BouncyCastle Cryptography provider library used with applet on Java 7u40 - applet

The case: I am maintaining a Java applet which uses the BouncyCastle libraries bcpkix-jdk15on-149.jar, and bcprov-jdk15on-149.jar.
Problem is when the applet is run on a JRE version 7_u40 enabled browser.
The behavior has changed from version 7_u25 in a way that it always prompts a modal window like "Security prompt for an app using a self-signed certificate" (which cannot be permanently hidden anymore), just to trust bcprov.
https://www.java.com/en/download/help/appsecuritydialogs.xml
As far as I know, this is because BC libraries are signed with the BouncyCastle certificate, issued by the "JCE Code Signing CA".
Because of that, the lib can perform and act as a cryptography provider.
BUT: the JRE cannot build the certificate chain to trust the signature. It shows "provider : UNKNOWN"
I know I can remove that signature and sign it myself (I own a Thawte code signing certificate):
it works with bcpkix lib
it does not work with bcprov because it won't be considered as a valid cryptography provider (it won't be trusted by the JRE).
Am I right?
What can I do?
PS: I googled a lot to find the JCA root cert (to put it into the JRE truststore), without success... Is there a way to grab that root CA?

After a lot of searching and some posts on the BC mailing list.... I found the solution, so I drop it here for others who may face that issue:
The solution is basically to sign the BC library a second time with my own certificate.
The JAR needs the JCA signature in order to be trusted as a cryptography provider, so do not remove it.
The JAR also needs (in addition) a code signature in order to be able to be run in the JVM (trusted by the JRE).
One last thing, some incompatibility happened on the signature technology:
The BC lib is signed using the SHA1 digest algorithm.
jarsigner (on my computer) does the signature with the SHA256 digest algorithm by default, which leads to a verification failure.
So I had to ask jarsigner to do it the SHA1 way. (For some reason both signatures have to be consistent from that point of view.)
Here is the magic parameter of jarsigner command to add and make it happen:
-digestalg SHA1
Sample command:
jarsigner -keystore ./mykeystore.jks -storepass myPass -digestalg SHA1 bcprov-jdk15on-149.jar myAlias
... and you're done!
The following post gave me the tip: What prevents Java from verifying signed jars with multiple signature algorithms
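To see the digest mismatch described in this answer before the JRE does, the following added example (not from the original post and not BouncyCastle's or the JDK's code) reads a JAR's META-INF/*.SF files with Python's zipfile module and reports which digest algorithm each signer used. The JAR it inspects is constructed in memory with placeholder digests and placeholder signature blocks; the signer names BCKEY and MYALIAS are assumed. The JDK's own check of the signatures themselves remains `jarsigner -verify -verbose -certs`.

```python
# Added example (not from the original post or from BouncyCastle):
# inspect the signature files inside a signed JAR and report which digest
# algorithm each signer used, so a SHA1/SHA-256 mismatch between the
# original JCE signature and a second signature is visible before the JRE
# refuses the JAR.  The sample JAR below is constructed in memory.
import io
import re
import zipfile

# In a META-INF/*.SF file every per-entry digest is an attribute such as
# "SHA1-Digest:" or "SHA-256-Digest:"; the header carries
# "<alg>-Digest-Manifest:" and "<alg>-Digest-Manifest-Main-Attributes:".
DIGEST_ATTR = re.compile(
    r"^([A-Za-z0-9-]+?)-Digest(?:-Manifest(?:-Main-Attributes)?)?:", re.M)


def signature_digest_algorithms(jar_bytes):
    """Map each signer (the .SF file's base name, which jarsigner derives
    from the key alias) to the set of digest algorithms its .SF file uses."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if not (name.startswith("META-INF/") and name.upper().endswith(".SF")):
                continue
            text = zf.read(name).decode("utf-8", errors="replace")
            signer = name[len("META-INF/"):-len(".SF")]
            report[signer] = {m.group(1).upper() for m in DIGEST_ATTR.finditer(text)}
    return report


def digests_consistent(jar_bytes):
    """True when every signer used the same digest algorithm(s); the answer
    above reports a verification failure when they differed."""
    algs = list(signature_digest_algorithms(jar_bytes).values())
    return all(a == algs[0] for a in algs)


def build_sample_jar(second_signer_alg="SHA-256"):
    """Construct a synthetic doubly-signed JAR: a BC-style first signer
    (BCKEY, SHA1) and a second signer (MYALIAS) using second_signer_alg.
    Digest values and signature blocks are placeholders, not real data."""
    sf_template = ("Signature-Version: 1.0\r\n"
                   "{alg}-Digest-Manifest: {d1}\r\n\r\n"
                   "Name: org/bouncycastle/Dummy.class\r\n"
                   "{alg}-Digest: {d2}\r\n\r\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\r\n\r\n"
                    "Name: org/bouncycastle/Dummy.class\r\n"
                    "SHA1-Digest: AAAA\r\n"
                    f"{second_signer_alg}-Digest: BBBB\r\n\r\n")
        zf.writestr("META-INF/BCKEY.SF",
                    sf_template.format(alg="SHA1", d1="CCCC", d2="DDDD"))
        zf.writestr("META-INF/BCKEY.DSA", b"placeholder signature block")
        zf.writestr("META-INF/MYALIAS.SF",
                    sf_template.format(alg=second_signer_alg, d1="EEEE", d2="FFFF"))
        zf.writestr("META-INF/MYALIAS.RSA", b"placeholder signature block")
        zf.writestr("org/bouncycastle/Dummy.class", b"")
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    # Usage: python check_jar_digests.py some.jar   (no argument: use the sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_jar()
    for signer, algs in signature_digest_algorithms(data).items():
        print(f"{signer}: {', '.join(sorted(algs))}")
    print("consistent" if digests_consistent(data)
          else "MISMATCH: re-sign with -digestalg matching the existing signature")
```

Run against a real JAR, the signer names are whatever the .SF files are called (the original BC signature and your own alias), and a mismatch is the cue to repeat the jarsigner step with `-digestalg` set to the algorithm the existing signature used.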

We can also include the other stackoverflow post and the answer that helped me:
Putting the line:
Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider());
Helped me getting rid of the exception.
Source:
jce cannot authenticate the provider bc

Custom exe being detected by Windows Defender [duplicate]

I always use Inno Setup for packaging and publishing. Users download the application using a link for example: https://oursite.com/codesigned/mysetup.exe
Until now, it always worked. But recently I had to renew my code signing certificate because it expired. After the renewal I have a SmartScreen problem: every user who downloads the application gets this SmartScreen warning, which did not happen before.
I have used signtool.exe verify /pa innosetup-made-myexe.exe and it shows successful; I have also done the verification with the Windows Application Certification Kit, which shows it PASSED, but with WARNINGS, and all those WARNINGS are mostly generated by Inno Setup.
Here you can find the output, where it's showing WARNINGS on Inno Setup exes:
https://docs.google.com/document/d/11frW_GxI0xSVcrAXh4_rqcKBQSaermAlpYKj4xzQi4o/pub
How can I fix this problem?
(I'm still not sure if it's a Standard Code Signing vs EV Code Signing issue. I already used Standard Code Signing for a few years and it always worked. I can upgrade to EV Code Signing, but how can I make sure it's not an Inno Setup compiler problem? As you can see, the WARNINGS shown in the URL above point to Inno Setup.)
To verify whether it's an Inno Setup or a code signing issue (see https://stackoverflow.com/a/29067585/285594), I have done the following:
From Microsoft, I have downloaded the file called winqual.exe, which does not need Inno Setup.
I code signed the winqual.exe and uploaded to my same server
I downloaded the same file with Internet Explorer and it works without showing me the SmartScreen.
Does it make any sense now that Inno Setup is the main cause of this problem?
Nowadays, you have to use EV code signing certificates.
See Transferring Microsoft SmartScreen reputation to renewed certificate.
Below is the original answer, which addresses some specifics of the question.
If you believe the problem is due to an unsigned uninstaller, make sure you set the SignTool directive of your Inno Setup project accordingly. And make sure SignedUninstaller directive has its default value yes.
Quoting SignTool directive documentation:
Specifies the name and parameters of the Sign Tool to be used to digitally sign Setup (and Uninstall if SignedUninstaller is set to yes). When Setup has a valid digital signature, users will not see an "unidentified program" warning when launching it.
If you want to set NXCOMPAT and DYNAMICBASE flags to the uninstaller, you can create a sign.bat batch file that both calls signtool.exe and editbin.exe:
@echo off
editbin.exe /NXCOMPAT /DYNAMICBASE %1
signtool.exe sign ... %1
The calls need to be in this order, otherwise the editbin.exe breaks the signature.
Then use the sign.bat instead of signtool.exe in the SignTool directive.
Though I do not really think this is necessary, nor helps anything.
I think this is normal behavior.
When your software collects enough "likes" = downloads or installs, SmartScreen will automatically turn off this message.
It is a really annoying feature because with every software release you need to wait an appropriate time while the software becomes "popular" and is recognized as safe (no certificates or antivirus methods can solve it).
You do NOT need this "Windows Application Certification Kit".
What #slappy says is correct:
After renewal of your certificate, you need enough downloads and "good reviews" before this message goes away.
What you need to do is to download your application using Microsoft Edge (not Chrome or Firefox!!!).
It will most likely say "This download may be dangerous and has been blocked".
Then you can choose "Keep anyways". And then you can choose "Report as Secure".
And THEN, even when SmartScreen says that it doesn't trust your app (even though it's digitally signed, LOL!!!!), you have to choose "More..." and "Install anyways".
Install it on your computer! I think that is important.
I have used 5 different computers and reported my apps as secure multiple times and installed it.
I have also asked 2 friends (because of their different IP address) to do the same.
I hate this so much!!!!!!!!!!
After 1 day, the error message was gone.

Invalid TLS Certificate when connecting Mylyn to Gitlab issues

I had finally found a solution to connect Mylyn to Gitlab's Issues in this question.
It all worked well. But a few months after I had it all configured, it doesn't work anymore. I'm getting this error when trying to connect:
Invalid TLS Certificate: You can disable certificate checking by setting ignoreCertificateErrors on GitlabHTTPRequestor
Does anyone know how I can get rid of this message? There is no ignoreCertificateErrors option in the preferences, nor does the plugin have any such configuration.
Do I have to put something in the ini file? How do I set ignoreCertificateErrors?
Edit
The commands VonC gave have worked. But now I got another error:
Unknown Exception: java.io.FileNotFoundException: https://git.company/api/v3/projects?private_token=whatever
I put this url in the browser, and got the following json:
{"error":"API V3 is no longer supported. Use API V4 instead."}
So I changed the url to:
https://git.company/api/v4/projects?private_token=whatever
and the data loaded correctly. So I guess this is a problem with the connector using an outdated api. This link:
https://github.com/pweingardt/mylyn-gitlab/issues/47
tells me I probably will have to wait a bit. I couldn't find any configs or files where I can change this url.
But my original question was for the TLS problem which was solved, so I'll consider the question answered by VonC.
But if someone knows how I could solve this new problem in order to really get to the end of this by connecting to the site, feel free to add additional answers.
This is probably linked to GitLab's move to GCP (Google Cloud Platform).
Try and add it to your JDK keystore (the JDK used to run your Eclipse: it could be the embedded jdk, or one on your system)
First get the new certificate:
echo -n | openssl s_client -connect git.company:443 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > gitlab.chain.pem
(replace git.company by your GitLab server domain name)
Then add it to your JDK
cd /path/to/jdk
jre/bin/keytool -keystore jre/lib/security/cacerts -storepass changeit -import -trustcacerts -file gitlab.chain.pem -alias NewGitLab
Launch your Eclipse again, and try your Mylyn connector.
Note: I confirm that, since GitLab 11.0 (July 2018), the API v3 is no longer supported. Only v4.
See issue 36819.
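The sed range in this answer writes every certificate it finds into one file, and keytool's -importcert only reads the first certificate of a file. The following added example (not part of VonC's answer, of GitLab or of Mylyn) splits the output of the same command, with openssl's `-showcerts` option added so the whole chain is printed, into one PEM file per certificate and prints a keytool command for each. The s_client output is constructed sample text with placeholder base64, the host name git.company is the answer's placeholder, and the `jre/lib/security/cacerts` path and `changeit` password are the answer's assumptions.

```python
# Added example (not part of VonC's answer or of any GitLab/Mylyn code):
# split the certificate chain printed by
#   echo -n | openssl s_client -connect git.company:443 -showcerts
# into one PEM file per certificate, each ready for a separate
# keytool -importcert.  The s_client output below is constructed sample
# text with placeholder base64, not a capture from a real server.
import os
import re

SAMPLE_S_CLIENT_OUTPUT = """CONNECTED(00000003)
depth=1 O = Example CA
verify return:1
---
Certificate chain
 0 s:CN = git.company
   i:O = Example CA
-----BEGIN CERTIFICATE-----
TUlJLi4ucGxhY2Vob2xkZXIgbGVhZiBjZXJ0aWZpY2F0ZQ==
-----END CERTIFICATE-----
 1 s:O = Example CA
   i:O = Example CA
-----BEGIN CERTIFICATE-----
TUlJLi4ucGxhY2Vob2xkZXIgaXNzdWluZyBDQQ==
-----END CERTIFICATE-----
---
Server certificate
subject=CN = git.company
"""

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n.*?-----END CERTIFICATE-----", re.S)
CHAIN_ENTRY = re.compile(r"^\s*\d+ s:(.*)$", re.M)


def extract_pem_certificates(text):
    """Same selection as the answer's sed range, but returned as a list so a
    chain of several certificates is not written into a single file."""
    return [m.group(0) + "\n" for m in PEM_BLOCK.finditer(text)]


def chain_subjects(text):
    """Subjects listed by s_client, in the same order as the PEM blocks."""
    return [m.group(1).strip() for m in CHAIN_ENTRY.finditer(text)]


def write_chain(text, directory, prefix="gitlab.chain"):
    """Write each certificate to <directory>/<prefix>.<n>.pem and return the
    paths, leaf first (file 0), issuer(s) after it."""
    paths = []
    for n, pem in enumerate(extract_pem_certificates(text)):
        path = os.path.join(directory, f"{prefix}.{n}.pem")
        with open(path, "w") as fh:
            fh.write(pem)
        paths.append(path)
    return paths


def keytool_commands(paths, cacerts="jre/lib/security/cacerts", alias="NewGitLab"):
    """One keytool invocation per certificate, mirroring the answer's command
    (JDK layout and the default 'changeit' password assumed, as in the answer)."""
    return [f"keytool -keystore {cacerts} -storepass changeit -importcert "
            f"-trustcacerts -noprompt -file {p} -alias {alias}-{n}"
            for n, p in enumerate(paths)]


if __name__ == "__main__":
    import tempfile
    out = tempfile.mkdtemp()
    files = write_chain(SAMPLE_S_CLIENT_OUTPUT, out)
    for subject, cmd in zip(chain_subjects(SAMPLE_S_CLIENT_OUTPUT), keytool_commands(files)):
        print(f"# {subject}\n{cmd}")
```

Importing only the leaf certificate (file 0) has to be repeated every time the server certificate is renewed, which fits the question's "worked for months, then stopped"; importing the issuing CA certificate (the last file) instead survives routine renewals. In either case, compare the captured certificate's fingerprint with what the GitLab administrator publishes before trusting it, since output captured over an untrusted network path proves nothing by itself.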
I finally made it work. Steps:
First make sure you have the JDK and maven installed in your machine, working properly and have followed the instructions VonC gave in his answer. You should install JDK BEFORE following VonC instructions.
Clone this github repo: https://github.com/timols/java-gitlab-api
cd to the folder where you cloned it and run mvn clean verify. It will create a target folder with a file named java-gitlab-api-4.0.1-SNAPSHOT.jar in it.
Clone this github repo: https://github.com/scriptninja/mylyn-gitlab
Put the java-gitlab-api-4.0.1-SNAPSHOT.jar file in de.weingardt.mylyn.gitlab.core/lib folder.
Go to the folder where you cloned mylyn-gitlab and run mvn clean verify again.
When the build ends there should be a folder called de.weingardt.mylyn.gitlab.updatesite/target/repository
Go to eclipse->help menu->installation details and uninstall any previous "Mylyn gitlab connectors" you had installed (if any).
Go to eclipse->help menu->Install new software->Add and put <your complete folder path>/de.weingardt.mylyn.gitlab.updatesite/target/repository in the Location field. You can put anything you want in the Name field.
Select the repository you just added in "Work with:" selection.
An entry called "Mylyn connectors" should appear below.
Install it and it's done. You can add your new working connector in Mylyn. Then just connect to the repository using the normal connection process.
If you have any problems connecting after this, check the SO link I mention in my question (this one). It has some interesting info there.
Hope it helps. Thanks to VonC for giving me the first step I needed to solve this. :)
Edit
My environment: Java 8, Ubuntu 16.04 64 bits and Eclipse Oxygen

Webstart maven plugin, updateManifestEntries and PKCS11 code signing mutually exclusive

I've been struggling with this for a couple days now, and I believe I have a workaround, but it's a tremendously crappy one.
Our code signing certificate is in an HSM slot. So we must use PKCS11 to sign.
So far as I can tell, the maven webstart plugin (beta 4) lacks support for providerClass, providerArg and providerName. This means that PKCS11 signing can't happen that way.
Fine. There's the jarsigner plugin. That works just fine to sign the jars.
The problem is that we now must also use updateManifestEntries to add the codebase and permission entries to our webstart applet.
Well, the actual code in the webstart plugin to actually perform the manifest update is inside of
if (sign) { ... }
So it never happens.
So we have to have a bogus self-signed cert and key and use that in the sign config of the webstart plugin so that we can get the jars' manifests updated, and then throw away all that wasted work and resign the jars with the jarsigner plugin.
SURELY there has to be a better way!
To make your PKCS#11 the default and pass it an argument I think you could do:
$JAVA_HOME/lib/security/java.security:
security.provider.1=com.security.whateverPKCS11Provider whateverProviderArg1

How to define key store in SOAPUI

How do I define a key store in SoapUI? It is giving the error "invalid keystore format". Which file do I have to define for that?
In my case, I use a .pfx file. On the SSL tab, I enter the path to the .pfx and the password. Then it "just works".
There is apparently a problem with v4.5, as some users (including a co-worker) are getting "invalid keystore format", with keystores that worked previously. See this link:
http://www.eviware.com/forum/viewtopic.php?f=4&t=13181&p=33196&hilit=p12#p33196
I had a different error with 4.5, so I'm back to 4.0 which is working fine for me. Perhaps your issue will go away if you use 4.0 instead.

iPhone: Valid signing identity not found annoying error

I know that this is very common problem and I have gone through almost all the similar threads out here but no luck! This started happening after I renewed my membership with Apple!
I have confirmed that I have the private and public key in Key Chain, the required certificate listed under My Certificates, my development certificate, and the AWDR certificate installed, but still under the XCode organizer I get a message saying "profile doesn't match any valid certificate/private key pair in default key chain". I also restarted the mac twice.
Also I have confirmed everything mentioned at http://developer.apple.com/library/ios/#qa/qa1618/_index.html
What else can I do? I have been scratching my head for the last 3-4 hours now without any luck!
Thanks.
You could try and have a look at the project.pbxproj located inside the .xcodeproj package (open it by right clicking and select 'Show package contents'). Search the file for PROVISIONING_PROFILE and make sure everything checks out to the correct profiles. I've had problems in the past when Xcode doesn't really update this file but when I do it manually it works.
After so much pain I exported keys from other MAC where it works and imported on my Machine and RESTARTED MAC then it started working!
I could have revoked the certificates and create them from scratch so while generating CA Authority request certificate private keys would be generated on my machine. Learn to save these keys in .p12 format on shared location so that you simply need to double click to install it again!