I came with error after creating the certificate ,
This app package’s publisher certificate could not be verified. Contact your system administrator or the app developer to obtain a new app package with verified certificates. The root certificate and all immediate certificates of the signature in the app package must be verified (0x800B010A)
Related
The following set-up is given:
We are a fairly small branch of a big enterprise sitting on the bottom of a complex WinServer 2012 R2 AD. Therefore we are somehow restricted in our policies.
Our development department has three PowerShell developers who want to use their scripts securely.
We implemented an AD CS to sign our scripts by our own root certificate authority.
The technical steps to implement our certificates are the following:
Create a private key with a public certificate using openssl.
Sign the certificate by our certificate authority.
Import the signed certificate into an AD users account along with the public certificate of the CA into the trusted CAs.
The certificate user "ScriptUser" is not an AD user, therefore we import his certificate into the trusted users area.
Signing and testing:
On the client system (Windows 7 or Windows 10) we tested to sign a
PowerShell script which went ok.
When running the script locally we get an error message that the certificate owner is not trustworthy. After committing the script runs.
We expected the script to run without any dialogue.
What's our fault?
I am trying to implement APNS for my App. I created APP id and was able to generate an SSL certificate for my App (the type is shown to be APNs development IOS). However, when I try to generate a provisioning profile, following the screen where I choose the AppID of my app, I do not see the SSL certificate I generate for this app. In the certificates list, I only see certificates of type 'IOS development' that were created previously.
The APNs certificate that you created is used by what the documentation refers to as the "APNs Provider" -- In the simplest case, this is your own server that is responsible for keeping track of APNs device tokens and generating APNs Push Payloads that instruct the APNs what message, sound, or badge to deliver to a specific device token. Just as the arrangement of executable code and other assets in your app is secured by a cryptographic signature (via your iPhone Development or iPhone Distribution certificate and associated provisioning profile), communications between your server and the Apple APNs gateway must also be secured to prevent a rogue 3rd party from masquerading as your server and sending spammy push messages to your users. This APNs SSL certificate is used to secure and authenticate your server's connection to the APNs, authorizing it to deliver push payloads to your app on user's devices -- Keep those certificates secure! If anyone gains access to the private key of the SSL certificate then they could send spammy pushes to your app!
Your APNs Provider will need access to the private key for this SSL certificate. Without it, Apple's APNs gateways will reject any and all attempts to connect. Your provider, does not need to have your provisioning profiles -- this APNs certificate is entirely separate than the mechanisms used to code sign an iOS app, that is, the server only needs the server certificate, while the app needs the code signing certificate + provisioning profile. These two items do not intersect and do not exchange data with each other.
It is true that your provisioning profiles (Development, Ad-Hoc Distribution, and App Store Distribution) will need to be reissued, but that is specifically to add the aps-environment entitlement to each of these profiles allowing apps signed with these profiles to connect with the APNs environments. To be absolutely clear, reissuing these profiles does not and should not add your APNs SSL certificate anywhere in the profile...your application code doesn't need to leverage this certificate in any way and would lead to a slight increase in your application's size.
You can check if your current provisioning profiles include the aps-environment entitlement by opening Terminal, copy and pasting the following, taking care to update the path to your specific .mobileprovision:
/usr/libexec/PlistBuddy -c 'Print :Entitlements' /dev/stdin <<< $(security cms -D -i /path/to/your/application.mobileprovision)
This command does two things:
Uses the security tool in OS X to extract the plist content from the .mobileprovision file identified after the -i argument and passes all of this content into...
PlistBuddy printing the entire contents of the Entitlements key to screen.
The output for a basic Development profile that has not been enabled for Push Notifications will resemble the following:
Dict {
get-task-allow = true
com.apple.developer.team-identifier = ABC1DEF2G3
application-identifier = XYZW1ABC2D.com.mycompany.niftyapp
keychain-access-groups = Array {
XYZW1ABC2D.*
}
}
While the output for a basic Ad-Hoc or App Store Distribution that has not been enabled for Push Notifications will resemble:
Dict {
get-task-allow = false
com.apple.developer.team-identifier = ABC1DEF2G3
application-identifier = XYZW1ABC2D.com.mycompany.niftyapp
keychain-access-groups = Array {
XYZW1ABC2D.*
}
}
Now that you have the APNs certificates issued for your app's AppId, you do need to step through and reissue your Development, Ad-Hoc, and Distribution provisioning profiles to add the aps-environment entitlement to each of your profiles.
Navigate to Certificates, Identifiers, and Profiles tool and find one of the profiles associated with this application.
Click the Edit button and walk through each step of the wizard -- you don't have to make any changes to the previously defined settings, you simply need the current profile reissued!
Click the Download button at the end of the wizard.
Drag and drop the updated profile on the Xcode icon on your Dock to install.
If you run that same set of Terminal commands again on these new files (remember to update the path to the new .mobileprovision if necessary!) you'll now see that aps-environment key appear in your App's entitlements:
Dict {
get-task-allow = true
aps-environment = development
com.apple.developer.team-identifier = ABC1DEF2G3
application-identifier = XYZW1ABC2D.com.mycompany.niftyapp
keychain-access-groups = Array {
XYZW1ABC2D.*
}
}
There are two values for this new key:
aps-environment = development -- This will appear only on Development Provisioning Profiles and allows apps signed using iPhone Developer certificates and may only connect with the Sandbox APNs Environment
aps-environment = production -- This will appear only on Distribution Provisioning Profiles (Ad-Hoc or App Store), allowing apps signed using iPhone Distribution certificates to connect with the Production APNs Environment
Depending on which certificate you use to sign a build determines which APNs gateway your app will connect to and fetch a Push token as well as which gateway your app will receive push messages from. One of the most common errors developers make with respect to push notifications is mismatching how the app is signed with how their server is connecting to Apple's APNs gateways:
Apps signed with Development certificates can only successfully negotiate APNs and receive Push Messages when the Provider is also connecting with the Development APNs SSL certificate to the Sandbox APNs gateway and using a sandbox device token in the payloads it generates.
Apps signed with Distribution certificates can only successfully negotiate APNs and receive Push Messages when the Provider is also connecting with the Production APNs SSL certificate to the Production APNs gateway and using a production device token in the payloads it generates.
Give it a shot and let us know how things go!
I was able to develop a mdm solution.
I started facing problem when I moved my agent from Developer account's provisioning profile to Enterprise account's in-house distribution profile.
Now I am totally confused which certificate is used where?
Please guide me his is the certificate used in the below places:
Certificate in credentials section of enrollment profile (is it having BI as com.apple.mgmt._ ? or can be any like com.abc.mdm ? or it's the one received by customer)
Certificate .pem file used to wake up device?
Thanks
You need to use your iOS Enterprise developer account use the Agent account's credentials.
Follow this page http://www.softhinker.com/in-the-news/iosmdmvendorcsrsigning and then verify few things as remove the passphrase from customerPrivateKey.pem using this command
openssl rsa -in customerPrivateKey.pem -out PlainKey.pem
Verify the .pem certificate downloaded from https://identity.apple.com/pushcert/
You can install this .pem in you Mac's Keychain and then see the Get Info and the certificate should have com.apple.mgmt.External.b503419d-1e2a-a60f-7451-5b8832b5a9cb, which you can use as push topic while generating enroll mobileconfig .
Then merge your APNS certificate (for example CustomerCompanyName.pem) downloaded from the portal https://identity.apple.com/pushcert/ using this command
cat CustomerCompanyName.pem PlainKey.pem > PlainCert.pem
Now the PlainCert.pem you can use as APNS/MDM certificate.
Please see this for Identity.p12 and respective password, which you have to use in Credential section.
1) it HAS to be com.apple.mgmt._ however this does not come from the provisioning portal - all you can set up here is your vendor certificate. See here
2) the certificate is used to make the connection to the APNS service, but you should get this from the the Apple Push Certificates Portal
I am trying to create certificates that will allow me to send push notifications on my device and I am total lost. I have used certificates for BETA and distribution but adding push notification is pain.
When I do create certificates for BETA testing, I do the following steps.
From keychain, Request a certificate from a certificate authority.
In Apple Provisioning Portal under Certificates, create a certificate uploading file keychain file.
Assume APP ID is created perfectly and devices are ready.
In Apple Provisioning Portal under Provisioning, I create a new profile and download mobile provisioning file to add to the XCode organizer.
That above steps works and I can BETA test. Now in order to enable push notification, I have setup server which is tested with push notification and is 100% working. When I configure for push notification, I need to upload keychain file. Is that the same file I uploaded under Certificates? There is a file in return which I double click and it gets added to the keychain, am I doing it right?
If I understand your question correctly, the answer is no, it should not be the same file. I'll explain the entire process in detail and hopefully that will clarify the situation (and what you need to do next).
When you enable push notifications, you need to do four things:
Create a private/public key pair.
Create a certificate signing request (CSR), signed with your private key.
Submit the CSR to Apple and download a signed certificate.
Create a file containing your certificate and private key, for validating each APN request.
Some points:
I recommend you use different keys for development (sandbox) and production APN. You can re-use the keys if you are sending notifications to different apps, but it is safer if you don't re-use keys between development and production.
The file you "submit" to the provisioning portal is the certificate request. You will have one CSR file for each certificate. You will create a two CSR for each app (bundleID); one for development, one for production. The CSR created with your development key should be submitted for development and the CSR created with your production key should be submitted for production.
Note: Keep the CSR files. You don't have to have them, but it will save you some time when you need to re-send the certificate requests.
After submitting your CSRs, you will be able to download the actual certificates. They aren't ready immediately, so give Apple a minute or so and then refresh your browser. The difference between the CSR and a certificate is important: the certificate is signed by Apple; it validates your ability to send push notifications. Download the certificates and load them into your keychain (double clicking is fine).
Note: the certificate is useless without your private key; so you will need to safely export your private key if you switch computers.
Any computer sending an APN request will need both the private key and the certificate. You can export them as a single .p12 file using Keychain Access. (I name mine MyAppCertKey.p12 to indicate that the file contains both the certificate and the key.)
Last, I wrote up a detailed explanation on testing / verifying communication with Apple's servers (from the terminal). It's a little complicated since you need to have some root certificates set up for openssl to validate against; however, it will tell you if you are communicating correctly with the servers, without requiring any work on the receiving app itself.
Couldn't able to connect to APNS Sandbox server
Hope that helps.
In our organization we are trying to get familiar with push notifications.Our administrator generated a SSL certificate and an app id which one of my colleagues used for developing an app having push notifications which was working nicely.After that administrator disabled the certificate which stopped push notifications working.Now I am working on the same and for that purpose the certificate is enabled again.But When I used it on my machine in a sample app it didn't work.More strangely I ran the app which was on my colleague's machine and it also doesn't receive any notifications now!!!I tried to replace old certificate by the re-enabled one but that also doesn't do the job.What should I do?
If you revoke a certificate, and recreate it, you must download the new certificate because it's not the same certificate, the old has expired.