Is there a way in .Net 5 to store the private key in the TPM when we import a pfx into the Windows Certificate Store? - .net-5

I know that we can do it with certutil -csp "Microsoft Platform Crypto Provider" -importpfx but wondering if we can in .Net 5
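The question has no answer on this page; what follows is an added example, not code from the asker. It assumes (my assumption, not stated on the page) that X509Certificate2's PFX constructor, even with X509KeyStorageFlags.PersistKeySet, always lands the key in the default software KSP and offers no way to pick the Platform Crypto Provider, so after a certutil -importpfx you want to verify where the key actually lives, and when you control enrollment you can instead generate the key inside the TPM and bind it to a certificate later (CertificateRequest on an RSACng wrapping the key, then CopyWithPrivateKey). The helper name TpmKeyHelper and the command-line arguments are hypothetical; it targets .NET 5 on Windows.

```csharp
// Added example (not from the question): report which key storage provider holds a
// store certificate's private key, and create a persisted RSA key inside the TPM
// through the Microsoft Platform Crypto Provider. Windows-only, .NET 5.
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class TpmKeyHelper
{
    // Provider name exactly as certutil -csp expects it.
    const string PcpName = "Microsoft Platform Crypto Provider";

    // Provider that holds the certificate's private key, or null if there is no
    // accessible private key (non-RSA keys are reported by type name only).
    public static string GetPrivateKeyProvider(X509Certificate2 cert)
    {
        if (!cert.HasPrivateKey) return null;
        using RSA rsa = cert.GetRSAPrivateKey();
        return rsa switch
        {
            RSACng cng => cng.Key.Provider.Provider,                        // CNG key storage provider
            RSACryptoServiceProvider csp => csp.CspKeyContainerInfo.ProviderName, // legacy CAPI CSP
            _ => rsa?.GetType().Name
        };
    }

    public static bool IsTpmBacked(X509Certificate2 cert) =>
        string.Equals(GetPrivateKeyProvider(cert), PcpName, StringComparison.OrdinalIgnoreCase);

    // certutil -importpfx writes to LocalMachine\My unless -user is given, so look there by default.
    public static X509Certificate2 FindByThumbprint(string thumbprint, StoreLocation location = StoreLocation.LocalMachine)
    {
        using var store = new X509Store(StoreName.My, location);
        store.Open(OpenFlags.ReadOnly);
        var matches = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, validOnly: false);
        return matches.Count == 0 ? null : matches[0];
    }

    // Creates (or opens) a machine-wide RSA key generated by the TPM itself. The key never
    // exists in exportable form; this is the alternative to importing a PFX when you can
    // enroll a certificate for a freshly generated key instead.
    public static CngKey CreateOrOpenTpmKey(string keyName, int keySizeBits = 2048)
    {
        var pcp = new CngProvider(PcpName);
        if (CngKey.Exists(keyName, pcp, CngKeyOpenOptions.MachineKey))
            return CngKey.Open(keyName, pcp, CngKeyOpenOptions.MachineKey);

        var p = new CngKeyCreationParameters
        {
            Provider = pcp,
            KeyUsage = CngKeyUsages.Signing,
            ExportPolicy = CngExportPolicies.None,              // a TPM-resident key cannot be exported anyway
            KeyCreationOptions = CngKeyCreationOptions.MachineKey,
        };
        // "Length" is the NCRYPT property that sets the RSA modulus size.
        p.Parameters.Add(new CngProperty("Length", BitConverter.GetBytes(keySizeBits), CngPropertyOptions.None));
        return CngKey.Create(CngAlgorithm.Rsa, keyName, p);
    }

    static int Main(string[] args)
    {
        if (args.Length < 1)
        {
            Console.Error.WriteLine("usage: TpmKeyHelper <thumbprint> [newTpmKeyName]");
            return 2;
        }
        using X509Certificate2 cert = FindByThumbprint(args[0]);
        if (cert == null)
        {
            Console.Error.WriteLine("certificate not found in LocalMachine\\My");
            return 1;
        }
        Console.WriteLine($"{cert.Subject}: key provider = {GetPrivateKeyProvider(cert) ?? "(none)"}, TPM-backed = {IsTpmBacked(cert)}");

        if (args.Length > 1)
        {
            using CngKey key = CreateOrOpenTpmKey(args[1]);
            Console.WriteLine($"TPM key '{key.KeyName}' ready in {key.Provider.Provider}, {key.KeySize} bits");
        }
        return 0;
    }
}
```

Run it elevated: opening a LocalMachine private key and creating a MachineKey in the PCP both need rights an unprivileged user normally lacks, and an access-denied exception from GetRSAPrivateKey is the usual symptom. After certutil -csp "Microsoft Platform Crypto Provider" -importpfx, the first line should print the PCP as the provider; a key imported through plain .NET APIs prints Microsoft Software Key Storage Provider instead.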

Related

Windows MS signed filter driver doesn't load on Win 7 x64 after updating driver to build with VS2019 / WDK 22000

I recently took on a task to update our filter driver from building with Visual Studio 2015 -> 2019. I also moved to the latest SDK + WDK 22000 (Which is the new Windows 11 one).
Everything seemed to work except that on Win 7 x64 (with secure boot) boxes the driver no longer loads. It gets:
Load failed with error: 0x80070241
Windows cannot verify the digital signature for this file. A recent hardware or
software change might have installed a file that is signed incorrectly or damaged,
or that might be malicious software from an unknown source.
Our driver was/is attestation signed by Microsoft via the MS Hardware portal and so it's jointly signed by both our company and Microsoft with a SHA-2 signature each. Windows 7 doesn't support SHA-2 certs out of the box; however, it was previously working provided:
Windows6.1-KB3033929-x64
Was installed. Something seems to have changed though and Windows 7 x64 boxes can't load the new driver even with the latest updates. They load the 2015 built driver just fine even though the certificates on both look identical. The new driver loads just fine on Windows 10 machines.
Is anyone aware of any other changes which might make this combination fail to load?
I had a similar issue a few months ago, when we decided to switch our certificate provider. I'll share my knowledge with you; hope that's going to help.
A while ago, Microsoft used cross-certificates to validate trusted certificate authorities (CAs), so the only thing you needed to sign a driver was a proper certificate bought from a trusted CA. But recently the validation process changed, and starting from Windows 10 20H2 you are forced to sign your driver through Microsoft Partner Center, and all the cross-certificates were deprecated. However, you still need to use the cross-signing process for all your drivers prior to Windows 10; actually, a cross-signed driver will work up to Windows 10 20H1, to be exact.
Now back to Visual Studio. To properly sign a driver, you had to set a production certificate in the field Properties -> Driver Signing -> General -> Production Certificate, which causes Visual Studio to use the signtool utility to sign the driver after the build is done. As I presume, the Visual Studio 2019 process does not use a cross-certificate and looks something like:
signtool sign /v <trusted_certificate> /tr http://timestamp.digicert.com /td sha256 /fd sha256 /a <sys_driver_filepath>
But Visual Studio 2013 actually must use a cross-certificate, and the command it uses is:
signtool sign /v /ac <microsoft_cross_certificate> /tr http://timestamp.digicert.com /a <sys_driver_filepath>
So what is a cross-certificate? It's a special trusted Microsoft certificate that is tied to a certified CA. The list of all the cross-certificates available can be found here: https://learn.microsoft.com/en-us/windows-hardware/drivers/install/cross-certificates-for-kernel-mode-code-signing#cross-certificate-list. To pick the correct one you need to check your company certificate first. Take a look at the root of the certification path of your cert, open View Properties -> Details and find Issuer; that's your CA. Now you need to find the exact match in the cross-certificate list and download it. Note that the thumbprint doesn't need to match (revealed in a related issue). After all that, use a proper signtool command to sign your file.
P.S. If your certificate issuer is not present on the list, that means your CA is inappropriate and you need to get/buy another certificate.

Difference between package signing and code signing

Using VS2013 and Windows 8.1
I have a .cer and .pfx file bought from Verisign. I am new to store apps. I have a couple of questions.
What is the difference between signing the package and code signing (done using the VS 2013 packaging tab of Package.appxmanifest) -
my understanding so far
(a) I guess this is similar to using signtool.exe tool right?
(b) Both will install the public key (.cer) to the certificate store (mmc) and sign the appx with the private key (.pfx), so I would need to manually install the .cer file on the live machines in order to install my app?
(c) Code signing is done in order to ensure the code has not been tampered with, but do we need to do this for the main store app and all other components used as part of different projects (.dll)?
Do we need both package and code signing in order to publish store apps on client machines?
I can't use the same .pfx used for package signing for code signing because of some chaining information. Is this how it is supposed to be used, a different .pfx for each? Is this the normal way?
For the regular Windows Store apps:
You don't need to sign windows store apps manually.
No. Windows Store will sign the package automatically.
Code signing is for Windows Classic apps or drivers and not for Windows Store apps.
For the sideloaded apps:
Windows Store enterprise apps can be signed by any certification authority that is trusted on your PCs (where the app will be installed). It's better to sign with Visual Studio. There is documentation for the exact procedure.
If you sign with a Verisign certificate, you don't need to install anything except the app, because the Verisign root is already trusted in Windows. Visual Studio signs only the application package.

windows phone 8.1 company profile

We are developing the Windows Phone 8.1 app.
HockeyApp was chosen for app distribution. To be able to distribute a Windows Phone 8.1 app, it requires uploading the company profile file (.aetx), which then should be downloaded on the Windows Phone, and only after that can the .xib file signed with the company certificate be installed.
The problem is that the phone reports the error when trying to install the .aetx file:
Can't add workplace account
We weren't able to set up the workplace account.
Contact your company's support person for help.
The specifics are that the Enterprise Mobile Code Signing Certificate was requested from Symantec from a Mac computer, and the certificates were exported to .p12 format, not .pfx as in the case of Windows. But AETGenerator.exe didn't show any error and successfully created the .aet, .aetx and .xml files.
I followed the Company app distribution for Windows Phone, and the steps I have done:
Registered the Company account on Windows Phone Dev Center
On Mac computer applied for Symantec Enterprise Mobile Code Signing Certificate
On Mac picked up Enterprise Certificate from Symantec
On Mac exported the Enterprise Certificate to .p12 file
On Windows installed the Symantec_Enterprise_Mobile_Root_for_Microsoft.cer
On Windows installed the Symantec_Enterprise_Mobile_CA_for_Microsoft_Cert.cer
On Windows development computer generated the .aetx file using the AETGenerator.exe of the Windows Phone 8.1 SDK tools
Now, whether installing the .aetx file from email or through HockeyApp, the phone shows the same error and doesn't install the certificate.
I tried installing the .p12 from the Mac on Windows, then exporting the .pfx file on Windows with the private key included, and then generating the .aetx file from this .pfx; the result is the same, the phone shows the same error.
If I install all certificates on Windows (downloading the Symantec certificates and installing the private and public Enterprise certificates from the .p12 file), and then try to pick up the Enterprise Certificate from Symantec on Windows, the browser shows:
Your certificate cannot be installed. Either it has already been installed, or you have removed your private key.
It seems this error is shown when trying to install the public key of the certificate on a computer other than the one from which it was requested.
Can applying for the Symantec Enterprise Mobile Code Signing Certificate from a Mac and then exporting the certificate be the reason for this problem?
If the Enterprise Mobile Code Signing Certificate was once acquired for the company, is there a way to apply for another certificate for the same company from another computer? When enrolling for a certificate, the private key is created in the browser on the back end, and I am wondering if it is possible to go through the same procedure from Windows without paying for an extra certificate.
This should help.
When we try to generate an AET token, it fails with the following error. What is the cause of this failure?
Unknown Error while generating AET
StartIndex cannot be larger than length of string
Parameter name: StartIndex
http://blogs.msdn.com/b/wsdevsol/archive/2014/04/21/frequently-asked-questions-about-windows-phone-company-hub-apps.aspx

Code sign .msi and .exe using microsoft authenticode certificate from verisign

I ordered a verisign code signing certificate (microsoft authenticode) and I now have a .cer file that has my certificate.
I have checked the signtool.exe documentation and I now require a .pfx file. How do I get the .pfx file and how do I get my private key (.pvk file)?
You get this file from Verisign or any other provider.
They usually install the certificate on your machine and you need to export it as a PFX to use it with signtool.
Use MMC and add the Certificates snap-in to do it.
You will find detailed help on your certificate provider's site. Make sure you've bought a code signing certificate.
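The MMC export the answer describes can also be scripted, and doing so lets you add the two checks that answer the asker's last two lines: that the certificate really carries the Code Signing EKU, and that its private key is marked exportable (a key imported without the exportable flag, or living on a smart card or TPM, makes Export throw). This is an added example, not the answerer's code; the class name PfxExporter and the command-line arguments are hypothetical, and it assumes the certificate was installed into CurrentUser\My, which is where a browser-delivered certificate normally lands.

```csharp
// Added example (not from the answer): export a code-signing certificate plus its private
// key to a password-protected PFX for signtool, after verifying the EKU and exportability.
using System;
using System.IO;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class PfxExporter
{
    const string CodeSigningEku = "1.3.6.1.5.5.7.3.3"; // id-kp-codeSigning

    // True if the certificate's Enhanced Key Usage extension lists Code Signing.
    public static bool HasCodeSigningEku(X509Certificate2 cert) =>
        cert.Extensions.OfType<X509EnhancedKeyUsageExtension>()
            .Any(e => e.EnhancedKeyUsages.Cast<Oid>().Any(o => o.Value == CodeSigningEku));

    // True if the private key is allowed to leave the store. CNG keys carry an export policy;
    // legacy CAPI keys expose the same flag through CspKeyContainerInfo.
    public static bool IsKeyExportable(X509Certificate2 cert)
    {
        if (!cert.HasPrivateKey) return false;
        using RSA rsa = cert.GetRSAPrivateKey();
        return rsa switch
        {
            RSACng cng => (cng.Key.ExportPolicy & CngExportPolicies.AllowExport) != 0,
            RSACryptoServiceProvider csp => csp.CspKeyContainerInfo.Exportable,
            _ => false
        };
    }

    public static void ExportToPfx(X509Certificate2 cert, string path, string password)
    {
        if (!HasCodeSigningEku(cert))
            throw new InvalidOperationException("certificate does not have the Code Signing EKU");
        if (!IsKeyExportable(cert))
            throw new InvalidOperationException("private key is not exportable; re-import it as exportable or sign from the store");
        byte[] pfx = cert.Export(X509ContentType.Pfx, password);
        try
        {
            File.WriteAllBytes(path, pfx);
        }
        finally
        {
            Array.Clear(pfx, 0, pfx.Length); // the in-memory copy holds the private key
        }
    }

    static int Main(string[] args)
    {
        if (args.Length != 3)
        {
            Console.Error.WriteLine("usage: PfxExporter <thumbprint> <output.pfx> <password>");
            return 2;
        }
        using var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly);
        var found = store.Certificates.Find(X509FindType.FindByThumbprint, args[0], validOnly: false);
        if (found.Count == 0)
        {
            Console.Error.WriteLine("certificate not found in CurrentUser\\My");
            return 1;
        }
        ExportToPfx(found[0], args[1], args[2]);
        Console.WriteLine($"wrote {args[1]} for {found[0].Subject}");
        return 0;
    }
}
```

Once you have confirmed the key is exportable, consider whether you want a PFX on disk at all: signtool can sign directly from the store with /n or /sha1, which avoids a file containing the private key.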

Setup Project in Visual Studio 2010 : Unknown Publisher?

I have a VS 2008 Setup Project created. I am trying to install this on a Windows 7 machine as a Standard User. I am getting a warning during install about an unknown publisher. I have used makecert to create a certificate, then converted it to a password pfx file. I have digitally signed the msi and setup.exe with the pfx file. When I go into the file properties, I can see the digital certificate attached. On the Windows 7 machine, I imported the pfx file to "Trusted Publishers". What do I need to do to get rid of the warning? I can't have the admin user and password required to install the app. I can't change the UAC settings. I need to make the change to the certificate / setup files to get this to work.
Makecert creates certificates only for testing purposes. To sign your installer you need a real certificate purchased from an official authority. You can try purchasing one from Verisign or Comodo.
Windows UAC recognizes only real certificates.
