License Signatures

The license signature feature allows signed Wolfram Language material to be executed even in the absence of a license. Specifically, license signatures allow signed Wolfram Language files, signed Wolfram Language symbols, and signed MX files to be evaluated.

License signature modules are C files that simplify the task of handling license signatures. Developers should send the material they need signed to Wolfram. Wolfram will then return the relevant license signature modules. Developers compile the license signature modules into their application. Once that’s done, the application can evaluate signed material in the absence of Wolfram licenses. Step 4: License Signatures in the workflow guide demonstrates this process in action.

For non-C/C++ applications, a Wolfram Language file that loads the relevant license signatures can be used instead of license signature modules.

Requesting License Signatures

The process for acquiring license signatures requires submitting all signable assets to Wolfram. To prepare for this, gather the following materials from the application:

  • All Wolfram Language source files: This includes any .wl or .m files that are loaded using Wolfram Language function Get or Needs.

  • All MX files: Any .mx files that are loaded

  • A list of Wolfram Language symbols used in C code: For example, suppose I called wlr_Eval(wlr_E(wlr_Symbol("Integrate"), wlr_Symbol("x"))). The symbols System`Integrate and Global`x should be submitted.

Once these assets are collected, please contact ccooley@wolfram.com to begin the signing process. Provide the collected materials.

Concerning the Expression API

The function wlr_StartRuntime (described in greater detail here) takes an argument that controls the signing behavior. If WLR_SIGNED_CODE_MODE is used, the kernel enters signed code mode. On the other hand, WLR_LICENSE_OR_SIGNED_CODE_MODE allows the kernel to use an actual license if one is available, using signed code mode as a fallback.

In signed code mode, the expression API uses license signatures to protect evaluations. For example, the function wlr_Eval (used to evaluate expressions) will produce an error if the kernel is in signed code mode, and its expression argument contains an unsigned symbol.

Additionally, signed code mode affects all Wolfram Language functions that use the parser to read in Wolfram Language expressions. This means Get, Read, and so on. For example, imagine we called wlr_Get on a signed Wolfram Language file. Imagine this file loads another file using Get. Even though the original file is signed, the second file must be signed as well.

When the runtime is in signed code mode, the requirement for a valid signature depends on how and where code is evaluated. The key distinction is whether the code is being introduced to the runtime from your C application, or whether it is being evaluated from within already-running Wolfram Language code.

The following table summarizes these scenarios.

_images/table.png

The main takeaways are:

  • Any file loaded from the C via wlr_Get must be signed

  • Any expression built in C and evaluated with an expression API function like wlr_Eval must only contain signed symbols

  • A signed Wolfram Language file can, in turn, load another file using Wolfram Language functions like Get, but that file must also be signed

  • Critically, once execution is inside trusted Wolfram Language code (i.e., from a signed file), that code can build and evaluate new expressions (for example, with ToExpression) without the same symbol-by-symbol signature restrictions

To facilitate development, note that the runtime includes built-in license signatures for a large set of common System` symbols.