Application Signing

To release an edge app in the production environment, you must first have the application package cryptographically signed.

By default, production Predix Edge-enabled devices reject any application that has not been signed by GE Digital. Updated applications must be re-signed prior to release.

GE Digital will sign any application that meets internal validation criteria designed to protect Predix Edge devices.
Note: Apps used with Predix Edge developer builds do not need to be signed.

Obtain a GE Signature For Your Application

To have your application signed, please e-mail [email protected] with the following information:
  • Application name.
  • Application version.
  • Author name.
  • Development Point of Contact E-Mail Address.
  • Development Point of Contact Telephone Number.
  • Attachment: Application tarball (or a link to download the application tarball).

If sending an application to GE Digital for cryptographic signing is not possible, see Self-Sign Your Application.

Validation and application signing are performed in Vancouver, BC, from 9 a.m. to 5 p.m. (Pacific Standard Time). Requests will be processed within one business day.

Responses will contain either a link to download the signed copy of your application, or a list of changes required to meet GE Digital’s internal validation criteria.

If you receive a link to download the signed copy of your application, no further action is required. The tarball provided at the link can be distributed to customers and deployed on production Predix Edge devices.

Self-Sign Your Application

If it is not possible for you to send your application to GE Digital for cryptographic signing, you can obtain your own keys to self-sign the application.

Note: Self-signing production applications is not recommended for the following reasons:
  • All third-party signed keys are accepted when allow-third-party-apps is enabled. No mechanism exists to limit signed application verification to any particular third-party key, so an application signed with Company A's key passes verification in Company B's environment if Company B enables allow-third-party-apps.
  • Third-party applications are not subject to the security verification and rigor that GE Digital-signed Edge applications undergo when submitted to the GE Digital application signing process.

Before You Begin

To obtain your own signing keys, download the signing utility from https://github.build.ge.com/EdgeSecurity/edge-app-tools and run it as follows:
git clone https://github.build.ge.com/EdgeSecurity/edge-app-tools.git
cd edge-app-tools
chmod a+x ./signing-util
./signing-util gen_key -n my_dev_key
This creates two files:
  • my_dev_key (the private key)
  • my_dev_key.pub (the public key)
It is imperative that my_dev_key be kept secret and never shared outside your organization. Send the file my_dev_key.pub to [email protected]. The signing utility generates the information to include in that e-mail:
./signing-util key_info -n my_dev_key
To request a signature for this key, please e-mail the following information to [email protected]

Key Owner: PLEASE INSERT YOUR NAME AND EMAIL ADDRESS HERE
Key Name: my_dev_key
Key Hash: 165a6e50b0c733aa9314fa154fe5f06f95342aad95c284ce7ccc90123f32a310218fb6d3349d347be5bc6a045e61cd735d2cbedbc858b75d1750781a84b7bc38

-----BEGIN PUBLIC KEY-----
MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE5evAX2M4xplIhv0jKtnP8miqC3qxGzYC
WxO1BpEA/PDfhxrexbVE6en2+u5jfUTIUfx46b0qTCeBqd6XhyTFEzPH64ti3AfG
F/RgBI0qMLAuX8tJcEjki4PF1rzkyesW
-----END PUBLIC KEY-----

Requests to [email protected] will be processed between 9 a.m. and 5 p.m. (Pacific Standard Time) and may take up to five business days to complete.

In response to your request, you will receive an e-mail with an attachment called my_dev_key.pub.sig. This signature file is required for signing applications and must be saved in the same location as my_dev_key.pub.

Now that you have obtained your own keys, you can sign your application.

Procedure

  1. Write your application's docker-compose.yml file.
  2. Run the validation utility: edge-app-compose -i docker-compose.yml
  3. Review the results and fix any validation errors.
  4. Sign the application package: signing-util sign_app -p my_app.tgz -x my_app_signed.tgz -s /home/j/my_key -t
  5. Distribute my_app_signed.tgz to your customers.
  6. Inform your customers that they must set ‘allow-third-party-apps’ to ‘on’ via edge-manager before they can deploy the application.

What To Do Next

By default, self-signed applications will not work on Predix Edge OS deployments. Customers must configure their Predix Edge device(s) to accept third-party signatures.
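The trust model this page describes, as an added, runnable illustration in Go (this is not code from Predix Edge, GE Digital or the edge-app-tools repository, and it does not reproduce the signing utility's file formats): a root key stands in for the GE Digital signing key, a developer key stands in for my_dev_key / my_dev_key.pub, the root's signature over the developer's public key stands in for my_dev_key.pub.sig, and DevicePolicy.Accept models what a production device decides. Assumptions: the P-384 curve is read off the key_info output above (its base64 begins with the P-384 SPKI prefix); "Key Hash" is modelled as SHA-512 over the .pub file, which matches the 128 hex digits shown but is otherwise a guess; all keys and tarballs are constructed; and PinnedKeyHashes is an illustrative hardening that Predix Edge does not offer (the page states no such limit exists). The names Signer, GenKey, KeyHash, SignedApp, DevicePolicy and Accept are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha512"
	"crypto/x509"
	"encoding/hex"
	"encoding/pem"
	"fmt"
)

// Signer is one key pair: priv stands in for my_dev_key, PubPEM for my_dev_key.pub.
type Signer struct{ priv *ecdsa.PrivateKey; PubPEM []byte }

// GenKey stands in for "signing-util gen_key"; P-384 is assumed from the page's key_info output.
func GenKey() *Signer {
	priv, err := ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
	if err != nil {
		panic(err) // only a broken system RNG gets here
	}
	der, _ := x509.MarshalPKIXPublicKey(&priv.PublicKey) // cannot fail for a fresh EC key
	return &Signer{priv, pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der})}
}

// KeyHash models the key_info "Key Hash" line as SHA-512 over the .pub file (the real input is an assumption).
func KeyHash(pubPEM []byte) string {
	sum := sha512.Sum512(pubPEM)
	return hex.EncodeToString(sum[:])
}

// Sign produces an ECDSA signature over the SHA-512 digest of a tarball or a .pub file.
func (s *Signer) Sign(data []byte) []byte {
	d := sha512.Sum512(data)
	sig, err := ecdsa.SignASN1(rand.Reader, s.priv, d[:])
	if err != nil {
		panic(err)
	}
	return sig
}

// Verify checks sig over data under a PEM-encoded EC public key; malformed input fails closed.
func Verify(pubPEM, data, sig []byte) bool {
	block, _ := pem.Decode(pubPEM)
	if block == nil {
		return false
	}
	pub, err := x509.ParsePKIXPublicKey(block.Bytes)
	ecPub, ok := pub.(*ecdsa.PublicKey)
	if err != nil || !ok {
		return false
	}
	d := sha512.Sum512(data)
	return ecdsa.VerifyASN1(ecPub, d[:], sig)
}

// SignedApp is what ships to a customer: tarball, signer's public key, the root's endorsement of that key (my_dev_key.pub.sig), signature over the tarball.
type SignedApp struct{ Tarball, DevPub, DevPubSig, AppSig []byte }

// DevicePolicy models the device-side verifier. PinnedKeyHashes is an added hardening idea, not a Predix Edge setting.
type DevicePolicy struct {
	RootPub             []byte
	AllowThirdPartyApps bool
	PinnedKeyHashes     []string
}

// Accept reports whether the device would deploy app under this policy.
func (p DevicePolicy) Accept(app SignedApp) bool {
	if !Verify(app.DevPub, app.Tarball, app.AppSig) {
		return false // tarball altered, or signed with a key other than the one shipped
	}
	if string(app.DevPub) == string(p.RootPub) {
		return true // signed directly by the root: the GE Digital path, no flag needed
	}
	if !p.AllowThirdPartyApps || !Verify(p.RootPub, app.DevPub, app.DevPubSig) {
		return false // third-party key with the flag off, or a key the root never endorsed
	}
	for _, pin := range p.PinnedKeyHashes {
		if pin == KeyHash(app.DevPub) {
			return true
		}
	}
	return len(p.PinnedKeyHashes) == 0 // no pin configured: any endorsed key passes, whoever owns it
}

func main() {
	root, a := GenKey(), GenKey() // constructed stand-ins for the GE root key and Company A's my_dev_key
	tar := []byte("constructed: Company A app tarball")
	app := SignedApp{tar, a.PubPEM, root.Sign(a.PubPEM), a.Sign(tar)}
	fmt.Println(DevicePolicy{RootPub: root.PubPEM}.Accept(app), DevicePolicy{root.PubPEM, true, nil}.Accept(app))
}
```

Run with go run; it prints "false true": the self-signed app is refused while allow-third-party-apps is off and deployed once it is on. The same on-device policy with PinnedKeyHashes set to Company B's key hash refuses Company A's app even with the flag on, which is the check the page says production devices currently lack; an altered tarball or a key the root never endorsed is refused under every policy.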