There is an apk installed on the emulator manually. I want to start testing this application. You cannot reinstall it using Xamarin UI Tests. AppInitializer.cs contains :
string keyStore = @"C:\...\Certificate\Mycompany.keystore";
return ConfigureApp
.Android
.InstalledApp("com.myapk.test")
.PreferIdeSettings()
.KeyStore(
keyStore,
"passw",
"passw",
"\"alias\"")
.EnableLocalScreenshots()
.StartApp();
When I run the test through Test Explorer, I catch the Exception:
System.Exception : Failed to execute: C:\Program Files\Android\jdk\microsoft_dist_openjdk_1.8.0.25\bin\jarsigner.exe -sigalg SHA1withRSA -digestalg SHA1 -signedjar "C:\Users\user\AppData\Local\Temp\uitest\a-287A94...D0807\23248\SignedTestServer.apk" -storepass passw -keypass passw -keystore "C:\...\Certificate\Mycompany.keystore" "C:\Users\user\AppData\Local\Temp\uitest\a-287A...D0807\TestServer.apk" ""alias"" - exit code: 1
Only one alias can be specified
Please type jarsigner -help for usage
Ok, I've just executed it manually :
jarsigner.exe -sigalg SHA1withRSA -digestalg SHA1 -signedjar "C:\Users\user\AppData\Local\Temp\uitest\a-287A94...D0807\23248\SignedTestServer.apk" -storepass passw -keypass passw -keystore "C:...\Certificate\Mycompany.keystore" "C:\Users\user\AppData\Local\Temp\uitest\a-287A...D0807\TestServer.apk" "alias"
After that I got a new apk file called SignedTestServer.apk. I've copied it into folder :
C:\Users\user\AppData\Local\Temp\uitest\a-287A943C412ED6ED5DEB1675E7FDF91843FD0807
and rerun tests.
@echo off
set spassw="password"
set kpassw="password"
cordova build android --release --keystore="developer.keystore" --storePassword=%spassw% --alias=developer --password=%kpassw% --prod
del app-release-unsigned.apk
move e:\MobileJs\chatapp\ChatApp\platforms\android\app\build\outputs\apk\release\app-release-unsigned.apk e:\MobileJs\chatapp\ChatApp\
jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore developer.keystore app-release-unsigned.apk developer
ERROR: jarsigner error: java.lang.RuntimeException: keystore load: Invalid keystore format
I wrote a cordova build script and I can't seem to sign the APK.
This is what my keystore generation looks like:
keytool -genkey -v -keystore developer.keystore -alias developer -keyalg RSA -keysize 2048 -validity 10000
Password: password
What is your first and last name?
[Unknown]: First Last
What is the name of your organizational unit?
[Unknown]: n/a
What is the name of your organization?
[Unknown]: n/a
What is the name of your City or Locality?
[Unknown]: City
What is the name of your State or Province?
[Unknown]: State
What is the two-letter country code for this unit?
[Unknown]: US
Could it be the n/a?
You can refer here for keystore generation. After generating the keystore you can sign your apk. After following these procedures, if you are not able to generate, feel free to ask.
I've been fighting with this for quite some time and would be extremely grateful if anyone could help me understand what's happening here.
I have an install4j project that creates installer packages for Windows and OSX. I have a regular signing cert for Windows and this works without issue. I have an Apple developer certificate as well. I've exported the private key from my keychain to a p12 file. I've tested the resulting p12 file to make sure it works with the keystore password. The certificate is definitely valid, since I just created it (again) today. And, when I run the installer build via Maven, it even looks as though everything is going fine:
[INFO] Compressed media file 'Mac OS X Single Bundle':
[INFO] Compressing files
[INFO] Generating VM options file vmoptions.txt.
[INFO] Signing installer
[INFO] Signing DMG
[INFO] Moving media files to media directory /Users/....
[INFO] The name of the media file is my-app_macos_1_1_1.dmg.
[INFO] The size of the media file is 4.8 MB
Which seems good, except that the installer and dmg AREN'T signed, or at least not in a way that's useful:
$ spctl -a -v target/media/my-app_macos_1_1_1.dmg
target/media/my-app_macos_1_1_1.dmg: CSSMERR_TP_CERT_EXPIRED
$ spctl -a -v /Volumes/my-app/My\ Application\ Installer.app
/Volumes/my-app/My Application Installer.app: CSSMERR_TP_CERT_EXPIRED
The cert is NOT expired:
Alias name: mac developer: me myself (my company, inc.)
Creation date: Mar 6, 2017
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: C=US, O="Radiologics, Inc.", OU=K865L34KBQ, CN=Mac Developer: Me Myself (XXXX), UID=YYYY
Issuer: CN=Apple Worldwide Developer Relations Certification Authority, OU=Apple Worldwide Developer Relations, O=Apple Inc., C=US
Serial number: 30544da25ea67233
Valid from: Mon Mar 06 14:46:17 CST 2017 until: Tue Mar 06 14:46:17 CST 2018
But whether I build the dmg/installer directly from install4j or through the Maven plugin, the result is not valid. I always get something similar to this:
$ codesign -dvvv target/media/my-app_macos_1_1_0.dmg
Executable=.../target/media/my-app_macos_1_1_0.dmg
Identifier=my-app_macos_1_1_0
Format=disk image
CodeDirectory v=20100 size=173 flags=0x0(none) hashes=1+2 location=embedded
Hash type=sha256 size=32
CandidateCDHash sha256=XXXXXX
Hash choices=sha256
CDHash=XXXXX
Signature size=8641
Authority=(unavailable)
Info.plist=not bound
TeamIdentifier=not set
Sealed Resources=none
Internal requirements count=1 size=36
In order for us to be able to distribute this app, we really need to get this to work, but I've spent literally days on this without making any progress at all. If anyone could shed any light on what's going on here, I'd greatly appreciate it.
There are two different kinds of certificates for distributing apps outside of the Mac App Store.
An application certificate and an installer certificate.
Check your certs (which you can do via the "My Certificates" in the Keychain Access app hiding in /Application/Utilities) to make sure you're using an installer certificate (on my machine the name of it is "Developer ID Installer: Michael Dautermann"). This is separate from the "Developer ID Application" certificate you use to codesign apps.
More information can be seen here.
As for DMG's, my original answer would have been "can't do that", but actually as of MacOS 10.11.5 you CAN sign dmg files. More information can be seen in the "Signing Disk Images" section of the "macOS code signing in depth" reference guide. You'd use your Developer ID Application certificate.
I've created a Firefox plugin, a Win32-native code DLL - using Firebreath. I'm working on Windows 7/x64, and targeting Windows only. The plugin itself is working well, but I'm really stuck getting a correctly signed XPI. If I don't sign my XPI, it's accepted and installed by FF 3.6 thru 10 (beta). Of course, during the install it lists the publisher as (Author not verified). So, I spent a week debugging the signing process... but FF 9 and 10 still say (Author not verified)! FF 3.6 rejects the signed XPI as invalid.
How do I troubleshoot this??
Just to repeat: I sign the xpi without error, and the resulting XPI installs successfully on FF 9 and 10, but FF still says (Author not verified).
Here's the batch code I use to sign the XPI:
echo * clean out old signing folder and xpi
if exist package rmdir /S /Q package
if exist %package%.xpi del %package%.xpi
echo * copy in files for package
md package
xcopy ..\*.rdf package
md package\plugins
xcopy ..\build\bin\Plugin\Debug\*.dll package\plugins
echo * clean out certificate database
del *.db
echo * import our signing certificate
pk12util -d . -i %keyfile% -K %pwd% -w keypass.txt
echo * adjust trust on base, intermediate and root cert
certutil -M -d . -n "VeriSign" -t "c,c,C"
certutil -M -d . -n "VeriSign Class 3 Code Signing 2010 CA - VeriSign, Inc." -t "TC,TC,TC"
certutil -M -d . -n "%certname%" -t "u,u,Cu"
certutil -L -d .
echo * create signed package
signtool -d . -X -Z %package%.xpi -k "%certname%" -p %pwd% package
I work for Mozilla, but this isn't an authoritative answer, just what I've gathered asking around:
So, essentially, each certificate authority has three trust bits Mozilla might grant it: they might trust it to sign websites, and/or mail, and/or code. Your certificate is from a certificate authority that Mozilla doesn't trust to sign code. (This is why going and manually setting the bit in your preferences makes it work - for you.)
I'm told so few people try to use binary code in xpi's that Mozilla doesn't really have an organized way to find out which authorities can be used for what. However, you can check out this list: look at the "Code Trust Bit":
https://spreadsheets.google.com/pub?key=ttwCVzDVuWzZYaDosdU6e3w&single=true&gid=0&output=html
For example (picked completely at random), ComSign Secured CA has the "Websites" and "Code" trust bits set.
I gather that Mozilla publicly discusses what rights to grant to each CA, and re-evaluates each CA periodically:
https://wiki.mozilla.org/CA:Schedule#Queue_for_Public_Discussion
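The three trust bits described above show up as the three comma-separated fields (SSL, S/MIME, JAR/XPI) that certutil -L prints and that certutil -t sets in the question's batch file. The following is an added example, not code from either post: it reads such a listing and reports what each certificate's third field means for code signing. The listing is constructed; the trust strings c,c,C / TC,TC,TC / u,u,Cu are the ones from the batch file, while the nicknames "Example Signing Cert" and "Example Web-Only CA" are placeholders.

```python
import re

# One trust string: SSL, S/MIME and JAR/XPI (object signing) fields, in that order.
# Flags per the certutil documentation: p/P peer, c valid CA, C trusted CA,
# T trusted CA for client auth, u user certificate, w warn.
TRUST = re.compile(r"^([pPcCTuw]*),([pPcCTuw]*),([pPcCTuw]*)$")

def parse_listing(text):
    """Return {nickname: (ssl, email, object_signing)} from `certutil -L` output."""
    certs = {}
    for line in text.splitlines():
        parts = line.rstrip().rsplit(None, 1)   # nickname may contain spaces and commas
        if len(parts) != 2:
            continue
        m = TRUST.match(parts[1])
        if m:                                   # header lines do not match and are skipped
            certs[parts[0].strip()] = m.groups()
    return certs

def code_signing_roles(text):
    """Classify each certificate by its third (object signing) trust field."""
    roles = {}
    for nick, (_ssl, _email, objsign) in parse_listing(text).items():
        if "C" in objsign:
            roles[nick] = "trusted CA for code"
        elif "c" in objsign:
            roles[nick] = "valid CA, not a trust anchor for code"
        else:
            roles[nick] = "no CA trust for code"
    return roles

# Constructed listing (see the note above for which values come from the page).
LISTING = """Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

VeriSign                                                     c,c,C
VeriSign Class 3 Code Signing 2010 CA - VeriSign, Inc.       TC,TC,TC
Example Signing Cert                                         u,u,Cu
Example Web-Only CA                                          C,C,
"""

if __name__ == "__main__":
    for nick, role in code_signing_roles(LISTING).items():
        print("%-55s %s" % (nick, role))
```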
Basically your signature needs to include full certificate chain up to the trusted VeriSign root certificate, bypassing the "VeriSign Class 3 Public Primary Certification Authority - G5" with unknown trust in mozilla (bug 602107), as by default the chain ends too soon.
Your XPI is currently signed with your certificate, with no further certificate chain included, relying that the user's browser will trust the issuer of your certificate immediately. You can examine this with Mozilla's jarsigner tool (see Mozilla NSS tools):
Tools\nss-3.11>jarsigner -verify -verbose -certs my-old.xpi
2057 Thu Sep 15 15:17:44 CEST 2011 META-INF/zigbert.rsa
sm 87 Thu Sep 15 15:17:44 CEST 2011 chrome.manifest
X.509, CN=Company Name inc., OU=General, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=Company Name inc., L=City, ST=State, C=XX
[certificate will expire on 26.4.13 0:59]
(showing just the output for the 1st file)
You need to include a few more certificates to complete the chain to a certificate that is by default explicitly trusted in the end user's browser. In the end it should look like this:
jarsigner -verify -verbose -certs my-newly-signed.xpi
2057 Thu Sep 15 15:17:44 CEST 2011 META-INF/zigbert.rsa
sm 87 Thu Sep 15 15:17:44 CEST 2011 chrome.manifest
X.509, CN=Company Name inc., OU=General, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=Company Name inc., L=City, ST=State, C=XX
[certificate will expire on 26.4.13 0:59]
X.509, CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
[certificate is valid from 8.2.10 1:00 to 8.2.20 0:59]
[KeyUsage extension does not support code signing]
X.509, CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
[certificate is valid from 8.11.06 1:00 to 8.11.21 0:59]
[KeyUsage extension does not support code signing]
X.509, OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
[certificate is valid from 23.5.06 19:01 to 23.5.16 19:11]
To achieve this you need to:
remove the not-explicitly-trusted VeriSign's built-in certificates from the certificate database with Mozilla's certutil tool
Build the certificate trust chain of your certificate all the way up to Microsoft's "Class 3 Public Primary Certification Authority".
sign the xpi (this time full certificates chain will be included in the signature)
verify the xpi with jarsigner as described above
test the xpi in Firefox - you should not see "Author not verified" anymore.
Caveats:
Trust bits in the built-in Firefox certificate store are actually 3-state (trusted, untrusted and unknown), despite only being shown as 2-state checkbox in the FF GUI (checked=trusted, unchecked=untrusted OR unknown). By default trust is unknown, which enables you to bypass the VeriSign's certificate as described. If you ever enabled trust via FF's checkboxes it will still work, but if you uncheck the trust checkbox the trust will be set to untrusted, which will prevent bypassing that certificate in the chain. The easiest (only?) way to reset this back to initial unknown is to delete your firefox profile.
After Mozilla eventually enables the code-signing trust bit (see the bug above) you will still need to sign like this if you want to support older versions of Firefox.
Hope it helps!
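The verification step in the answer above can be automated. The following is an added example, not code from the answer: it parses jarsigner -verify -verbose -certs output and flags signed entries whose embedded chain is the leaf certificate only, or whose last certificate is not the expected root. The sample reports are abridged from the output quoted in the answer; the function names and the ROOT string are this example's own.

```python
import re

# Entry line: optional flags (s = signature verified, m = in manifest), size, date, name.
ENTRY = re.compile(r"^(?:([smki]+)\s+)?\d+\s+\w{3}\s+\w{3}\s+\d+\s+[\d:]+\s+\S+\s+\d{4}\s+(.+)$")

def chains(report):
    """Map each archive entry to (flags, [certificate subject, ...]) in listed order."""
    result, current = {}, None
    for raw in report.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if m:
            current = m.group(2)
            result[current] = (m.group(1) or "", [])
        elif line.startswith("X.509,") and current is not None:
            result[current][1].append(line[len("X.509,"):].strip())
    return result

def audit(report, expected_root):
    """List signed entries whose embedded chain is leaf-only or ends elsewhere."""
    findings = []
    for name, (flags, certs) in chains(report).items():
        if "s" not in flags:
            continue  # e.g. META-INF/zigbert.rsa, the signature block itself
        if len(certs) <= 1:
            findings.append((name, "leaf certificate only"))
        elif expected_root not in certs[-1]:
            findings.append((name, "chain ends at an unexpected certificate"))
    return findings

# Sample reports abridged from the jarsigner output quoted in the answer above.
HEAD = """2057 Thu Sep 15 15:17:44 CEST 2011 META-INF/zigbert.rsa
sm 87 Thu Sep 15 15:17:44 CEST 2011 chrome.manifest
X.509, CN=Company Name inc., OU=General, O=Company Name inc., L=City, ST=State, C=XX
[certificate will expire on 26.4.13 0:59]
"""
OLD_XPI = HEAD
NEW_XPI = HEAD + """X.509, CN=VeriSign Class 3 Code Signing 2010 CA, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
X.509, CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
X.509, OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
"""
ROOT = 'OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc."'

if __name__ == "__main__":
    for label, report in (("old", OLD_XPI), ("new", NEW_XPI)):
        print(label, audit(report, ROOT) or "full chain embedded")
```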
I am attempting to add google map functionality to my mono for android application by following these instructions.
I have created a public.keystore and I am trying to use this keystore to sign the application by following these instructions, which I do not find explicit enough.
1) I gather I must add the following block into the csproj file. Is this correct?
<PropertyGroup>
<AndroidKeyStore>True</AndroidKeyStore>
<AndroidSigningKeyStore>public.keystore</AndroidSigningKeyStore>
<AndroidSigningStorePass>public</AndroidSigningStorePass>
<AndroidSigningKeyAlias>public</AndroidSigningKeyAlias>
<AndroidSigningKeyPass>public</AndroidSigningKeyPass>
</PropertyGroup>
2) What is the correct location of the public.keystore file?
I completely failed to register that there was a full sample solution, as part of the instructions I was trying to follow, that answered my questions.
I am a giddy goat.
1) You should, but I don't know if you must. If you do then you may need to change some of the values.
Consider a keystore that is created by the command:
keytool.exe -genkey -v -alias public -keyalg RSA -keysize 2048 -validity 10000 -keystore public.keystore
Then:
<AndroidSigningKeyStore>public.keystore</AndroidSigningKeyStore>
Defines the filename of the keystore ie. public.keystore
<AndroidSigningKeyAlias>public</AndroidSigningKeyAlias>
Is the alias of the key within the keystore that you want to use. ie. public
<AndroidSigningStorePass>public</AndroidSigningStorePass>
Is the keystore's password. This will be the first password that you were prompted for.
<AndroidSigningKeyPass>public</AndroidSigningKeyPass>
Is the key's password. This will be the second password that you were prompted for.
References
http://developer.android.com/guide/publishing/app-signing.html#cert
http://android.xamarin.com/Documentation/Build_Process#Signing
2) You can place public.keystore in the root of the project, but you don't have to add it to the solution.
The location of the keystore file is defined by the following element from Question 1:
<AndroidSigningKeyStore>public.keystore</AndroidSigningKeyStore>
I am using command file to sign the package.
"C:\Program Files\Java\jdk1.6.0_25\bin\jarsigner.exe" -verbose -keystore key.keystore myapplication.apk keyalias
"C:\Program Files\Android\android-sdk\tools\zipalign.exe" -v 4 myapplication.apk myapplication-Signed.apk