Developers: get ready for AF Plugin signature requirement
It is a best practice that AF Plugins you provide to the AF Server be digitally signed. In addition, all of your AF Plugins’ dependent DLLs must have a digital signature. Before signing an existing plugin or dependent DLL that is already deployed without a signature, increment the version of the plugin to ensure the client will download the update. If you are unfamiliar with how to apply an Authenticode signature, see this article from DigiCert: https://knowledge.digicert.com/solution/SO17631.html.
With the release of AFClient 2018 SP3 Patch 2, all AF Plugins must be digitally signed.
Why are digital signatures a best practice?
Digitally signing your plugin increases the users’ confidence that it is from a trusted provider. Additionally, it supports application whitelisting strategies. For more information on application whitelisting, see these resources:
- KB00994 - Whitelisting with AppLocker: https://customers.osisoft.com/s/knowledgearticle?knowledgeArticleUrl=KB00994
- KB01892 - Whitelisting with Windows Defender Application Control (Device Guard): https://customers.osisoft.com/s/knowledgearticle?knowledgeArticleUrl=KB01892
- NIST SP 800-167, Guide to Application Whitelisting: https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-167.pdf
Compliance regimes such as NERC CIP provide further evidence that digital signatures are a best practice. As of July 2020, mechanisms such as digital signatures for verification of software integrity and authenticity are mandatory and enforceable under NERC CIP standards.
OSIsoft strives to provide digital signatures for all PI System software.
What is the impact if I don’t digitally sign my AF Plugins?
After AFClient 2018 SP3 Patch 2 is installed, unsigned AF Plugins will be unable to load on upgraded systems. We are providing this notice to our development community so that you can assess the readiness of your AF Plugins and ensure they continue to add value to your PI System going forward.
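To assess readiness as described above, the following PowerShell script (an added example, not OSIsoft code) lists every DLL in a plugin build folder with its file version and Authenticode status, and exits non-zero if any is not Valid. The folder path is a placeholder, and treating a Valid status from Get-AuthenticodeSignature as the bar to meet is an assumption; this notice does not describe how AFClient itself validates signatures.

```powershell
# Added example: check that a plugin and all of its dependent DLLs are signed.
param(
    # Hypothetical build/staging folder; replace with your own path.
    [string]$PluginDir = 'C:\Build\MyAFPlugin'
)

$dlls = @(Get-ChildItem -Path $PluginDir -Filter *.dll -Recurse -File)
if ($dlls.Count -eq 0) {
    Write-Error "No DLLs found under $PluginDir"
    exit 2
}

$report = @(foreach ($dll in $dlls) {
    $sig  = Get-AuthenticodeSignature -FilePath $dll.FullName
    $cert = $sig.SignerCertificate
    [pscustomobject]@{
        File        = $dll.FullName
        # Compare against the deployed copy: the version should be higher.
        FileVersion = $dll.VersionInfo.FileVersion
        Status      = $sig.Status
        Signer      = if ($cert) { $cert.Subject } else { '' }
        CertExpires = if ($cert) { $cert.NotAfter.ToString('yyyy-MM-dd') } else { '' }
        Timestamped = [bool]$sig.TimeStamperCertificate
    }
})

$report | Sort-Object Status, File | Format-Table -AutoSize

# Anything other than Valid (NotSigned, HashMismatch, NotTrusted, ...) needs attention.
$notValid = @($report | Where-Object { $_.Status -ne 'Valid' })

# A signature without a timestamp stops validating once the signing certificate expires.
$noTimestamp = @($report | Where-Object { $_.Status -eq 'Valid' -and -not $_.Timestamped })
foreach ($r in $noTimestamp) {
    Write-Warning "No timestamp: $($r.File) (certificate expires $($r.CertExpires))"
}

if ($notValid.Count -gt 0) {
    Write-Warning "$($notValid.Count) of $($dlls.Count) DLLs do not have a valid signature."
    exit 1
}
Write-Output "All $($dlls.Count) DLLs carry a valid Authenticode signature."
```

Run it on a machine that trusts the same certificate chain as your clients, since a NotTrusted result depends on the local certificate stores.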
What if I have questions?
Please contact OSIsoft Technical Support if you have questions.