In AutoCAD 2014, we introduced Trusted Locations (TRUSTEDPATHS). “Trusted Paths” are, in concept, a “white list” of locations that the CAD manager can audit and maintain for the add-ins and customizations loaded into AutoCAD. AutoCAD allows signed files to be loaded from outside this “whitelist” without SECURELOAD warnings, with the exception that AutoCAD 2016 also checks whether the publisher of the signed app is in the user’s Trusted Publishers certificate store. The “best practice” is to ensure the “trusted locations” are writable only with Administrator permissions.
Applications utilizing the "autoloader" functionality within AutoCAD have the option to install to the following locations:
%APPDATA%\Autodesk\ApplicationPlugins
%ALLUSERSPROFILE%\Autodesk\ApplicationPlugins
%ProgramFiles%\Autodesk\ApplicationPlugins
%ProgramFiles(x86)%\Autodesk\ApplicationPlugins (on a 64-bit OS)
In AutoCAD 2014 and 2015, %ALLUSERSPROFILE%\Autodesk\ApplicationPlugins and %APPDATA%\Autodesk\ApplicationPlugins are trusted paths by default.
With AutoCAD 2016, only the Program Files folders (C:\Program Files\Autodesk\ApplicationPlugins and C:\Program Files (x86)\Autodesk\ApplicationPlugins) are trusted by default.
This means that when you try to load an unsigned add-in from any location outside the "trusted locations", you will get a warning message like the one shown below. Note that in AutoCAD 2016 the user can choose to “always trust this app”; if they do, the warning will not be triggered again.
Signed add-ins from publishers that haven’t been “trusted” by the user will trigger the kind of warning shown below. Note that the user can add the publisher to the certificate store by selecting “always trust applications from…”, after which they won’t be asked again for that publisher.
To avoid warnings, you need to:
Sign all your add-in files with your own digital signature and add your certificate to the local machine’s trusted certificates cache. Attaching a digital signature affords a basic level of security to help designate the publisher of the application and to help guarantee that the application hasn't been tampered with since it was distributed by the signer. We recommend that an app be signed regardless of where it is installed.
OR
Install to a trusted folder (for example, C:\Program Files\Autodesk\ApplicationPlugins). Note that AutoCAD implicitly trusts the AutoCAD install folder and all of its subfolders, and C:\Program Files\Autodesk\ApplicationPlugins and all of its subfolders. These are considered "trusted locations."
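The following PowerShell script is an added example, not code from this post or from Autodesk. It audits the autoloader folders listed above the way the "best practice" suggests: it reports any non-administrative principal holding write-class rights on a trusted location or one of its subfolders, checks the Windows Authenticode signature of PE-format add-in files, and checks whether each signer's certificate is present in the user's or the machine's Trusted Publishers store. The set of file extensions, the list of principals treated as expected writers, and the handling of AutoLISP files (listed but not verified, since Get-AuthenticodeSignature does not validate AutoCAD's own signature format for them) are this example's assumptions; it assumes Windows PowerShell 5.1 or later.

```powershell
# Added example (not Autodesk code): audit candidate AutoCAD trusted locations.
# Assumes Windows PowerShell 5.1+. Folder names are the autoloader paths from the post.

# Candidate trusted locations; %ProgramFiles(x86)% is absent on 32-bit Windows.
$roots = @($env:APPDATA, $env:ALLUSERSPROFILE, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } |
    ForEach-Object { Join-Path $_ 'Autodesk\ApplicationPlugins' }

# Principals expected to hold write access on a trusted location (assumption;
# CREATOR OWNER is normally an inherit-only ACE and is tolerated here).
$expectedWriters = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
                     'NT SERVICE\TrustedInstaller', 'CREATOR OWNER')

# Rights that let a principal plant or replace files: Write (WriteData, AppendData,
# WriteAttributes, WriteExtendedAttributes), Delete, DeleteSubdirectoriesAndFiles,
# ChangePermissions, TakeOwnership, plus the GENERIC_WRITE (0x40000000) and
# GENERIC_ALL (0x10000000) bits that some ACEs carry instead of specific rights.
$fsr = [System.Security.AccessControl.FileSystemRights]
[int]$writeMask = [int]$fsr::Write -bor [int]$fsr::Delete -bor
    [int]$fsr::DeleteSubdirectoriesAndFiles -bor [int]$fsr::ChangePermissions -bor
    [int]$fsr::TakeOwnership -bor 0x40000000 -bor 0x10000000

# File types treated as loadable code (assumption). Only PE files get an
# Authenticode check; AutoLISP files are reported as NotChecked.
$peExtensions   = @('.dll', '.arx', '.crx', '.exe')
$lispExtensions = @('.lsp', '.fas', '.vlx')

# Thumbprints the user or machine has already trusted as publishers.
$trustedThumbprints = @(Get-ChildItem -Path 'Cert:\CurrentUser\TrustedPublisher',
                                            'Cert:\LocalMachine\TrustedPublisher' -ErrorAction SilentlyContinue |
                        ForEach-Object { $_.Thumbprint })

function Get-UnexpectedWriters {
    # Returns one record per Allow ACE that grants write-class rights to a
    # principal outside $expectedWriters.
    param([Parameter(Mandatory)][string]$Folder)
    $acl = Get-Acl -LiteralPath $Folder
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $who = $ace.IdentityReference.Value
        if ($expectedWriters -contains $who) { continue }
        if (([int]$ace.FileSystemRights -band $writeMask) -ne 0) {
            [pscustomobject]@{ Folder = $Folder; Principal = $who
                               Rights = $ace.FileSystemRights; Inherited = $ace.IsInherited }
        }
    }
}

function Get-AddInSignatureReport {
    # Returns signature status per add-in file, noting signers not yet trusted.
    param([Parameter(Mandatory)][string]$Folder)
    Get-ChildItem -LiteralPath $Folder -Recurse -File |
        Where-Object { ($peExtensions + $lispExtensions) -contains $_.Extension.ToLower() } |
        ForEach-Object {
            $status = 'NotChecked'; $signer = ''
            if ($peExtensions -contains $_.Extension.ToLower()) {
                $sig    = Get-AuthenticodeSignature -FilePath $_.FullName
                $status = $sig.Status.ToString()
                if ($sig.SignerCertificate) {
                    $signer = $sig.SignerCertificate.Subject
                    if ($status -eq 'Valid' -and $trustedThumbprints -notcontains $sig.SignerCertificate.Thumbprint) {
                        $status = 'Valid (publisher not in TrustedPublisher store)'
                    }
                }
            }
            [pscustomobject]@{ File = $_.FullName; Status = $status; Signer = $signer }
        }
}

foreach ($folder in $roots) {
    if (-not (Test-Path -LiteralPath $folder)) { Write-Output "$folder : not present"; continue }
    Write-Output "== $folder"
    # The folder and every subfolder count as trusted, so each directory's ACL matters.
    $dirs = @(Get-Item -LiteralPath $folder) + @(Get-ChildItem -LiteralPath $folder -Directory -Recurse)
    $writers = $dirs | ForEach-Object { Get-UnexpectedWriters -Folder $_.FullName }
    if ($writers) { $writers | Format-Table -AutoSize }
    else { Write-Output '   ACL: only expected principals hold write access' }
    Get-AddInSignatureReport -Folder $folder |
        Where-Object { $_.Status -ne 'Valid' } |
        Format-Table -AutoSize
}
```

Run it in an elevated session so every folder's ACL can be read; any row under a trusted location naming a user or group outside the expected set is a folder where a non-administrator could drop a file that AutoCAD would load without a SECURELOAD warning.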
It is strongly recommended to sign your add-in, as more and more AutoCAD customers, particularly larger ones, require any files installed on their networks to be signed.
Related blogs:
Digitally signing plug-in files
Through the Interface – Security
Autodesk Help: