The ability to provide UPM app signing certs via Helm Charts


    • Type: Bug
    • Resolution: Unresolved
    • Priority: Low
    • Affects Version/s: master
    • Severity 2 - Major

      In 2025, Data Center products are rolling out a useful feature that lets you verify the integrity and origin of apps and app files using a digital signature.

      This enhancement not only aims to securely re-enable the app upload feature but also improves security overall, as Marketplace apps will now need to come with a signature too.

      The table below lists the UPM version bundled with major Data Center product versions (some of them are not released yet).

      Product       UPM 7.1.          UPM 8.0.0 and later
      Bamboo        11 and earlier    12 and later
      Bitbucket     9 and earlier     10 and later
      Confluence    9 and earlier     10 and later
      Crowd         6 and earlier     7 and later
      Jira          10 and earlier    11 and later

      The default location of the UPM configuration is $SHARED_HOME/upmconfig, and it requires the following conditions:

      • The user running the product must NOT own the configuration file, the truststore folder, or any file or folder it contains.
      • The user running the product must NOT have write privileges on the configuration file, the truststore folder, or any file or folder it contains.

      For more information: Configuring UPM app signature check.

      Problem

      The existing nfsPermissionFixer will break this functionality, since its job is to assign all content of $SHARED_HOME to the product owner with 755 permissions.

      Workaround

      • Disable the nfsPermissionFixer and manage the permissions and ownership manually on the NFS server.
        OR
      • If nfsPermissionFixer is enabled, use postStart to fix the permissions and ownership:
          postStart:
            command: |
              # admin:admingroup must be an owner other than the user running the product
              chown -R admin:admingroup /var/atlassian/application-data/shared-home/upmconfig
              chmod 755 /var/atlassian/application-data/shared-home/upmconfig/truststore
              chmod 644 /var/atlassian/application-data/shared-home/upmconfig/truststore/*
        

        OR

      • If nfsPermissionFixer is enabled, use the atlassian.upm.configuration.directory JVM argument to provide a path outside of $SHARED_HOME. This introduces an additional task for the admin, who must manage the certs on each node.
          additionalJvmArgs:
            - "-Datlassian.upm.configuration.directory=/somewhere/outside/shared-home"
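
      The two ownership and write conditions listed earlier can be audited from a shell, for example after nfsPermissionFixer has run or after applying one of the workarounds. The script below is an added example, not Atlassian tooling and not part of the original ticket; the function names upm_violations and upm_check are hypothetical, and it inspects classic mode bits only (no ACLs).

```shell
#!/bin/sh
# Added example (not Atlassian tooling): audit a UPM configuration directory
# against the two ownership/write conditions quoted in this ticket.
#
# upm_violations DIR USER [GID...]  prints each offending path
# upm_check      DIR USER [GID...]  returns 0 = compliant, 1 = violations, 2 = error
#   USER  name or numeric UID of the account that runs the product
#   GID   that account's groups; looked up with `id -G` when omitted
# Assumption: only classic mode bits are inspected, not POSIX ACLs.

upm_violations() {
    dir=$1 user=$2
    shift 2
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    # No GIDs given: ask the system. A UID without a passwd entry (common in
    # containers) yields none, leaving the owner and world-writable tests.
    [ "$#" -gt 0 ] || set -- $(id -G "$user" 2>/dev/null)
    gids=$*
    # Write access: the "other" write bit, or the group write bit on a path
    # whose group is one of the account's groups. Deliberately conservative.
    set -- -perm -o+w
    for g in $gids; do
        set -- "$@" -o '(' -group "$g" -perm -g+w ')'
    done
    # Ownership is tested on every path. Symlink mode bits are always
    # rwxrwxrwx, so symlinks are excluded from the write test.
    find "$dir" '(' -user "$user" -o '(' ! -type l '(' "$@" ')' ')' ')' -print
}

upm_check() {
    bad=$(upm_violations "$@") || return 2
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad" | sed 's/^/violates UPM config conditions: /' >&2
    return 1
}
```

      Call it as upm_check followed by the upmconfig path and the account that runs the product; a non-zero return means the signature-check preconditions are not met.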
        

            Assignee: Unassigned
            Reporter: Moga
            Votes: 1
            Watchers: 3
