Signing the rollout packages


BMC Client Management enables you to digitally sign the rollout packages. Currently, this feature is implemented only for Windows.

To configure the signature certificate

  1. Go to Global Settings > System Variables > Rollout.
  2. Click Edit and update the following parameters.

    Parameter: Signature Certificates

    Description: The certificate used for signing. It is picked up from the master certificates repository. You must add this certificate on the master server. If there is no certificate on the master, this list shows no options. By default, this field is empty.

    To add the certificate on the master:

    1. Copy the certificate contents to bin/certs/other/myCert.crt.

    2. Copy the unencrypted certificate key to bin/certs/other/myCert.key.

    3. Restart the service.

    The certificate then appears in the console, and you can configure rollout signing with this certificate.

    • Use a code signing certificate purchased from a trusted authority such as DigiCert.
    • Generate a custom authority, deploy that authority as trusted for code signing to all Windows devices (for example, through a Group Policy rule), generate a certificate issued by this authority, and use it for signing.

    Parameter: Hash Type

    Description: The hash type can be either sha256 or sha512. The default value is sha256.

    Parameter: Timestamp URL

    Description: The URL of the signing server used to timestamp your signature. By default, http://timestamp.digicert.com is used.

    Parameter: Check Timestamp Server Certificate

    Description: If the signing server URL uses https, select this option to check the server certificate. By default, it is not selected. If you select this option and the timestamp server URL uses https, the timestamp will fail.

  3. Click OK.

When you generate a rollout package after configuring the signature certificate as explained above, the rollout server asks the master server to sign the package with that certificate. The master server then signs it using the hash type specified in the configuration.
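A pre-flight check for the certificate and key pair before you copy them to bin/certs/other/ on the master, covering the steps above (readable PEM files, an unencrypted key, a key that matches the certificate, the Code Signing extended key usage that Windows requires, and a certificate that has not expired). This is an added example, not BMC Client Management tooling; it assumes the openssl command-line tool (1.1.1 or later) is installed, and the file names passed to it are whatever you intend to copy to myCert.crt and myCert.key.

```shell
#!/bin/sh
# Pre-flight check for a rollout signing certificate/key pair.
# Added example, not part of BMC Client Management; assumes the openssl CLI.
# Usage: check_signing_pair <cert.crt> <unencrypted-key.key>
# Exit status 0 means every check passed; each failed check prints a reason.

check_signing_pair() {
    cert="$1"
    key="$2"
    rc=0

    # The certificate must be a readable PEM file.
    if ! openssl x509 -in "$cert" -noout >/dev/null 2>&1; then
        echo "FAIL: $cert is not a readable PEM certificate"; return 1
    fi

    # The master needs the *unencrypted* key; a passphrase-protected key
    # cannot be loaded by the service after the restart.
    if grep -q "ENCRYPTED" "$key"; then
        echo "FAIL: $key is passphrase-protected; store the unencrypted key"; rc=1
    elif ! openssl pkey -in "$key" -noout >/dev/null 2>&1; then
        echo "FAIL: $key is not a readable PEM private key"; rc=1
    else
        # The key must belong to the certificate: compare public-key digests.
        cert_pub=$(openssl x509 -in "$cert" -noout -pubkey \
                   | openssl pkey -pubin -outform DER | openssl dgst -sha256)
        key_pub=$(openssl pkey -in "$key" -pubout -outform DER | openssl dgst -sha256)
        if [ "$cert_pub" != "$key_pub" ]; then
            echo "FAIL: $key does not match the public key in $cert"; rc=1
        fi
    fi

    # Windows only trusts package signatures made with a certificate that
    # carries the Code Signing extended key usage.
    if ! openssl x509 -in "$cert" -noout -text \
         | grep -A1 "Extended Key Usage" | grep -q "Code Signing"; then
        echo "FAIL: $cert lacks the Code Signing extended key usage"; rc=1
    fi

    # Signatures from an expired certificate fail validation on the devices.
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null; then
        echo "FAIL: $cert has expired"; rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK: $cert and $key are ready for bin/certs/other/"
    return "$rc"
}
```

Run it against the pair before the restart; a non-zero exit means the certificate will either not appear in the Signature Certificates list or will produce signatures that Windows rejects.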
