# Self-signed cert for ZXP signing

The `.zxp` package format requires a signature. We use a self-signed cert so there is no Certificate Authority cost; the trade-off is editors must enable `PlayerDebugMode` for the panel to load (the Windows `.exe` installer does this automatically).

## Files

| File | What it is | Commit to git? |
|------|------------|----------------|
| `dragonflight-selfsigned.p12` | PKCS#12 keystore containing the signing cert + private key | **yes** |
| `cert-passphrase.txt` | Passphrase for the `.p12` | **yes** |

Both are auto-generated on the first `node build-zxp.mjs` run. They MUST be committed and reused across builds: Adobe's ZXP signature continuity rule means a re-signed package with a different cert fingerprint will not install over an existing version — editors would have to uninstall the panel first.

## Why is committing a private key OK here?

- The panel is proprietary internal tooling, not a public distribution.
- The cert chains to nothing — a leak lets an attacker sign a fake `net.wilddragon.dragonflight.panel` bundle, which would still require `PlayerDebugMode=1` to load and physical access to the editor's machine to install. Threat model: low.
- The alternative (rotating the cert on every build or keeping it in a secrets manager) would break upgrade-in-place for every editor on every build.

If you want a real codesigning cert later, drop a CA-issued `.p12` over the self-signed one with the same filename and update `cert-passphrase.txt`. The build script will reuse them.

## Regenerating

Delete both files. Next `node build-zxp.mjs` run will create a fresh self-signed cert (valid for 25 years). Commit the new pair.

**Heads up:** every editor with the old `.zxp` installed must uninstall first before the new one will install.

The build script handles regeneration automatically — just delete both files and re-run `node build-zxp.mjs`. If you need to invoke Adobe's `ZXPSignCmd` directly (e.g. to inspect the generated cert), it ships inside `node_modules/zxp-provider/bin//` after `npm install`.