How To Package and Sign a Spotfire Custom Mod Using an Internal CA Certificate

Article ID: KB0138425

Product: Spotfire Analyst
Versions: All

Description

Organizations that develop custom mods often need to deploy them securely within their internal environments. Spotfire requires all mods to be digitally signed to ensure authenticity and integrity.

Spotfire supports standard PKI certificate chains, including certificates issued by Intermediate CAs. However, proper trust configuration is required, especially in offline environments. Additionally, Spotfire enforces that the certificate used for signing must be an end-entity (leaf) code-signing certificate. 

Environment

All

Resolution

 

1. Prerequisites

Mod Assets

Prepare your mod manifest and source files according to the Spotfire Mod Development documentation.

Internal CA Certificate

Obtain a code-signing certificate (.pfx) from your internal CA.

  • The certificate can be issued by an Intermediate CA (this is standard and supported).
  • The certificate used for signing must be a leaf/end-entity code-signing certificate.

⚠️ Self-signed certificates created in Spotfire Analyst are intended for local testing only and are not recommended for production deployments.

Spotfire Developer SDK

Download the Spotfire Developer SDK to access Spotfire.Dxp.PackageBuilder-Console.exe.

The SDK file (SPOT_sfire_dev_x.x.x_.zip) is available from the Spotfire Download site.


2. Sign the Mod Package

Open a command prompt in the Package Builder directory and execute the following command:

Spotfire.Dxp.PackageBuilder-Console.exe ^
/targettype:mod ^
/mod-manifest:"[Path_to_manifest.json]" ^
/target:"[Output_Path\mod_name.mod]" ^
/cert:"[Path_to_certificate.pfx]" ^
/password:"[Your_Password]"
 

Parameter Descriptions

  • /targettype:mod
    Specifies the creation of a Spotfire mod package.
  • /mod-manifest
    Points to the source mod-manifest.json file.
  • /target
    Specifies the destination path for the signed .mod file used for deployment.
  • /cert and /password
    Specify the path and credentials for the internal code-signing certificate.

After packaging, the .mod file already contains the digital signature, including:

  • The public certificate
  • The cryptographic signature generated using the private key

Validation does not require the private key after signing. The .pfx file is not required during runtime.


3. Extract the Leaf Code-Signing Certificate (.cer)

  1. Open the .mod file in Spotfire Analyst.
  2. Navigate to File → Manage Trust.
  3. Click Trust signer.
  4. Locate the mod and click the pen icon under Signer.
  5. Select Download certificate.

This extracts the public portion of the code-signing certificate (.cer) that was used to sign the mod. The .cer file contains only the public certificate and does not include the private key.

You can also download the .cer file from the My Account page on the server, which opens when you click View all trusted signers. On that page, users with trust permissions can:

  • View trusted signers and trusted items
  • Download certificates
  • Remove previously assigned trust decisions

4. Configure the Trust Chain

To ensure Spotfire can validate the complete certificate chain (Root CA → Intermediate CA → Code-Signing Certificate), all certificates must be deployed to the appropriate trust stores.

Required Trust Store Locations

  • Root CA certificates → Trusted Root Certification Authorities
  • Intermediate CA certificates → Intermediate Certification Authorities

Ensure these certificates are available on:

  • Spotfire Server
  • Node Managers
  • Client machines (Analyst and Web Player)
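
One way to script the store deployment above on a Windows host and confirm the result, added here as an example and not taken from Spotfire documentation. It imports the CA certificates into the two stores, then checks that the signer certificate downloaded in step 3 is an end-entity code-signing certificate whose chain builds from the local stores. The file paths are assumptions, and skipping revocation is an assumption made for offline hosts.

```powershell
using namespace System.Security.Cryptography.X509Certificates

# Assumed file names; run elevated on each Spotfire Server, Node Manager and client.
$rootCa    = 'C:\certs\internal-root-ca.cer'     # Root CA certificate
$issuingCa = 'C:\certs\internal-issuing-ca.cer'  # Intermediate CA certificate
$leafCer   = 'C:\certs\mod-signer.cer'           # .cer downloaded in step 3

# Store mapping: Root = Trusted Root Certification Authorities,
#                CA   = Intermediate Certification Authorities.
Import-Certificate -FilePath $rootCa    -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
Import-Certificate -FilePath $issuingCa -CertStoreLocation Cert:\LocalMachine\CA   | Out-Null

$leaf = [X509Certificate2]::new($leafCer)

# End-entity check: Basic Constraints must not flag the certificate as a CA.
$bc   = $leaf.Extensions | Where-Object { $_ -is [X509BasicConstraintsExtension] }
$isCa = [bool]($bc -and $bc.CertificateAuthority)

# Code-signing check: Enhanced Key Usage must list OID 1.3.6.1.5.5.7.3.3.
$codeSigning = '1.3.6.1.5.5.7.3.3'
$eku    = $leaf.Extensions | Where-Object { $_ -is [X509EnhancedKeyUsageExtension] }
$hasEku = [bool]($eku -and ($eku.EnhancedKeyUsages.Value -contains $codeSigning))

# Build leaf -> Intermediate -> Root from the local stores. Revocation is skipped
# (assumption for offline hosts) so the result reflects trust store contents,
# not CRL/OCSP reachability.
$chain = [X509Chain]::new()
$chain.ChainPolicy.RevocationMode = [X509RevocationMode]::NoCheck
$chain.ChainPolicy.ApplicationPolicy.Add([System.Security.Cryptography.Oid]::new($codeSigning)) | Out-Null
$chainOk = $chain.Build($leaf)

[pscustomobject]@{
    Subject        = $leaf.Subject
    Issuer         = $leaf.Issuer
    SelfSigned     = $leaf.Subject -eq $leaf.Issuer   # self-signed is for local testing only
    IsCA           = $isCa                            # must be False for a leaf
    HasCodeSigning = $hasEku                          # must be True
    HasPrivateKey  = $leaf.HasPrivateKey              # a .cer carries no private key
    NotAfter       = $leaf.NotAfter
    ChainBuilt     = $chainOk
    ChainElements  = ($chain.ChainElements | ForEach-Object { $_.Certificate.Subject }) -join ' <- '
    ChainErrors    = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
}
```

A ChainErrors value of UntrustedRoot or PartialChain means the Root CA or Intermediate CA certificate is missing from its store on that machine.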

5. Authorize Trusted Signers

To automatically trust mods for end users, an administrator should add the signer certificate to the appropriate Spotfire group.

  1. Log in to the Spotfire Web Administration page.
  2. Navigate to Groups and select the target group.
  3. Open the Trusted Signers tab.
  4. Add the imported signer certificate (.cer).

Mods signed with this certificate will now be automatically trusted for all users in that group.


6. Finalize Configuration

Restart the following services to ensure all trust configurations are applied globally:

  • Spotfire Server
  • Spotfire Node Manager services

Once restarted, signed mods should validate successfully across the environment.

Issue/Introduction

This article explains how to package and digitally sign Spotfire custom visualization mods using an internal Certificate Authority (CA). It also clarifies the trust-chain requirements when using an internal Public Key Infrastructure (PKI).

Additional Information

Doc: Trusting Custom Content in Spotfire

KB: How to Ensure Mod Trust Certificates are Valid

Doc: Signing a Visualization Mod using Package Builder

Doc: Exporting Code‑Signing Root Certificates

Doc: Importing Code‑Signing Certificates

Doc: Adding Trusted Signers to a Group

Community: Troubleshooting Certificate Verification Issues

Community: Spotfire Mods – Working with Trust and Certificates