
Verifying artifact signature on Remote Engines

Talend Studio signs Jobs before they are deployed to Talend Management Console using Java Jar signing (Signed JAR File). You can enable Job signature verification on Remote Engines.

You can use a default signing key bundled with Talend Studio or your custom signing key for this verification.

The META-INF folder of the zip file contains a .SF file with the SHA-256 digests of every file contained in the zip, as well as the digest of the manifest itself. The signing key itself is bundled with Talend Studio. The key is used to sign the .SF file, and the resulting signature is written to a .RSA file in META-INF. The signature algorithm used is RSA-SHA256.
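The digest chain described above can be checked by hand, as in this added example (not Talend code, and not the Remote Engine's verifier). It assumes the standard signed-JAR layout, in which per-file digests sit in META-INF/MANIFEST.MF and the .SF file carries the manifest digest; the sample archive, the SAMPLE.SF name and the function names are constructed for illustration.

```python
import base64, hashlib, io, zipfile

def b64sha256(data: bytes) -> str:
    return base64.b64encode(hashlib.sha256(data).digest()).decode()

def parse_sections(raw: bytes):
    """Split a manifest-style file into sections of {attribute: value}."""
    text = raw.decode("utf-8").replace("\r\n", "\n").replace("\n ", "")  # unfold continuation lines
    sections = []
    for block in text.split("\n\n"):
        attrs = dict(line.split(": ", 1) for line in block.split("\n") if ": " in line)
        if attrs:
            sections.append(attrs)
    return sections

def digest_problems(zf: zipfile.ZipFile, sf_name: str) -> list:
    """Return integrity problems; an empty list means all digests match."""
    manifest = zf.read("META-INF/MANIFEST.MF")
    problems = []
    sf_main = parse_sections(zf.read(sf_name))[0]
    if sf_main.get("SHA-256-Digest-Manifest") != b64sha256(manifest):
        problems.append("manifest digest in .SF does not match MANIFEST.MF")
    listed = set()
    for sec in parse_sections(manifest)[1:]:  # [0] is the main section
        name = sec.get("Name")
        listed.add(name)
        if name not in zf.namelist():
            problems.append(f"{name}: listed but missing")
        elif sec.get("SHA-256-Digest") != b64sha256(zf.read(name)):
            problems.append(f"{name}: digest mismatch")
    for name in zf.namelist():  # files added after signing have no digest entry
        if not name.startswith("META-INF/") and not name.endswith("/") and name not in listed:
            problems.append(f"{name}: not covered by any digest")
    return problems

def build_sample(files: dict, tamper: dict = None) -> zipfile.ZipFile:
    """Constructed sample archive (not a real Talend artifact)."""
    manifest = "Manifest-Version: 1.0\r\n\r\n" + "".join(
        f"Name: {n}\r\nSHA-256-Digest: {b64sha256(d)}\r\n\r\n" for n, d in files.items())
    sf = f"Signature-Version: 1.0\r\nSHA-256-Digest-Manifest: {b64sha256(manifest.encode())}\r\n\r\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", manifest)
        z.writestr("META-INF/SAMPLE.SF", sf)
        for n, d in {**files, **(tamper or {})}.items():  # tamper swaps or adds content after "signing"
            z.writestr(n, d)
    return zipfile.ZipFile(io.BytesIO(buf.getvalue()))
```

Matching digests only show internal consistency: anyone who modifies a file can recompute them, so the RSA signature over the .SF file is what ties the artifact to the signing key. The JDK's `jarsigner -verify` performs that full check.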

Verifying artifact signature with a custom signing key

Enable Remote Engines to use your own signing keys to verify artifact signatures.

If you configure the engine to use a custom signing key, the Talend-provided keys are not used.

Before you begin

  • You must have set up your custom signing key on the Talend Studio side for artifact signature verification.

    For further information, see Configuring custom Java KeyStore for Job artifact signature.

  • Your Remote Engine must be v2.12.0 or later.
  • Your Talend Studio version must be R2022-06 or later.
  • Only one KeyStore is allowed across a Remote Engine cluster.
  • Only one KeyStore is allowed for the Remote Engines assigned to the source and the target environments of a promotion.

Procedure

  1. If not done yet, run this KARAF command:
    feature:uninstall talend-job-server-signature-verifier-disabler

    This command uninstalls the Karaf talend-job-server-signature-verifier-disabler feature to enable Job signature validation.

  2. Copy the JKS (Java KeyStore) file to the machine where your Remote Engine is installed.
  3. In the <RemoteEngineInstallationDirectory>/etc/org.talend.remote.jobserver.server.cfg file, add these two properties:
    org.talend.remote.jobserver.commons.config.JobServerConfiguration.SIGNATURE_CHECK_KEYSTORE=<path_to_jks_file_on_Remote_Engine>
    org.talend.remote.jobserver.commons.config.JobServerConfiguration.SIGNATURE_CHECK_STORE_PASSWORD=<password_for_jks_file>
  4. Save the file.

Verifying artifact signature with a default signing key

Enable Remote Engines to use default signing keys to verify artifact signatures.

If you have configured the engine to use your custom signing keys, ignore this section.

Procedure

Do the following depending on the version of your engine:
  • If your engine is v2.12.0 or later, run this KARAF command:
    feature:uninstall talend-job-server-signature-verifier-disabler

    This command uninstalls the Karaf talend-job-server-signature-verifier-disabler feature to enable Job signature validation.

  • If you are using an older engine version, in the <RemoteEngineInstallationDirectory>/etc/org.talend.ipaas.rt.jobserver.client.cfg file, set the job.signature.verifying parameter to true and save the file.
