How To: Protect the programming system
More security for the installation of CODESYS Development System and add-ons can be achieved by using signed packages. Signed packages can be created in the CODESYS Package Designer.
Compiled libraries and reloadable elements, such as the HTML5 control for visualization, also offer an attack surface for hackers and should be certificate-encrypted.
Signing Packages
When a package is created with the CODESYS Package Designer, it can be certificate-encrypted using a PKCS#12 file. See here: Package Designer Editor
Protecting and signing compiled libraries
You can protect libraries by means of source code protection, signing, and a license (dongle or soft container).
Source code protection
When a library is prepared in "compiled-library" format, the source code of the library POUs is no longer visible after the library is integrated into a project.
Signing
Note
In CODESYS V3 SP20 and higher, library projects *.compiled-library-v3 and *.compiled-library can be saved both with and without a certificate signature.
In CODESYS V3 SP15 and higher, a certificate is always used for the signing of library projects (*.compiled-library-v3). The signing can be enforced by means of a setting in the security screen. To generate a compiled library, you then need a certificate suitable for code signing in your user profile.
Note
With compiler version 3.5.15.0 and higher, a better memory format is also used.
For library projects that must be compatible with CODESYS versions < 3.5.15.0 (*.compiled-library), only the less secure signing with a private key and an associated token is possible. These deprecated methods should only be used for reasons of compatibility. Settings are configured on the Signing tab of the Project Information dialog.
Requirement: You have a valid certificate for signing on your computer. For more information about certificate handling, see the following: How To: Handle certificates for the IDE and the PLC
Creating a library project.
Open the Users tab of the Security Screen view.
Use the button to open the dialog for certificate selection.
From the Available certificates... area, select a certificate for the digital signature and use the button to move it to the upper window.
After confirming the selection, the certificate is displayed in the table under Digital Signature.
In the Security Level section, select the Enforce signing of compiled libraries option.
Click the File → Save Project as Compiled Library command to save the library project.
The library is automatically signed. If the signature check does not confirm the integrity, for example because the library has been manipulated, then the library cannot be used.
In CODESYS V3 SP15 and higher, library signing is always based on certificates. To perform this kind of signing, see the help page: Command: Save Project as Compiled Library. In contrast to deprecated signing by using the settings in the Project Information – Signing dialog, the entire library is signed with the certificate.
Tip
When using the command-line interface, you can use the --signaturethumbprint option to sign a compiled library.
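The requirement above is a certificate suitable for code signing in your user profile, and the command-line option identifies it by thumbprint. The following PowerShell listing is an added example, not part of the CODESYS documentation: it shows which certificates currently qualify and prints their thumbprints. It assumes the certificate is installed in the Personal store of the current Windows user (Cert:\CurrentUser\My).

```powershell
# Added example: find certificates that can be used for signing a compiled library.
# Assumption: the signing certificate lives in the current user's Personal store.
$now = Get-Date

# -CodeSigningCert is a dynamic parameter of the Certificate provider; it returns
# only certificates whose enhanced key usage permits code signing.
$candidates = Get-ChildItem -Path Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object {
        $_.HasPrivateKey -and          # signing needs the private key, not just the public certificate
        $_.NotBefore -le $now -and     # already valid
        $_.NotAfter  -gt $now          # not yet expired
    }

if (-not $candidates) {
    Write-Warning 'No valid code-signing certificate with a private key found in Cert:\CurrentUser\My.'
    return
}

# The Thumbprint column is the value that identifies the certificate when signing.
$candidates |
    Sort-Object NotAfter -Descending |
    Select-Object Subject, Issuer, Thumbprint, NotAfter,
        @{ Name = 'DaysLeft'; Expression = { [int]($_.NotAfter - $now).TotalDays } } |
    Format-Table -AutoSize
```

If the list is empty although a certificate was imported, check that the PKCS#12 file was imported together with its private key and that the certificate carries the code-signing key usage.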
Licensing
You can protect libraries by using a license (dongle or soft container). License-protected libraries can be installed in the library repository. However, for use in the project, the valid license has to exist on the computer. Licenses are managed in the License Manager.
For more information, see the following: Licensing help