Verifying artifact signature on Remote Engines
Talend Studio signs Jobs before they are deployed to Talend Management Console using Java Jar signing (Signed JAR File). You can enable Job signature verification on Remote Engines.
You can use a default signing key bundled with Talend Studio or your custom signing key for this verification.
The META-INF folder of the zip file contains a .SF file with the SHA-256 digests of every file contained in the zip, as well as the digest of the manifest itself. The signing key is bundled with Talend Studio; it signs the .SF file, and the resulting signature is written to a .RSA file in META-INF. The signature algorithm used is RSA-SHA256.
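An added example, not Talend code: a Python check of the digest chain in a signed zip, comparing each entry's SHA-256-Digest in META-INF/MANIFEST.MF with the file content and the .SF file's SHA-256-Digest-Manifest with the manifest. The function names and the sample archive are constructed for illustration; the RSA signature in the .RSA file is not verified here (jarsigner -verify does that).

```python
import base64, hashlib, io, zipfile

def b64sha256(data):
    return base64.b64encode(hashlib.sha256(data).digest()).decode()

def parse_sections(text):
    """Split manifest-style text into a list of {attribute: value} sections."""
    # Normalise line ends, then unfold continuation lines (they start with a space).
    text = text.replace("\r\n", "\n").replace("\n ", "")
    return [dict(l.split(": ", 1) for l in block.split("\n") if ": " in l)
            for block in text.strip().split("\n\n")]

def check_digests(jar_bytes):
    """Return digest problems found in a signed zip/JAR; an empty list means consistent."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = zf.namelist()
        manifest = zf.read("META-INF/MANIFEST.MF")
        sf_names = [n for n in names if n.startswith("META-INF/") and n.endswith(".SF")]
        if not sf_names or not any(n.endswith(".RSA") for n in names):
            problems.append("missing .SF or .RSA file in META-INF")
        for sf in sf_names:  # the .SF main section carries the digest of the whole manifest
            main = parse_sections(zf.read(sf).decode())[0]
            if main.get("SHA-256-Digest-Manifest") != b64sha256(manifest):
                problems.append(f"{sf}: manifest digest mismatch")
        listed = {s["Name"]: s.get("SHA-256-Digest")
                  for s in parse_sections(manifest.decode())[1:] if "Name" in s}
        for name in names:
            if name.startswith("META-INF/") or name.endswith("/"):
                continue  # signature metadata and directory entries carry no digest
            if name not in listed:
                problems.append(f"{name}: not covered by manifest")
            elif listed[name] != b64sha256(zf.read(name)):
                problems.append(f"{name}: content digest mismatch")
    return problems

def build_sample(files, extra=None):
    """Constructed sample: a small zip laid out like a signed JAR (placeholder .RSA)."""
    manifest = "Manifest-Version: 1.0\r\n\r\n" + "".join(
        f"Name: {n}\r\nSHA-256-Digest: {b64sha256(d)}\r\n\r\n" for n, d in files.items())
    sf = f"Signature-Version: 1.0\r\nSHA-256-Digest-Manifest: {b64sha256(manifest.encode())}\r\n\r\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        zf.writestr("META-INF/SAMPLE.SF", sf)
        zf.writestr("META-INF/SAMPLE.RSA", b"placeholder, not a real signature")
        for n, d in {**files, **(extra or {})}.items():  # extra = content changed after signing
            zf.writestr(n, d)
    return buf.getvalue()
```

Calling check_digests on the bytes of an archive returns an empty list when every entry matches its recorded digest, and names the entries that were changed or added after signing otherwise.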
Verifying artifact signature with a custom signing key
Enable Remote Engines to use your own signing keys to verify artifact signatures.
If you configure the engine to use a custom signing key, the Talend-provided keys are not used.
Before you begin
- You must have set up your custom signing key on the Talend Studio side for artifact signature verification. For further information, see Configuring custom Java KeyStore for Job artifact signature.
- Your Remote Engine must be v2.12.0 or later.
- Your Talend Studio version must be R2022-06 or later.
- Only one KeyStore is allowed across a Remote Engine cluster.
- Only one KeyStore is allowed for the Remote Engines assigned to the source and the target environments of a promotion.
Procedure
Verifying artifact signature with a default signing key
Enable Remote Engines to use default signing keys to verify artifact signatures.
If you have configured the engine to use your custom signing keys, ignore this section.
Procedure
- If your engine is v2.12.0 or later, run this Karaf command:
feature:uninstall talend-job-server-signature-verifier-disabler
This command uninstalls the Karaf talend-job-server-signature-verifier-disabler feature to enable Job signature validation.
- If you are using an older engine version, in the <RemoteEngineInstallationDirectory>/etc/org.talend.ipaas.rt.jobserver.client.cfg file, set the job.signature.verifying parameter to true and save the file.