Certificates & Package Signing
Robopack automatically signs all generated PowerShell installation scripts using a code signing certificate. The signature lets the scripts deployed to your devices be verified and shows that they haven't been tampered with.
How it works
When Robopack generates an installation package, the PowerShell scripts inside it are signed with a certificate. By default, Robopack generates a self-signed root certificate for your organisation automatically — you don't need to do anything to get started.
Certificate types
| Type | Description |
|---|---|
| Generated (self-signed) | Robopack generates a self-signed certificate specific to your organisation. This is the default. |
| Uploaded (PFX) | You upload your own code signing certificate (PFX format with private key) for Robopack to use. |
Default generated certificate
Every Robopack organisation gets an automatically generated self-signed root certificate. This certificate:
- Is unique to your organisation
- Has a long validity period (typically 20 years)
- Includes your organisation name in the subject (e.g. CN=Your Org, O=Robopack, L=Copenhagen, C=DK)
- Is used for all package signing unless overridden
You can view the active certificate and any previously generated certificates in Settings > Certificates / Signing.
Generating a new certificate
To generate a new self-signed certificate:
- Go to Settings > Certificates / Signing
- Click Generate new certificate
- Enter a certificate name (e.g. your organisation name)
- Set the validity period in years (default: 20 years)
- Click Generate
The new certificate becomes the active signing certificate for all future packages.
Previously generated certificates remain listed under Available certificates for reference. Packages signed with older certificates remain valid until those certificates expire.
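One way to check, on a device or in a test environment, that every script in a package is signed by the active certificate or by an older one you still accept. This is an added example, not Robopack code. It assumes you have the certificate thumbprints to hand; `Test-PackageScriptSignature` is a hypothetical helper name, and the demo certificate and scripts are constructed stand-ins.

```powershell
# Added example, not Robopack code. Test-PackageScriptSignature is a hypothetical helper.
function Test-PackageScriptSignature {
    param(
        [Parameter(Mandatory)] [string]   $Path,              # folder holding the package's .ps1 files
        [Parameter(Mandatory)] [string[]] $AllowedThumbprint  # active certificate plus older ones still in use
    )
    $allowed = @($AllowedThumbprint | ForEach-Object { ($_ -replace '\s', '').ToUpperInvariant() })
    Get-ChildItem -Path $Path -Filter *.ps1 -Recurse -File | ForEach-Object {
        $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
        $cert = $sig.SignerCertificate
        # Order matters: file integrity first, then signer identity, then expiry, then local trust.
        if     ($sig.Status -eq 'NotSigned')    { $verdict = 'Unsigned' }
        elseif ($sig.Status -eq 'HashMismatch') { $verdict = 'ModifiedAfterSigning' }
        elseif ($null -eq $cert -or $cert.Thumbprint -notin $allowed) { $verdict = 'UnexpectedSigner' }
        elseif ($cert.NotAfter -lt (Get-Date))  { $verdict = 'CertificateExpired' }
        elseif ($sig.Status -ne 'Valid')        { $verdict = 'PinnedSignerNotTrustedOnThisDevice' }
        else                                    { $verdict = 'Ok' }
        [pscustomobject]@{ File = $_.Name; Verdict = $verdict; Status = $sig.Status; Signer = $cert.Subject }
    }
}

# Constructed demo: a throwaway self-signed certificate stands in for the organisation certificate.
$demoCert = New-SelfSignedCertificate -Type CodeSigningCert -Subject 'CN=Constructed Demo Org' `
    -CertStoreLocation Cert:\CurrentUser\My
$demoDir = Join-Path $env:TEMP ('sigdemo-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $demoDir | Out-Null
foreach ($name in 'Install.ps1', 'Tampered.ps1', 'Unsigned.ps1') {
    Set-Content -Path (Join-Path $demoDir $name) -Value 'Write-Output "constructed sample"'
}
foreach ($name in 'Install.ps1', 'Tampered.ps1') {
    Set-AuthenticodeSignature -FilePath (Join-Path $demoDir $name) -Certificate $demoCert | Out-Null
}
# Change the body of one signed script to simulate modification after signing.
$tampered = Join-Path $demoDir 'Tampered.ps1'
(Get-Content $tampered) -replace 'constructed sample', 'changed' | Set-Content $tampered

Test-PackageScriptSignature -Path $demoDir -AllowedThumbprint $demoCert.Thumbprint |
    Format-Table -AutoSize

# Clean up the demo folder and the throwaway certificate.
Remove-Item -Recurse -Force $demoDir
Remove-Item -Path "Cert:\CurrentUser\My\$($demoCert.Thumbprint)"
```

A `PinnedSignerNotTrustedOnThisDevice` verdict means the signer matches your allow-list but the device's certificate stores do not trust it, which is what an uninstalled self-signed certificate produces.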
Uploading your own certificate
If your organisation requires packages to be signed with a specific certificate (e.g. an enterprise code signing certificate from a trusted CA), you can upload it:
- Go to Settings > Certificates / Signing
- Click Upload certificate
- Select your PFX file — this must include the private key
- Enter the certificate password
- Click Upload
The uploaded certificate will be used for signing all future packages.
Per-app certificate override
You can override the signing certificate for a specific app in Custom App Settings. This is useful if certain apps need to be signed with a different certificate than the organisation default.
Related
- Script Templates — scripts are signed using the certificate configured here
- Custom Packaging — custom apps are also signed using these certificates
- Tutorial: Configure Custom App Settings — override the certificate per app