Identify the Source of Packages with Digital Signatures
Updated: August 24, 2016
An Integration Services package can be signed with a digital certificate to identify its source. After a package has been signed with a digital certificate, you can have Integration Services check the digital signature before loading the package. To have Integration Services check the signature, you set an option in either SQL Server Data Tools (SSDT) or in the dtexec utility (dtexec.exe), or set an optional registry value.
Before you can sign a package with a digital certificate, you first have to obtain or create the certificate. After you have the certificate, you can then use this certificate to sign the package. For more information about how to obtain a certificate and sign a package with that certificate, see Sign a Package by Using a Digital Certificate.
Both SQL Server Data Tools (SSDT) and the dtexec utility have an option that configures Integration Services to check the digital signature of a signed package. Whether you use SQL Server Data Tools (SSDT) or the dtexec utility depends on whether you want to check all packages or just specific ones:
To check the digital signature of all packages before loading the packages at design time, set the Check digital signature when loading a package option in SQL Server Data Tools (SSDT). This option is a global setting for all packages in SQL Server Data Tools (SSDT).
To check the digital signature of an individual package, specify the /VerifyS[igned] option when you use the dtexec utility to run the package. For more information, see dtexec Utility.
Integration Services also supports an optional registry value, BlockedSignatureStates, that you can use to manage an organization's policy for loading signed and unsigned packages. The registry value can prevent packages from loading if the packages are unsigned, or have invalid or untrusted signatures. For more information about how to set this registry value, see Implement a Signing Policy by Setting a Registry Value.
NOTE: The optional BlockedSignatureStates registry value can specify a setting that is more restrictive than the digital signature option set in SQL Server Data Tools (SSDT) or at the dtexec command line. In this situation, the more restrictive registry setting overrides the other settings.
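The following PowerShell script is an added example, not code from the original Microsoft documentation. It audits the two mechanisms described above on a single host: it reads the optional BlockedSignatureStates registry value and it runs dtexec with the /VerifySigned switch against each package in a folder, reporting which packages load under signature checking. The registry key path is a placeholder (the real key is given in "Implement a Signing Policy by Setting a Registry Value" and varies by SQL Server version), the package folder is a constructed sample path, and the mapping of dtexec exit codes to outcomes is an assumption noted in the comments.

```powershell
# Added example: audit SSIS digital-signature checking on this host.
# Not part of the documentation; paths below are placeholders/assumptions.

# ASSUMPTION: replace with the real key that holds BlockedSignatureStates
# for your SQL Server version (see the linked signing-policy topic).
$PolicyKey = 'HKLM:\SOFTWARE\<PLACEHOLDER-SSIS-REGISTRY-KEY>'

# ASSUMPTION: dtexec.exe is on PATH; otherwise supply its full path.
$Dtexec = 'dtexec.exe'

function Get-SsisSignaturePolicy {
    param([string]$KeyPath = $PolicyKey)
    $item = Get-ItemProperty -Path $KeyPath -Name 'BlockedSignatureStates' -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # No value present: there is no organization-wide restriction, so only
        # the SSDT option or the dtexec /VerifySigned switch checks signatures.
        return [pscustomobject]@{ Configured = $false; BlockedSignatureStates = $null }
    }
    # A configured value may be more restrictive than the SSDT/dtexec options,
    # and in that case it overrides them (see the NOTE above).
    return [pscustomobject]@{ Configured = $true; BlockedSignatureStates = [int]$item.BlockedSignatureStates }
}

function Test-SsisPackageSignature {
    param([Parameter(Mandatory)][string]$PackagePath)
    # /VerifySigned is the long form of the documented /VerifyS[igned] option.
    # /Validate loads and validates the package without executing it, which is
    # what an audit wants.
    & $Dtexec /File $PackagePath /VerifySigned /Validate | Out-Null
    $code = $LASTEXITCODE
    # ASSUMPTION on exit codes: 0 = package loaded and validated; a package that
    # fails the signature check is rejected at load time and returns non-zero.
    return [pscustomobject]@{
        Package           = $PackagePath
        ExitCode          = $code
        SignatureAccepted = ($code -eq 0)
    }
}

# Usage (constructed sample folder): report the policy, then check each package.
Get-SsisSignaturePolicy | Format-List
Get-ChildItem -Path 'C:\ssis\packages' -Filter '*.dtsx' -ErrorAction SilentlyContinue |
    ForEach-Object { Test-SsisPackageSignature -PackagePath $_.FullName } |
    Format-Table -AutoSize
```

Run the script on the server that executes the packages, since both the registry value and the dtexec behaviour are per-host settings; a package that passes here but is deployed elsewhere still depends on that host's own configuration.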