Third-Party Signature Verification¶
title:¶
Warning: This feature is available only in the FlexAI Community Edition. Third-party signature verification is not currently supported on FlexAI Cloud Edition.
Third-party signature verification allows FlexAI administrators to safely approve the installation of plugins not listed on the FlexAI Marketplace without completely disabling signature verification. This supports the following scenarios for example:
- FlexAI administrators can add a signature to a plugin sent by the developer once it has been approved.
- Plugin developers can add a signature to their plugin and publish it along with the public key for FlexAI administrators who cannot disable signature verification.
Both FlexAI administrators and plugin developers can add a signature to a plugin using a pre-generated key pair. Additionally, administrators can configure FlexAI to enforce signature verification using specific public keys during plugin installation.
Generating a Key Pair for Signing and Verification¶
Generate a new key pair for adding and verifying the plugin's signature with the following command:
After running this command, two files will be generated in the current directory:
- Private Key:
your_key_pair.private.pem - Public Key:
your_key_pair.public.pem
The private key is used to sign the plugin, and the public key is used to verify the plugin's signature.
Warning: Keep the private key secure. If it is compromised, an attacker could add a valid signature to any plugin, which would compromise FlexAI's security.
Adding a Signature to the Plugin and Veriyfing It¶
Add a signature to your plugin by running the following command. Note that you must specify the plugin file to sign and the private key:
After executing the command, a new plugin file will be generated in the same directory with signed added to its original filename: your_plugin_project.signed.difypkg
You can verify that the plugin has been correctly signed using this command. Here, you need to specify the signed plugin file and the public key:
Info: If you omit the public key argument, verification will use the FlexAI Marketplace public key. In that case, signature verification will fail for any plugin file not downloaded from the FlexAI Marketplace.
Enabling Third-Party Signature Verification¶
FlexAI administrators can enforce signature verification using pre-approved public keys before installing a plugin.
Placing the Public Key¶
Place the public key corresponding to the private key used for signing in a location that the plugin daemon can access.
For example, create a public_keys directory under docker/volumes/plugin_daemon and copy the public key file there:
mkdir docker/volumes/plugin_daemon/public_keys
cp your_key_pair.public.pem docker/volumes/plugin_daemon/public_keys
Environment Variable Configuration¶
In the plugin_daemon container, configure the following environment variables:
THIRD_PARTY_SIGNATURE_VERIFICATION_ENABLED- Enables third-party signature verification.
- Set this to
trueto enable the feature. THIRD_PARTY_SIGNATURE_VERIFICATION_PUBLIC_KEYS- Specifies the path(s) to the public key file(s) used for signature verification.
- You can list multiple public key files separated by commas.
Below is an example of a Docker Compose override file (docker-compose.override.yaml) configuring these variables:
services:
plugin_daemon:
environment:
FORCE_VERIFYING_SIGNATURE: true
THIRD_PARTY_SIGNATURE_VERIFICATION_ENABLED: true
THIRD_PARTY_SIGNATURE_VERIFICATION_PUBLIC_KEYS: /app/storage/public_keys/your_key_pair.public.pem
Info: Note that
docker/volumes/plugin_daemonis mounted to/app/storagein theplugin_daemoncontainer. Ensure that the path specified inTHIRD_PARTY_SIGNATURE_VERIFICATION_PUBLIC_KEYScorresponds to the path inside the container.
To apply these changes, restart the FlexAI service:
After restarting the service, the third-party signature verification feature will be enabled in the current Community Edition environment.
{/ Contributing Section DO NOT edit this section! It will be automatically generated by the script. /}