Webstart maven plugin, updateManifestEntries and PKCS11 code signing mutually exclusive - maven-webstart-plugin

I've been struggling with this for a couple of days now, and I believe I have a workaround, but it's a tremendously crappy one.
Our code signing certificate is in an HSM slot. So we must use PKCS11 to sign.
So far as I can tell, the maven webstart plugin (beta 4) lacks support for providerClass, providerArg and providerName. This means that PKCS11 signing can't happen that way.
Fine. There's the jarsigner plugin. That works just fine to sign the jars.
The problem is that we now must also use updateManifestEntries to add the codebase and permission entries to our webstart applet.
Well, the actual code in the webstart plugin to actually perform the manifest update is inside of
if (sign) { ... }
So it never happens.
So we have to have a bogus self-signed cert and key and use that in the sign config of the webstart plugin so that we can get the jars' manifests updated, and then throw away all that wasted work and resign the jars with the jarsigner plugin.
SURELY there has to be a better way!

To make your PKCS#11 the default and pass it an argument I think you could do:
$JAVA_HOME/lib/security/java.security:
security.provider.1=com.security.whateverPKCS11Provider whateverProviderArg1

Custom exe being detected by Windows Defender [duplicate]

I always use Inno Setup for packaging and publishing. Users download the application using a link for example: https://oursite.com/codesigned/mysetup.exe
Till now, it always worked. But recently I had to renew my code signing certificate because it expired. After the renewal I have a SmartScreen problem: every user who downloads the application gets this SmartScreen warning, which did not happen before.
I have used signtool.exe verify /pa innosetup-made-myexe.exe and it shows successful, also I have done the verification with Windows Application Certification Kit, that shows it is PASSED, but with WARNINGS, all those WARNINGS mostly generated by Inno Setup.
Here you can find the output, where it's showing WARNINGS on Inno Setup exes:
https://docs.google.com/document/d/11frW_GxI0xSVcrAXh4_rqcKBQSaermAlpYKj4xzQi4o/pub
How can I fix this problem?
(still not sure if it's a Standard Code Signing vs EV code signing issue? I already used Standard Code Signing for a few years, it always worked. I can upgrade to EV Code signing, but how can I make sure it's not an Inno Setup compiler problem? As you can see already the WARNINGS are shown in the URL above for Inno Setup)
To verify if it's an Inno Setup or code signing issue (see https://stackoverflow.com/a/29067585/285594), I have done the following:
From Microsoft, I have downloaded the file called winqual.exe, which does not need Inno Setup.
I code signed the winqual.exe and uploaded to my same server
I downloaded the same file with Internet Explorer and it works without showing me the SmartScreen.
Does it make any sense now if Inno Setup is the main cause of this problem?
Nowadays, you have to use EV code signing certificates.
See Transferring Microsoft SmartScreen reputation to renewed certificate.
Below is the original answer, which addresses some specifics of the question.
If you believe the problem is due to an unsigned uninstaller, make sure you set the SignTool directive of your Inno Setup project accordingly. And make sure SignedUninstaller directive has its default value yes.
Quoting SignTool directive documentation:
Specifies the name and parameters of the Sign Tool to be used to digitally sign Setup (and Uninstall if SignedUninstaller is set to yes). When Setup has a valid digital signature, users will not see an "unidentified program" warning when launching it.
If you want to set NXCOMPAT and DYNAMICBASE flags to the uninstaller, you can create a sign.bat batch file that both calls signtool.exe and editbin.exe:
@echo off
rem %1 is the file Inno Setup passes in (Setup or the uninstaller).
rem Set the PE flags first; signing must be the last step or the signature breaks.
editbin.exe /NXCOMPAT /DYNAMICBASE %1
signtool.exe sign ... %1
The calls need to be in this order, otherwise the editbin.exe breaks the signature.
Then use the sign.bat instead of signtool.exe in the SignTool directive.
Though I do not really think this is necessary, nor helps anything.
I think this is normal behavior.
When your software collects enough "likes" = downloads or installs, SmartScreen will automatically turn off this message.
It is a really annoying feature because with every software release you need to wait an appropriate time while the software becomes "popular" and is recognized as safe (no certificates or antivirus methods can solve it).
You do NOT need this "Windows Application Certification Kit".
What #slappy says is correct:
After renewal of your certificate, you need enough downloads and "good reviews" before this message goes away.
What you need to do is to download your application using Microsoft Edge (not Chrome or Firefox!!!).
It will most likely say "This download may be dangerous and has been blocked".
Then you can choose "Keep anyways". And then you can choose "Report as Secure".
And THEN, even if Smart Screen says that it doesn't trust your app (even though it's digitally signed, LOL!!!!), you have to choose "More..." and "Install anyways".
Install it on your computer! I think that is important.
I have used 5 different computers and reported my apps as secure multiple times and installed it.
I have also asked 2 friends (because of their different IP address) to do the same.
I hate this so much!!!!!!!!!!
After 1 day, the error message was gone.

BouncyCastle Cryptography provider library used with applet on Java 7u40

The case: I am maintaining a Java applet which uses the BouncyCastle libraries bcpkix-jdk15on-149.jar, and bcprov-jdk15on-149.jar.
Problem is when the applet is run on a JRE version 7_u40 enabled browser.
The behavior has changed from version 7_u25 in a way that it always prompts a modal window like "Security prompt for an app using a self-signed certificate" (which cannot be permanently hidden anymore), just to trust bcprov.
https://www.java.com/en/download/help/appsecuritydialogs.xml
As far as I know, this is because BC libraries are signed with the BouncyCastle certificate, issued by the "JCE Code Signing CA".
Because of that, the lib can perform and act as a cryptography provider.
BUT: the JRE can not build the certificate chain to trust the signature. It shows "provider : UNKNOWN"
I know I can remove that signature and sign by myself (I own a Thawte code sign certificate):
it works with bcpkix lib
it does not work with bcprov because it won't be considered as a valid cryptography provider (it won't be trusted by the JRE).
Am I right?
What can I do?
PS: I googled a lot to find the JCA root cert (to put it into the JRE truststore), without success... Is there a way to grab that root CA?
After a lot of search and some post in BC mailing list.... I found the solution, so I drop it here for others who may face that issue:
The solution is basically to sign the BC library a second time with my own certificate.
The JAR needs the JCA signature in order to be trusted as a cryptography provider, so do not remove it.
The JAR also needs (in addition) a code signature in order to be able to be run in the JVM (trusted by the JRE).
One last thing, some incompatibility happened on the signature technology:
BC lib is signed using the SHA1 digest algorithm
jarsigner (on my computer) is doing the signature with the SHA256 digest algorithm by default, which leads to a verification failure.
So I had to ask jarsigner to do it the SHA1 way (for some reason both signatures have to be consistent from that point of view).
Here is the magic parameter of jarsigner command to add and make it happen:
-digestalg SHA1
Sample command:
jarsigner -keystore ./mykeystore.jks -storepass myPass -digestalg SHA1 bcprov-jdk15on-149.jar myAlias
... and you're done!
The following post gave me the tip: What prevents Java from verifying signed jars with multiple signature algorithms
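An added check (example code, not from the answer above or from the BouncyCastle project) for the SHA1/SHA-256 mismatch described in this answer: it reads every META-INF/*.SF signature file in a JAR and reports which digest algorithm each signer used, so a JAR that carries one SHA1 signature and one SHA-256 signature can be spotted before it is deployed. The sample JAR it builds is constructed inline with placeholder digests and placeholder signature blocks; the signer names BCKEY and MYALIAS are assumptions.

```python
"""Report the digest algorithm used by each signer of a JAR.

Added example, not part of the original post. jarsigner writes one
META-INF/<ALIAS>.SF file per signer; every digest line in that file starts
with the algorithm name (SHA1-Digest, SHA-256-Digest-Manifest, ...), which is
enough to see whether two signatures on the same JAR agree.
"""
import io
import re
import zipfile

# Matches the start of a jarsigner digest header, e.g. "SHA1-Digest:" or
# "SHA-256-Digest-Manifest-Main-Attributes:", capturing the algorithm label.
DIGEST_HEADER = re.compile(r"^(?P<alg>SHA-?\d+|MD5)-Digest", re.MULTILINE)


def signature_digests(jar_bytes):
    """Return {signer_name: {digest algorithm labels}} for each META-INF/*.SF.

    Only the .SF text files are parsed; the binary .RSA/.DSA blocks that hold
    the actual signatures are left alone.
    """
    result = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            upper = name.upper()
            if upper.startswith("META-INF/") and upper.endswith(".SF"):
                text = zf.read(name).decode("utf-8", errors="replace")
                algs = {m.group("alg") for m in DIGEST_HEADER.finditer(text)}
                result[name[len("META-INF/"):-3]] = algs
    return result


def consistent_digests(jar_bytes):
    """True when all signers used the same digest algorithm set (or there are
    fewer than two signers), i.e. the mixed-algorithm failure cannot occur."""
    sets = {frozenset(algs) for algs in signature_digests(jar_bytes).values()}
    return len(sets) <= 1


def build_sample_jar(signers):
    """Construct a minimal JAR whose signature files mimic jarsigner output.

    `signers` maps a signer name (the .SF base name) to the digest label it
    used, e.g. {"BCKEY": "SHA1", "MYALIAS": "SHA-256"}. Constructed test data:
    the digest values and signature blocks are placeholders, not real hashes.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\r\n\r\n"
                    "Name: org/example/Foo.class\r\nSHA-256-Digest: AAAA\r\n\r\n")
        for signer, alg in signers.items():
            sf = ("Signature-Version: 1.0\r\n"
                  f"{alg}-Digest-Manifest: BBBB\r\n"
                  f"{alg}-Digest-Manifest-Main-Attributes: CCCC\r\n\r\n"
                  f"Name: org/example/Foo.class\r\n{alg}-Digest: DDDD\r\n\r\n")
            zf.writestr(f"META-INF/{signer}.SF", sf)
            zf.writestr(f"META-INF/{signer}.RSA", b"\x30\x00")  # placeholder block
        zf.writestr("org/example/Foo.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()


if __name__ == "__main__":
    # A BC-style SHA1 signature plus a default (SHA-256) jarsigner signature.
    jar = build_sample_jar({"BCKEY": "SHA1", "MYALIAS": "SHA-256"})
    for signer, algs in sorted(signature_digests(jar).items()):
        print(f"{signer}: {', '.join(sorted(algs))}")
    if consistent_digests(jar):
        print("digest algorithms are consistent")
    else:
        print("MIXED digest algorithms: re-sign with -digestalg matching the existing signer")
```

To check a real file, replace the constructed JAR with `open("bcprov-jdk15on-149.jar", "rb").read()`; a result of `{"BCKEY": {"SHA1"}, "MYALIAS": {"SHA-256"}}` is exactly the situation the answer resolves with `-digestalg SHA1`.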
We can also include the other stackoverflow post and the answer that helped me:
Putting the line:
Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider());
Helped me getting rid of the exception.
Source:
jce cannot authenticate the provider bc

How to run GWT RequestFactory Validation Tool on Eclipse project

I've got a Android AppEngine Connected Project I'm trying to build using GWT2.4 RequestFactory and Objectify on my Eclipse IDE.
Apparently I need to run the RequestFactory Validation Tool because I'm using ServiceName and ProxyForName annotations (these are required especially when working on the Android client side). My problem is the Eclipse can't validate it and the solution provided at http://code.google.com/p/google-web-toolkit/wiki/RequestFactoryInterfaceValidation#IDE_configuration is enough to make me rip my eyes out.
Since I'm working on a Windows machine, the shell script provided is not very useful. Trying to run the Validation Tool from a cmd prompt returns the error message: "This tool must be run with a JDK, not a JRE"
Can someone explain how this Tool is supposed to be run? Is there a way to use it as an External Tool in eclipse?
Normally if you follow carefully the instructions in the link you show, and run the GWT Development Mode from Eclipse, the Validation should be done automatically at the time you access the development URL with your browser.
For the record, I've actually had some problems with it, but launching the application several times made it work.
Well, I ran into the same problem as well. When I checked, annotation processing (under Java Compiler -> Annotation processing) was disabled. So RequestFactoryDeobfuscatorBuilder was not being generated. Try enabling that and rebuilding your project.
I've just recovered from two days of hunting this bug down in a project that used to run validation properly but stopped.
In my case I had a new-ish generic BaseRequestContext and a specific sub-interface that extended it. My parent interface declared a method that didn't match the Locator's exactly (e.g. getThing(T) vs get(T)) and this wasn't reported as an error but did stop the validation tool from completing.
Apt is also removed in Java 8 : http://openjdk.java.net/jeps/117 . So beware.
Switching back to Java 7 will fix the issue if you are using Java 8.
I understood why the error happens sometimes in a project: the compiler was complaining it cannot find the directory .apt . But when I tried to create it manually it was not possible (under windows). I think the validation tool mutes the exception of not being able to create the directory: try renaming .apt in your validation tool calls (do a text search in your project)

iPhone: Valid signing identity not found annoying error

I know that this is very common problem and I have gone through almost all the similar threads out here but no luck! This started happening after I renewed my membership with Apple!
I have confirmed that I have the private and public key in Key Chain, the required certificate listed under My Certificates, my development certificate, and the AWDR certificate installed, but still under the XCode organizer I get a message saying "profile doesn't match any valid certificate/private key pair in default key chain". I also restarted the mac twice.
Also I have confirmed everything mentioned at http://developer.apple.com/library/ios/#qa/qa1618/_index.html
What else to do? I have been scratching my head for the last 3-4 hours now without any luck!
Thanks.
You could try and have a look at the project.pbxproj located inside the .xcodeproj package (open it by right clicking and select 'Show package contents'). Search the file for PROVISIONING_PROFILE and make sure everything checks out to the correct profiles. I've had problems in the past when Xcode doesn't really update this file but when I do it manually it works.
After so much pain I exported the keys from another Mac where it works and imported them on my machine and RESTARTED the Mac, then it started working!
I could have revoked the certificates and created them from scratch so that while generating the CA Authority request certificate the private keys would be generated on my machine. Learn to save these keys in .p12 format on a shared location so that you simply need to double click to install them again!

Blackberry RIM runtime code signing : can't make my appli signed, and don't start on device

I've succeeded in downloading and installing the 3 files for the RRT on Eclipse, Blackberry plug-in, version 1.3.
After installing the keys, everything seems to be OK. I can click on BlackBerry --> Sign --> Sign with Signature tool.
On my project, when I click on this, nothing happens. Perhaps it is normal?
But nothing to do: on the device (not on the simulator), my app always says "Error starting testappli : Module 'testappli' must be signed with the RIM Runtime Code Signing Key (RTT)"
I've tried at home and at work, with different keys, it's always the same.
Perhaps something is wrong?
Thanks
I had the same problem just the other night when I tried signing my first app for the first time. The top-level Blackberry > Sign > Sign with Signature Tool menu item doesn't work correctly. It compiles the project but doesn't attempt to sign anything. What worked for me was to go into the Package Explorer, right-click on the project, and choose Blackberry > Sign with Signature Tool instead. That compiles and signs correctly.