Manage Code Sign Client distribution

Both Code Sign Manager - Self-Hosted and Code Sign Manager - SaaS use a single universal client to sync signing keys and certificates to signing workstations.

By default, when users download the client from the Code Sign Client distribution page, the latest universal client is retrieved from the public download endpoint (dl.ngts.paloaltonetworks.com).

This topic explains how to customize that behavior and host the file internally from your Trust Protection Foundation server. Examples of when you might want to do this include:

Disabling downloads from the public endpoint in an air-gapped environment
Controlling which client version is distributed

Follow the steps below to configure client distribution according to your environment.

Disable public download endpoint

You can disable the public download endpoint from the Clients tab in global code signing properties.

Once disabled, the client distribution page will no longer download the client from dl.ngts.paloaltonetworks.com.

Download and host the client internally

After disabling the public download endpoint, download the required client packages and host them on your server.

NOTE Client version numbers follow a yy.mm.dd.build-number format.

For example, version 26.2.10.1 represents a build created on February 10, 2026, with build number 1.

For instructions and a distribution utility script, see Code Sign Client Distribution Script Guide.