Signing program objects

Any code that can run in a station, including program objects, program modules, provisioning robots, objects edited by the Batch Editor, and robots created by the Robot Editor must be signed so that each target station can verify that the code is trusted.

To sign code, you create a code-signing certificate in the Workbench User Key Store and sign it (or have it signed) using the private key of an intermediate or root CA certificate that resides in each station’s User Trust Store. Then, at the time you compile each program object, module and robot, you sign it with the code-signing certificate.

When the code runs in a platform/station, the system verifies that it is trusted by comparing the signature in the code with the trusted signature in the intermediate or root CA certificate in the station’s User Trust Store.

Additional features include signing a batch of code objects, signing the code contained in offline bogs, provisioning a job to install a code-signing certificate in the User Trust Store of multiple stations, signing legacy code when you recompile it, and signing code when migrating it from AX to N4.