Digital signatures for Descriptors are based on the XML Signature specification and shall follow the structure and requirements defined in ISO/IEC 29500-2:2021, Clause 13.

A Descriptor shall have at least one digital signature.

The signing scope of each Descriptor signature shall include the following:

The links to the external references, if any, in a Descriptor shall be included in the signature of the Descriptor. Content of external references shall not be included in this signature and should be digitally signed separately from the Descriptor signature.

There are two exceptions for including Common Services files into the scope of a digital signature:

  • [Content_Types].xml describing the used file name extensions is not included;
  • The relationship file of the digital signature origin file (e.g., “/package/services/digital-signature/_rels/origin.psdsor.rels”) listing the contained digital signatures is not included. This allows adding a signature to the Descriptor without invalidating the existing ones.

Each Descriptor signature shall contain an X.509 certificate, which can be used for signature authentication.

The certificate can be associated with the identity of an individual, an engineering tool, a host, or an organization.

The certificate shall either be signed by a certificate authority or be self-signed.

If the certificate is not self-signed, the intermediate certificate chain shall be included in the X.509 Data element. The root certificate should be included (see 7.8.2), and the signing certificate shall be included.

Descriptors shall only use cryptographic mechanisms from OfflineEngineering security Profiles defined in OPC 10000-84.

Descriptor signatures shall be validated as specified in ISO/IEC 29500-2:2021.

According to ISO/IEC 29500-2:2021, each digital signature shall contain, in the SignatureProperty element, a timestamp indicating the time when the digital signature was created.

NOTE The timestamp can be set to arbitrary values (within the validity period of the signing certificate) by the signer. The validity period check-in procedure (see Table 3) assumes that the signer is trusted to not backdate the timestamp.

An engineering tool importing a Descriptor should support X.509 certificate technology for signer authentication. See Clause 8 for details on X.509 certificate technology usage.

Each digital signature is stored in a file with file name extension psdsxs in the folder “/package/services/digital-signature/xml-signature” in the Descriptor.

The folder “/package/services/digital-signature/_rels” contains the relationship file origin.psdsor.rels, which holds the relationship references to the signature files.

The following shows an example of a relationship reference to a digital signature file.

<Relationship Type="http://schemas.openxmlformats.org/package/2006/relationships/digital-signature/signature" Target="/package/services/digital-signature/xml-signature/a4c483fa3305415e9e691039665d9c67.psdsxs" Id="R292d9a91d8f94796" />

The digital signature file contains XML Signature markup with a subset of elements and attributes of the XML Digital Signature specification, e.g., the elements SignedInfo, SignatureValue, KeyInfo, X509Data and Manifest. The Manifest element lists the files of the signature scope.
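The following Python check is an added example, not part of the specification: it reads origin.psdsor.rels, follows each signature relationship to its psdsxs file, and reports the package parts that the Manifest does not list, skipping the two exceptions named above. It assumes the Descriptor is a ZIP-based package, that Manifest Reference URIs are part names with an optional "?ContentType=" query, and that signature files are not part of a signature's own scope; unsigned_parts and build_sample are hypothetical names, and no cryptographic signature value is verified here.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

NS = {"r": "http://schemas.openxmlformats.org/package/2006/relationships",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SIG_TYPE = NS["r"] + "/digital-signature/signature"
SIG_DIR = "/package/services/digital-signature/"
ORIGIN_RELS = SIG_DIR + "_rels/origin.psdsor.rels"
EXEMPT = {"/[Content_Types].xml", ORIGIN_RELS}  # the two exceptions on the page

def unsigned_parts(package_bytes):
    """Map each signature file to the package parts its Manifest does not list."""
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as zf:
        parts = {"/" + n for n in zf.namelist() if not n.endswith("/")}
        rels = ET.fromstring(zf.read(ORIGIN_RELS.lstrip("/")))
        sigs = [r.get("Target") for r in rels.iterfind("r:Relationship", NS)
                if r.get("Type") == SIG_TYPE]
        # Assumption: signature files themselves are not expected in the scope.
        in_scope = {p for p in parts - EXEMPT
                    if not p.startswith(SIG_DIR + "xml-signature/")}
        report = {}
        for sig in sigs:
            root = ET.fromstring(zf.read(sig.lstrip("/")))
            # Manifest URIs may carry a "?ContentType=..." query; drop it.
            listed = {ref.get("URI", "").split("?")[0]
                      for ref in root.iterfind(".//ds:Manifest/ds:Reference", NS)}
            report[sig] = sorted(in_scope - listed)
        return report

def build_sample():
    """Constructed Descriptor-like ZIP for illustration; signature is not real."""
    sig = SIG_DIR + "xml-signature/sample.psdsxs"
    files = {
        "/[Content_Types].xml": "<Types/>",
        "/descriptor.xml": "<d/>",
        "/extra.xml": "<e/>",  # deliberately missing from the Manifest
        ORIGIN_RELS: f'<Relationships xmlns="{NS["r"]}"><Relationship '
                     f'Type="{SIG_TYPE}" Target="{sig}" Id="R1"/></Relationships>',
        sig: f'<Signature xmlns="{NS["ds"]}"><Object><Manifest>'
             '<Reference URI="/descriptor.xml?ContentType=text/xml"/>'
             "</Manifest></Object></Signature>",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in files.items():
            zf.writestr(name.lstrip("/"), body)
    return buf.getvalue()
```

Calling unsigned_parts(build_sample()) reports /extra.xml for the constructed signature, since that part is in the package but absent from the Manifest.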

An example of a digital signature is given in Annex I.