Self-Sign Your Application

If it is not possible for you to send your application to GE Digital for cryptographic signing, you can obtain your own keys to self-sign the application.

Note: Self-signing production applications is not recommended for the following reasons:
  • All third-party signed keys are allowed when allow-third-party-apps is enabled. No mechanism exists to limit signed application verification to any particular third-party key. This allows Company A applications signed with a Company A key to pass verification in Company B’s environment, if Company B enables allow-third-party-apps.
  • Third-party applications are not subject to the same security verification and rigor that current GE Digital-signed Edge applications undergo when submitted to the current GE Digital application signing process.

Before you begin

To obtain your own signing keys, download the signing utility from https://github.build.ge.com/EdgeSecurity/edge-app-tools and run it as follows:
git clone https://github.build.ge.com/EdgeSecurity/edge-app-tools.git
cd edge-app-tools
chmod a+x ./signing-util
./signing-util gen_key -n my_dev_key
This will create two files:
  • my_dev_key
  • my_dev_key.pub
It is imperative that my_dev_key be kept secret and not be shared outside your organization. The file my_dev_key.pub should be sent to [email protected]. The signing utility can be used to generate the requisite information to be sent via e-mail:
./signing-util key_info -n my_dev_key
To request a signature for this key, please e-mail the following information to [email protected]

Key Owner: PLEASE INSERT YOUR NAME AND EMAIL ADDRESS HERE
Key Name: my_dev_key
Key Hash: 165a6e50b0c733aa9314fa154fe5f06f95342aad95c284ce7ccc90123f32a310218fb6d3349d347be5bc6a045e61cd735d2cbedbc858b75d1750781a84b7bc38

-----BEGIN PUBLIC KEY-----
MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE5evAX2M4xplIhv0jKtnP8miqC3qxGzYC
WxO1BpEA/PDfhxrexbVE6en2+u5jfUTIUfx46b0qTCeBqd6XhyTFEzPH64ti3AfG
F/RgBI0qMLAuX8tJcEjki4PF1rzkyesW
-----END PUBLIC KEY-----

Requests to [email protected] will be processed between 9 a.m. and 5 p.m. (Pacific Standard Time) and may take up to five business days to complete.

In response to your request, you will receive an e-mail with an attachment called my_dev_key.pub.sig. This signature file is required for signing applications and must be saved in the same location as my_dev_key.pub.

Now that you have obtained your own keys, you can sign your application.

Procedure

  1. Write your application's docker-compose.yml file.
  2. Run the validation utility: edge-app-compose -i docker-compose.yml
  3. Review the results and fix any validation errors.
  4. Sign the application: signing-util sign_app -p my_app.tgz -x my_app_signed.tgz -s /home/j/my_key -t
  5. Distribute my_app_signed.tgz to your customers.
  6. Inform your customers that they must set ‘allow-third-party-apps’ to ‘on’ via edge-manager in order to deploy the application.
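The steps above are easy to get out of order: the sign step fails if my_dev_key.pub.sig is not beside my_dev_key.pub, and the private key is only secret while its file permissions keep it that way. The script below is an added example, not part of the Predix Edge documentation or the edge-app-tools project. It checks the key set and the private key's mode before running the page's validation and signing commands, and assumes that signing-util and edge-app-compose are on PATH, that docker-compose.yml is in the current directory, and that the key files follow the naming convention gen_key produces.

```shell
#!/bin/sh
# Added example (not part of the Predix Edge documentation): pre-flight checks
# before calling signing-util, then the validation and sign steps themselves.
# Assumes KEY is the private key created by "signing-util gen_key" and that
# "$KEY.pub" and "$KEY.pub.sig" sit beside it, as the page requires.

# check_signing_key KEY
# Returns 0 when the private key, public key and GE signature file are all
# present and the private key is not readable by group or other users;
# prints each problem found and returns 1 otherwise.
check_signing_key() {
    key="$1"
    ok=0
    [ -f "$key" ]         || { echo "missing private key: $key"; ok=1; }
    [ -f "$key.pub" ]     || { echo "missing public key: $key.pub"; ok=1; }
    [ -f "$key.pub.sig" ] || { echo "missing signature file: $key.pub.sig (request it before signing)"; ok=1; }
    if [ -f "$key" ]; then
        # 'stat -c' is GNU coreutils; fall back to BSD/macOS 'stat -f'.
        mode=$(stat -c '%a' "$key" 2>/dev/null || stat -f '%Lp' "$key")
        case "$mode" in
            *00) ;;   # group and other have no access (600, 400, 700 ...)
            *) echo "private key $key is mode $mode; expected 600 or 400"; ok=1 ;;
        esac
    fi
    return $ok
}

# sign_edge_app APP_TGZ OUT_TGZ KEY
# Runs steps 2 and 4 of the procedure only after the key checks pass,
# and confirms that the signed archive was actually produced.
sign_edge_app() {
    app="$1"; out="$2"; key="$3"
    check_signing_key "$key" || return 1
    [ -f "$app" ] || { echo "missing application archive: $app"; return 1; }
    edge-app-compose -i docker-compose.yml || return 1
    signing-util sign_app -p "$app" -x "$out" -s "$key" -t || return 1
    [ -f "$out" ] || { echo "signing produced no $out"; return 1; }
    echo "signed application written to $out"
}

# Usage (after generating my_dev_key and receiving my_dev_key.pub.sig):
#   sign_edge_app my_app.tgz my_app_signed.tgz /home/j/my_dev_key
```

The permission check is the part worth keeping even if you drop the rest: a private key that is group- or world-readable on a shared build host undermines the note above about keeping my_dev_key inside your organization, and catching it before the sign step is cheaper than rotating the key afterwards.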

What to do next

By default, self-signed applications will not work on Predix Edge OS deployments. Customers must configure their Predix Edge device(s) to accept third-party signatures.