What Is a .taco File? How to Sign a TACO File with Jarsigner?
What Is a .taco File and Why Should You Care?
If you’re building for Tableau, the .taco file is your product’s packaging. It’s a bundle of everything metadata, connection logic, and XML configs, wrapped into one distributable unit. This is what Tableau expects when you hand it a connector.
It’s just a ZIP archive, and it behaves like a JAR file. But in Tableau’s world, it’s the official format for plugins created with the Tableau Connector SDK.
Tableau only loads signed .taco files. Unsigned ones get flagged. Then blocked.
So if you’re planning to distribute your connector or test it in a different environment, remember. A .taco without a signature isn’t a connector. It’s a liability.
Why Signing Isn’t Just a Formality, It’s a Trust Contract
Every modern user wants Confidence, Proof, and Safety. They don’t want to hope your software is legit. They want to know. That’s what signing does. When you sign a .taco file using jarsigner, you’re not just jumping through hoops. You’re creating a contract of trust.
Tableau checks:
- Is this file signed?
- Is the signature backed by a trusted certificate authority?
- Was the file timestamped so we know it hasn’t expired?
If the answers are yes, Tableau loads it. If not? It won’t touch it.
Unsigned = Untrusted = Blocked.
Signed = Verified = Ready to Run.
Before You Touch Jarsigner: What You Need to Prepare?
You don’t want to get halfway through packaging your connector, only to realise… You forgot something critical. Like the certificate. Or the JDK. Or worse, the whole SDK. So, before you even type the word jarsigner, run through this checklist. Skipping a single step could cost you hours or even get your connector rejected.
Your Pre-Signing Checklist:
- Java JDK is installed and properly configured (JAVA_HOME and PATH are set)
- Python 3.9+ installed (used for packaging, not just scripting)
- Tableau Desktop 2019.4+ is ready for local testing
- You’ve tested it locally using Run Under Development or TDVT
- You have a keystore (.jks or .p12) and a valid certificate from a trusted CA
How to Sign a .taco File?
Signing is a tricky thing that most developers do not fiddle with. They spoil it because it is not transparent. When it breaks, there is no feedback, and when it fails without notice, where is the obvious error? Everything works one day.
The second, Tableau won’t load your connector and gives you an incomprehensible error message concerning trust.
This is not ceremonial. It has to do with trust. Signing indicates to Tableau (and to your users) that you provided this file and have not tampered with it, and it is safe to execute.
Step 1: Build Your .taco File Properly
Your connector files, the .trex, the manifest, icons, and config files need to be bundled. But here’s where most people slip: you’re not zipping the folder. You’re zipping the contents inside the folder. If you zip the outer folder, Tableau won’t load it. You’ll get nothing but frustration and a blank error window.
Run the following commands to do this.
cd connector_folder/
zip -r ../my_connector.zip *
cd ..
mv my_connector.zip my_connector.tacoStep 2: Get a Real Code Signing Certificate
No, you can’t self-sign. And no, a regular code signing cert won’t work. Tableau requires an EV (Extended Validation) Code Signing Certificate, issued by a real Certificate Authority.
All code signing certs must live on a hardware token (usually a USB key or HSM). That means you can’t just export it and keep it in your filesystem. The private key never leaves the hardware, which is the whole point.
Expect a human verification step when you buy it. These certs aren’t automated. The CA will probably call your company, verify your identity, and it might take a few days to issue.
Step 3: Install the Windows Signing Tools
This is Windows-only. You’ll need A Windows machine (or VM). The Windows 10 SDK (which includes SignTool.exe). Your USB token is plugged in. Once the SDK is installed, find signtool.exe here:
C:\Program Files (x86)\Windows Kits\10\bin\<version>\x64\Make sure it’s on your PATH, or just navigate to it directly.
Step 4: Sign the .taco File
Run this command to sign the taco file.
signtool sign /fd SHA256 /tr http://timestamp.digicert.com /td SHA256 /a my_connector.taco- /fd SHA256: Use SHA-256 for the file digest (required by Tableau)
- /tr: Tells Windows to use a timestamp server, which is critical. Otherwise, your signature dies the moment the certificate expires
- /td SHA256: SHA-256 for the timestamp digest too
- /a: Automatically picks the best cert if there’s more than one
If your token is plugged in and your cert is valid, this should Just Work. If it doesn’t check that:
- You installed the token’s driver software
- You’ve logged into the token via its GUI (some require PIN auth first)
- No other security tool is blocking the signing process
Step 5: Verify That It Worked
Don’t just assume, check it by running this command.
signtool verify /pa /v my_connector.tacoAfter running the command, you will see that:
- A valid signature
- A valid timestamp
- Confirmation that the certificate chain is trusted
If it fails, you’ll get a verbose error. Read it closely. The problem is usually expired certificates, timestamp server issues, or missing intermediate certificates on the system.
Conclusion
Signing your .taco file isn’t a task to check off. It’s the difference between shipping a product and shipping a risk. If Tableau can’t trust your connector, neither can your users. Do the work once, do it right, and your connector becomes something people can depend on.
And if you need a code signing certificate, the kind that works, contact us. We’ll help you get the right certificate from a trusted CA, fast. No guesswork. Just trust, built in.
