iOS app: manually copy .mobileprovision file to keychain without xcode - macos

I want to manually add a .mobileprovision to Keychain Access without using Xcode, because I didn't develop the app with Xcode. Any suggestions?

I found a YouTube video by Kotobee to be immensely helpful.
You will need OpenSSL. All necessary info is within this video.
My personal notes from this video:
Step 1: You need the OpenSSL folder
Step 2:
Process of making the KEYS
https://youtu.be/yCvbbIfMnxI?t=6m
https://youtu.be/yCvbbIfMnxI?t=8m4s
1ST KEY
certificate signing request file (CSR)
open the OpenSSL folder in COMMAND PROMPT (cmd)
openssl genrsa -out [keyname].key 2048
// optional change [keyname]
(NOTE: if you have issues locating openssl.cfg, type at the command prompt
set OPENSSL_CONF=d:\OpenSSL-Win64\bin\openssl.cfg
nothing will show on the command prompt, but continue)
2ND KEY
making the CertificateSigningRequest.certSigningRequest KEY
//// video timestamp around 13:00 //////
openssl req -new -key [keyname].key -out CertificateSigningRequest.certSigningRequest -subj "/emailAddress=yourEmail@whatever.com/CN=companyName/C=US"
C=US is about the country of origin. So you may need to change this if not US.
NOTE: SEEMS LIKE ONCE YOU HAVE THE KEY FROM OPENSSL, you don't need to do this process again. Not positive though, but so far it seems true.
3RD KEY
https://youtu.be/yCvbbIfMnxI?t=14m52s
log into developer.apple.com account
3 steps:
STEP A:
Certificates
there's a DIFFERENCE between DEVELOPMENT & PRODUCTION/DISTRIBUTION
Click the PLUS sign in upper right corner of web page.
You can likely reUPLOAD the SAME key created under name:
CertificateSigningRequest.certSigningRequest
the dev site will return "Your certificate is ready" to download
file name will be
ios_distribution.cer for DISTRIBUTION KEY
ios_development.cer for DEVELOPMENT KEY
/// NOTE: SO FAR LOOKS LIKE YOU CAN USE SAME KEY ONCE MADE!
Put your .cer file into the OpenSSL bin folder
STEP B:
Make your APP ID via the developer.apple.com site
https://youtu.be/yCvbbIfMnxI?t=16m58s
THIS SECTION appears to need to change per app, especially for DISTRIBUTION
you could just use the wildcard key and be done with it for DEVELOPMENT
STEP C: Create .mobileprovision file
(note: this will include your registered devices)
Make an APP ID
click on Identifiers > App IDs >
Explicit App: Dev Prov Profile
App Bundle: id="com.domain.app"
Enabled: Push Notifications (can exclude this line)
Download new .mobileprovision file from developer.apple.com into
D:\OpenSSL-Win64\bin
Make sure the latest CertificateSigningRequest.certSigningRequest file is in
D:\OpenSSL-Win64\bin
along with the .key file in D:\OpenSSL-Win64\bin
STEP D: Create .pem file
In Command Prompt type:
openssl x509 -in [developer_certificate].cer -inform DER -out [app_pem_file].pem -outform PEM
ios_distribution.cer OR ios_development.cer
rename the [app_pem_file].pem file if you like -- make it similar (my thought)
to bundle app ID name or Explicit App name
OR
make it same as the .key name (if recreating & not using a previous one)
this creates the .PEM file
STEP E: Create .p12 file (final task)
In Command Prompt type:
openssl pkcs12 -export -inkey [keyname].key -in [app_pem_file].pem -out [app_p12].p12
As I said, all this information is on the video. You don't need my personal notes to get the key. :)

Related

SelfSignedCertificate not accepted in MS Edge (Win 10)

To get Edge to trust the localhost development server, I created a self-signed certificate following this tutorial. I just replaced all instances of client-1.local with localhost.
So in short, I created a trusted authority by creating a .pem-file with the commands
openssl genrsa -des3 -out rootSSL.key 2048
and then
openssl req -x509 -new -nodes -key rootSSL.key -sha256 -days 1024 -out rootSSL.pem
and imported those into the trusted authorities store in the MMC.
Then I created a private key with
openssl req -new -sha256 -nodes -out localhost.csr -newkey rsa:2048 -keyout localhost.key -subj "/C=AU/ST=NSW/L=Sydney/O=Client One/OU=Dev/CN=localhost/emailAddress=local@local.com"
and a certificate with
openssl x509 -req -in localhost.csr -CA rootSSL.pem -CAkey rootSSL.key -CAcreateserial -out localhost.crt -days 50000 -sha256 -extensions "authorityKeyIdentifier=keyid,issuer\n basicConstraints=CA:FALSE\n keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment\n subjectAltName=DNA:localhost"
The certificate shows up as valid when double clicking on it.
For the exception I need to import the certificate into the browsers. For Firefox I at first got the error
You do not own the private key for the certificate
So I created a PKCS12 file
openssl pkcs12 -export -inkey ./sample.key -in ./sample.crt -out ./sample.p12
and imported that one in Firefox under "My Certificates". That works: I host with ng serve and "ssl/localhost.crt", and Firefox with the imported .p12 accepts my localhost. MS Edge, however, still complains that my certificate is not valid.
I also tried .pfx merging, but no change. I also read that the certificates should not be installed under My Certificates but as Authorities. That sounds wrong to me, but I tried it and imported both the .crt and the .p12 into Authorities and Root Authorities, because why not, but no change. I also installed the certificate through the Windows wizard.
What am I missing for MS Edge? I sadly have no way around it.
===== Update =====
Additional information:
Edge does not give any helpful error. Here is an image of the message. It is in German but all it says is the default text "The connection is not secure. The certificate is invalid. Your credit card information might be stolen." If there is some way to get a more informative message for Edge I would be very happy. In the developer console the message is:
This site does not have a valid SSL certificate! Without SSL, your site's and visitors' data is vulnerable to theft and tampering. Get a valid SSL certificate before releasing your website to the public.
The certificate files and the output of openssl x509 -text localhost.crt can be viewed here (password is pass or password, if necessary) and an image of the .crt here. It is sitting in my development folder, I host the site with
ng serve --ssl true --ssl-cert "ssl/localhost.crt" --ssl-key "ssl/localhost.key"
and access the server locally through localhost:3000.
I imported the .p12 file into Edge through Manage Certificates -> My Certificates -> Import. The result looks like this.
The certificate does not contain any subject alternative names, which makes it invalid for Edge and Chrome. There is an attempt to specify this information, but the attempt is wrong.
I created a selfsigned certificate following this tutorial.
Looks like this tutorial is broken.
openssl x509 -req ... -extensions "authorityKeyIdentifier ... subjectAltName=DNA:localhost"
The -extensions command line option is used to give the name of an extension section in a configuration file, not the extensions themselves. Additionally, the subjectAltName should be DNS:..., not DNA:....
To fix this, create an extension file my.ext which includes the extensions you want to use:
[myext]
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName=DNS:localhost
Then use this file as the extension file with -extfile my.ext and specify the section to use with -extensions myext:
openssl x509 -req ... -extfile my.ext -extensions myext
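The fix above, carried through end to end as an added example (not code from the answer or the tutorial it references): a small local CA, a localhost leaf certificate whose extensions come from an -extfile section, and a check that the subjectAltName really landed in the certificate. It assumes openssl is on PATH and writes everything to a scratch directory.

```shell
#!/bin/sh
# Added example, not from the answer above: build a small local CA and a leaf
# certificate for localhost whose extensions come from an -extfile section,
# then check that the subjectAltName really is in the certificate.
# Assumes openssl is on PATH; everything is written to a scratch directory.
set -e
WORK="$(mktemp -d)"; trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

make_san_cert() {
    # Root CA: private key plus self-signed certificate.
    openssl genrsa -out rootSSL.key 2048 2>/dev/null
    openssl req -x509 -new -nodes -key rootSSL.key -sha256 -days 365 \
        -subj "/CN=Local Dev Root CA" -out rootSSL.pem
    # Leaf key and CSR for localhost.
    openssl req -new -sha256 -nodes -newkey rsa:2048 -keyout localhost.key \
        -out localhost.csr -subj "/CN=localhost" 2>/dev/null
    # Extension section: -extfile names this file, -extensions names [myext].
    cat > my.ext <<'EOF'
[myext]
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectAltName=DNS:localhost
EOF
    openssl x509 -req -in localhost.csr -CA rootSSL.pem -CAkey rootSSL.key \
        -CAcreateserial -days 365 -sha256 -extfile my.ext -extensions myext \
        -out localhost.crt 2>/dev/null
}

# Prints "ok" when the leaf carries DNS:localhost and chains to the root CA;
# a certificate without the SAN is exactly what Edge and Chrome reject.
check_san_cert() {
    openssl x509 -in localhost.crt -noout -text | grep -q 'DNS:localhost' \
        || { echo no-san; return 0; }
    openssl verify -CAfile rootSSL.pem localhost.crt >/dev/null 2>&1 \
        || { echo bad-chain; return 0; }
    echo ok
}

make_san_cert
check_san_cert
```

The same `openssl x509 -noout -text` check, run against the certificate from the question, would show no Subject Alternative Name section at all, which is the quickest way to confirm the diagnosis before importing anything into a browser.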

Add certificate to certdata.txt and build firefox with them

I have to add some certificates to Firefox before building it, then test it with these certificates. I know that certificates are hardcoded into certdata.txt, in this location:
mozilla-source\mozilla-central\security\nss\lib\ckfw\builtins
I've tried to add certificates into certdata.txt using addbuiltin from nss-tools. But after building it I get errors.
The compiler shows these errors when reading certdata.txt:
0:49.23 c:/mozilla-source/mozilla-central/obj-x86_64-pc-mingw32/security/nss/lib/ckfw/builtins/builtins_nssckbi/certdata.c(20983,1): warning: missing terminating '"' character [-Winvalid-pp-token]
0:49.23 "\152\270\202\165\004\122\100\146\207\136\301\151\270\325\275\134
Actually it's pretty easy to do.
Firstly you need NSS and NSPR, because the NSS that is built into the Mozilla installer does not have the addbuiltin function that we need.
Download NSS for windows
Download Nspr for windows
Second step
unpack both of these files.
Then copy the contents of the NSPR /lib folder to the NSS /bin folder
Copy your certificate and certutil.txt to the NSS /bin folder.
Note: Your certificate should be in .der format!
Third step
Run the command below:
addbuiltin -n "My certificate name" -t "CT,C,C" < CAcert.der >> certdata.txt
My certificate name - The name of the certificate that will be added to the certutil.txt.
CT,C,C - Is the trusted properties of the certificate.
CAcert.der - Certificate itself.
certdata.txt - Certificates containing file.
But before copying certutil.txt back to the source code you have to do one more thing.
Open certutil.txt in Notepad++ and turn on hidden characters by Menu View → Show Symbol → Show All Characters. Then change /r/n to /n.
And you're done!

Signing WLMA.ocx with ev signing code certificate

In order to get the Microsoft PlayReady Server Agreement I need to sign the WMLA.ocx file with an Extended Validation Code Signing Certificate and send it back to Microsoft.
I've obtained an Extended Validation Code Signing Certificate pack from Thawte; it contains:
1. Code Signing certificate itself
2. CA
3. PKCS7 certificate
I put the Code Signing certificate itself into a separate file with a .cer extension.
I've downloaded the Microsoft Code Signing pack from http://go.microsoft.com/fwlink/?LinkID=148072, which contains:
a. Signcode.exe
b. WMLA.ocx
c. WMLA Instructions for EV Cert OCX v10 17 16.pdf
Following the instructions (option 3) from http://msdn2.microsoft.com/en-us/library/ms537364.aspx we've tried to sign the .ocx file using Signcode.exe and the Code Signing certificate itself in a .cer file.
I entered the following command on the command line:
C:\Users\User123\WMLA>signcode.exe -c ev.cer WMLA.ocx
And got this error:
Error: There is no valid certificate in the my cert store
Error: Signing Failed. Result = 8009200c, (-2146885620)
The certificate is valid, but I'm not sure about the signcode.exe options and about putting the certificate in a separate .cer file?

OpenSSL Keystore Generation for Trinidad

I am trying to use OpenSSL to set up an https connection for my application. I'm running a Neo4j 1.2.2 database, with a Trinidad 1.3.5 web server, using Rails 3.1 and Ruby 1.9.
I have a Thawte trial certificate, ca_cert.crt, their intermediate and root certificates, ca_intermediate.crt and ca_root.crt respectively, and my own private key, ca_private.pem. What openssl command do I need to run to create a keystore, which I can specify in my app's trinidad.yaml config file?
So far the "looks-closest-to-right" thing I've tried is:
pkcs12 –export –in ca_cert.crt inkey ca_private.pem –out keystore.p12 –name tomcat
and it gives me the error:
unable to load certificates
6380:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:.\crypto\asn1\tasn_dec.c:1319:
6380:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:.\crypto\asn1\tasn_dec.c:381:Type=X509_CINF
6380:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:.\crypto\asn1\tasn_dec.c:751:Field=cert_info, Type=X509
6380:error:0907400D:PEM routines:PEM_X509_INFO_read_bio:ASN1 lib:.\crypto\pem\pem_info.c:258:
error in pkcs12
It looks to me like openssl doesn't like the format I have the files in, though I have tried nearly every combination of the .pem, .crt, .cer, and .key extensions I can think of, to no avail. I'm new to SSL entirely, so I hope I'm just doing something stupid and it's an easy fix...
Here is the example I've been trying to follow: https://github.com/trinidad/trinidad/wiki/ssl-end-to-end-example
From this answer it seems that Thawte certificates are formatted as PKCS#7, while the openssl pkcs12 -export command expects PEM. A certificate in PKCS#7 can be converted using a modified version of the command from the previously linked answer.
$ openssl pkcs7 -in ca_cert.crt -print_certs | openssl x509 -outform PEM > ca_cert.pem
Then executing the command that you provided creates the PKCS#12 keystore.
$ openssl pkcs12 -export -in ca_cert.pem -inkey ca_private.pem -out keystore.p12 -name tomcat
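An added example, not code from this answer or from the iOS notes earlier on the page, that serves both: it constructs a PKCS#7 bundle standing in for the vendor-issued one, reproduces the pkcs12 -export failure on it, unwraps it to PEM, checks that the private key actually belongs to the certificate (a check worth running before the final .p12 step of the iOS notes too, since a key/certificate mismatch is the other common reason that export fails), and then builds the keystore. It assumes openssl is on PATH; the file names follow the question, the subject name and password are constructed.

```shell
#!/bin/sh
# Added example, not from the page's answers: PKCS#7 bundle -> PEM -> key check
# -> PKCS#12 keystore. Assumes openssl on PATH; names follow the question.
set -e
WORK="$(mktemp -d)"; trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Constructed stand-in for the vendor bundle: self-signed cert wrapped in PKCS#7.
make_pkcs7_bundle() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout ca_private.pem \
        -out issued.pem -days 365 -subj "/CN=trinidad-test" 2>/dev/null
    openssl crl2pkcs7 -nocrl -certfile issued.pem -out ca_cert.crt
    rm issued.pem   # only the bundle and the key remain, as in the question
}

# Prints "pkcs7-rejected" when pkcs12 -export refuses the raw bundle (the
# "unable to load certificates" failure on the page), "accepted" otherwise.
raw_bundle_result() {
    if openssl pkcs12 -export -in ca_cert.crt -inkey ca_private.pem \
        -out /dev/null -passout pass:changeit 2>/dev/null; then
        echo accepted
    else
        echo pkcs7-rejected
    fi
}

# Unwraps the PKCS#7 into ca_cert.pem, then prints "match" when the key's
# public half equals the certificate's public key, "mismatch" otherwise.
key_matches_cert() {
    openssl pkcs7 -in ca_cert.crt -print_certs | openssl x509 -outform PEM > ca_cert.pem
    cert_pub="$(openssl x509 -in ca_cert.pem -noout -pubkey)"
    key_pub="$(openssl pkey -in ca_private.pem -pubout)"
    [ "$cert_pub" = "$key_pub" ] && echo match || echo mismatch
}

# Builds keystore.p12 and prints how many certificates it holds.
build_keystore() {
    openssl pkcs12 -export -in ca_cert.pem -inkey ca_private.pem -name tomcat \
        -out keystore.p12 -passout pass:changeit
    openssl pkcs12 -in keystore.p12 -nokeys -passin pass:changeit 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

make_pkcs7_bundle
raw_bundle_result
key_matches_cert
build_keystore
```

With a real vendor bundle the intermediate and root certificates can be added to the keystore by passing them to pkcs12 -export with -certfile, so the server presents the full chain.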

How do you sign a mono for android application

I am attempting to add google map functionality to my mono for android application by following these instructions.
I have created a public.keystore and I am trying to use this keystore to sign the application by following these instructions, which I do not find explicit enough.
1) I gather I must add the following block into the csproj file. Is this correct?
<PropertyGroup>
<AndroidKeyStore>True</AndroidKeyStore>
<AndroidSigningKeyStore>public.keystore</AndroidSigningKeyStore>
<AndroidSigningStorePass>public</AndroidSigningStorePass>
<AndroidSigningKeyAlias>public</AndroidSigningKeyAlias>
<AndroidSigningKeyPass>public</AndroidSigningKeyPass>
</PropertyGroup>
2) What is the correct location of the public.keystore file?
I completely failed to register that there was a full sample solution, as part of the instructions I was trying to follow, that answered my questions.
I am a giddy goat.
1) You should, but I don't know if you must. If you do then you may need to change some of the values.
Consider a keystore that is created by the command:
keytool.exe -genkey -v -alias public -keyalg RSA -keysize 2048 -validity 10000 -keystore public.keystore
Then:
<AndroidSigningKeyStore>public.keystore</AndroidSigningKeyStore>
Defines the filename of the keystore, i.e. public.keystore
<AndroidSigningKeyAlias>public</AndroidSigningKeyAlias>
Is the alias of the key within the keystore that you want to use, i.e. public
<AndroidSigningStorePass>public</AndroidSigningStorePass>
Is the keystore's password. This will be the first password that you were prompted for.
<AndroidSigningKeyPass>public</AndroidSigningKeyPass>
Is the key's password. This will be the second password that you were prompted for.
References
http://developer.android.com/guide/publishing/app-signing.html#cert
http://android.xamarin.com/Documentation/Build_Process#Signing
2) You can place public.keystore in the root of the project, but you don't have to add it to the solution.
The location of the keystore file is defined by the following element from Question 1:
<AndroidSigningKeyStore>public.keystore</AndroidSigningKeyStore>
I am using a command file to sign the package.
"C:\Program Files\Java\jdk1.6.0_25\bin\jarsigner.exe" -verbose -keystore key.keystore myapplication.apk keyalias
"C:\Program Files\Android\android-sdk\tools\zipalign.exe" -v 4 myapplication.apk myapplication-Signed.apk