
Configuring a custom Job artifact signature

By default, Talend Studio signs Job artifacts using a signing key stored in a keystore issued by Talend, to prevent accidental or malicious modification of Job artifacts.

You can configure a custom signing key to sign Job artifacts.

Before you begin

  • You have a keystore containing a signing key, generated using the Java keytool utility or an equivalent tool.

About this task

Talend Studio supports three signature modes:

  • Enable Default Signature: Job artifacts are signed using the default Talend-issued key.

    If the default certificate has not expired, signing proceeds automatically. If it has expired, you must configure a custom signature or deactivate signing.

  • Enable Custom Signature: Job artifacts are signed using your custom key.
  • No Signature: Job artifact signing is deactivated. Signature verification must also be deactivated on Talend JobServer, Talend Administration Center, and Talend Remote Engine.

Procedure

  1. Click Window > Preferences to open the Preferences dialog box.
  2. Click Talend > Security > Artifact signature to open the corresponding view.
  3. In the Signature Mode list, select Enable Custom Signature.

    Example

    Artifact signature preferences panel with Enable Custom Signature selected, showing the Key Path, Keystore Password, Key Password, Key Alias, Keystore Type, Digest Algorithm, and Signature Algorithm fields.
  4. In the Key store type list, select the format of your keystore.
    • For on-premises licenses, the JKS and PKCS12 formats are available.
    • For Cloud licenses, only JKS is available.
  5. In the Key Path field, specify the path to your keystore file.
  6. In the Keystore Password field, enter the keystore password.
  7. In the Key Password field, enter the key password.
  8. In the Key Alias field, specify the alias associated with your keystore entry.
  9. In the Advanced Settings area, configure the signing algorithms:
    1. In the Digest Algorithm list, select the digest algorithm that matches your signing configuration.
    2. In the Signature Algorithm list, select the algorithm that matches your key type.
    The same algorithms must be used on every Talend JobServer and Talend Administration Center that verifies these artifacts.
  10. Click Apply and Close to save your changes.

Results

Job artifacts are signed using your custom keystore when building Jobs. On Talend Cloud, the signature is verified on Talend Remote Engine and on on-premises Talend JobServer and Talend Administration Center.

What to do next

  • To configure Talend JobServer to verify signed Job artifacts, see Setting up Talend JobServer to verify custom Job artifact signatures.
  • To configure Talend Administration Center to verify signed Job artifacts, see Setting up Talend Administration Center to verify custom Job artifact signatures.
  • To configure a Talend Remote Engine, see Running trusted tasks with your custom signature (JKS only).
  • In a continuous integration environment, add the following parameters to your artifact build:
    • JKS:
      • -Dsigner.path: the path to your custom Java keystore
      • -Dsigner.keystore.password: the keystore password, either Maven-encrypted or in plain text
      • -Dsigner.key.password: the key password, either Maven-encrypted or in plain text
      • -Dsigner.key.alias: the alias name associated with your keystore
    • PKCS12:
      • -Dsigner.path: the path to your custom Java keystore
      • -Dsigner.keystore.password: the keystore password, either Maven-encrypted or in plain text
      • -Dsigner.key.password: the key password, either Maven-encrypted or in plain text
      • -Dsigner.key.alias: the alias name associated with your keystore
      • -Dsigner.disabled: activate or deactivate the entire signature mechanism
      • -Dsigner.keystore.type: the type of the keystore; in this case, PKCS12
      • -Dsigner.digest.algorithm: the algorithm for the artifact content
      • -Dsigner.signature.algorithm: the algorithm for the signature
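
Added example (not Talend's own script): a POSIX shell helper that assembles the -Dsigner.* parameters listed above for either keystore format, fails before the build starts if a value is missing, and appends the parameters to an existing build command. The SIGNER_* variable names and both function names are assumptions of this example; -Dsigner.disabled is not set here.

```shell
#!/bin/sh
# SIGNER_* names are assumptions of this example; populate them from CI
# secret variables (passwords may be Maven-encrypted values).

# Print one -Dsigner.* parameter per line, or fail before the build starts.
signer_args() {
    ks_type=${SIGNER_KEYSTORE_TYPE:-JKS}
    required="SIGNER_PATH SIGNER_KEYSTORE_PASSWORD SIGNER_KEY_PASSWORD SIGNER_KEY_ALIAS"
    case $ks_type in
        JKS) ;;
        # For PKCS12 this example also requires the two algorithm parameters.
        PKCS12) required="$required SIGNER_DIGEST_ALGORITHM SIGNER_SIGNATURE_ALGORITHM" ;;
        *) echo "signer_args: unsupported keystore type '$ks_type'" >&2; return 1 ;;
    esac
    for var in $required; do
        eval "val=\${$var:-}"
        [ -n "$val" ] || { echo "signer_args: $var is not set" >&2; return 2; }
    done
    [ -r "$SIGNER_PATH" ] || { echo "signer_args: cannot read $SIGNER_PATH" >&2; return 3; }

    printf '%s\n' \
        "-Dsigner.path=$SIGNER_PATH" \
        "-Dsigner.keystore.password=$SIGNER_KEYSTORE_PASSWORD" \
        "-Dsigner.key.password=$SIGNER_KEY_PASSWORD" \
        "-Dsigner.key.alias=$SIGNER_KEY_ALIAS"
    if [ "$ks_type" = PKCS12 ]; then
        printf '%s\n' \
            "-Dsigner.keystore.type=PKCS12" \
            "-Dsigner.digest.algorithm=$SIGNER_DIGEST_ALGORITHM" \
            "-Dsigner.signature.algorithm=$SIGNER_SIGNATURE_ALGORITHM"
    fi
}

# Append the parameters to an existing build command:
#   with_signer_args mvn <your existing goals and options>
with_signer_args() {
    args=$(signer_args) || return
    old_ifs=$IFS
    IFS='
'
    set -f                  # no globbing: a password may contain * or ?
    set -- "$@" $args       # split on newlines only, so paths keep their spaces
    set +f
    IFS=$old_ifs
    "$@"
}
```

The digest and signature algorithm values passed here must be the same ones configured on every Talend JobServer and Talend Administration Center that verifies the artifacts.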
