Skip to main content
Version: ACAP version 12

ACAP application signing

ACAP application signing is the process of digitally signing an ACAP application to ensure that it has not been tampered with and that it was produced by the identified software provider. This provides an additional layer of security and gives end users confidence that the application is authentic and has not been modified since it was signed.

ACAP applications can be signed via two different paths depending on your partnership status. TIP partners, members of the Axis Technology Integration Partner (TIP) program, use the ACAP Service Portal, for more details see Sign an ACAP application as a TIP partner. Developers outside of the TIP program, non-TIP partners, can sign their applications using the ACAP Signing Service, for more details see Sign an ACAP application as a non-TIP partner.

Why sign your application?

By signing your ACAP application, you can:

  • Ensure that the application has not been tampered with during distribution.
  • Establish the authenticity of the application by identifying its software provider.
  • Increase end users' confidence that they are installing a genuine ACAP application.

Sign an ACAP application as a TIP partner

TIP partners can sign ACAP applications through ACAP Service Portal. Before starting, ensure that you have a registered application in the portal and that you have an active axis.com account.

Follow these steps to sign your ACAP application:

  1. Access the ACAP Service Portal page. The portal allows you to register applications, search for existing applications, upload ACAP packages for signing, and find your vendorId. Log in using your axis.com account.
  2. Use the Filter items by name or description search bar to locate your registered application. If necessary, register a new application by clicking REGISTER.
  3. Open the application details page and retrieve the required values from the manifest.json examples in the Pre-requisite information to sign section: appId and vendor are available for both manifest schema v1 and v2, while vendorId is available only for manifest schema v2.
  4. Before uploading the .eap file for signing, update and build the ACAP using the manifest.json file with the retrieved values and ensure it complies with the manifest schema requirements. Note that the vendor and vendorId values in the ACAP application's manifest.json file are case-sensitive and must exactly match the values provided by the ACAP Service Portal for the application to be successfully validated.
  5. Click SIGN PACKAGE to proceed with signing your ACAP package. In the package upload window, upload your .eap file by clicking UPLOAD A PACKAGE or by dragging and dropping the file directly into the upload area.
  6. After the .eap file has been uploaded successfully, click the SIGN to sign your application.
  7. When the signing process completes successfully, a confirmation message is displayed, and the signed .eap package is downloaded automatically.

ACAP Service Portal

The ACAP Service Portal is available to members of the Axis Technology Integration Partner (TIP) Program. It allows TIP partners to manage their ACAP applications, including:

  • Register and manage applications.
  • Retrieve application information, including the appId, vendor, and vendorId required for signing.
  • Enable and configure the licensing service, including trial and free licenses to users.
  • Manage all aspects around licenses such as generating codes, and track and modify license keys.
  • Declare and restrict application compatibility with Axis devices based on verified support.
  • Sign ACAP applications to ensure authenticity, and to prevent tampering.

All colleagues who are members of the Technology Integration Partner Program have access to the ACAP Service Portal by default. To check who has access within your organization, use the My Colleagues tool. To add or remove users, contact partner-services@axis.com.

Sign an ACAP application as a non-TIP partner

Non-TIP partners can sign ACAP applications through the ACAP Signing Service using an axis.com account. Only ACAP applications using manifest schema v2.x are supported. Applications using manifest schema v1.x must be upgraded before they can be signed.

Follow these steps to sign your ACAP application:

  1. Access the ACAP Signing Service page and click PROCEED TO LOGIN to log in using your axis.com account.
  2. Read and accept the signing terms and conditions by selecting I have read and understood and clicking AGREE. Note that the signing terms appear each time you access the page.
  3. If prompted, allow the browser to access the local network. This is required to load your account-specific manifest information.
  4. On the welcome page, retrieve your unique vendor and vendorId values from the provided manifest.json example. Note that the vendor and vendorId values in the ACAP application's manifest.json file are case-sensitive and should be set to the exact values provided by ACAP Service Portal for the application to be successfully validated.
  5. Before uploading the .eap file for signing, update the application's manifest.json with the retrieved values, rebuild the ACAP application and ensure the manifest complies with the manifest schema requirements.
  6. Click CHOOSE YOUR EAP FILE TO SIGN, select the .eap file, and then click SIGN THE ACAP.
  7. When the signing process completes successfully, a confirmation message is displayed, and the signed .eap package is downloaded automatically.

ACAP Signing Service

The ACAP Signing Service is available to non-TIP partners who can sign ACAP applications using an axis.com account. It supports ACAP applications using manifest schema v2.x and provides the information required to prepare the application's manifest.json file before signing. The ACAP Signing Service does not store uploaded ACAP packages or signing history.

With the ACAP Signing Service, you can:

  • Review and accept signing terms and conditions.
  • Retrieve account-specific vendor and vendorId values required for the application's manifest.json file.
  • Upload ACAP packages (.eap files) for signing.
  • Sign ACAP applications without storing application or signing history.
  • Download the signed ACAP package.

Verifying the signature

ACAP applications are signed using SHA-512 and a 4096 bit RSA private key which is stored securely in a Thales Luna Network HSM 7 in the Axis datacenter.

Axis network devices are preloaded with the 4096 bit RSA public key in order to validate the ACAP signature prior to ACAP-installation. The public key is stored on the Axis network device on the Linux filesystem.

With AXIS OS 9.20 and later, the Axis device verifies the signature of a signed ACAP application on installation. Applications without a signature are still supported. The signature is fully backward compatible, i.e. a signed application can be installed on a device with an AXIS OS version earlier than 9.20, in which case the device doesn't verify the application.

History

With AXIS OS 11.2, an interface is added to VAPIX to control whether an Axis device only accepts signed ACAP applications or not, improving the device's security posture.

In AXIS OS 12.0, the default value has changed to only allow signed applications by default. For more information regarding the reasoning for this change, see the article on Axis For Developers. If developers want to install unsigned applications, they can do so by either using the VAPIX interface to allow unsigned applications or by manually toggling the Allow unsigned apps toggle through the web interface.

AXIS OSSigning requirement (default value)Change signing requirement
9.20 - 11.1Both signed and unsigned applications are allowed to be installed.Not possible to change.
11.2 - 11.11Both signed and unsigned applications are allowed to be installed.The VAPIX interface can be used to configure the device to only allow signed applications.
12.0 - 12.11By default, only signed applications are allowed to be installed.The VAPIX interface can be used to configure the device to allow both signed and unsigned applications.

Axis recommends that you allow unsigned applications to be installed during the development of your ACAP application.

Planned changes

In AXIS OS 13, the possibility to allow unsigned applications will be removed.