Version: ACAP version 12

ACAP application signing tool

ACAP application signing

ACAP application signing is the process of adding a digital signature to your ACAP application to ensure that it hasn't been tampered with and that it has been built by your company. This provides an additional layer of security and trustworthiness for your application.

Why sign your application?

By signing your ACAP application, you can:

  • Ensure that the application hasn't been tampered with during distribution.
  • Verify that the application was built by your company.
  • Increase the security and trustworthiness of your application.

How TIP partners can sign their applications

The ACAP application signing tool is managed through the ACAP Service Portal, which is currently restricted to members of the Axis Technology Integration Partner program. If you're not a partner, you can apply for access to the ACAP Service Portal if you meet the program requirements.

Follow these steps to sign your ACAP application:

  1. Access the ACAP Service Portal. In the portal, developers can register applications, search for existing applications, upload ACAP packages for signing, and find their vendor ID. Make sure to sign in with an axis.com account.
  2. The manifest.json file must be valid against the manifest schema. See more details in the manifest schema section.
  3. On the portal main page, use the Filter items by name or description search bar to find the registered applications. The search bar allows you to locate applications without scrolling through the entire list.
  4. Click on your application to access its details page. To proceed with signing your ACAP package, locate and click the SIGN PACKAGE button.
  5. After clicking the SIGN PACKAGE button, a new window opens displaying the package upload interface. Click the UPLOAD A PACKAGE button to select your .eap file, or drag and drop the file directly into the upload area.
  6. After the .eap file has been successfully uploaded, the SIGN button is enabled. Click this button to sign your ACAP application.
  7. Once the signing process completes successfully, a green pop-up confirms success and the signed package is downloaded automatically.

ACAP applications are signed in the ACAP portal using SHA-512 and a 4096-bit RSA private key, which is stored securely in a Thales Luna Network HSM 7 in the Axis datacenter in Lund.

ACAP Service Portal

The ACAP Service Portal allows Axis Technology Integration Partner Program vendors to manage information about their applications, including:

  • Name and description for applications.
  • Enable and set up the licensing service, such as trial or free licenses for users.
  • Manage all aspects of licenses, such as generating codes and tracking and modifying license keys.
  • Configure compatibility between your application and Axis products.
  • Sign applications to ensure authenticity, and to prevent tampering.

Access the ACAP Service Portal

To get access to the ACAP Service Portal, you must partner with Axis through the Technology Integration Partner Program.

Your colleagues with Technology Integration Partner Program access have access to the ACAP Service Portal by default. You can find out who has access with the my colleagues tool. Contact partner-services@axis.com to add or remove colleagues with access to the ACAP Service Portal.

Verifying the signature

Axis network devices are preloaded with the 4096-bit RSA public key so that they can validate the ACAP signature before the application is installed. The public key is stored on the Axis network device on the Linux filesystem.

With AXIS OS 9.20 and later, the Axis device verifies the signature of a signed ACAP application on installation. Applications without a signature are still supported. The signature is fully backward compatible, i.e. a signed application can be installed on a device with an AXIS OS version earlier than 9.20, in which case the device doesn't verify the application.

History

With AXIS OS 11.2, an interface was added to VAPIX to control whether an Axis device accepts only signed ACAP applications, improving the device's security posture.

In AXIS OS 12.0, the default value changed so that only signed applications are allowed. For more information regarding the reasoning for this change, see the article on Axis For Developers. If developers want to install unsigned applications, they can do so either by using the VAPIX interface to allow unsigned applications or by manually switching on the Allow unsigned apps toggle in the web interface.

| AXIS OS | Signing requirement (default value) | Change signing requirement |
|---|---|---|
| 9.20 - 11.1 | Both signed and unsigned applications are allowed to be installed. | Not possible to change. |
| 11.2 - 11.11 | Both signed and unsigned applications are allowed to be installed. | The VAPIX interface can be used to configure the device to only allow signed applications. |
| 12.0 - 12.11 | By default, only signed applications are allowed to be installed. | The VAPIX interface can be used to configure the device to allow both signed and unsigned applications. |

Axis recommends that you allow unsigned applications to be installed during the development of your ACAP application.
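
The signing and install-time checks described above, sketched with the openssl CLI as an added example that is not Axis code. The locally generated key pair, the file names, the detached `.sig` sidecar file and the `install_decision` policy function are assumptions made for illustration; the page does not describe how the signature is stored inside an .eap file or which padding scheme is used.

```shell
#!/bin/sh
# Added illustration: detached RSA-4096 / SHA-512 signature over a package file.
# Assumptions: keys, file names, the .sig sidecar and install_decision are
# constructed here; the real ACAP signature container is not shown on the page.

WORK=$(mktemp -d)

# Stand-in for the signing key (in the portal it is held in an HSM).
make_keys() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:4096 \
        -out "$WORK/sign.key" 2>/dev/null
    openssl pkey -in "$WORK/sign.key" -pubout -out "$WORK/sign.pub"
}

# sign_pkg FILE: write FILE.sig, an RSA signature over the SHA-512 digest.
sign_pkg() {
    openssl dgst -sha512 -sign "$WORK/sign.key" -out "$1.sig" "$1"
}

# verify_pkg FILE: succeed only if FILE.sig matches FILE under the public key.
verify_pkg() {
    openssl dgst -sha512 -verify "$WORK/sign.pub" -signature "$1.sig" "$1" \
        >/dev/null 2>&1
}

# install_decision FILE ALLOW_UNSIGNED(true|false): prints accept or reject.
install_decision() {
    if [ -f "$1.sig" ]; then
        # A signature that is present but invalid is never accepted.
        if verify_pkg "$1"; then echo accept; else echo reject; fi
    elif [ "$2" = true ]; then
        echo accept
    else
        echo reject
    fi
}

make_keys
printf 'constructed package payload\n' > "$WORK/app.eap"
cp "$WORK/app.eap" "$WORK/unsigned.eap"
sign_pkg "$WORK/app.eap"
install_decision "$WORK/app.eap" false        # signed, intact
printf 'x' >> "$WORK/app.eap"                 # modify after signing
install_decision "$WORK/app.eap" false        # signed, tampered
install_decision "$WORK/unsigned.eap" false   # unsigned, signed-only policy
install_decision "$WORK/unsigned.eap" true    # unsigned, toggle enabled
```

Only the public key is needed on the verifying side, which is why a device can check packages without ever holding the signing key.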

Planned changes

In AXIS OS 13, the possibility to allow unsigned applications will be removed.