How to Sign Custom Extensions Using Spotfire Package Builder

Article ID: KB0070043


Products: Spotfire Developer
Versions: All

Description

Spotfire users may encounter challenges when signing custom extensions due to evolving security practices and the complexities of Spotfire Package Builder's code-signing capabilities. Code-signing certificates are essential for Spotfire extensions to ensure their security and integrity. Signing confirms the extension's authenticity and ensures it has not been tampered with, establishing trust within the Spotfire environment.

Choosing the Right Certificate

The type of certificate required depends on your role:

  1. Individual Code-Signing Certificate: Best for individual developers or freelancers who are signing their own software.
  2. Organization Code-Signing Certificate: Suitable for companies or organizations. This type adds an additional layer of trust by verifying the organization’s identity.


Steps to Sign a Custom Extension
1. Collect all extension files (DLLs, configuration files, etc.). Extension assemblies must be signed with a strong name using a strong name key file (.snk).
2. Open the Spotfire Package Builder tool.
3. Start a new package in Spotfire Package Builder.
4. Add the compiled assemblies, configuration files, and other necessary resources.
5. Sign the custom extension.

  • Package Builder User Interface: The Package Builder UI supports .pfx files for code-signing. Note: As of June 2023, .pfx files are considered insecure because the file itself carries the private key, which can then be copied or leaked. While .pfx files are still technically supported, their use is strongly discouraged.
  • Package Builder Console: For enhanced security, use the Package Builder Console. There are two options:
    • Install the certificate in the certificate store: Install the code-signing certificate directly into the certificate store on your build machine. Use the Spotfire Package Builder console with the "/localcert" parameter to reference the certificate.
    • Use a code-signing service: Opt for a code-signing service (e.g., DigiCert) that securely manages the private key, providing a more secure method for code-signing.

6. The Spotfire Package Builder will compile your signed package.
7. Deploy the signed package to your Spotfire environment via the Spotfire Deployment Area (Admin web page) or using the Package Builder.

Additional Considerations
Timestamping: It is strongly recommended to use a trusted timestamping authority to record the signing time. This ensures that the package remains valid even if the signing certificate expires, by proving the certificate was valid at the time of signing.

  • For the Package Builder User Interface, you will use the "Timestamp Library URL" field.
  • For the Package Builder console, the "/timestamp" parameter is used.

Certificate Expiration: A timestamped and signed package will remain valid even if the certificate expires. However, an unsigned or non-timestamped package may become invalid if the certificate expires.
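The console route from step 5 and the timestamping check above, put together as an added PowerShell build step. This script is an example written for this article, not code from Spotfire or the Package Builder documentation. Only the "/localcert" and "/timestamp" parameters come from the article; the console executable name and path, the assembly and output directories, the sn.exe path, the timestamp URL, the form of the /localcert argument (shown as the certificate thumbprint) and the remaining package arguments are assumptions or placeholders to fill in from the console parameter reference.

```powershell
$ErrorActionPreference = 'Stop'

# --- Settings (all assumed or placeholders; adjust to your build machine) ---
$AssemblyDir    = 'C:\build\MyExtension\bin\Release'          # where the extension DLLs are (assumed)
$OutputDir      = 'C:\build\MyExtension\package'               # where the console writes signed output (assumed)
$PackageBuilder = 'C:\Spotfire\SDK\PackageBuilderConsole.exe'  # placeholder executable name and path
$TimestampUrl   = 'http://timestamp.example.invalid'           # placeholder: URL of your trusted timestamping authority
$SnExe          = "${env:ProgramFiles(x86)}\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools\sn.exe"  # assumed SDK path
$PackageArgs    = @()   # placeholder: manifest, input files, output location, per the console parameter reference

function Test-StrongName {
    # Returns $true when sn.exe can verify the assembly's strong-name signature (step 1).
    param([string]$Path)
    & $SnExe -q -vf $Path | Out-Null
    return ($LASTEXITCODE -eq 0)
}

function Get-BuildSigningCert {
    # Picks the longest-lived usable code-signing certificate from the user's store,
    # i.e. the "install the certificate in the certificate store" option, so no .pfx
    # file ever sits on disk.
    Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
        Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
        Sort-Object NotAfter -Descending |
        Select-Object -First 1
}

function Test-SignedAndTimestamped {
    # Returns $true only if the file has a valid Authenticode signature AND a timestamp
    # countersignature. The timestamp is what keeps Status 'Valid' after the signing
    # certificate's NotAfter date has passed.
    param([string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    return ($sig.Status -eq 'Valid' -and $null -ne $sig.TimeStamperCertificate)
}

# Step 1: every assembly must carry a strong name before it goes into the package.
foreach ($dll in Get-ChildItem -Path $AssemblyDir -Filter *.dll) {
    if (-not (Test-StrongName $dll.FullName)) {
        throw "Not strong-name signed; rebuild with the project's .snk: $($dll.FullName)"
    }
}

# Step 2: take the certificate from the store, never from a .pfx on disk.
$cert = Get-BuildSigningCert
if (-not $cert) { throw 'No usable code-signing certificate in Cert:\CurrentUser\My' }
Write-Host "Signing with $($cert.Subject) (thumbprint $($cert.Thumbprint), expires $($cert.NotAfter))"

# Step 3: sign through the Package Builder console with /localcert and /timestamp.
# Assumption: /localcert takes the thumbprint and /timestamp the TSA URL; confirm the
# exact argument syntax in the console parameter reference.
& $PackageBuilder /localcert $cert.Thumbprint /timestamp $TimestampUrl @PackageArgs
if ($LASTEXITCODE -ne 0) { throw "Package Builder console exited with code $LASTEXITCODE" }

# Step 4: refuse to deploy anything that is unsigned or not timestamped.
$bad = Get-ChildItem -Path $OutputDir -Recurse -Filter *.dll |
       Where-Object { -not (Test-SignedAndTimestamped $_.FullName) }
if ($bad) { throw "Unsigned or non-timestamped assemblies:`n$($bad.FullName -join "`n")" }
Write-Host "All assemblies are signed and timestamped; ready to deploy from $OutputDir"
```

Run it as the build account on the machine where the certificate is installed. Step 4 is the check worth keeping even if you sign through the UI: Get-AuthenticodeSignature reports a missing timestamp as a null TimeStamperCertificate, which is exactly the package that will stop validating once the certificate expires.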

CSG does not provide certificates: Cloud Software Group (CSG) does not issue code-signing certificates. It is the developer’s responsibility to obtain and manage their own certificate to establish authenticity and trust.

Issue/Introduction

This guide offers a step-by-step approach for signing custom extensions and addresses common concerns.

Additional Information

Doc: Extensions

Doc: Spotfire Package Builder

Doc: Package Builder console parameter reference