Skip to main content Skip to complementary content

Running trusted tasks with your custom signature

Talend Studio signs Jobs before they are deployed to Talend Management Console using Java Jar signing (https://docs.oracle.com/javase/8/docs/technotes/guides/jar/jar.html#Signed_JAR_File).

Instead of using the default Talend Studio signing key, it is possible to use a custom KeyStore for signature creation and validation.

The META-INF folder of the zip file contains a .SF file with the SHA-256 digests of every file contained in the zip, as well as the digest of the manifest itself. The signing key itself is bundled with Talend Studio. This signs the .SF file and outputs the signature into a .RSA file in META-INF. The signature algorithm used is RSA-SHA256.

Before you begin

  • Your Talend Studio version is 8.0 R2022-06 and onwards.
  • Your Remote Engine is v2.12.0 and onwards.
  • You have generated a custom Java KeyStore using a third-party Java keytool.

Procedure

  1. Configure custom Java KeyStore (JKS) for Job artifact signature.
    • In Talend Studio, add your JKS key as explained in Configuring custom Java KeyStore for Job artifact signature.
    • In a continuous integration environment, add the following parameters to your build:
      • -Dsigner.path: the path to your custom Java KeyStore
      • -Dsigner.keystore.password: the KeyStore password, either Maven-encrypted or in plain text
      • -Dsigner.key.password: the key password, either Maven-encrypted or in plain text
      • -Dsigner.key.alias: the alias name associated with your KeyStore.
  2. Publish the signed artifact to Cloud.
  3. Enable your Remote Engine to verify the custom signature and set up the same JKS configuration there, as explained in Verifying artifact signature with a custom signing key.
  4. If not done yet, Creating a Job task for this artifact.
  5. Executing Job tasks on a Remote Engine or a cluster for which you enabled the verification of custom signature previously.

Results

The KeyStore is verified and the task runs successfully.
In the Last 5 runs tab of the task page, the successful task run appears.
If the verification fails, for example, signature of the artifact does not match the one used by your engine, the task run fails with a message reading like this:
In the Last 5 runs tab of the task page, the failed task run appears with a message explaining the reason for the fail.

Did this page help you?

If you find any issues with this page or its content – a typo, a missing step, or a technical error – please let us know!