How to: Implement a Signing Policy Using a Registry Value

New: 14 April 2006

You can use a registry value to manage an organization's policy for loading signed or unsigned packages.

This procedure describes how to add the BlockedSignatureStates DWORD value to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSDTS registry key. The data value in BlockedSignatureStates determines whether a package should be blocked if it has an untrusted signature, has an invalid signature, or is unsigned. With regard to the status of signatures used to sign packages, the BlockedSignatureStates registry value uses the following definitions:

  • A valid signature is one that can be read successfully.
  • An invalid signature is one for which the decrypted checksum (the one-way hash of the package code encrypted by a private key) does not match the decrypted checksum that is calculated as part of the process of loading Integration Services packages.
  • A trusted signature is one that is created by using a digital certificate signed by a Trusted Root Certification Authority. This setting does not require the signer to be found in the user's list of Trusted Publishers.
  • An untrusted signature is one that cannot be verified as issued by a Trusted Root Certification Authority, or a signature that is not current.

The following table lists the valid values of the DWORD data and their associated policy.

Value Description


No administrative restriction.


Block invalid signatures.

This setting does not block unsigned packages.


Block invalid and untrusted signatures.

This setting does not block unsigned packages, but blocks self-generated signatures.


Block invalid and untrusted signatures and unsigned packages.

This setting also blocks self-generated signatures.

If the type of the BlockedSignatureStates registry value is DWORD, and the registry value is not 0, 1, 2, or 3, Integration Services treats the registry value as if it were 3. If BlockedSignatureStates is not set to DWORD, Integration Services treats the registry value as if it were DWORD with the value of 0.

The recommended setting for BlockedSignatureStates is 3. This setting provides the greatest protection against unsigned packages or signatures that are either not valid or untrusted. However, the recommended setting may not be appropriate in all circumstances. For more information about how to sign digital assets, see the topic, "Introduction to Code Signing," in the MSDN Library.

  1. On the Start menu, click Run.

  2. In the Run dialog box, type Regedit, and then click OK.

  3. Locate the registry key, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSDTS.

  4. Right-click MSDTS, point to New, and then click DWORD Value.

  5. Update the name of the new value to BlockedSignatureStates.

  6. Right-click BlockedSignatureStates and click Modify.

  7. In the Edit DWORD Value dialog box, type the value 0, 1, 2, or 3.

  8. Click OK.

  9. On the File menu, click Exit.

Community Additions