Signing an APP Package File

  • Article

Code signing is a common practice for many applications. It is the process of digitally signing a file to verify the author and that the file has not been tampered with since it was signed. The signature of the APP package file is verified during the publishing of the extension using the Publish-NAVApp cmdlet. For more technical information on signing, see Authenticode in the MSDN Library.

Note

If you want to publish an unsigned extension package in your on-premise environment, you need to explicitly state that by using the - SkipVerification parameter on the Publish-NAVApp cmdlet. An extension without a valid signature will not be published.

The signing of an APP package file must be performed on a computer that has Dynamics NAV 2018 or later (or the latest version of Dynamics 365 Business Central) installed. If you use a Docker image for your development environment, that environment will meet this requirement. You must also have the certificate that will be used for signing on the computer. The certificate must include code signing as the intended purpose. It is recommended that you use a certificate purchased from a third-party certificate authority.

Important

If you publish the extension as an app on AppSource, the APP package file must be signed using a certificate from a Certification Authority that has its root certificates in Microsoft Windows.

Steps for signing your .app file

  1. Prepare your computer for signing.
  2. Make sure that you sign the .app file on a computer that has Dynamics NAV 2018 or later (or the latest version of Dynamics 365 Business Central) installed.
  3. Copy the certificate that you purchased from a third-party certificate authority to a folder on the computer. Optionally, create your own certificate for local test or development purposes using the Self-signed certificate information. The file path for the sample command is C:\Certificates\MyCert.pfx.
  4. Install a signing tool such as SignTool or SignCode to the computer. The sample command will use SignTool.
  5. Copy your extensions .app file to the computer if it is not already on the computer. The file path for the sample command is C:\NAV\Proseware.app.
  6. Run the command to sign the .app file.
  7. The following example signs the Proseware.app file with a time stamp using the certificate in the password-protected MyCert.pfx file. The command is run on the computer that was prepared for the signing. Once the command has been run, the Proseware.app file has been modified with a signature. This file is then used when publishing the extension.
SignTool sign /f C:\Certificates\MyCert.pfx /p MyPassword /t https://timestamp.verisign.com/scripts/timestamp.dll “C:\NAV\Proseware.app”

Important

It is recommended to use a time stamp when signing the APP package file. A time stamp allows the signature to be verifiable even after the certificate used for the signature has expired. For more information, see Time Stamping Authenticode Signatures.

Self-signed certificate

For testing purposes and on-premise deployments, it is acceptable to create your own self-signed certificate using the New-SelfSignedCertificate cmdlet in PowerShell on Windows 10 or MakeCert.

The following example illustrates how to create a new self-signed certificate for code signing:

New-SelfSignedCertificate –Type CodeSigningCert –Subject “CN=ProsewareTest”

The following MakeCert command is used to create a new self-signed certificate for code signing:

Makecert –sk myNewKey –n “CN=Prosewaretest” –r –ss my

See Also

Getting Started with AL
Keyboard Shortcuts
AL Development Environment