How to use codesign command - certificate

I am trying to use codesign command to sign bundle.
First of all I have got p12 file and I have imported into my keychain.
However when I try to use codesign like this:
codesign -v --force --verify --deep --verbose --sign <ID> <MyApp.app>
It says 'no identity found'. The identity field I got it from
What am I doing wrong please?
Thanks in advance

Before you run codesign command, you need to unlock your keyChain, either by clicking on unlock on the keychain app or run security unlock-keychain, otherwise you can get inconsistent result because sometimes the keychain is already unlocked, sometimes not.
You might also need to include the --keychain option in your codesign command, depending on your configuration.
You can verify if the identity is available in your current shell environment by
security find-identity -p codesigning

Related

curl Failed to import cert file client.crt on command prompt and Powershell works fine on gitbash

I am using Windows...
When I run the following curl command through gitbash it works fine:
curl --cacert ca.crt --key client.key --cert client.crt "https://myurl"
However, if I try to run the same command in command prompt or Powershell, I get this error:
curl: (58) schannel: Failed to import cert file client.crt, last error is 0x80092002
What do I need to do to get the command working in Command Prompt or Powershell?
Windows version of curl.exe is not configured to work with openssl but git's is.
So to make sure whenever I typed 'curl' into a command prompt, it was using git's version of curl I added the path to git's curl (C:\Program Files\Git\mingw64\bin) in system environment variables and moved it right to the top…so it find’s git’s curl before it finds window’s curl.
After then restarted the command prompt it resolved the issue.
You are providing your client certificate in the wrong format. curl requires the certificate in the PEM format (source):
-E/--cert <certificate[:password]>
(SSL) Tells curl to use the specified certificate file when getting a file with
HTTPS or FTPS. The certificate must be in PEM format. If the optional password
isn't specified, it will be queried for on the terminal. Note that this option
assumes a "certificate" file that is the private key and the private
certificate concatenated! See --cert and --key to specify them independently.
If curl is built against the NSS SSL library then this option can tell curl the
nickname of the certificate to use within the NSS database defined by the
environment variable SSL_DIR (or by default /etc/pki/nssdb). If the NSS PEM
PKCS#11 module (libnsspem.so) is available then PEM files may be loaded. If you
want to use a file from the current directory, please precede it with "./"
prefix, in order to avoid confusion with a nickname.
If this option is used several times, the last one will be used.
Your certificate might be in the DER format or contain a whole certificate chain instead of your single client certificate.
in the manpage of curl, it is described that on Windows, it uses schannel provider by default (which itself uses the windows store). I am on the same errand now :-) trying to find a way to pass the certs from the command line and from local files.
Perhaps try importing the certs into the Windows store.
On our Windows 2019 server we have two curl.exe.
By default, the version 7.83.1 was summoned.
The issue was solved by using the version 7.54.1 and adding the full path to access it.

How to avoid Permission denied (publickey) when pulling from github?

I want to connect with GitHub from my server Centos.
I was doing ssh-add ~/.ssh/id_rsa and these problem solved.
But, I don't know why, when I am sign out and then sign in again, the problem shows again.
Anybody know how to solve this problem?
Check exactly what key is used with:
git -c core.sshCommand="ssh -Tv" pull
That way, you will see which URL and key is actually used by your command, and have some clue as to why the current key does not work.
Note that ssh-add is only valid for your current session: signing out/back in would require an ssh-add again. Which is why it is generally part of your .bashrc to automate that step.

docker-compose pull gives either a gpg error or a permissions error when I attempt to use it with or without sudo

everyone.
I hope that someone can help to answer my question.
I am joining a project in which I have to use various docker containers. I was told that I just needed to use docker-compose to pull down all the necessary containers. I tried this, and got two different errors, based on whether I used sudo or not. My machine is Ubuntu bionic beaver 18.04.4LTS
I have docker-engine installed according to the installation instructions for Bionic on the github page, and docker-compose is likewise installed according to its instructions. I did not create a "docker" group since I have sudo access.
We have two repos that I have to log in to before I can do anything. In order to prevent my passwords from being stored unencrypted in config.json, I followed this guide to set up a secure credential store:
https://www.techrepublic.com/article/how-to-setup-secure-credential-storage-for-docker/
However, rather than asking me for the password and/or passphrase mentioned in this article, the login process makes me enter the actual passwords to the repos. So, the secure credential store may not be working, which might be causing the problem.
At any rate, once I log in and the two commands show login succeeded, I then try to do a
docker-compose pull
on the repos. When I do
sudo docker-compose pull
I get this final error:
docker.errors.DockerException: Credentials store error: StoreError('Credentials store docker-credential-pass exited with "exit status 2: gpg: WARNING: unsafe ownership on homedir '/home/myuser/.gnupg'\ngpg: decryption failed: No secret key".')
an ls of the .gnupg directory is
myuser#myhost$ ls -lA ~ | grep gnupg
drwx------ 4 myuser myuser 226 Feb 9 13:35 .gnupg
gpg --list-secret-keys shows my keypair when I run it as myuser.
I am assuming that what is happening is that because I am running as sudo the user trying to access this directory is root, not myuser, and so it is failing. However, if I leave off the sudo
docker-compose pull
docker.errors.DockerException: Error while fetching server API version: ('Connection aborted.', PermissionError(13, 'Permission denied'))
I am guessing that this is because my normal user doesn't have the ability to connect to the docker daemon's Unix socket.
So, how do I make these play together? Is the answer to add a docker group so that the command still runs as myuser and not as root? or is there another way to do this?
Also, why is my credential store not asking me for the password set by docker-credential-pass or the GPG passphrase? I suspect these two are related. Perhaps the pull is trying to send my authentication tokens over again and can't because it doesn't have access to the secure credentials store.
All of the above are guesses. Does anyone know what is going on here?
Thanking you in advance,
Brad
I just wanted to follow up with a solution to this question that worked for me.
Firstly, you need to add your user to the docker group that was created during docker-engine's installation.
sudo usermod --append --groups docker your_user_name
Because I had already used sudo to try this, there were a few files that ended up being created by root.
So, you have to chown a few things.
sudo chown your_user_name:your_group_name ~/.docker/config.json
Note that for the group name I used
docker
but I'm not sure if that's necessary.
Then, there were files inside the ~/.password-store directory that needed to be changed.
sudo chown -R your_user_name:your_group_name ~/.password-store
Most of these files are already owned by you, but the recorded credentials are not.
Then, the magic that fixed it all. From
https://ask.csdn.net/questions/5153956
you have to do this.
export GPG_TTY=$(tty)
and it is this last that makes gpg work.
Then, you can log in to your repos if you have to without using sudo
docker login -u repo_user_name your_repo_host
and then log in with your repo password.
Note that I don't know why you have to use the repo password instead of using the stored credentials.
Once you log in, you should be able to do a
docker-compose pull
without sudo
from the directory where you want the containers to be placed.
Note that you will probably have to provide your GPG passphrase at first. I'm not sure about this because I had already unlocked the key by following the steps in the above link to check to see if docker-credential-pass had the right credential store password stored.
and that should do it.

Generating a new project on Moovweb

I'm having a tough time creating a new project for Moovweb. I'm getting this error, but don't see where to add SSH keys within moovweb:
"ERROR: None of the SSH keys on this machine are associated with your moovweb account. Please use moov login, then try again."
Usually this happens if your ssh key is named something other than the default id_rsa
You can see what keys are associated with the ssh-agent by typing this command
ssh-add -l
If the key you have uploaded to Moovweb is not in that list, you can add it with
ssh-add <path to key>
For example,
ssh-add ~/.ssh/github_rsa

Silently import a Certificate into a specific Certificate Store

I am attempting to import a Certificate into the Current User -> Personal store using the command line: "importpfx -f [certificate name.p12] -p [password] -t USER -s Personal".
It works, but for reasons I don't understand there are now two Personal stores under the Current User, and the imported certificate is in the new Personal store.
When I try to connect to the website of [a well-known money transfer service], it fails. However, if I manually import the certificate using MMC into the original Personal store, it works.
My question is: How can I force IMPORTPFX to import the certificate into the original Personal store, and how can I delete the new Personal store?
Context:
I need to do a silent import of certificates on 3000+ remote point-of-sale Windows XP devices, so it needs to be a silent install via PSEXEC (SysInternals).
Thank you. Pieter.
“Personal” is a just friendly name of the certificate store which is internally identified as My. You need to use
importpfx -f [certificate name.p12] -p [password] -t USER -s My