
Introducing App signing: A key step to improve App security

Malathi Vangalapati
Atlassian Team
October 15, 2024

Hello, Atlassian Community!

To boost the security of installed DC apps, we’re introducing a new feature that will restrict app installations to only those that are signed. This will help us to:

  • ensure that apps are either from Atlassian Marketplace or manually uploaded by trusted sources
  • prevent malicious actors from uploading harmful apps

The app signing feature will be gradually rolled out by mid 2025, and customers will be able to enable it when convenient during a 90-day grace period.

1. Requirements

This feature was developed with security in mind. It focuses on protecting installed apps while allowing flexibility for custom and private builds.

| Requirement | Description |
| --- | --- |
| Air-gapped instances support | Air-gapped instances are able to install and verify apps offline. |
| Backward compatibility | The signature check has been designed to be compatible with current instances that already have unsigned apps installed. |
| Custom plugins support | Clients are able to install custom plugins. |
| Certificate management | Streamlined certificate management for both Atlassian and customers. |
| Extensibility | App signing is agnostic to the app type and can be extended to support additional features for further enhancements. |

2. Implementation

Note: We’ve chosen the Ed25519 curve for app signing because of its strong security properties and its compliance with FedRAMP and FIPS 186-5.

The Atlassian Marketplace and Universal Plugin Manager (UPM) have been updated to sign and verify apps. UPM will support verification for Marketplace apps, custom apps, and private builds. The diagram below shows the components involved.

[Figure: 20240915 Plugins Signing Architecture]
2.1. Components
| Component | Description |
| --- | --- |
| Trust Store | Trusted certificates are stored in the Trust Store. It is crucial for system operators with file system access to set folder permissions carefully to ensure security: the user running the product should only have read-only access. Note: UPM implements an ATST health check to verify that the Trust Store folder has the correct read-only permissions. |
| App Vendor (CI, CLI), App Vendor (private build) | These components represent the mechanism on the plugin vendor side responsible for uploading plugins (may be manual). |
| Custom Apps | Custom apps developed by customers and installed directly on their local instance. Note: signature verification only occurs when installing apps through UPM, not through the file system. |
| Marketplace | Atlassian Marketplace |
| Universal Plugin Manager | UPM |
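The note above says UPM runs an ATST health check on the Trust Store folder's permissions but does not spell out its rules. The following Go function is an added illustration of what such a least-privilege check can look like; it is not UPM's health check. It assumes a POSIX file system, treats "read-only" as "no write bit for group or others" on the folder and every file in it, refuses symlinks (which could point the verifier at certificates outside the folder), and deliberately does not check ownership or ACLs. The `TRUST_STORE_DIR` environment variable in `main` is a hypothetical convenience for running it by hand.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
)

// CheckTrustStoreFolder returns everything that is wrong with a Trust Store
// folder from a least-privilege point of view: it must be a directory, neither
// it nor its entries may be writable by group or others, and every entry must
// be a regular file. An empty result means the folder passes.
func CheckTrustStoreFolder(path string) []string {
	info, err := os.Stat(path)
	if err != nil {
		return []string{err.Error()}
	}
	if !info.IsDir() {
		return []string{path + ": not a directory"}
	}
	var problems []string
	if info.Mode().Perm()&0o022 != 0 {
		problems = append(problems, fmt.Sprintf("%s: writable by group/others (%04o)", path, info.Mode().Perm()))
	}
	entries, err := os.ReadDir(path)
	if err != nil {
		return append(problems, err.Error())
	}
	for _, e := range entries {
		full := filepath.Join(path, e.Name())
		fi, err := os.Lstat(full) // Lstat: report symlinks instead of following them
		if err != nil {
			problems = append(problems, err.Error())
			continue
		}
		switch {
		case fi.Mode()&fs.ModeSymlink != 0:
			problems = append(problems, full+": symlink, refusing to follow")
		case !fi.Mode().IsRegular():
			problems = append(problems, full+": not a regular file")
		case fi.Mode().Perm()&0o022 != 0:
			problems = append(problems, fmt.Sprintf("%s: writable by group/others (%04o)", full, fi.Mode().Perm()))
		}
	}
	return problems
}

func main() {
	dir := os.Getenv("TRUST_STORE_DIR") // hypothetical: point it at the folder to check
	if dir == "" {
		dir = "."
	}
	for _, p := range CheckTrustStoreFolder(dir) {
		fmt.Println("FAIL:", p)
	}
}
```

A check like this belongs in the same place as the verifier: a trust store that the product's own user can write to lets anything running as that user add a certificate and self-approve an app, which defeats the purpose of signing.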

3. Signature Verification

UPM supports two signature verification flows, covering the following types of apps.

| Type of app | Description |
| --- | --- |
| Marketplace apps | Public or private apps hosted on the Atlassian Marketplace. |
| Private builds | Apps built by vendors and distributed directly to customers without being uploaded to the Marketplace. These are usually created for diagnostic purposes. |
| Custom apps | Apps built by customers to extend the functionality of our products. |

3.1. Marketplace apps signature verification

Before this step, customers need to download the Atlassian certificate chain and save it in their Trust Store. Atlassian will provide the certificate bundle, which will be updated periodically.

Once the certificates are trusted, UPM uses them to verify the app’s certificate and signature before installation. The diagram below shows the steps involved.

[Figure: 20240829 MKT apps signature verification]

At Atlassian Marketplace, we use temporary (ephemeral) keys to sign apps. This improves security because we don’t need to store a permanent signing key, which reduces the risk if a key is ever compromised. This method is also used by newer signing frameworks such as Sigstore.

For air-gapped instances, you need to download both the app file and its signature file. Before installation, each app must have a matching signature uploaded to UPM. The app’s signing certificate is valid for one year from the time it’s downloaded.

Example of a signature file:

{
  "signature": "39sn...",
  "certificate": "LS0..."
}

Note: When app signing is turned on, the Upload Restrictions in UPM are turned off by default. This re-enables the Upload button, allowing administrators to install apps directly through UPM.

3.2. Private builds and custom apps signature verification

Both private builds and custom apps use the same verification process. In both cases, customers need to trust the signing certificate by saving it in their local Trust Store.

[Figure: 20240829 Custom apps signature verification]

This process is similar to the flow for Marketplace apps. The main difference is that the signing certificate is generated only once. Customers need to trust this certificate by saving it in their Trust Store. The signature file then only includes the app's signature:

{
  "signature": "pi99..."
}
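To make the two flows concrete, here is a Go model of them, added to this post as an example. It is not UPM's or the Marketplace's code, and the post does not document UPM's actual file layout or trust-store handling, so the following are assumptions: the function names; a base64-encoded DER certificate in the signature file (the post's sample value starts with `LS0`, which is what base64 of a PEM block looks like, so real files may wrap the certificate differently); in-memory trust lists standing in for the Trust Store folder; and a code-signing extended key usage on the signing certificate. What it does show is the difference between the two flows: for Marketplace apps (3.1) the certificate arrives with the app and is chain-validated against the trusted roots at install time, which is where the one-year validity window is enforced; for private builds and custom apps (3.2) no certificate arrives, so only certificates the customer already placed in the trust store are tried. Ed25519 is the algorithm named in section 2.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"math/big"
	"time"
)

// SignatureFile mirrors the post's JSON: "certificate" only for Marketplace apps.
type SignatureFile struct {
	Signature   string `json:"signature"`
	Certificate string `json:"certificate,omitempty"`
}

// IssueCert generates an Ed25519 key pair and issues a certificate for it: a root
// when isCA is set, otherwise a code-signing leaf. A nil parent means self-signed.
func IssueCert(name string, isCA bool, notBefore, notAfter time.Time,
	parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore: notBefore, NotAfter: notAfter, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	if isCA {
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage, tmpl.ExtKeyUsage = true, true, x509.KeyUsageCertSign, nil
	}
	signer := parentKey
	if parent == nil { // self-signed: the template is its own issuer
		parent, signer = tmpl, priv
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, priv, err
}

// Sign signs the whole app file; cert is nil for private builds and custom apps.
func Sign(priv ed25519.PrivateKey, app []byte, cert *x509.Certificate) SignatureFile {
	sf := SignatureFile{Signature: base64.StdEncoding.EncodeToString(ed25519.Sign(priv, app))}
	if cert != nil {
		sf.Certificate = base64.StdEncoding.EncodeToString(cert.Raw)
	}
	return sf
}

// verifyEd25519 checks the detached signature under the certificate's key.
func verifyEd25519(cert *x509.Certificate, app []byte, sigB64 string) error {
	pub, ok := cert.PublicKey.(ed25519.PublicKey)
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if !ok || err != nil || !ed25519.Verify(pub, app, sig) {
		return errors.New("signature does not verify under the presented certificate")
	}
	return nil
}

// VerifyMarketplaceApp is the 3.1 flow: the (ephemeral) certificate travels in the
// signature file and must chain to a trusted root and be valid at install time.
func VerifyMarketplaceApp(app []byte, sf SignatureFile, roots *x509.CertPool, now time.Time) error {
	der, err := base64.StdEncoding.DecodeString(sf.Certificate)
	if err != nil || len(der) == 0 {
		return errors.New("signature file carries no usable certificate")
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return err
	}
	// Chain validation: issuer signatures, validity window at "now", CA flags, code-signing EKU.
	if _, err = cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}); err != nil {
		return err
	}
	return verifyEd25519(cert, app, sf.Signature)
}

// VerifyDirectlyTrustedApp is the 3.2 flow: only the signature travels with the
// app, so the certificates the customer placed in the Trust Store are tried.
func VerifyDirectlyTrustedApp(app []byte, sf SignatureFile, trusted []*x509.Certificate, now time.Time) error {
	for _, cert := range trusted {
		if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
			continue // expired or not yet valid
		}
		if verifyEd25519(cert, app, sf.Signature) == nil {
			return nil
		}
	}
	return errors.New("no valid Trust Store certificate verifies this signature")
}
```

Two design points are worth noting. The Marketplace verifier refuses a signature file that has no certificate instead of falling back to the directly trusted list, so an unsigned or certificate-less artifact cannot be installed on the strength of a customer's self-trusted certificate. And in the direct flow there is no chain to validate, so the validity window has to be checked explicitly; forgetting it would let a long-revoked or expired vendor certificate keep verifying builds indefinitely.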

4. Shared responsibility

While we’ve worked to minimize the impact, security is a shared responsibility between Atlassian, customers, and Marketplace partners. Your support in implementing these security measures is key to improving product security.

| | Atlassian Marketplace | Customers | Marketplace partners |
| --- | --- | --- | --- |
| Marketplace apps | | | |
| Sign apps | ✓ | | |
| Tooling & documentation | ✓ | | |
| Key management | ✓ | | |
| Certificate management | ✓ | ✓ | |
| Custom apps | | | |
| Sign apps | | ✓ | |
| Tooling & documentation | ✓ | | |
| Key management | | ✓ | |
| Certificate management | | ✓ | |
| Private builds | | | |
| Sign apps | | | ✓ |
| Tooling & documentation | ✓ | | |
| Key management | | | ✓ |
| Certificate management | | ✓ | ✓ |

Thanks for being part of this journey!

1 comment

Reese
Contributor
October 16, 2024

Ugh