Hello, Atlassian Community,
As we communicated in October 2024, in 2025 we’re rolling out app signing to significantly improve the security of app installations. The feature verifies the integrity and origin of application files with a digital signature, so that only trusted applications can be installed on an instance. App signing affects only new app installations; previously installed apps will not undergo verification.
The change is being gradually rolled out across Atlassian Data Center (DC) products in their next releases. To activate app signing, you will need to upgrade to the following product versions:
Jira Software and Jira Service Management 10.5 to be released in Mar 2025
Confluence 9.4 to be released in Apr 2025
Bitbucket 9.6 to be released in Mar 2025
Bamboo 11.0 to be released in the first half of 2025
Crowd 6.3 to be released in Mar 2025
Currently, app signing is disabled by default. The grace period lasts until the next major releases of Atlassian DC products in Q3 and Q4 of 2025, after which app signing will be enabled by default.
Once app signing is enabled, admins must configure it correctly and set up their Trust store; otherwise, customers will not be able to install any application.
As a customer, use the grace period to adapt your processes. The steps you need to take differ depending on whether you install applications from the Marketplace or build your own custom applications. In either case, the first step is to set up a Trust store and enable app signing. You have full control over the Trust store, so you can revoke or remove untrusted certificates. UPM lists all trusted certificates and notifies admins about certificates that are close to expiry.
You can also install the app via the file system without using the app signing feature.
If you install apps from the Marketplace:
1. Enable app signing. For details, see Configuring UPM app signature check.
2. Download and install the Certificate Authority (CA) bundle from Atlassian. For details, see Updating Atlassian Certificate Bundles.
3. Enjoy safe app installations from the Marketplace.
If you build custom applications, you can sign and secure your apps:
1. Enable app signing. For details, see Configuring UPM app signature check.
2. Create an app signature and a verification certificate as described in Generating app signature and verification certificate using OpenSSL.
3. Add your new certificate to your Trust store, following the same procedure as in Updating Atlassian Certificate Bundles.
4. Install the signed application.
If you’re experiencing issues, check out app signing troubleshooting or leave us a comment here.
Thanks for being part of this journey!
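The custom-build procedure above (signature and verification certificate created with OpenSSL, certificate placed in the Trust store, signed build installed), as an added example that is not Atlassian's own code or documentation. It assumes openssl is on PATH and uses a detached CMS signature in PEM format; the function names (make_signer, sign_app, verify_app, demo), file names, certificate subjects, the keyUsage extension and the choice of CMS are all assumptions, since the exact commands from Atlassian's "Generating app signature and verification certificate using OpenSSL" page are not reproduced here. The point it demonstrates is the one an admin cares about: a signature is accepted only when it matches the file bytes and the signer chains to a certificate in the Trust store, so a valid signature from a vendor you have not trusted, or a JAR changed after signing, is rejected.

```shell
#!/bin/sh
# Added example (not Atlassian's code): detached PEM signature for an app JAR
# using OpenSSL CMS, verified against a Trust store file of PEM certificates.
# Assumptions: openssl on PATH; all names and the CMS format are illustrative.
set -u

WORK="${WORK:-$(mktemp -d)}"

# make_signer NAME: self-signed signing certificate plus private key for a vendor.
# keyUsage=digitalSignature marks the key as a signing key only (assumed extension).
make_signer() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=$1" -addext "keyUsage=critical,digitalSignature" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# sign_app KEY CERT JAR OUT: detached CMS signature over the raw JAR bytes,
# PEM-encoded, with the signer certificate embedded so the verifier can build a chain.
sign_app() {
    openssl cms -sign -binary -in "$3" -signer "$2" -inkey "$1" \
        -outform PEM -out "$4" 2>/dev/null
}

# verify_app TRUSTSTORE JAR SIG: exit 0 only if the signature matches the JAR bytes
# AND the embedded signer certificate chains to a certificate in TRUSTSTORE.
verify_app() {
    openssl cms -verify -binary -inform PEM -in "$3" -content "$2" \
        -CAfile "$1" -out /dev/null 2>/dev/null
}

# demo: returns 0 when the three expected outcomes all hold.
demo() {
    # Constructed stand-in for a built app JAR (contents are irrelevant to the check).
    printf 'constructed stand-in for an app JAR\n' > "$WORK/app.jar"

    make_signer vendor     # the real vendor
    make_signer impostor   # a valid key pair the admin never trusted

    # The Trust store is just concatenated PEM certificates; the admin adds "vendor" only.
    cat "$WORK/vendor.crt" > "$WORK/truststore.pem"

    sign_app "$WORK/vendor.key"   "$WORK/vendor.crt"   "$WORK/app.jar" "$WORK/app.jar.sig.pem"
    sign_app "$WORK/impostor.key" "$WORK/impostor.crt" "$WORK/app.jar" "$WORK/app.jar.impostor.pem"

    # 1. Genuine build signed by a trusted certificate: accepted.
    verify_app "$WORK/truststore.pem" "$WORK/app.jar" "$WORK/app.jar.sig.pem" || return 1

    # 2. Mathematically valid signature from a certificate not in the Trust store: rejected.
    verify_app "$WORK/truststore.pem" "$WORK/app.jar" "$WORK/app.jar.impostor.pem" && return 1

    # 3. Trusted signer, but the JAR was modified after signing: rejected.
    printf 'x' >> "$WORK/app.jar"
    verify_app "$WORK/truststore.pem" "$WORK/app.jar" "$WORK/app.jar.sig.pem" && return 1

    return 0
}

# Run the three checks when executed directly.
if demo; then
    echo "PASS: trusted signer accepted; untrusted signer and tampered JAR rejected"
else
    echo "FAIL: inspect files under $WORK"
fi
```

Removing a vendor's certificate from truststore.pem is the "revoke or remove untrusted certificates" step in the announcement: once it is gone, case 2 is what every further upload signed by that vendor looks like. Because the signature is detached, the JAR itself is unchanged and can still be installed from the file system without the signature check, which is why that path should be restricted to admins who understand what they are bypassing.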
Can you please post a link or explanation on how MP vendors are supposed to create, sign and release apps with Certificate Authority (CA) from Atlassian to MP?
Hi all, thanks for your questions.
As I understand it, the procedure described in step 2 results in a separate signature file in PEM format, doesn’t it? How would it be incorporated into the jar file for its verification?
The signature file is not part of the JAR file. When app signing is enabled, UPM provides a dedicated field on upload to specify the signature. See Install an app from a file documentation.
Can you please post a link or explanation on how MP vendors are supposed to create, sign and release apps with Certificate Authority (CA) from Atlassian to MP?
Marketplace partners can sign their private builds by following the steps described in Generating app signature and verification certificate using OpenSSL documentation. All apps published to the marketplace are signed by Atlassian, and no additional action is needed.
Maybe I miss some point, but this appears overly complicated to me.
We have always been signing our apps during the build using the jar signer plugin. Doing so adds the signature as well as the certificate chain to the jar file. This means that the jar file has everything needed for a signature verification of the file. If Atlassian supported this standard, the admin could just upload the app as always and still have it checked.
There would be no need to handle separate signature files and/or manually install certificate bundles to accomplish the task.
Did Atlassian consider this approach? Am I overlooking any reason to implement it differently?