We developed an application which signs PDF documents according to the PAdES standard. Yet, we have to register our intermediate and root certificates to Adobe Acrobat Reader from the application it self on each client. Is there any command line utility to automate this process?
Thanks in advance
Acrobat Customization Wizard DC (it's free) can help with that. There are a few manual steps to get it configured but after that, you can use your deployment tools to push out the security settings that include the certs. Basically, you configure one copy of Reader to be the way you want it then use the Wizard to push those settings out.
https://www.adobe.com/devnet-docs/acrobatetk/tools/Wizard/WizardDC/
Related
I created a VSTO Excel Add-in ribbon. That I published to setup.exe. But when the end user tries to install it, it fails with this error:
Customized functionality in this application will not work because the
certificate used to sign the deployment manifests for [Add-In] or its
location is not trusted. Contact your administrator for further
assistance.
I can install the Add-In by doing the following.
Unzip and right click on “setup.exe” and select properties
Click on Digital Signatures tab
Select [issuer] from the Signature list and click the Details button
When the Digital Signature Details dialogue appears, click View Certificate
When the Certificate dialogue appears, click on Install Certificate
The Certificate Import Wizard window should appear. Choose the following:
a. Store Location: Current User, click the Next button.
b. Certificate Store: Place all certificates in the following store, Click Browse, select Trusted Root Certification Authorities, click the Next button.
c. Click the Finish button.
d. A security Warning should appear asking “… Do you want to install this certificate?” Click Yes.
e. Click OK. On the “The import was successful.” Dialogue.
Click OK to exit the Certificate dialogue
Click OK to exit the Digital Signature Details dialogue.
Click OK to exit the setup Properties dialogue.
then I run the setup and all works. The problem is we must send this setup file to many users. and NO ONE will want to do that. I've been messing around with the solution properties -> Signing -> Sign the ClickOnce manifests, but I can’t seem to bring up the Trust Prompt on anything I alter. I don’t have a paid for certificate, I just need the prompt to appear for the user to choose to trust it. I haven’t found an answer online on how to allow this prompt to appear. Any help is greatly appreciated.
You can deploy your VSTO to the Program Files directory. Your add-in will be considered as being safe since admin rights are required to install in this directory. I believe it is the simplest way.
Granting Trust when using Windows Installer You can use Windows Installer to create an MSI file to install Office solutions into the
Program Files directory, which requires administrator rights. For
Office solutions in the Program Files directory, the Visual Studio
2010 Tools for Office Runtime considers these Office solutions to be
trusted and does not show the ClickOnce trust prompt.
source msdn
If you give it a second thought, this feature (certificate signing) is designed to specifically disable your scenario. Means, it is built to prevent users from installing non-signed add-ins downloaded from the internet.
I think, if you have so many users which are not in your organisation (so that "correct" certificate cannot be installed centrally), the only reasonable way to overcome this is to buy a certificate from some authority (to pass organization or identity validation). It's not really expensive, and will ensure your users that the thing they are installing is really coming from you.
Can anyone help me create a certificate to use with the new version of Remote Desktop Connection Manager v2.7? I see the new version removed the "Store as plain text" option, but added using a certificate to the list.
I was wondering if anyone knew how to create a certificate (self-signed or whatever) that I could install on both computers to allow me to pass the config file between machines. I haven't been able to find anything online!
Thanks in advance.
If you in Remote Desktop Connection Manager click on the Help menu, and Usage, you will see a web page. On the Contents list, click on Encryption Settings (Under Local Options). There you will see how to create a personal certificate that RDCMan can use.
You will first need to get makecert.exe if you don't have it on your computer. You can get it by installing Windows SDK or Visual Studio.
I'm developing a WPF application that I deploy with ClickOnce to a network share on the intranet from which clients can install it.
I need to make sure that the user can't modify any of the application files (especially DLLs and the main executable) on their machine. That is, if any of the application files have changed, the application should refuse to run. I was under the impression that, when using ClickOnce, this was available out of the box and that the application would refuse to start if the file hashes didn't match the manifest.
However, I tried to manually replace the executable or a DLL with a slightly different version after installation and the application still ran fine (executing the modified code).
Does ClickOnce provide what I'm looking for?
How can I enable the functionality?
I'm using a level 2 StartSSL code-signing certificate to sign the application manifest if this matters.
P.S.: just to be sure: I'm talking about the installed application files, not the installation files.
You can sign AND strong name each one of DLLs to prevent tampering but then, doing so has its own pain points when it comes to upgrades and distribution in general. Note that even doing so, doesn't entirely prevent someone from injecting code into your running process. It's a sticky subject.
I recommend going thru this question which already discusses these points in detail. Does code-signing without strong-naming leave your app open to abuse?
I think it will be a fairly manual process.
Doesn't look like the VS2013 deployment tools handle code obfuscation but they do support signing and app permissions. Start with that, then you might have to get the generated manifest as a starting point to build your own with obfuscated assemblies.
MS docs break it into 3 steps: 1. obfuscate, 2. build manifest, 3. manually publish
Here is what MS docs say...
Securing ClickOnce Applications
Deploying Obfuscated Assemblies
You might want to obfuscate your application by using Dotfuscator to prevent others from reverse engineering the code. However, assembly obfuscation is not integrated into the Visual Studio IDE or the ClickOnce deployment process. Therefore, you will have to perform the obfuscation outside of the deployment process, perhaps using a post-build step. After you build the project, you would perform the following steps manually, outside of Visual Studio:
Perform the obfuscation by using Dotfuscator.
Use Mage.exe or MageUI.exe to generate the ClickOnce manifests and sign them. For more information, see Mage.exe (Manifest Generation and Editing Tool) and MageUI.exe (Manifest Generation and Editing Tool, Graphical Client).
Manually publish (copy) the files to your deployment source location (Web server, UNC share, or CD-ROM).
I work at a company who does 3rd party iOS development for various enterprises. I've been tasked with researching a better way to build and deploy code to these enterprises. Based on the Apple TOS, they cannot use an application signed with our Enterprise certificate (they're not "in house"). The code needs to be signed with their (our clients) Enterprise certificate. Here are a few possible solutions I've seen -
1) Send the code to the client, and have the client build it. This is a no-go.
2) Create a library with the application code and send the .so file, and the headers, to the client for building. We're currently doing it this way but are looking at making this easier on the client/us.
3) Have the client send us their certificate, mobileprovision, and .p12 file and then we build the application using their certificate. This could work but could become a management nightmare.
We've come up with an idea that is kind of a mix of these ideas. The idea involves building a customer portal where the client can upload their files (cert, p12, provision) to our Mac server and the Mac will automagically build their application, properly signed. The problem I'm having, however, is I can't seem to find out how to automate the installation of certificates and provisions.
So with that said, does anyone know of a way to install a CodeSign certificate (with a .p12 file) and a mobile provision file from the command line? Once installed is there also a way to remove the items from the command line?
Any help, ideas, and/or input would be greatly appreciated. Thanks!
You should be able to manage those resources in the keychain using the security (http://developer.apple.com/library/mac/#documentation/Darwin/Reference/ManPages/man1/security.1.html) command. The script I'm using to control command line builds might be a useful reference: https://gist.github.com/949831
Admittedly I've only ever had a maximum 2 external clients plus my own stuff at one time, so it was mostly only the same nightmare that it usually is by default, but how bad would it be if you had to manually do everything EXCEPT the provisioning profiles? In my experience once the client certs got added I never really messed with them again even with new projects (from the same clients.)
You could handle the provisioning profiles by simply copying the files into ~/Library/MobileDevice/Provisioning Profiles, and deleting them when no longer needed. It sounds like you are already set up to automate that process.
If you're currently installing the provisioning profiles by "dropping them onto xcode" I'd suggest you do it by copying into the folder anyway, because then the file names are preserved and so you actually can tell what you have installed by simply looking at the folder.
I need to make deployment our ActiveX control(two .dll files) through Web with using ActiveX. I saw that deployment .NET application with using ClickOnce is very easy, just need in VS click Build->Publish, but I can't find how I can make it with ActiveX.
Thanks, Roman
That's not possible, the point of ClickOnce is to not alter the configuration of the target machine in any way. Quite the opposite of what is required to get an ActiveX component functioning, it has to be registered and that requires altering the registry with an admin account.