Signing custom or third-party features and plug-ins for install and update

Eclipse plug-ins can be created and used to extend Notes® client functionality. Features and plug-ins are provisioned with the client software.

About this task

To simplify installation or deployment, sign your features and plug-ins.

CAUTION: The Notes installer requires that all features and plug-ins in the install kit be signed and timestamped.

Sign new features and plug-ins in preparation for install and update using a code signing certificate obtained from a certification authority. When signed and properly resident in the install kit, the features can be installed if the code signing certificate is included in the kit keystore. If the code signing certificate is not a trusted file, you can modify the install signature verification policy to allow for installing signed but untrusted content.

Note: Features and plug-ins being installed as part of Notes install or upgrade must be signed. Features and plug-ins being deployed to an existing Notes install, for example using a widget, should be signed by a trusted certifier.

Administrative trust defaults can be pushed to clients using Domino® policy settings in the Administrative trust defaults section on the security policy document's Keys and Certificates tab. Use this policy option to specify your specific administrative trust defaults for use during either Notes install or upgrade or client plug-in deployment to an existing Notes installation.

Note: Time stamping certificates can be added to signed plug-ins to ensure the long-term validity of plug-in signatures. You can use security policy settings to ignore the expiration dates of time stamping certificates that are valid at the time of plug-in signing. With this approach, users are not hindered during use or installation of signed plug-ins when time stamping certificates expire. See the related topics for information on creating a security policy settings document.

Signing your custom or third-party features and plug-ins accomplishes the following:

When you install new custom or third-party features and plug-ins for Notes installation, you can add your own certificates to a keystore so that the signed features are trusted during install and update from the install kit. You can sign features and plug-ins either using the JarSigner tool included in the Java™ Development Kit (JDK) or a third-party tool, such as the Plugin Development Environment (PDE) in Eclipse. Certificates can be obtained from many of the well known certificate authorities (CA).

Features are checked for trust during install and update provisioning. If Notes is already installed, features are checked during runtime provisioning.

If you are signing features and plug-ins that you'll deploy to users in some way other than in the Notes install kit, consider the following:
For more information, see Pushing certifier and trust settings using policy or a client install kit.

Signing and adding new features to the kit

About this task

Use this procedure to sign the new custom or third-party feature and plug-in JAR files and add the feature to the Notes install kit.

This procedure assumes that you have built or the obtained JAR files for new custom or third-party features and plug-ins for use in an Eclipse update site. Use the JRE's JarSigner tool, Eclipse, or other third-party tool. See the Lotus® Expeditor wiki for information about creating valid features and plug-ins.


1. Set the JAVA_HOME directory environment variable, on the machine(s) on which you'll be installing Notes, to point to the JDK folder under which the keytool resides. In the following sample command line, the needed bin\keytool would be resident in the indicated JAVA_HOME variable's directory.

2. Create a keystore, and generate the public/private key pair EclipseFeaturesAlias as well as a self-signed certificate associated with the private key of the pair. A sample command line is shown:
3. Display the certificate/key pair. A sample command line is shown:
4. For the feature you'll be adding to the install kit, sign its updatesite JAR files (in the features folder and in the plugins folder) using the self-signed certificate/key pair. Sample command lines for signing JAR files in the features folder and plugins folder are shown:
5. Update the install manifest (deploy\install.xml) in the Notes install kit. A snippet is shown (see Customizing the Notes install manifest for new or third-party Eclipse features for description of installfeature settings).
6. Add the signed feature to the Notes install kit.
7. Export a trust certificate that can authenticate your public key. A sample command line is shown:
8. Add the exported trust certificate to the Notes install kit keystore to enable trust for your public key at install. A sample command line is shown:
9. List the entries in the Notes install kit keystore. A sample command line is shown:
Related concepts
Using Domino policy to set or verify trust for client plug-ins
Using Eclipse preferences to verify trust
Managing client plug-in deployment
Client feature deployment
Customizing Notes using plugin_customization.ini

Related tasks
Customizing a Notes install kit to set certifier and trust defaults
Creating a security policy settings document
Adding and removing components from the Notes install kit using UpdateSiteMgr
Deploying client plug-ins with widgets and the widget catalog

Related information
How to add a certificate to the Lotus Notes 8 installation media kit file using keytool.exe
Signing custom or third party features and plug-ins properly so that the Notes user is not prompted to specify trust during installation