Eurotech’s 2025 Bundle Signing Keys and Security Policy Update
In May 2025, Eurotech generated a new set of intermediate and leaf certificates from the Eurotech CA: it created two new intermediate CAs, "Eurotech Root Software CA 2025" and "Eurotech Root Software ESF CA 2025", and refreshed the leaf keys used to sign artifacts.
Key Generation and Certificates Overview
The newly generated intermediate CAs and leaf certificates are listed on the Eurotech documentation page: Eurotech Certificates. From May 2025 onwards, these certificates are used to sign all the latest ESF software releases, covering both the core framework and its add-ons. Because a new intermediate CA was introduced, the existing ESF security policy file had to be revised so that ESF add-ons signed with the newly generated keys can execute.
Required Customer Actions
For customers operating devices with the ESF framework in production mode, specific actions are required to ensure continued functionality and security compliance following the release of the new certificates:
1. Update the Security Policy File
To allow the execution of the ESF add-ons released after May 2025, customers need to modify their existing ESF security policy file. This involves adding a new policy snippet that grants permission to bundles signed by the newly generated certificates. The following XML snippet should be added:
<esf:policy>
    <esf:access>ALLOW</esf:access>
    <esf:conditions>
        <esf:condition>
            <esf:name>BundleSignerCondition</esf:name>
            <esf:value>"*;CN=EUROTECH S.p.A. Root Software ESF CA 2025,OU=www.eurotech.com,O=EUROTECH S.p.A.,L=Amaro,ST=Udine,C=IT;-"</esf:value>
        </esf:condition>
    </esf:conditions>
    <esf:permissions>
        <esf:permission>
            <esf:name>java.security.AllPermission</esf:name>
            <esf:values>
                <esf:value>*</esf:value>
                <esf:value>*</esf:value>
            </esf:values>
        </esf:permission>
    </esf:permissions>
    <esf:name>All permissions to bundles signed by keys countersigned by EUROTECH S.p.A. Root Software ESF CA 2025</esf:name>
</esf:policy>
2. Reload the Security Policy
Once the modification is made, customers must reload the policy as described in the ESF documentation. This step is critical to ensure that the updated policy is actively enforced, allowing the execution of the latest ESF add-ons.
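The following check is an added example, not Eurotech code: it audits an edited policy file before the reload, listing every signer chain that an ALLOW policy trusts and confirming that the 2025 ESF CA rule from step 1 is present. Assumptions: the wrapper element, the namespace URI bound to the esf prefix and OLD_DN are placeholders, because this notice shows only the policy snippet, so the parser matches element names only.

```python
import xml.etree.ElementTree as ET

# Signer DN copied from the snippet in this notice.
CA_2025 = ("CN=EUROTECH S.p.A. Root Software ESF CA 2025,OU=www.eurotech.com,"
           "O=EUROTECH S.p.A.,L=Amaro,ST=Udine,C=IT")
OLD_DN = "CN=EXAMPLE PRE-2025 CA,O=PLACEHOLDER"  # placeholder, not a real Eurotech DN

def find(elem, name, deep=False):
    """Elements called `name`, ignoring the namespace URI bound to 'esf:'."""
    pool = elem.iter() if deep else list(elem)
    return [e for e in pool if e.tag.rsplit("}", 1)[-1] == name]

def text(elem):
    return (elem.text or "").strip()

def signer_chains(policy):
    """DN chains of every BundleSignerCondition in one policy element."""
    chains = []
    for cond in find(policy, "condition", deep=True):
        if "BundleSignerCondition" in [text(n) for n in find(cond, "name")]:
            for value in find(cond, "value"):
                # ';' separates DNs; '*' matches one certificate, '-' zero or more.
                chains.append([dn.strip() for dn in text(value).strip('"').split(";")])
    return chains

def audit(xml_text):
    """One (label, access, chain, grants_all) row per signer rule in the file."""
    rows = []
    for policy in find(ET.fromstring(xml_text), "policy", deep=True):
        access = "".join(text(a) for a in find(policy, "access"))
        label = "".join(text(n) for n in find(policy, "name"))
        perms = [text(n) for p in find(policy, "permission", deep=True)
                 for n in find(p, "name")]
        for chain in signer_chains(policy):
            rows.append((label, access, chain, "java.security.AllPermission" in perms))
    return rows

def allows_2025_ca(xml_text):
    """True once an ALLOW policy trusts bundles chained to the 2025 ESF CA."""
    return any(acc == "ALLOW" and CA_2025 in ch for _, acc, ch, _ in audit(xml_text))

def sample(dns):  # constructed input: wrapper element and namespace URI are placeholders
    body = "".join(
        f'<esf:policy><esf:access>ALLOW</esf:access><esf:conditions><esf:condition>'
        f'<esf:name>BundleSignerCondition</esf:name><esf:value>"*;{dn};-"</esf:value>'
        f'</esf:condition></esf:conditions><esf:permissions><esf:permission>'
        f'<esf:name>java.security.AllPermission</esf:name></esf:permission>'
        f'</esf:permissions><esf:name>rule for {dn[:20]}</esf:name></esf:policy>'
        for dn in dns)
    return f'<esf:policies xmlns:esf="urn:example:placeholder">{body}</esf:policies>'
```

Calling audit() on the real file's contents also shows every other signer chain that currently receives java.security.AllPermission, which is worth reviewing whenever the policy is edited.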
3. Install the ESF Add-on (Optional)
To streamline this update process, the Eurotech ESF team has developed an optional add-on that can be installed on the target ESF framework. When deployed, this add-on, named com.eurotech.framework.policy.updater.manager.feature_2.0.0.dp, automatically updates the security policy with the new requirements, eliminating the need for manual editing by the customer. Notably, the bundle containing this add-on is signed with the previous Eurotech key (prior to 2025), ensuring that it can run on any target environment in production mode without additional action from customers.
The com.eurotech.framework.policy.updater.manager.feature_2.0.0.dp add-on can be downloaded from the Add-ons section of the ESF 7.6.0 download area on the Eurotech website.
4. Existing Bundles Remain Valid
Bundles signed by Eurotech prior to May 2025 continue to function properly within existing ESF installations. The newly implemented security measures do not affect the validity of these pre-existing bundles.
For further assistance, customers are encouraged to consult Eurotech’s technical support resources or the official documentation.