Hi @Privateer,
I’m not sure if this is exactly what you are asking for, but Studio already gives you the possibility to sign every package you are publishing to Orchestrator:
Hi Pavel, correct, but here the developer has to think about it. We would like there to be a central setting that makes signing mandatory, so that it does not have to be done separately for each process.
Hey,
I don’t know if that’s what Ronny meant, but I think I’m seeing the same security back door
There isn’t a way to confirm that the packages are indeed signed with the proper certificate, on the server side - the orchestrator?
In your environment, you can decide what kind of packages will be available and from which feeds. Package signing is only one of many potential securities. You can for example create your own feed and force it to be used via Automation Ops and a set of rules by which you will secure your Studio etc.
Thank you, I checked the page, but that’s not answering my question.
My question is if there is an option to enforce the orchestrator to accept only packages signed by my own certificate.
I am not looking for another way to strengthen my package integrity; I’m asking if the way I described is valid and if I’m able to enforce it via the server configuration file?
I’m sorry, the wrong link was pasted by me. I wanted to paste this one:
Basically, there is no functionality in the orchestrator to restrict packages in the feed based on the signature. Enforcement of signature happens on the robot as the robot is the endpoint where every automation is being started.