ACAP application signing
ACAP application signing is the process of digitally signing an ACAP application to ensure that it has not been tampered with and that it was produced by the identified software provider. This provides an additional layer of security and gives end users confidence that the application is authentic and has not been modified since it was signed.
ACAP applications can be signed via two different paths depending on your partnership status. TIP partners, members of the Axis Technology Integration Partner (TIP) program, use the ACAP Service Portal, for more details see Sign an ACAP application as a TIP partner. Developers outside of the TIP program, non-TIP partners, can sign their applications using the ACAP Signing Service, for more details see Sign an ACAP application as a non-TIP partner.
Why sign your application?
By signing your ACAP application, you can:
- Ensure that the application has not been tampered with during distribution.
- Establish the authenticity of the application by identifying its software provider.
- Increase end users' confidence that they are installing a genuine ACAP application.
Sign an ACAP application as a TIP partner
TIP partners can sign ACAP applications through ACAP Service Portal. Before starting, ensure that you have a registered application in the portal and that you have an active axis.com account.
Follow these steps to sign your ACAP application:
- Access the ACAP Service Portal page. The portal allows you to register applications, search for existing applications, upload ACAP packages for signing, and find your
vendorId. Log in using your axis.com account. - Use the Filter items by name or description search bar to locate your registered application. If necessary, register a new application by clicking REGISTER.
- Open the application details page and retrieve the required values from the
manifest.jsonexamples in the Pre-requisite information to sign section:appIdandvendorare available for both manifest schema v1 and v2, whilevendorIdis available only for manifest schema v2. - Before uploading the
.eapfile for signing, update and build the ACAP using themanifest.jsonfile with the retrieved values and ensure it complies with the manifest schema requirements. Note that thevendorandvendorIdvalues in the ACAP application'smanifest.jsonfile are case-sensitive and must exactly match the values provided by the ACAP Service Portal for the application to be successfully validated. - Click SIGN PACKAGE to proceed with signing your ACAP package. In the package upload window, upload your
.eapfile by clicking UPLOAD A PACKAGE or by dragging and dropping the file directly into the upload area. - After the
.eapfile has been uploaded successfully, click the SIGN to sign your application. - When the signing process completes successfully, a confirmation message is displayed, and the signed
.eappackage is downloaded automatically.
ACAP Service Portal
The ACAP Service Portal is available to members of the Axis Technology Integration Partner (TIP) Program. It allows TIP partners to manage their ACAP applications, including:
- Register and manage applications.
- Retrieve application information, including the
appId,vendor, andvendorIdrequired for signing. - Enable and configure the licensing service, including trial and free licenses to users.
- Manage all aspects around licenses such as generating codes, and track and modify license keys.
- Declare and restrict application compatibility with Axis devices based on verified support.
- Sign ACAP applications to ensure authenticity, and to prevent tampering.
All colleagues who are members of the Technology Integration Partner Program have access to the ACAP Service Portal by default. To check who has access within your organization, use the My Colleagues tool. To add or remove users, contact partner-services@axis.com.
Sign an ACAP application as a non-TIP partner
Non-TIP partners can sign ACAP applications through the ACAP Signing Service using an axis.com account. Only ACAP applications using manifest schema v2.x are supported. Applications using manifest schema v1.x must be upgraded before they can be signed.
Follow these steps to sign your ACAP application:
- Access the ACAP Signing Service page and click PROCEED TO LOGIN to log in using your axis.com account.
- Read and accept the signing terms and conditions by selecting I have read and understood and clicking AGREE. Note that the signing terms appear each time you access the page.
- If prompted, allow the browser to access the local network. This is required to load your account-specific manifest information.
- On the welcome page, retrieve your unique
vendorandvendorIdvalues from the providedmanifest.jsonexample. Note that thevendorandvendorIdvalues in the ACAP application'smanifest.jsonfile are case-sensitive and should be set to the exact values provided by ACAP Service Portal for the application to be successfully validated. - Before uploading the
.eapfile for signing, update the application'smanifest.jsonwith the retrieved values, rebuild the ACAP application and ensure the manifest complies with the manifest schema requirements. - Click CHOOSE YOUR EAP FILE TO SIGN, select the
.eapfile, and then click SIGN THE ACAP. - When the signing process completes successfully, a confirmation message is displayed, and the signed
.eappackage is downloaded automatically.
ACAP Signing Service
The ACAP Signing Service is available to non-TIP partners who can sign ACAP applications using an axis.com account. It supports ACAP applications using manifest schema v2.x and provides the information required to prepare the application's manifest.json file before signing. The ACAP Signing Service does not store uploaded ACAP packages or signing history.
With the ACAP Signing Service, you can:
- Review and accept signing terms and conditions.
- Retrieve account-specific
vendorandvendorIdvalues required for the application'smanifest.jsonfile. - Upload ACAP packages (
.eapfiles) for signing. - Sign ACAP applications without storing application or signing history.
- Download the signed ACAP package.
Verifying the signature
ACAP applications are signed using SHA-512 and a 4096 bit RSA private key which is stored securely in a Thales Luna Network HSM 7 in the Axis datacenter.
Axis network devices are preloaded with the 4096 bit RSA public key in order to validate the ACAP signature prior to ACAP-installation. The public key is stored on the Axis network device on the Linux filesystem.
With AXIS OS 9.20 and later, the Axis device verifies the signature of a signed ACAP application on installation. Applications without a signature are still supported. The signature is fully backward compatible, i.e. a signed application can be installed on a device with an AXIS OS version earlier than 9.20, in which case the device doesn't verify the application.
History
With AXIS OS 11.2, an interface is added to VAPIX to control whether an Axis device only accepts signed ACAP applications or not, improving the device's security posture.
In AXIS OS 12.0, the default value has changed to only allow signed applications by default. For more information regarding the reasoning for this change, see the article on Axis For Developers. If developers want to install unsigned applications, they can do so by either using the VAPIX interface to allow unsigned applications or by manually toggling the Allow unsigned apps toggle through the web interface.
| AXIS OS | Signing requirement (default value) | Change signing requirement |
|---|---|---|
| 9.20 - 11.1 | Both signed and unsigned applications are allowed to be installed. | Not possible to change. |
| 11.2 - 11.11 | Both signed and unsigned applications are allowed to be installed. | The VAPIX interface can be used to configure the device to only allow signed applications. |
| 12.0 - 12.11 | By default, only signed applications are allowed to be installed. | The VAPIX interface can be used to configure the device to allow both signed and unsigned applications. |
Axis recommends that you allow unsigned applications to be installed during the development of your ACAP application.
Planned changes
In AXIS OS 13, the possibility to allow unsigned applications will be removed.