Using Digital Signatures with Packages
An Integration Services package can be signed with a digital certificate to identify its source. After a package has been signed with a digital certificate, you can have Integration Services check the digital signature before loading the package. To have Integration Services check the signature, you set an option in either Business Intelligence Development Studio or in the dtexec utility (dtexec.exe), or set an optional registry value.
Before you can sign a package with a digital certificate, you first have to obtain or create the certificate. After you have the certificate, you can then use this certificate to sign the package. For more information about how to obtain a certificate and sign a package with that certificate, see How to: Sign a Package by Using a Digital Certificate.
Both Business Intelligence Development Studio and the dtexec utility have an option that configures Integration Services to check the digital signature of a signed package. Whether you use Business Intelligence Development Studio or the dtexec utility depends on whether you want to check all packages or just specific ones:
To check the digital signature of all packages before loading the packages at design time, set the Check digital signature when loading a package option in Business Intelligence Development Studio. This option is a global setting for all packages in Business Intelligence Development Studio. For more information, see General Page.
To check the digital signature of an individual package, specify the /VerifyS[igned] option when you use the dtexec utility to run the package. For more information, see dtexec Utility (SSIS Tool).
Integration Services also supports an optional registry value, BlockedSignatureStates, that you can use to manage an organization's policy for loading signed and unsigned packages. The registry value can prevent packages from loading if the packages are unsigned, or have invalid or untrusted signatures. For more information about how to set this registry value, see How to: Implement a Signing Policy by Setting a Registry Value.
The optional BlockedSignatureStates registry value can specify a setting that is more restrictive than the digital signature option set in Business Intelligence Development Studio or at the dtexec command line. In this situation, the more restrictive registry setting overrides the other settings.