Digital Signing Requirements
Last updated
Last updated
Starting with SanteDB iCDR and dCDR version 2.1.80 (Paris) both the dCDR and iCDR require that all .NET assemblies which are registered for service use are digitally signed. There are two ways you can sign your .NET plugins for use in a release version of SanteDB.
The requirement of digital signatures on .NET code ensures that:
The plugin comes from a reputable company which has been validated by a third party source or by the SanteSuite community.
The plugin code has not been tampered with since the publisher compiled and signed the assembly.
Verifies the publisher of the plugin (opposed to a self-assertion by the publisher)
When set to Informational
log level you will see log entries indicating successful validation of the plugin:
When code is not digitally signed , any services provided by that assembly will not be loaded and an error log message will appear:
On Microsoft Windows operating systems you can validate digital signatures and publishers of a plugin by right clicking on the plugin in Windows Explorer and using the Digital Signatures
tab of the properties window.
By clicking Details
you can view the digital signature on the assembly code and validate the issuer and publisher of the digital signature.
You can use the chktrust
command on Linux and MacOS to perform the same verification steps for your assembly.
You can disable code validation by setting the allowUnsignedAssemblies
attribute on the ApplicationServiceContextConfigurationSection
as:
You should only use this setting for development and debugging environments (such as when referencing the SanteDB
Nuget package). If disabled, the host service will load and execute any assembly code contained in the configuration file.
If you're compiling a general purpose plugin or SanteDB distribution, or are writing other software which will need to be installed on Microsoft Windows, Linux, etc. it is recommended you use a registered Microsoft Authenticode SSL Provider . These certificates typically cost between $200 and $800 per year , however they are recognized by Microsoft Windows and other operating systems and are generally more portable than other options.
If you're only developing software for SanteDB and wish only to publish extensions and plugins for SanteDB, you may obtain a publishing certificate from the SanteSuite community. These community certificates are only trusted by SanteDB iCDR and dCDR software packages, which means they are less suited for general purpose software development.
In order to obtain a certificate from SanteSuite community you will need to become a SanteDB Software Publisher.
Finally, you can create your own self-signed code signing certificate. This is less ideal as it restricts the portability of your software extension. In order to use self-signed code certificates you will need to:
Generate a private key with extended use of codeSigning
(optionally sign it with your own CA's certificate).
Export the private key, certificate, and CA's certificate (forming an X509 chain) to a PKCS12 (.pfx
) file.
Import the CA's certificate into the trust store
On Windows this is done by placing the certificate in the Trusted Publishers
store on all machines which will use the plugin
On Mono (Linux, Docker, MacOS) you should use Mono's certificate tools to manage the certificates.
Once you have an appropriate code signing certificate you can use the Microsoft Windows SDK signtool or Mono's signcode command to sign your assembly. This must be done prior to loading or publishing/distributing the assembly.