Introducing App Signing: A Key Step to Improve App Security

Hello, Atlassian Developer Community!

Earlier this year in March 2024, we asked for your feedback on RFC-39 regarding app signing to improve the security of our Data Center apps. Based on your input and feedback from our customers, we’ve made some updates, and we’re excited to announce the improved feature.

1. Overview and context

To boost the security of installed DC apps, we’re introducing a new feature that will restrict app installations to only those that are signed. This will help us to:

  • ensure that apps are either from Atlassian Marketplace or manually uploaded by trusted sources
  • prevent malicious actors from uploading harmful apps

The app signing feature will be gradually rolled out by April 2025, and customers will be able to enable it when convenient during a 90-day grace period.

2. Requirements

This feature was developed with security in mind. It focuses on protecting installed apps while allowing flexibility for custom and private builds.

  • Air-gapped instances support: air-gapped instances are able to install and verify apps offline.
  • Backward compatibility: the signature check has been designed to be compatible with current instances that already have unsigned apps installed.
  • Custom plugins support: clients are able to install custom plugins.
  • Certificate management: streamlined certificate management for both Atlassian and customers.
  • Extensibility: app signing is agnostic to an app's type and can be extended to support additional features for further enhancements.

3. Implementation

Note: We’ve chosen the Ed25519 curve for app signing due to its high security and compliance with FedRAMP and FIPS 186-5 standards.

The Atlassian Marketplace and Universal Plugin Manager (UPM) have been updated to sign and verify apps. UPM will support verification for Marketplace apps, custom apps, and private builds. The following diagram describes the components involved.

3.1. Components

  • Trust Store: trusted certificates are stored in the Trust Store. It is crucial for system operators with file system access to set folder permissions carefully to ensure security. The user running the product should only have read-only access.
    Note: UPM implements an ATST health check to verify that the Trust Store folder has the correct read-only permissions.
  • App Vendor (CI, CLI), App Vendor (private build): these components represent the mechanism responsible for uploading plugins from the plugin vendor side (may be manual).
  • Custom Apps: custom apps developed by customers and installed directly on their local instance.
    Note: Signature verification only occurs when installing apps through UPM, not through the file system.
  • Marketplace: Atlassian Marketplace.
  • Universal Plugin Manager: UPM.

4. Signature Verification

UPM supports two signature verification flows, covering the following types of apps.

  • Marketplace apps: public or private apps hosted on the Atlassian Marketplace.
  • Private builds: apps built by vendors and distributed directly to customers without being uploaded to the Marketplace. These are usually created for diagnostic purposes.
  • Custom apps: apps built by customers to extend the functionality of our products.

4.1. Marketplace apps signature verification

Before this step, customers need to download the Atlassian certificate chain and save it in their Trust Store. Atlassian will provide the certificate bundle, which will be updated periodically.

Once the certificates are trusted, UPM uses them to verify the app’s certificate and signature before installation. The next diagram shows the steps involved.

At Atlassian Marketplace, we use temporary (ephemeral) keys to sign apps. This improves security because we don’t need to store a permanent signing key, reducing the risk if a key is ever compromised. This method is also used by new signing frameworks like Sigstore.

For air-gapped instances, you need to download both the app file and its signature file. Before installation, each app must have a matching signature uploaded to UPM. The app’s signing certificate is valid for one year from the time it’s downloaded.

Example of a signature file:

{
  "signature": "39sn...",
  "certificate": "LS0..."
}

Note: When app signing is turned on, the Upload Restrictions in UPM are turned off by default. This re-enables the Upload button, allowing administrators to install apps directly through UPM.

4.2. Private builds and custom apps signature verification

Both private builds and custom apps use the same verification process. In both cases, customers need to trust the signing certificate by saving it in their local Trust Store.

This process is similar to the flow for Marketplace apps. The main difference is that the signing certificate is generated only once. Customers need to trust this certificate by saving it in their Trust Store. The signature file then only includes the app’s signature.

{
  "signature": "pi99..."
}
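As an added example (not UPM's or the Marketplace's code), the private-build flow from 4.2 modelled with Go's standard library: the signer generates an Ed25519 key and a self-signed code-signing certificate once, only the certificate goes into the customer's Trust Store, and at install time the verifier checks the certificate (validity period, code-signing usage) before checking the Ed25519 signature over the app bytes. The names TrustStore, NewSigningCert, Sign and Verify are assumptions; the Marketplace flow in 4.1 differs only in that the certificate arrives inside the signature file and must chain to the Atlassian certificates in the Trust Store.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
	"time"
)

// TrustStore stands in for the customer's folder of trusted certificates (read-only for the product user).
type TrustStore []*x509.Certificate

// NewSigningCert is the one-off signer step: an Ed25519 key plus a self-signed code-signing certificate valid for `days`.
func NewSigningCert(days int) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now().Add(-time.Minute),
		NotAfter: time.Now().AddDate(0, 0, days), KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	der, _ := x509.CreateCertificate(rand.Reader, t, t, pub, key) // template is its own parent: self-signed fixture
	c, _ := x509.ParseCertificate(der)
	return c, key
}

// Sign writes the private-build signature file from the post: only a base64 Ed25519 signature over the app bytes.
func Sign(app []byte, key ed25519.PrivateKey) []byte {
	out, _ := json.Marshal(map[string]string{"signature": base64.StdEncoding.EncodeToString(ed25519.Sign(key, app))})
	return out
}

// Verify is the install-time check: a Trust Store certificate must pass X.509 validation and hold the signing key.
func Verify(store TrustStore, app, file []byte) error {
	var sf map[string]string
	if err := json.Unmarshal(file, &sf); err != nil {
		return err
	}
	sig, _ := base64.StdEncoding.DecodeString(sf["signature"]) // a bad encoding simply fails below
	for _, c := range store {
		self := x509.NewCertPool() // trusted certificates are self-signed here, so each is its own root
		self.AddCert(c)
		_, err := c.Verify(x509.VerifyOptions{Roots: self, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}})
		if pub, ok := c.PublicKey.(ed25519.PublicKey); err == nil && ok && ed25519.Verify(pub, app, sig) {
			return nil
		}
	}
	return errors.New("no valid, trusted code-signing certificate verifies this app")
}
```

Because the check runs only when an app is installed, an expired certificate blocks new installs but does not touch apps that were verified earlier, which is the behaviour the replies below describe.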

5. Shared responsibility

While we’ve worked to minimize the impact, security is a shared responsibility between Atlassian, customers, and Marketplace partners. Your support in implementing these security measures is key to improving product security.

Parties: Atlassian Marketplace, Customers, Marketplace partners (one ✓ per responsible party):

Marketplace apps
  • Sign apps: ✓
  • Tooling & documentation: ✓
  • Key management: ✓
  • Certificate management: ✓ ✓

Custom apps
  • Sign apps: ✓
  • Tooling & documentation: ✓
  • Key management: ✓
  • Certificate management: ✓

Private builds
  • Sign apps: ✓
  • Tooling & documentation: ✓
  • Key management: ✓
  • Certificate management: ✓ ✓

Thanks for being part of this journey!

3 Likes

Hi,

This sounds good to me, but I have some questions:

  • Are vendor certificates part of Atlassian’s PKI?
  • How does certificate revocation work in this scheme?
  • How will this interact with upload restrictions in UPM other than signed bundles being allowed under upload restrictions? Will it still be possible to circumvent both signature requirements and upload restrictions for our development instances (or do we need to start rolling out signing of our internal development builds)?

Thanks,
Tobi

6 Likes

  1. Is there any case where an installed app will stop working after a period of time due to certificate expiry?
  2. I’m hoping there will be upcoming documentation of the necessary steps for each case (marketplace, partner, custom, air-gapped instance).

3 Likes

A couple of questions:

  1. If a customer upgrades their instance to require signed apps, and already has some custom apps installed (obviously without a signature), what will be the behaviour? Will the product fail to start, will the apps all fail? Will there be some “warning” in intermediate versions?
  2. Am I understanding correctly that the process for customers who wish to upload a custom app would be to manually add the vendor certificate to the trust store (from experience, some customers will struggle to do this correctly), restart the product, then upload the signed app?

Would also be interested in answers to each of Tobi and Matt’s questions above.

4 Likes

Great news! Simple question: if I am a Marketplace Partner (aka app vendor) and upload only official public versions of the app to the Atlassian Marketplace, will Atlassian handle everything? I will not need to sign anything myself, correct?

4 Likes

Will code signing also apply to internal Confluence libraries?

Will it be possible to install the drivers for DBs or mail.jar in the lib/ directory, or to replace inner libraries of Confluence for debug and compatibility purposes?

1 Like

Hi @tobitheo, thanks for your comment.

Vendor certificates are not part of Atlassian’s PKI. Only Marketplace-hosted applications require a valid Atlassian certificate path.

Customers have full control over their Trust Store; therefore, they can revoke/remove untrusted certificates. UPM will list all trusted certificates and notify admins about nearly expired ones.

You will still be able to disable app signing and/or UPM upload restrictions for development.

2 Likes

Hi @MattDoar
To ensure backward compatibility, UPM only verifies the signature when installing new apps. Existing apps do not undergo this verification process.

1 Like

Hi @richard.white
To ensure backward compatibility, UPM only verifies the signature when installing new apps. Existing apps do not undergo this verification process.
Enabling the app signing feature requires setting up a certificate Trust Store. Customers are required to update the Atlassian certificates periodically. No restart is needed when adding new certificates to the Trust Store.

2 Likes

Hi @clouless
That’s correct, Atlassian Marketplace is signing all apps hosted on the Marketplace.

3 Likes

Hi @aragot
To ensure backward compatibility, UPM only verifies the signature when installing new apps. Installations via the File System are not subject to signature checks.

2 Likes
