in these systems. Some do not have a clear path to the internet and / or just don’t update their trust stores / revocation lists. That assumes they also actually check those lists if they have it. Can’t weed out bad actors if they have a valid cert that gets revoked. Even if you could, does the system then puke and stop when some dependent module stops processing? Nightmare without any good answers imo.

IMO selfies are worse than running without, especially when these end up in a PCs trust store. Now, you have the potential that any connection could be fake with little indication if that selfie cert gets misused.

Its nice its there if you need it. Most sites don’t and it would be nice to have the option of turning this crap off. Even with a legit cert, are you going to review the code in a thousand program objects during an upgrade, or just sign it all and move on?

[klrogers]

Signed axcommunity module for 4.9 available here:

https://niagaramodules.com/exchange/...mmunity-module

[MaxBurn]

That didn't take long.

So now this is the situation, assuming you trusted AX Community in the past you now have to additionally trust these niagaramodules guys, which of course require your email to get the file. Is it easy and or even possible to extract it and do a diff against the claimed source AXCommunity R243 file?

Trusting more people and lengthening the supply chain isn't a security improvement.

[orion242]

which of course require your email to get the file.

Prefect more $hitmail, just what I was looking for.

Is it easy and or even possible to extract it and do a diff against the claimed source AXCommunity R243 file?

Would think its possible but really haven't dove into how exactly signing works on a file. How much trust is there in something on github put together by a handful of random folks to start with?

[klrogers]

Prefect more $hitmail, just what I was looking for.

No verification on signup email

[orion242]

No verification on signup email

What link you clicking?

[MaxBurn]

They require the email to sign up but there is no follow through validation of the email so you can just make something up and as long as you don't need to reset you are all set.

[yorkisn]

It only signes xxx-rt not the other files...weird