I recently did some research about certificates in Windows.
I tried two different ways to install a certificate:
1. Use the certutil command to install, e.g.: certutil -addstore -f "ROOT" rootCA.pem
2. Use the Microsoft API to install:
HCERTSTORE certStore = CertOpenSystemStore(NULL, TEXT("ROOT"));
CertAddEncodedCertificateToStore(
    certStore,
    X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
    rootCACert,       /* DER-encoded bytes of the root CA certificate */
    rootCACertLen,    /* length of rootCACert in bytes */
    CERT_STORE_ADD_REPLACE_EXISTING,
    NULL
);
After installing, I used certmgr.msc to check that it succeeded.
And Firefox's security.enterprise_roots.enabled is set to true.
But I found a strange situation.
Firefox only trusts the certificate which certutil installed.
Can somebody tell me why?
Thanks in advance!
According to the Mozilla Wiki there are differences between versions:
As of version 49, ... Firefox will inspect the HKLM\SOFTWARE\Microsoft\SystemCertificates registry location (corresponding to the API flag CERT_SYSTEM_STORE_LOCAL_MACHINE)
and
As of version 52, Firefox will also search the registry locations HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates and HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates (corresponding to the API flags CERT_SYSTEM_STORE_LOCAL_MACHINE_GROUP_POLICY and CERT_SYSTEM_STORE_LOCAL_MACHINE_ENTERPRISE, respectively).
So it would be nice to know what version you use.
To answer your question: As the flags of the stores searched are named in the wiki, it seems you are using the wrong store in your API solution. Have a look at the function CertOpenStore instead of CertOpenSystemStore. This allows you to pass e.g. CERT_SYSTEM_STORE_LOCAL_MACHINE as dwFlags to open the store Mozilla searches.
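As an added example (not part of the answer above), the PowerShell script below installs a root CA into the LocalMachine Root store, which is the store backed by the HKLM\SOFTWARE\Microsoft\SystemCertificates key quoted from the wiki, and then reports where the certificate actually landed. CertOpenSystemStore opens the store of the current user, so a certificate added through it shows up under CurrentUser and never in that registry location. The certificate path is an assumption; the script needs an elevated prompt to write to the machine store.

```powershell
# Added example (not the original poster's code). The path below is an assumption;
# the file may be DER or Base64/PEM, X509Certificate2 accepts both.
$certPath = 'C:\certs\rootCA.cer'
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certPath)

# 'Root' + 'LocalMachine' is the store that CertOpenStore(CERT_STORE_PROV_SYSTEM, ...,
# CERT_SYSTEM_STORE_LOCAL_MACHINE, "ROOT") opens. CertOpenSystemStore(NULL, "ROOT")
# would open the CurrentUser store instead, which Firefox's enterprise roots feature ignores.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)   # requires elevation
$store.Add($cert)
$store.Close()

# Show which Root stores now contain the certificate, by thumbprint.
foreach ($location in 'LocalMachine', 'CurrentUser') {
    $hit = Get-ChildItem "Cert:\$location\Root" | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
    '{0,-13} Root store: {1}' -f $location, $(if ($hit) { 'present' } else { 'absent' })
}

# The LocalMachine Root store is persisted under this key (one subkey per thumbprint);
# this is the registry location Firefox 49+ inspects.
$regKey = "HKLM:\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\$($cert.Thumbprint)"
'Registry key {0}: {1}' -f $regKey, $(if (Test-Path $regKey) { 'present' } else { 'absent' })
```

Run it elevated, then restart Firefox; the second report line for CurrentUser stays "absent", which is the difference between this store and the one CertOpenSystemStore opened.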
I have to add some certificates to Firefox before building it, then test it with these certificates. I know that certificates are hardcoded into certdata.txt, in this location:
mozilla-source\mozilla-central\security\nss\lib\ckfw\builtins
I've tried to add certificates into certdata.txt using addbuiltin from nss-tools. But after building it I get errors.
The compiler shows these errors when reading certdata.txt:
0:49.23 c:/mozilla-source/mozilla-central/obj-x86_64-pc-mingw32/security/nss/lib/ckfw/builtins/builtins_nssckbi/certdata.c(20983,1): warning: missing terminating '"' character [-Winvalid-pp-token]
0:49.23 "\152\270\202\165\004\122\100\146\207\136\301\151\270\325\275\134
Actually it's pretty easy to do.
First you need NSS and NSPR, because the NSS that is built into the Mozilla installer does not have the addbuiltin function that we need.
Download NSS for windows
Download Nspr for windows
Second step
unpack both of these files.
Then copy the contents of the NSPR /lib folder to the NSS /bin folder
Copy your certificate and certutil.txt to the NSS /bin folder.
Note: Your certificate should be in .der format!
Third step
Run the command below:
addbuiltin -n "My certificate name" -t "CT,C,C" < CAcert.der >> certdata.txt
My certificate name - The name of the certificate that will be added to the certutil.txt.
CT,C,C - Is the trusted properties of the certificate.
CAcert.der - Certificate itself.
certdata.txt - Certificates containing file.
But before copying certutil.txt back to the source code you have to do one more thing.
Open certutil.txt in Notepad++ and turn on hidden characters via Menu View → Show Symbol → Show All Characters. Then change \r\n to \n.
And you're done!
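Steps 2 to 4 of the answer above as one PowerShell script, added here as an example and not the answerer's own code. It checks that the input really is DER (the first byte of a DER certificate is the ASN.1 SEQUENCE tag 0x30), runs addbuiltin with its stdin and stdout redirected, appends the entry, and then rewrites certdata.txt with LF-only line endings, which replaces the manual Notepad++ step. The NSS folder, file names and the certificate nickname are assumptions.

```powershell
# Added example. All paths and the nickname below are assumptions.
$nssBin   = 'C:\nss\bin'                         # NSS bin folder with the NSPR DLLs copied in
$certDer  = Join-Path $nssBin 'CAcert.der'
$certData = Join-Path $nssBin 'certdata.txt'
$newEntry = Join-Path $env:TEMP 'addbuiltin.out' # addbuiltin's stdout is captured here

# DER certificates begin with an ASN.1 SEQUENCE tag (0x30); a PEM file begins with '-----'.
$firstByte = [System.IO.File]::ReadAllBytes($certDer)[0]
if ($firstByte -ne 0x30) {
    throw ('{0} is not DER-encoded (first byte 0x{1:X2}); convert it before running addbuiltin' -f $certDer, $firstByte)
}

# addbuiltin reads the DER certificate from stdin and prints the certdata.txt entry on stdout.
# PowerShell has no '<' redirection, so Start-Process supplies the file as stdin.
$proc = Start-Process -FilePath (Join-Path $nssBin 'addbuiltin.exe') `
    -ArgumentList '-n', '"My certificate name"', '-t', '"CT,C,C"' `
    -RedirectStandardInput $certDer -RedirectStandardOutput $newEntry `
    -NoNewWindow -Wait -PassThru
if ($proc.ExitCode -ne 0) { throw "addbuiltin exited with code $($proc.ExitCode)" }

# Append the new entry, then rewrite the whole file with LF line endings and no BOM.
$text = [System.IO.File]::ReadAllText($certData) + [System.IO.File]::ReadAllText($newEntry)
$crlfCount = ([regex]::Matches($text, "`r`n")).Count
$text = $text -replace "`r`n", "`n"
[System.IO.File]::WriteAllText($certData, $text, (New-Object System.Text.UTF8Encoding($false)))
"Appended the entry and converted $crlfCount CRLF line endings to LF in $certData"
```

After it finishes, copy certdata.txt back into security\nss\lib\ckfw\builtins in the source tree; the count it prints tells you whether addbuiltin's output on Windows contained the CRLF endings that produced the missing terminating '"' error.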
I built an MSI using the WIX Toolset. In the MSI I use:
<SetProperty Id="ARPINSTALLLOCATION" Value="[INSTALLFOLDER]" After="CostFinalize"/>
to set the InstallLocation regkey. When testing with the App Cert Kit I get the failure:
A non-optional value 'InstallLocation' is missing or invalid for program.
After checking the registry on my PC and another's the correct registry key
InstallLocation: C:\Program Files\*program_name*\
is present on both in the correct location
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{GUID}.
I tried consulting a related question but honestly have no idea what the solution is saying. I also tried running the Cert Kit on the other computer but to no avail. Is this a known bug in the Cert Kit or is that not a valid InstallLocation?
The gradle signing plugin requires secring.gpg keyring file, according to the documentation: https://docs.gradle.org/current/userguide/signing_plugin.html
But since gpg version 2.1 the secring.gpg does not exist anymore.
https://www.gnupg.org/faq/whats-new-in-2.1.html
Is there a possibility to use the signing plugin of gradle with gpg >= 2.1?
I just encountered the same issue and solved it by manually creating a secring.gpg file by executing the following terminal command:
gpg --keyring secring.gpg --export-secret-key XXXXXXXX > secring.gpg
You have to replace XXXXXXXX with the ID of the key you want to use. You can list all available keys by using the command gpg --list-key.
Edit: I forgot to mention, that I am using Linux.
I also faced the same issue, which I couldn't solve with gpg --export-secret-key; it gave this:
gpg: WARNING: nothing exported
Actually my gpg's version was 1.4.xx (with gpg --version) and there was another: gpg2.
So try this:
gpg2 --export-secret-key XXXXXXXX > secring.gpg
For people reaching this issue in 2017+, starting with Gradle 4.5, using GnuPG 2 (and gpg-agent) is fully supported. From the signing plugin documentation:
signing {
useGpgCmd()
sign configurations.archives
}
In addition, at least signing.gnupg.keyName has to be defined (most likely in ~/.gradle/gradle.properties).
Please note that the properties defining the key (signing.gnupg.keyName), key store (signing.gnupg.homeDir), passphrase (signing.gnupg.passphrase), etc. differ from those used in previous Gradle versions (they are in signing.gnupg.*, not just signing.*).
My boss has procured a certificate from Comodo and I've been breaking myself against walls of text trying to find the solution to the problem of getting the certificate into a VB6 application. The certificate itself is in VB6 format and I know like next to nothing about this type of thing. The people at Comodo were just OH so helpful (From my boss, they said he can find something on the internet. Apparently they don't know how big the internet is -.-)
Does signing the project require putting code into the program, or is it just the .exe that gets signed by the MS Authenticode executable files?
Does anyone have like an idiots step by step guide solution for this?
Thanks in advance.
Here is a snippet from our build scripts
set signtool=C:\{cert_path}\signtool.exe sign /f C:\{cert_path}\my_code_sign_current.p12 /p ###### /du "http://mycompany.com" /t "http://timestamp.comodoca.com/authenticode"
%signtool% /d "My Application 1.0" "C:\{binn_path}\App.exe"
%signtool% /d "My Other App 2.0" "C:\{binn_path}\Other.exe"
...
We use an older version of signtool.exe (6.0.4002.0) because we had trouble using some timestamping servers with newer versions (http://www.startssl.com/timestamp).
Note: .pfx and .p12 files -- these are the same PKCS #12 container files, DER encoded
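The build snippet above rewritten as a PowerShell script, added as an example and not the answerer's build script, with a verification pass a release engineer would want before shipping: after signing, Get-AuthenticodeSignature confirms that each binary's signature chains to a trusted root and that a timestamp countersignature is present, since without one the signature stops validating once the certificate expires. The signtool location, PFX path and binary names are assumptions; the PFX password is prompted for instead of being stored in the script.

```powershell
# Added example. signtool path, PFX path and target binaries are assumptions.
$signtool  = 'C:\Program Files (x86)\Windows Kits\10\bin\x64\signtool.exe'
$pfx       = 'C:\certs\my_code_sign_current.p12'
$timestamp = 'http://timestamp.comodoca.com/authenticode'     # timestamp URL from the answer above
$targets   = 'C:\build\App.exe', 'C:\build\Other.exe'

# Prompt for the PFX password rather than embedding it in the script or build log.
$secure = Read-Host -Prompt 'PFX password' -AsSecureString
$bstr   = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$plain  = [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

foreach ($exe in $targets) {
    # Same options as the batch snippet: /f PFX, /p password, /du URL, /t timestamp, /d description.
    & $signtool sign /f $pfx /p $plain /du 'http://mycompany.com' /t $timestamp /d (Split-Path $exe -Leaf) $exe
    if ($LASTEXITCODE -ne 0) { throw "signtool sign failed for $exe (exit code $LASTEXITCODE)" }
}

function Test-SignedBinary {
    param([string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        File        = Split-Path $Path -Leaf
        Status      = $sig.Status                            # 'Valid' = chain builds to a trusted root
        Signer      = $sig.SignerCertificate.Subject
        Timestamped = ($null -ne $sig.TimeStamperCertificate) # false means the signature expires with the cert
        CertExpires = $sig.SignerCertificate.NotAfter
    }
}

$targets | ForEach-Object { Test-SignedBinary $_ } | Format-Table -AutoSize
```

Anything other than Status "Valid" and Timestamped "True" in the table means the release should not go out: "NotSigned" usually means signtool failed silently on that file, "UnknownError" with a valid-looking signer usually means the chain does not reach a root the build machine trusts.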
I can't get windows 8 (release preview) to accept either the inf2cat or makecat approach described as solutions to the question at
What changed in the driver signature requirements for Windows 8?
unless I disable validation.
I am not signing these with any certificates at this point, just trying to get past the errors preventing the drivers from installing at all.
Windows 8 gives me a very nondescript error:
"A problem was encountered while attempting to add the driver to the store."
Looking in the event logs, there is nothing of use; only an informational entry from "Windows Error Reporting" indicating a PnPdriverimporterror.
When I use my original files with the cab files that don't match the inf, I get the error everyone else is listing:
The hash for the file is not present in the specified catalog file.
I have one .inf file that I need to generate a .cat for.
Perhaps I am doing something wrong. Ideas??
INF2CAT Approach
c:\win_xp_vista32_64>inf2cat /driver:"." /os:XP_X86,XP_x64,Vista_X86,Vista_x64,7_X86,7_X64,8_X86,8_X64
.......................
Signability test complete.
Errors:
None
Warnings:
22.9.10: usbser.sys in [drivercopyfiles.nt] is missing from [SourceDisksFiles] section in \mchpcdc.inf; ok if file source is provided via LayoutFile in [Version].
22.9.10: %driverfilename%.sys in [drivercopyfiles.ntamd64] is missing from [SourceDisksFiles] section in \mchpcdc.inf; ok if file source is provided via LayoutFile in [Version].
Catalog generation complete.
c:\win_xp_vista32_64\mchpcdc.cat
MAKECAT approach
--- start of catalog.cdf file---
[CatalogHeader]
Name=mchpcdc.cat
ResultDir=.\
[CatalogFiles]
<hash>mchpcdc=.\mchpcdc.inf
---end of .cdf file ---
c:\win_xp_vista32_64>makecat catalog.cdf
These same files, w/ the cat from either approach install just fine in Windows 7.
I think this problem is to do with "windows driver signing enforcement". You can resolve this by disabling this option. Go through the link below:
http://tivadj-tech.blogspot.in/2012/09/certificate-check-error-when-installing.html
I just tested this on Windows 10 and 8 PRO now, to get this right, follow these steps:
1) From your Start menu, locate your DDK's "x64 Checked Build Environment" i.e. the custom DOS build screen. Right-click, run-as administrator...
2) Compile your source with the Build tools etc.
3) Go into your compiled code, and then create your test-certificate (you don't need to purchase one just yet, use your self-signed one created with the line below):
makecert -r -pe -ss PrivateCertStore -n CN=newhex.com(Test) NewhexTest.cer
The above means your certificate is called "newhex.com(Test)" and the generated file is "NewhexTest.cer"
4) Create / edit your .CDF file, which describes what your CAT file's contents will be.
5) Create your CAT file by executing:
makecat -v MyCDF.CDF
This should generate an un-signed CAT file that includes all files specified by your CDF.
6) Sign your CAT file as follows:
Signtool sign /v /s PrivateCertStore /n newhex.com(test) /t http://timestamp.verisign.com/scripts/timestamp.dll MyDriverWhatever.cat
This should result in a CAT file that is signed, but don't just install it, because your Windows can't trust Newhex's cert since it's not in the keystore, to fix this do:
7) Add your certificate to your private key store. Remember, this step MUST be done with administrator access, otherwise you will get an error about (keystore not found etc.):
certmgr.exe -add NewhexTest.cer -s -r localMachine root
This should add into your keystore, Once done, you can then:
8) Go into your device manager and add your new driver; you will get a warning, but it will be accepted and installed without the need to reboot with a forced (don't check cert) type of account.
I tried this already and it works on Windows 10 and Windows 8 pro versions.
Kind Regards
Heider Sati
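A check to run between step 6 and step 8 of the answer above, added here as an example and not Heider's own script: it reads the Authenticode signature on the catalog produced in step 6, builds the signer's certificate chain and reports whether that chain ends at a root the machine trusts, which is exactly what step 7 (adding the test certificate to the LocalMachine Root store) is meant to fix. The catalog path is an assumption; the certificate name comes from the steps above.

```powershell
# Added example. The catalog path is an assumption; MyDriverWhatever.cat is the name used in step 6.
$catalog = 'C:\driver\MyDriverWhatever.cat'

$sig = Get-AuthenticodeSignature -FilePath $catalog
if ($null -eq $sig.SignerCertificate) {
    throw "$catalog carries no Authenticode signature; run step 6 (signtool sign) first"
}

# Build the signer's chain. A self-signed test certificate has no CRL, so revocation
# checking is switched off; the point here is only whether the root is trusted.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$trusted = $chain.Build($sig.SignerCertificate)
$root    = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

[pscustomobject]@{
    Catalog        = Split-Path $catalog -Leaf
    SignatureState = $sig.Status
    Signer         = $sig.SignerCertificate.Subject       # expected: CN=newhex.com(Test)
    ChainRoot      = $root.Subject
    RootTrusted    = $trusted
    RootInMachineRoot = [bool](Get-ChildItem Cert:\LocalMachine\Root |
                               Where-Object { $_.Thumbprint -eq $root.Thumbprint })
}

if (-not $trusted) {
    $chain.ChainStatus | ForEach-Object { "Chain status: $($_.Status) - $($_.StatusInformation)" }
    'Root is not trusted yet: step 7 (certmgr.exe -add NewhexTest.cer -s -r localMachine root) has not taken effect.'
}
```

RootTrusted "False" together with a chain status of UntrustedRoot is the state described in step 6 ("your Windows can't trust Newhex's cert"); once step 7 has been run from an elevated prompt, both RootTrusted and RootInMachineRoot turn "True". This is the user-mode trust check; signtool verify /v /kp applies the kernel-mode driver signing policy to the same catalog.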
You are supposed to use inf2cat, not makecat, because you have an INF file.
You should work on addressing those warnings from inf2cat by fixing your INF file. Here is my INF file that uses usbser.sys and doesn't cause any warnings: https://gist.github.com/3647208
I was able to fix my INF file thanks to the advice from chinzei in the first post of this thread: http://www.microchip.com/forums/m488342-print.aspx
If you continue to have trouble, please edit your question to include the source of your INF file, or at least a link to the source.
I encountered the same problem and was able to install my driver with a TEST certificate using the instructions provided here:
http://msdn.microsoft.com/en-us/windows/hardware/gg487328.aspx