How to: Implement a Signing Policy by Setting a Registry Value

You can use an optional registry value to manage an organization's policy for loading signed or unsigned packages. If you use this registry value, you must create this registry value on each computer on which Integration Services packages will run and on which you want to enforce the policy. After the registry value has been set, Integration Services will check or verify the signatures before loading packages.

This procedure in this topic describes how to add the optional BlockedSignatureStates DWORD value to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\100\SSIS registry key. The data value in BlockedSignatureStates determines whether a package should be blocked if it has an untrusted signature, has an invalid signature, or is unsigned. With regard to the status of signatures used to sign packages, the BlockedSignatureStates registry value uses the following definitions:

  • A valid signature is one that can be read successfully.

  • An invalid signature is one for which the decrypted checksum (the one-way hash of the package code encrypted by a private key) does not match the decrypted checksum that is calculated as part of the process of loading Integration Services packages.

  • A trusted signature is one that is created by using a digital certificate signed by a Trusted Root Certification Authority. This setting does not require the signer to be found in the user's list of Trusted Publishers.

  • An untrusted signature is one that cannot be verified as issued by a Trusted Root Certification Authority, or a signature that is not current.

The following table lists the valid values of the DWORD data and their associated policy.




No administrative restriction.


Block invalid signatures.

This setting does not block unsigned packages.


Block invalid and untrusted signatures.

This setting does not block unsigned packages, but blocks self-generated signatures.


Block invalid and untrusted signatures and unsigned packages

This setting also blocks self-generated signatures.


The recommended setting for BlockedSignatureStates is 3. This setting provides the greatest protection against unsigned packages or signatures that are either not valid or untrusted. However, the recommended setting may not be appropriate in all circumstances. For more information about signing digital assets, see the topic, "Introduction to Code Signing," in the MSDN Library.

To implement a signing policy for packages

  1. On the Start menu, click Run.

  2. In the Run dialog box, type Regedit, and then click OK.

  3. Locate the registry key, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\100\SSIS.

  4. Right-click MSDTS, point to New, and then click DWORD Value.

  5. Update the name of the new value to BlockedSignatureStates.

  6. Right-click BlockedSignatureStates and click Modify.

  7. In the Edit DWORD Value dialog box, type the value 0, 1, 2, or 3.

  8. Click OK.

  9. On the File menu, click Exit.