Signing a visualization mod using Package Builder

Spotfire visualization mods are visualizations created using web technologies such as JavaScript or TypeScript, that run in the provided framework within Spotfire clients. Mods can be created and uploaded to a Spotfire library by any user with sufficient privileges. When mods are developed for a particular Spotfire environment, they can be signed by the user account that loads the mod project into Spotfire. However, if you want your mods to be signed in all environments, and possible to distribute to more people, you should use a certificate created by a certificate authority (CA) to sign your mods. You can sign a mod project using the Spotfire Package Builder console by following the steps in this topic.

Before you begin

You must have a code signing certificate from a trusted CA.
You must have access to the source code for the mod project you want to sign. See GitHub for instructions on how to develop mods.
Use the Spotfire Package Builder console version 11.0 or later.

Procedure

Open a command prompt in your Package Builder folder.
Enter the needed information for the signing command.
In this example, a signed .mod file is built using the following settings and prerequisites:
- The target type is "mod".
- The manifest file for the mod project (specified with the argument /mod-manifest) is "D:\Mods\Examples\my-mod\src\mod-manifest.json".
- The target (the path and file name of the resulting signed .mod file) is "D:\Mods\Examples\signedmods\my-mod_signedmod.mod".
- The resulting .mod file is signed by the certificate "D:\Mods\Certificates\mycompanycertificate.pfx" with "password= mycompanypassword".
  In this example, the certificate + the private key is saved in a .pfx file.
Command line example:
```
.\Spotfire.Dxp.PackageBuilder-Console.exe /targettype:mod /mod-manifest:"D:\Mods\Examples\my-mod\src\mod-manifest.json" /target:"D:\Mods\Examples\signedmods\my-mod_signedmod.mod" /cert:"D:\Mods\Certificates\mycompanycertificate.pfx" /password:mycompanypassword
```
Note: Because file-based certificates are no longer regarded as secure, it is recommended to sign using a certificate and a private key that is installed in the Windows certificate store. There are different ways to identify the certificate, see Package Builder console parameter reference for details. In the following example, the identification is made using a ThumbprintId:
```
.\Spotfire.Dxp.PackageBuilder-Console.exe /targettype:mod /mod-manifest:"D:\Mods\Examples\my-mod\src\mod-manifest.json" /target:"D:\Mods\Examples\my-mod\my-mod_signedmod.mod" /localcert:"CurrentUser:TrustedPeople:FindByThumbprint:f3ef5f85dc02480d1a0c4a4949405a06d9d9b5ff"
```
This example assumes that you have imported the signing certificate to the Windows certificate store under "Trusted People" and that the root certificate has been imported to the Windows certificate store.
Run the command in the command prompt.

Results

The signed .mod file is found in the specified target location.

Example: Signing or re-signing a .mod file

You can also sign an existing .mod file (exported from the Spotfire client or built using Package Builder):

.\Spotfire.Dxp.PackageBuilder-Console.exe /targettype:mod /sign /target:"D:\Mods\Examples\signedmods\re-signedmod.mod" /localcert:"CurrentUser:TrustedPeople:FindByThumbprint:f3ef5f85dc02480d1a0c4a4949405a06d9d9b5ff"

Read more about trust in the Spotfire environment in the Spotfire Server – Installation and Administration Manual.