App Signing Rollout Started: Time to Boost App Security

Hello, Atlassian Developer Community!

As we communicated in October 2024, in 2025 we’re rolling out app signing to significantly improve the security of app installations. This feature is designed to verify the integrity and origin of application files using a digital signature. In this way, only trusted applications can be installed on an instance. App signing affects only new app installations; already installed apps will not undergo verification.

When will app signing be available?

The change is being gradually rolled out across Atlassian Data Center (DC) products in their next releases. To activate app signing, you will need to upgrade to the following product versions:

  • Jira Software and Jira Service Management 10.5 to be released in Mar 2025
  • Confluence 9.4 to be released in Apr 2025
  • Bitbucket 9.6 to be released in Mar 2025
  • Bamboo 11.0 to be released in the first half of 2025
  • Crowd 6.3 to be released in Mar 2025

Is app signing currently required as of now?

Currently, app signing is disabled by default. The grace period will last until the next major releases of Atlassian DC products in Q3 and Q4 of 2025, after which app signing will be enabled by default.

When app signing is enabled, admins are required to configure it correctly and set up their Trust store; otherwise, customers will not be able to install any application.

What changes for Marketplace partners?

This feature will enable better security and increase customer trust in what they install on their local instances.

To ensure backward compatibility, UPM only verifies the signature when installing new apps. Existing apps don’t undergo this verification process.

With app signing turned on, as Marketplace partners, you will need to ensure that your applications, especially private builds, are signed so that customers can verify that the specific build is from the correct vendor and hasn’t been tampered with.

Signing Marketplace apps

If you upload your apps to Atlassian Marketplace, we’ve got you covered. Once Marketplace validates and approves your app, Atlassian will sign and trust all your apps by default; no additional action is needed.

Signing private builds

You can either sign your applications and provide the signature and certificate to customers or give the app binary directly to the customers, allowing them to install the app through the file system without signature verification.

If you provide private builds to customers, here is how to secure them:

  1. Create app signature and verification certificate as described in Generating app signature and verification certificate using OpenSSL.
  2. Share the certificate with the customer so that they can put it into their Trust store.
  3. Share the signature and the signed application with the customer.

If you’re experiencing issues, check out app signing troubleshooting or leave us a comment here.

Thanks for being part of this journey!
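As an added, self-contained illustration of the three private-build steps above (this is not Atlassian's own script and does not replace the linked OpenSSL guide): the vendor generates a key pair and a self-signed verification certificate, produces a detached signature over the build, and the customer checks that signature against the public key in the certificate. The file names, the RSA-3072 / SHA-256 choice and the use of a self-signed certificate are assumptions made for this example; the exact signature format and file naming that UPM expects, and the steps for importing the certificate into the UPM Trust store, are defined in the UPM documentation and are not shown here.

```shell
#!/bin/sh
# Added example, not Atlassian's documented procedure. Assumptions: file names
# (vendor.key, vendor.crt, app.jar.sig), RSA-3072 with SHA-256, and a
# self-signed certificate. Check the UPM documentation for the format UPM expects.
set -eu

# Vendor, one-time: private key and self-signed verification certificate.
# Only vendor.crt is ever shared; vendor.key stays with the vendor.
gen_vendor_identity() {
    key=$1; crt=$2
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:3072 -out "$key" 2>/dev/null
    openssl req -new -x509 -key "$key" -out "$crt" -days 730 \
        -subj "/CN=Example Vendor App Signing" 2>/dev/null
}

# Vendor, per build: detached SHA-256 signature over the exact artifact bytes.
sign_build() {
    key=$1; artifact=$2; sig=$3
    openssl dgst -sha256 -sign "$key" -out "$sig" "$artifact"
}

# Customer: extract the public key from the shared certificate and verify the
# detached signature against the artifact. Exit status 0 means "Verified OK".
verify_build() {
    crt=$1; artifact=$2; sig=$3
    openssl x509 -in "$crt" -pubkey -noout > "$crt.pub"
    openssl dgst -sha256 -verify "$crt.pub" -signature "$sig" "$artifact" >/dev/null 2>&1
}

# Round trip on a constructed stand-in for the app jar: sign, verify, then
# tamper with the artifact and confirm the same signature is now rejected.
demo_app_signing() {
    dir=$(mktemp -d)
    printf 'constructed stand-in for my-app-1.2.3-private.jar\n' > "$dir/app.jar"
    gen_vendor_identity "$dir/vendor.key" "$dir/vendor.crt"
    sign_build "$dir/vendor.key" "$dir/app.jar" "$dir/app.jar.sig"
    if verify_build "$dir/vendor.crt" "$dir/app.jar" "$dir/app.jar.sig"; then
        good=ok
    else
        good=fail
    fi
    printf 'x' >> "$dir/app.jar"   # one appended byte: any change must break verification
    if verify_build "$dir/vendor.crt" "$dir/app.jar" "$dir/app.jar.sig"; then
        tampered=accepted
    else
        tampered=rejected
    fi
    rm -rf "$dir"
    echo "$good $tampered"
}
```

Running `demo_app_signing` prints `ok rejected`: the untouched build verifies and the modified one does not, which is exactly what the customer gains from checking the signature before installing. Only `vendor.crt` and the `.sig` file travel to the customer with the build; `vendor.key` never leaves the vendor and belongs in a secret management system rather than on a build agent's file system, and it has no place in anyone's Trust store, which holds certificates only.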

Hey @CharafEddineSAIDI thanks for the update.

It’s good to see some concrete documentation for the private build signing.

What I would like to see additionally is customer-oriented documentation describing how to handle the signatures / certificates that we provide them together with private builds exchanged via our support system etc.
The goal would be that in the scope of a support ticket I can simply tell the customer “Here’s the snapshot along with the corresponding signature & cert files, now check these Atlassian docs for install instructions”.

4 Likes

Hey @CharafEddineSAIDI thanks for the update.

Will there be a possibility for developer instances to disable this mechanism so that we don’t need to sign every artifact during development?

1 Like

Can you clarify if this means you will not be adding the UPM signature to the trust store by default? So by default, starting end of 2025, customers will not be able to install any apps before doing this configuration?

1 Like

I have one other request for clarification:

Is app signing still performed for non-public builds uploaded to the Marketplace, and can the resulting signatures be easily downloaded by the vendor?

I am wondering whether vendors could use this to supply customers with private builds without having to set up additional infrastructure.

1 Like

Data Center tests (on Terraform) are executed in non-dev-mode and will require the Trust Store. If apps cannot enter private keys in the Trust Store, then they can only test published versions of their apps, which isn’t practically possible when one detects a performance issue.

Will the Data Center test framework (dcapt) allow easy access to the Trust Store, and/or run without app signing?

1 Like

Just thinking out loud, but could this whole “Generating app signature and verification certificate using OpenSSL” procedure not be part of the build plugins for confluence-maven-plugin or jira-maven-plugin?

2 Likes

DCAPT will have app signing disabled by default.

1 Like

Hi all,

Thank you for your interest and feedback regarding this announcement.

What I would like to see additionally is customer-oriented documentation describing how to handle the signatures / certificates that we provide them together with private builds exchanged via our support system

UPM documentation has been updated to list the steps required to trust Atlassian certificates. We’ll update this documentation to also describe how to trust other certificates as the process is similar.

Will there be a possibility for developer instances to disable this mechanism so that we don’t need to sign every artifact during development?

App signing should be disabled during development. For detailed instructions on how to disable or enable app signing, please refer to the signature check configuration documentation.

Can you clarify if this means you will not be adding the UPM signature to the trust store by default? So by default, starting end of 2025, customers will not be able to install any apps before doing this configuration?

Customers have full control over their trust store. If app signing is enabled, they’ll need to trust Atlassian certificates to be able to install Marketplace hosted apps.
At the end of the grace period, app signing will be enabled by default. Customers will need to either explicitly disable app signing or configure their trust store.
Note that installing apps through the file system is not subject to signature check.

Is app signing still performed for non-public builds uploaded to the Marketplace, and can the resulting signatures be easily downloaded by the vendor?

The Marketplace generates signatures for all validated and approved apps.

Just thinking out loud, but could this whole “Generating app signature and verification certificate using OpenSSL” procedure not be part of the build plugins for confluence-maven-plugin or jira-maven-plugin?

AMPS 9.2 offers support for signature generation. This feature is intended for enabling app signing during integration tests if required. AMPS relies on the file system to read the private keys used for tests. It’s recommended to keep any secrets in a secured Secret Management System. Note that only private builds need to be signed by Marketplace partners. Marketplace hosted apps are signed by Atlassian and no further action is needed.

1 Like