Signing Packages with Certificates

A SQL Server 2005 Integration Services (SSIS) package can be signed with a certificate and configured to require the runtime to check the signature before loading the package. The properties of the package, CheckSignatureOnLoad and CertificateObject, indicate whether a certificate must be checked, and specify the certificate that was used to sign the package. The certificate used to sign the package must be enabled for code signing.

Integration Services provides a registry value that you can use to manage an organization's policy for loading signed and unsigned packages. The registry value can also manage untrusted signatures of signed packages. With regard to the status of signatures used to sign packages, the BlockedSignatureStates registry value uses the following definitions:

  • A valid signature is one that can be read successfully.
  • An invalid signature is one for which the decrypted checksum (the one-way hash of the package code encrypted by a private key) does not match the decrypted checksum that is calculated as part of the process of loading Integration Services packages.
  • A trusted signature is one that is created by using a digital certificate signed by a Trusted Root Certification Authority. This setting does not require the signer to be found in the user's list of Trusted Publishers.
  • An untrusted signature is one that cannot be verified as issued by a Trusted Root Certification Authority, or a signature that is not current.

To use the registry value to prevent packages from loading if the packages are unsigned, or have invalid or untrusted signatures, you must add the BlockedSignatureStates DWORD value to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSDTS registry key and specify the value 0, 1, 2, or 3.

The following table lists the valid values of the DWORD data and their associated policies.

Value Description


No administrative restriction.


Block invalid signatures.

This setting does not block unsigned packages.


Block invalid and untrusted signatures.

This setting does not block unsigned packages, but blocks self-generated signatures.


Block invalid and untrusted signatures and unsigned packages.

This setting also blocks self-generated signatures.

If the type of the BlockedSignatureStates registry value is DWORD, and the registry value is not 0, 1, 2, or 3, Integration Services treats the registry value as if it were 3. If BlockedSignatureStates is not set to DWORD, Integration Services treats the registry value as if it were DWORD with the value 0.


The recommended setting for BlockedSignatureStates is 3. This setting provides the greatest protection against unsigned packages or signatures that are either not valid or untrusted. However, the recommended setting may not be appropriate in all circumstances. For more information about how to sign digital assets, see the topic, "Introduction to Code Signing," in the MSDN Library.

To sign a package

See Also


Integration Services Packages
Security Considerations for Integration Services

Help and Information

Getting SQL Server 2005 Assistance

Change History

Release History

12 December 2006

New content:
  • Added recommendation for the BlockedSignatureStates registry value.
  • Added link to more information about signing.

14 April 2006

New content:
  • Added information about the BlockedSignatureStates registry value.
  • Added link to How-to topic with procedure for implementing BlockedSignatureStates.