How to sign user space binary with force integrity check (deprecated MSFT cross-signing) - certificate

We used to have a binary running in user space built with the VC++ /integritycheck flag, which sets the IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY flag on the executable (see more here and here). We signed it with our old certificate and it ran smoothly. Now we have been given a new certificate and the binary is blocked by the security check (Defender prompt + entry in the event log).
Yes, we added certificate to our trusted store.
Yes, we used page hash (/ph) switch while signing.
The new cert runs fine if we enable test signing on the platform (through bcdedit).
The major difference seems to be that the new certificate is not cross-signed by Microsoft. Cross-signing is no longer supported, so maybe someone knows if there's an alternative or a workaround? Maybe the /integritycheck flag for user space code is no longer valid?
We found the same issue on the MSFT forum: https://learn.microsoft.com/en-us/answers/questions/348812/signed-file-fails-to-start-because-of-bad-signatur.html. Still no precise answer on how to solve it.
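Whatever the certificate problem turns out to be, the first thing worth confirming is that the shipped binary really carries the flag and an embedded signature, because a user-mode image with IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY set is refused by Windows unless it has a valid Authenticode signature. The following Python is an added example, not code from the post, from Microsoft or from signtool: it parses the PE headers, reports whether bit 0x0080 of DllCharacteristics is set, and whether the Security data directory points at a WIN_CERTIFICATE of type PKCS#7 signed data. The build_sample_pe() helper is an assumption for offline runs: it fabricates a headers-only PE32+ skeleton with a placeholder certificate blob. Pass a real file path to inspect that file instead. The parser only shows that a signature blob is present; it does not validate the chain or look for page hashes, which is what signtool verify /v /pa is for.

```python
import struct
import sys

# Constants from winnt.h / the PE-COFF specification
IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY = 0x0080
IMAGE_DIRECTORY_ENTRY_SECURITY = 4
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B
WIN_CERT_REVISION_2_0 = 0x0200
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002


def parse_pe(data: bytes) -> dict:
    """Read DllCharacteristics and the Security (certificate table) directory.

    Only headers are touched, so this works on any file without loading it.
    Note that the Security directory entry holds a raw file offset, not an RVA.
    """
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    size_of_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                                       # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32_MAGIC:
        nrva_off, dirs_off = 92, 96
    elif magic == PE32PLUS_MAGIC:
        nrva_off, dirs_off = 108, 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    # DllCharacteristics is at offset 70 in both PE32 and PE32+ optional headers
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    n_dirs = struct.unpack_from("<I", data, opt + nrva_off)[0]
    sec_entry = opt + dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    sec_off = sec_size = 0
    if n_dirs > IMAGE_DIRECTORY_ENTRY_SECURITY and sec_entry + 8 <= opt + size_of_opt:
        sec_off, sec_size = struct.unpack_from("<II", data, sec_entry)
    cert_type = None
    if sec_off and sec_size >= 8 and sec_off + 8 <= len(data):
        # WIN_CERTIFICATE: dwLength, wRevision, wCertificateType, bCertificate[]
        _length, _revision, cert_type = struct.unpack_from("<IHH", data, sec_off)
    return {
        "pe32plus": magic == PE32PLUS_MAGIC,
        "dll_characteristics": dll_chars,
        "force_integrity": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY),
        "signed": cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA,
        "certificate_type": cert_type,
        "security_dir": (sec_off, sec_size),
    }


def check_force_integrity(data: bytes) -> list:
    """Findings to resolve before shipping a /integritycheck binary."""
    info = parse_pe(data)
    findings = []
    if info["force_integrity"] and not info["signed"]:
        findings.append("FORCE_INTEGRITY is set but no embedded Authenticode signature "
                        "is present; Windows will refuse to load the image")
    if not info["force_integrity"]:
        findings.append("FORCE_INTEGRITY is not set (not linked with /integritycheck)")
    return findings


def build_sample_pe(force_integrity: bool, with_signature: bool) -> bytes:
    """Constructed PE32+ skeleton (headers only, no sections) for offline tests."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                 # e_lfanew
    size_of_opt = 240                                     # PE32+ optional header size
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, size_of_opt, 0x0022)
    opt = bytearray(size_of_opt)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    chars = 0x0160 | (IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY if force_integrity else 0)
    struct.pack_into("<H", opt, 70, chars)                # DllCharacteristics
    struct.pack_into("<I", opt, 108, 16)                  # NumberOfRvaAndSizes
    headers_len = 64 + 4 + 20 + size_of_opt
    cert = b""
    if with_signature:
        blob = b"\x30\x82\x00\x00"  # placeholder bytes, not a real PKCS#7 SignedData
        cert = struct.pack("<IHH", 8 + len(blob), WIN_CERT_REVISION_2_0,
                           WIN_CERT_TYPE_PKCS_SIGNED_DATA) + blob
        struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                         headers_len, len(cert))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + cert


if __name__ == "__main__":
    # Usage: python pecheck.py path\to\binary.exe (no argument: constructed sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe(True, True)
    info = parse_pe(data)
    print(f"PE32+: {info['pe32plus']}  DllCharacteristics: {info['dll_characteristics']:#06x}")
    print(f"FORCE_INTEGRITY: {info['force_integrity']}  signed: {info['signed']}")
    for finding in check_force_integrity(data):
        print("WARN:", finding)
```

Run it against the build output before and after signing: a binary that reports FORCE_INTEGRITY set and signed but is still blocked points at the certificate chain or the page hashes, not at the image flags.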

Related

Software Signing and antivirus blocking

I'm a software developer who works as a freelancer, and my question has two parts.
First part:
I was working on a project, then out of nowhere, while testing on a Windows 10 VM, Windows Security started blocking my app. I have legit Bitdefender and Malwarebytes on my main machine, and when I scanned my app (the EXE file from the C# project) everything was clean, yet when I uploaded the file to virustotal.com it showed 5 detections.
I started doubting my code and NuGet packages (I use Microsoft.AspNet.WebApi.Client and Newtonsoft.Json), so I removed them and, to my surprise, I only got 2 detections out of 5.
I even created an empty Console app and still get those 2 detections, and my main machine still shows nothing as a virus.
So does that mean that my app is good but needs to be signed?
Second part:
If my issue is just a signing certificate, do I as a developer need to obtain that, or does my client, and then I only sign his/her app under his/her certificate?
Thank you.
Many engines treat VirusTotal samples very harshly, and any new executable has very low reputation (never having been seen before).
Therefore you will get lots of false-positives from VirusTotal when looking at your own new binary.
Signing is likely to help somewhat - at least there's a chance that you can build reputation in your certificate rather than each binary separately.
As far as I know, you get the signing certificate for you as a developer, although that might be different if you are providing source code and the client is building the end executable.

Is there a way to sign a binary file using an expired certificate?

I'm using signtool to sign my exe and dll files. For testing purposes, I want to find a way to do it using an expired certificate. Is it possible? If it is not possible with signtool, I can also use another tool.
Btw, I don't want to change my system date, because later I want to try adding a timestamp.
This is the command along with the parameters used with signtool to sign my file:
signTool sign /f expiredCert.pfx /p "pass" /v test.dll
As a result I get:
SignTool Error: No certificates were found that met all the given criteria.
I'm answering my own question because it turns out that the easiest way to do it is to manipulate the system time. That was cumbersome for me because that is blocked on my dev machine, so I had to do it with a VirtualBox machine with time synchronization turned off. After changing the system time to a date within the certificate's validity period I was able to sign the files. Later I was even able to add a timestamp using an external service. Windows of course complains about that fact right away when you check the Digital Signatures tab in the file properties, but this is what I wanted to achieve in order to perform my tests.
As you noted, it is possible to sign, but for it to be REALLY signed (Authenticode), as said here https://support.globalsign.com/code-signing/ev-code-signing-windows-7-and-8:
Timestamping your Code is extremely important and is highly recommended for every piece of code that you sign. This timestamp will allow the file that you sign to remain valid long after the certificate itself has expired.
you need to timestamp it. I doubt you are allowed to timestamp a cert that is already expired at the moment of timestamping (it will never be valid IMHO).
P.S. You are allowed to do it :( Nvidia does it. And as I said, it is invalid, but this is skipped by Windows 10 and recognized as bad by VirtualBox.

Dealing with expired ClickOnce certificates and signing

I have a ClickOnce application deployed on our internal network. As this is only an "internal" application, I don't really need an "officially signed" certificate for any reason. When I went to publish an update today, I got the error message
The signer's certificate is not valid for signing.
When I check the "Signing" tab in Visual Studio 2010, I can see that I am past the expiration date. I know that I created this TemporaryKey using the "Create Test Certificate" button on this same tab in Visual Studio.
In the past, I just created a new test certificate, and used that. This essentially "buys" me another year until I have to do this all over again. I would like to correctly sign a new certificate that is good for X number of years (or never expires).
I have done some research, but as I am unfamiliar with this whole scenario, the nomenclature is extremely confusing. I can follow instructions, but only if they are written in a manner that an intermediate user can understand. Is there a reference that explains this process step by step, hopefully with screenshots? I can't believe with all my looking around I haven't found this already, so I must not be looking up the relevant keywords.
For future reference, here is all the information you ever wanted about expiring certificates in ClickOnce deployments. It also shows you how to create a certificate and set the date range for which it is valid.
Use Xenos Certificate Generator, a free tool that will allow you to create a certificate with x number of days until expiration.

Can .inf file reference a built-in driver such that it won't give warning during installation?

Our device relies on a built-in Windows driver (usbser.sys). Do we still need to go through WHQL testing, or can we install it in such a way that the user won't see a warning about not passing Logo testing? I found http://support.microsoft.com/kb/837637 but it's not clear to me if this will do what I want. Does it matter whether I use the DPInst program or have my own program that calls DriverPackagePreinstall?
[Edit: changed "Our code" to "Our device" based on comment]
You don't need to sign usbser.sys (KMCS), but you still need to sign your .inf, because the matching of usbser.sys to your Hardware ID or Compatible ID is not trivial and it's your responsibility, so you should sign it.
You don't have to go through WHQL certification on Windows Vista and higher. A code signing certificate from a known CA will suffice. This will raise the question "Do you want to trust this publisher?". You can work around this by first adding yourself to TrustedPublishers (see this question). (WHQL still has its benefits, e.g. you wouldn't have the above warning prompt.)
Still not 100% sure, but some general pointers:
follow http://msdn.microsoft.com/en-us/library/ff542476%28v=VS.85%29.aspx to create/test etc. an INF file, and esp. http://msdn.microsoft.com/en-us/library/ff542605%28v=vs.85%29.aspx
WHQL is not only for drivers but for the devices themselves (see http://msdn.microsoft.com/en-us/windows/hardware/gg463175), so it is strongly recommended to avoid that warning AFAIK

Uploading Binary iPhone App "The signature was invalid" again again and again

I'm going crazy! I'm trying to upload the binary of my first application but I always get the same error!
"The binary you uploaded was invalid. The signature was invalid, or it was not signed with an Apple submission certificate."
I did everything, EVERYTHING!!
I created the request for the certificate, used it for both the developer and distribution certificate, created the provisioning profile (12 times!!!), always cleaning my keychain and my Xcode, deleting the old certificates and profiles..
I rebooted the machine, restarted Xcode, the log is correct, but... I can't upload my app!!!!
Checked if my iPhone is connected (I tried with the iPhone disconnected too).
I checked the certificate in both my project settings "Distribution" configuration (duplicate of the "Release" configuration) and in my target settings.
Reveal in Finder, compress the app and send the zip...
I tried with Application Loader and iTunes Connect online..
but nothing! NOTHING!!
I've spent 8 hours! And again I can't get my app uploaded!!!
I'm really going crazy!
Can anyone help me pleeease?
Thx!
It seems like there are a LOT of causes for receiving this cryptic and mostly unhelpful email. Even after verifying the use of distribution certificates, cleaning & rebuilding my project, and checking with codesign from the command line (and following instructions from the email), no errors showed up, but I'd get the "invalid signature" email right after uploading. All the solutions seem anecdotal and obviously depend on what secret error is causing the problem. I've spent the last week pulling my hair out, trying to figure it out for my app, and finally got it successfully submitted today, so let me share my story and see if it's relevant to your situation.
In my case, I seemed to have a complex cause of having my Entitlement.plist set with an incorrect variable along with the holdover of an old provisioning profile (from a previous Xcode version?) buried deep in the project.pbxproj component of my Xcode project file.
The "aps-environment" variable in my Entitlements.plist was set to "distribution" instead of "production" (I swear I read somewhere in the developer docs that it was supposed to be "distribution"!) But fixing that alone wasn't enough to get my app through. (I must have submitted 100 different combinations of app configurations trying different variables!) Starting with the helpful suggestions from this post on another forum, I dug through the distribution profile and found duplicate entries for some variables. The duplicates had empty quotation marks (i.e. nothing set for the variable) or strange variables or old provisioning profiles which seemed to be causing problems (somehow). Cleaning this up and removing the duplicate lines with bad variables worked in my case. YMMV. But carefully examining the project files ("show contents" on the Xcode project file in finder) seems like a good idea for diagnostics. Good luck!
Been there - done that.
Make sure your certificate is in the "login" keychain, and that that is the default keychain (highlighted bold) in Keychain Access
Make sure you have both the private and public keys for your certificates and that they are valid. You will also need the Apple Worldwide Developer Relations Cert Authority installed.
I assume you have dragged the profile into Xcode; easiest to drop them onto the Xcode icon in the dock.
Make sure, as Paul says, that the bundle identifiers all match up
You say you checked the certificate in the distribution configuration. It's not the certificate you need to concentrate on but the provisioning profile.
Select your Release config top left, click on the project under Groups & Files and do Cmd-I. Select the Build tab and then pick Distribution in the top left. Then look at the Code Signing Identity. Pull down the dropdown list and make sure you have the right application identifier, the right profile and the right certificate. Don't use the Automatic Profile Selector.
Hope one of those steps helps!
I was getting the same error when I tried to submit a version update from the Organizer. What solved my issue was using the Application Loader found in the directory /Developer/Applications/Utilities. You'll need to compress your .app file and send the corresponding .zip file. I used this for my initial submission as well, I just thought I'd try the new way. What a pain! Go with Application Loader.
Best solution:
Revoke Distribution Certificate
Create new AppStore provisioning profile
This solved my problem. Spent 4hrs+ :( :)
I just had this problem. I resolved it, after hair-pulling, by going back into Keychain Access one more time and discovering the "Show Expired Certificates" menu item. When I did that, one more expired cert of the kind I had (so far, unsuccessfully) replaced showed up! I had deleted a couple of expired certs already, but this menu item caused another to show up, and after deleting it, my upload worked. I was previously aware that expired certs can get in the way of valid ones, and I STILL wasted a lot of time. Hopefully, this helps some people.