Code Signing

 CorDapps Corda Distributed Application. A Java (or any JVM targeting language) application built using the Corda build toolchain and CorDapp API to solve some problem that is best solved in a decentralized manner. are packaged as CPKs Corda Package. A signed ZIP/JAR library of Java code packaged to be portable with all of its dependencies and version information contained within it. , CPBs Corda Package Bundle. A signed ZIP/JAR collection of CPKs that forms a complete application suite and contains all the code that a virtual node must operate, minus the specific network details. , and CPIs Corda Package Installer. A signed ZIP/JAR combination of a CPB and a Group Policy File that defines not only the application code that a virtual node will run, but also the details of the MGM with which to register, and the details of network PKI requirements. . Each of these packages must be signed with a Code Signing certificate. The signatures are then verified when a CPI is installed. They are verified against the certificates uploaded to Corda using the REST API.

CPK signatures are also verified during backchain verification, which is why you must carefully consider which certificates to sign with and which certificates to upload to the cluster to establish trust.

CPK and CPB packages can be signed using the Corda Gradle plugin or the Corda CLI A command line tool that supports various Corda-related tasks, including Corda Package Installer (CPI) creation and Corda cluster management. , while CPI packages can only be signed with the Corda CLI. You can also “re-sign” a package; that is, replace the old signature with a new one. This is useful in case you need to replace a pre-production signature that was used for testing with a signature based on a production certificate.