MS Access Code Signing In Access 2016 - code-signing

When I digitally sign an MS Access database (2007-2016), it creates a signed package. That's great, but when it is sent to a client and they open it up, it prompts them to save the accdb file.
Is this accdb signed in any way?
It does not show anywhere that the code has been signed by me.
What am I missing?

Related

visual studio signing error: this certificate is not trusted on this PC

I am trying to sign a UWP app, either debug or release, for the purpose of testing on some other devices. My certificate appears not to be valid.
Here are my steps:
I right click on my UWP project, choose "publish", then "create app packages".
In the popup, I choose "sideloading".
Then I get a step asking whether I'd like to sign the package.
I want to choose "yes". I have a certificate where the subject matches the publisher in my manifest. But, just below, it shows a message "this certificate is not trusted on this PC".
If I continue, VS will create a folder containing some installation files. If I click on "...x64.msixbundle", it shows a dialog that says "update ...?", with a note "untrusted app" and a message below "this app package is not signed with a trusted certificate..." (Alternatively, I can run the Install.ps1 script in PowerShell, with the same results.) I cannot go further. And this is on the same PC that I'm doing my development on.
I've attempted to follow the instructions on Create a certificate for package signing, and some of the adjacent pages. They imply that using the VS wizard should simply work.
P.S. I have never signed a Windows app before. Maybe I should be doing it in a completely different manner?
The certificate where the subject matches the publisher needs to be trusted.
So what to do:

a) The certificate is self-signed (the issuer is the same as the subject)
- Run certlm.msc (for machine-wide trust) or certmgr.msc (for current-user trust).
- Import the certificate into Trusted Root Certificate Authorities.

b) The certificate is NOT self-signed (the issuer is NOT the same as the subject)
You should not need to do anything if you bought a real code signing certificate, as you pay for exactly the trust we are establishing...
Get the root/issuer certificate:
- Have a *.cer?
  - Double-click the .cer file.
  - Click the Certificate Path tab.
  - Double-click the first certificate in the tree; if there is only one, ask where you got the certificate from!
  - On the newly opened window, click the Details tab.
  - Click the Copy to File button to save the root certificate.
- Have a *.pfx? Import it:
  - Run certmgr.msc.
  - Right-click on Personal and select All Tasks | Import to import the pfx file.
  - Identify the imported certificate(s) and export the root certificate (see "Have a *.cer?").
- Run certlm.msc (for machine-wide trust) or certmgr.msc (for current-user trust).
- Import the root certificate into Trusted Root Certificate Authorities.

For package signing there are additional requirements on the certificate:
The certificate that you use to sign the app package must meet these criteria:
- The subject name of the certificate must match the Publisher attribute that is contained in the Identity element of the AppxManifest.xml file that is stored within the package. The publisher name is part of the identity of a packaged Windows app, so you have to make the subject name of the certificate match the publisher name of the app. This allows the identity of signed packages to be checked against the digital signature. For info about signing errors that can arise from signing an app package using SignTool, see the Remarks section of How to create an app package signing certificate.
- The certificate must be valid for code signing. This means that both of these items must be true:
  - The Extended Key Usage (EKU) field of the certificate must either be unset or contain the EKU value for code signing (1.3.6.1.5.5.7.3.3).
  - The Key Usage (KU) field of the certificate must either be unset or contain the usage bit for digital signature (0x80).
- The certificate contains a private key.
- The certificate is valid. It is active, hasn't expired, and hasn't been revoked.
Source: https://learn.microsoft.com/en-us/windows/win32/appxpkg/how-to-sign-a-package-using-signtool

Configure VS to use the custom CA (Certificate Authority) that signed the certificate you want to use.
This CA should be the root CA, and thus any intermediate CA will be trusted as well.
The general cause of this problem is that the root CA is missing and the trust chain cannot be completed, meaning you may have only the intermediate CA installed.
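The criteria quoted above and the "trust chain cannot be completed" diagnosis can be checked in one go before the VS wizard is ever run. The following PowerShell function is an added example, not code from the answer or from Microsoft; the manifest path, the store path and the thumbprint placeholder are assumptions, and the EKU OID and the DigitalSignature usage bit are the values quoted in the answer.

```powershell
# Added example: check a certificate in the CurrentUser\My store against the
# package-signing criteria quoted above, and whether it chains to a trusted root.
# Assumed: manifest path, store path and the thumbprint you pass in.
function Test-PackageSigningCertificate {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [string]$ManifestPath = ".\Package.appxmanifest",   # assumed location
        [string]$StorePath    = "Cert:\CurrentUser\My"
    )
    $codeSigningEku = "1.3.6.1.5.5.7.3.3"
    $cert = Get-Item -Path "$StorePath\$Thumbprint"

    # Publisher attribute of the <Identity> element in the manifest
    [xml]$manifest = Get-Content -Path $ManifestPath
    $publisher = $manifest.Package.Identity.Publisher

    # EKU / KU extensions; an absent extension counts as "unset", which the docs allow
    $eku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ku  = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    $ekuValues = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
    $ekuOk = (-not $eku) -or ($ekuValues -contains $codeSigningEku)
    $kuOk  = (-not $ku)  -or (($ku.KeyUsages -band [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DigitalSignature) -ne 0)

    # Build the chain the way Windows will on the target machine; a self-signed
    # certificate that was never imported into Trusted Root shows UntrustedRoot here
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chainOk = $chain.Build($cert)
    $chainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ", "

    $now = Get-Date
    @(
        [pscustomobject]@{ Check = "Subject matches manifest Publisher";   Pass = ($cert.Subject -eq $publisher); Detail = "$($cert.Subject) vs $publisher" }
        [pscustomobject]@{ Check = "EKU unset or includes code signing";    Pass = $ekuOk;              Detail = ($ekuValues -join ", ") }
        [pscustomobject]@{ Check = "KU unset or includes DigitalSignature"; Pass = $kuOk;               Detail = "$($ku.KeyUsages)" }
        [pscustomobject]@{ Check = "Has private key";                       Pass = $cert.HasPrivateKey; Detail = "" }
        [pscustomobject]@{ Check = "Within validity period";                Pass = ($now -ge $cert.NotBefore -and $now -le $cert.NotAfter); Detail = "$($cert.NotBefore) - $($cert.NotAfter)" }
        [pscustomobject]@{ Check = "Chains to a trusted root";              Pass = $chainOk;            Detail = $chainStatus }
    )
}

# Usage (replace the placeholder with the thumbprint shown in certmgr.msc)
Test-PackageSigningCertificate -Thumbprint "PUT-THUMBPRINT-HERE" | Format-Table -AutoSize
```

A failed "Chains to a trusted root" row with PartialChain or UntrustedRoot in the Detail column is the case the answer describes: the leaf is fine, but the root (or an intermediate) is not installed on this PC.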

Buy and integrate extern certificates for UWP app

I'm just a little overwhelmed by all the certificates and I hope I can find some help here.
So basically I have a sideloaded UWP app (that I created with Visual Studio) where the certificate is running out in the next few days. I was able to extend the certificate by creating a new one which also can stay alive for 1 year. But I wondered if it is possible to extend it from 1 year to like 5 years or so. The "solutions" I found are either to buy a certificate or to create one myself.
Well, about buying one: I've been looking through the internet but could not tell what I am actually looking for. There are a few different certificates and I don't know which I need for a UWP app. Does anyone know what I have to look at? Buying one is expensive and I would rather not buy the wrong one.
Now about creating one myself. There are a few suggestions on how to do it, but after reading through some of the suggestions it felt like the "guides" were incomplete. Some ways were deprecated. Others have not given me enough information for me to do it myself. Does anyone have a good guide on how to create my own certificate with a longer lifecycle for sideloaded UWP apps?
(Also a not-so-important question for now, but later it probably will be important: how would you integrate a bought/self-created certificate?)
edit
Alright, so far I have created a certificate for package signing like this: I opened PowerShell and wrote this in it:
$notAfter = [datetime]::Today.AddYears(5)
$thumb = (New-SelfSignedCertificate -Type Custom -Subject "CN=myCN" -KeyUsage DigitalSignature -FriendlyName iTest -CertStoreLocation "Cert:\LocalMachine\My" -NotAfter $notAfter).Thumbprint
$pwd = ConvertTo-SecureString -String t -Force -AsPlainText
Export-PfxCertificate -cert "Cert:\LocalMachine\My\$thumb" -FilePath C:\MyTest.pfx -Password $pwd
Then I installed this certificate like this:
From the Windows RT PC, either map the network share or connect the USB drive where you can access the AppPackages folder that contains the app package to install. Use Windows Explorer to open that folder.
Double-tap the certificate file in the folder and then tap Install Certificate. This displays the Certificate Import Wizard.
In the Store Location group, tap the radio button to change the selected option to Local Machine.
Click Next. Tap OK to confirm the UAC dialog.
In the next screen of the Certificate Import Wizard, change the selected option to Place all certificates in the following store.
Tap the Browse button. In the Select Certificate Store pop-up window, scroll down and select Trusted People, and then tap OK.
Tap the Next button; a new screen appears. Tap the Finish button.
A confirmation dialog should appear; if so, click OK. (If a different dialog indicates that there is some problem with the certificate, you may need to do some certificate troubleshooting. However, describing what to do in that case is beyond the scope of this topic.)
Then in Visual Studio I go into the properties of my Package.appxmanifest
-> Choose Certificate -> Select from file
I pick my file and get this Error message:
The Manifest Designer could not import the certificate.
The certificate you selected is not valid for signing because it is either expired or has another issue. For more information, see http://go.microsoft.com/fwlink/?LinkID=241478.
But this does not help me. I guess I'm missing a lot of steps. What else do I need to do?
edit2
I tried to use the signtool with windows powershell:
signtool sign /fd sha256 /a /f C:\MyTest.pfx /p t C:\path\to\Package.appxmanifest
This did not work. Error message (free translation from german to english):
signtool : The name "signtool" has not been identified as the name of a cmdlet, a function, a script file or an executable file. Check the correct name or the path for it and try again.
My signtool.exe is here: C:\Program Files (x86)\Windows Kits\10\bin\x86
When you create a self-signed certificate using the New-SelfSignedCertificate PowerShell cmdlet, you could use the NotAfter parameter to specify the date and time when the certificate expires. Please see the docs for an example.
The certificate must then be installed on the device where you intend to sideload the app. Please refer to the docs and this answer for more information about how to sideload an app on Windows 10. You basically need to turn on sideloading and import the certificate.
If the app is signed with a certificate that chains to a trusted root authority on the client machine, you don't need to import the certificate. Most certificates that you buy from a certificate authority (CA) are.
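Putting the two answers together (NotAfter for the lifetime, a certificate the client imports, then signing the package rather than the manifest), here is an added PowerShell example that is not from the question, the answer or Microsoft. The manifest and package paths are assumptions; the PFX path and the signtool location are the ones given in the question; the -TextExtension values are the code-signing EKU (1.3.6.1.5.5.7.3.3) from the criteria quoted earlier on this page plus an empty Basic Constraints extension. Run it from an elevated PowerShell so the Trusted People import succeeds.

```powershell
# Added example: create a 5-year self-signed package-signing certificate whose subject
# equals the manifest Publisher, export it, trust it on this machine and sign the package.
# Assumed: manifest/package paths; PFX and signtool paths are the ones in the question.
$ManifestPath = ".\Package.appxmanifest"                   # assumed location
$PackagePath  = ".\AppPackages\MyApp_1.0.0.0_x64.msix"     # assumed build output
$PfxPath      = "C:\MyTest.pfx"
$CerPath      = "C:\MyTest.cer"
$SignTool     = "C:\Program Files (x86)\Windows Kits\10\bin\x86\signtool.exe"

# The subject must equal the manifest's Publisher attribute, so read it from the manifest
[xml]$manifest = Get-Content -Path $ManifestPath
$publisher = $manifest.Package.Identity.Publisher

# 2.5.29.37 = Extended Key Usage with the code-signing OID, 2.5.29.19 = Basic Constraints
$cert = New-SelfSignedCertificate -Type Custom -Subject $publisher `
    -KeyUsage DigitalSignature -FriendlyName "MyApp sideload signing" `
    -CertStoreLocation "Cert:\CurrentUser\My" `
    -NotAfter ([datetime]::Today.AddYears(5)) `
    -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.3", "2.5.29.19={text}")

# Password-protected backup of the private key, and a public-only .cer for the clients
$pfxPassword = Read-Host -AsSecureString -Prompt "Password for $PfxPath"
Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $pfxPassword | Out-Null
Export-Certificate    -Cert $cert -FilePath $CerPath | Out-Null

# Trusted People is the store the sideloading steps quoted above use; this import has to
# be repeated on every client machine (the wizard in those steps does the same thing)
Import-Certificate -FilePath $CerPath -CertStoreLocation "Cert:\LocalMachine\TrustedPeople" | Out-Null

# Sign the built package file, not the .appxmanifest. signtool is called by full path because
# the Windows Kits bin folder is not on PATH; /sha1 selects the certificate from the current
# user's My store by thumbprint, so no PFX password has to be put on the command line.
& $SignTool sign /fd SHA256 /sha1 $cert.Thumbprint $PackagePath
```

The lifetime is whatever you pass to -NotAfter; nothing in the self-signed route limits it to one year. What a purchased certificate buys you is only the last step: its chain already ends at a root the clients trust, so the Import-Certificate line is not needed there.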

Issues with Code Signing Certificate

My boss recently purchased a code signing certificate from Comodo. I now have the task of making it work in VS2013 using Strong Name Key signing and perhaps as a post-build event, too. He did the whole purchasing process on the same machine (Windows 8.1 64-bit laptop) and using the same browser (Firefox 59.0.1 64-bit). I have gone to the Menu > Options > Privacy & Security > View Certificates > Your Certificates screen in Firefox, and selected the cert that was just purchased. I then clicked the "Backup" button, named it something generic, like companyCert.p12 (I don't get any other choice or settings but .p12), clicked the "Save" button, and entered a 16-character alphanumeric (caps and lowercase) password, and clicked the "OK" button. I got the popup saying that the export was successful.
When I try to import that .p12, or the extension-renamed .pfx, file into the local user's Personal or Trusted Publishers certificate store through mmc (even tried certmgr.msc just for kicks), I get:
The password you entered is incorrect.
When I try to build my assemblies in VS using the .p12 file to Strong Name Key sign them, I get:
The key file 'absolute\path\to\cert\companyCert.p12' does not contain a public/private key pair.
When I try to do the same thing but renaming the extension to .pfx, I am prompted for the password, so I input that, and I get:
An error occurred during encode or decode operation.
So I then tried to import the .p12/.pfx using the command prompt (running as administrator) and CertUtil using the following line:
certutil -importPFX -user "absolute\path\to\cert\companyCert.p12" AT_SIGNATURE
and I was prompted for the password, which I input, and got:
CertUtil: -importPFX command FAILED: 0x80092002 (-2146885630 CRYPT_E_BAD_ENCODE)
CertUtil: An error occurred during encode or decode operation.
for both .p12 and .pfx.
I've tried all of these several times just in case I did something wrong with the password or something. I've tried going back into the Firefox certificates and instead of clicking on the "Backup" button in the Your Certificates screen, clicking on the code signing certificate, and clicking "View..." That takes me to the Certificate Viewer window, where I click on the Details tab and click the "Export" button. There, I am given the choice of X.509 Certificates:
PEM (.crt/.pem, both with or without chain)
DER (.der without chain)
and PKCS#7 (.p7c with or without chain)
I did all but .der when trying to do the code signing, but to no avail. I was able to import some of them into the local user's Personal and Trusted Publisher stores, but I was unable to get any of them to work in VS for Strong Name Key signing.
As I understand it, I need to be able to get the private/public key certificate in the local store on the OS level, not just Firefox's browser level, and then I should be able to export how I need to. Is that correct? If it's not, please, someone tell me what I can do to get this to work.
In my case I could successfully import the .pfx file on my desktop running Windows 10, but when I tried to import the certificate on the server running Windows Server 2016 I received the error "The password you entered is incorrect".
To solve the problem:
- Remove the certificate from my Windows (using Management Console / Certificates)
- Import the original .pfx certificate on my desktop computer
- Export the certificate (using Management Console / Certificates)
The trick is:
When exporting the certificate, select the encryption "TripleDES-SHA1".
I downloaded - DigiCertUtil - and manually installed the certificate with this tool, and it worked perfectly!
https://www.digicert.com/util/
I managed to re-export the file and use certUtil.exe with -importPFX.
Initially I used the DigiCert utility to install the certificate on one machine and add it to the store.
Then I exported it from the Google Chrome browser to a new .pfx file. (Settings > manage certificates > export)
And voilà, all of a sudden the file was no longer corrupted and could be used with certUtil.exe.
I saw a post where the Comodo Support Team blamed Firefox for the issue, which made me wonder if Chrome could export after the use of DigiCertUtil.

"Unknown publisher" while starting properly signed installer

I have a properly signed .msi that the user can download from a web server.
When the user runs it Windows gives her a warning about "Unknown Publisher".
However if she looks at file properties ("Digital signatures") proper signature and certificate are in place.
Cert path is VeriSign -> VeriSign Class 3 Code Signing 2010 CA -> My Company.
We expect the user to see the correct "My Company" name instead of "Unknown Publisher" in that dialog box. What is the reason for this unexpected behavior?
I solved this problem by using the /ac switch for signtool. This switch takes a path to a certificate file, and allows you to add an additional certificate to the signature block of the signed file. I used "/ac AddTrustExternalCARoot.crt" to add Comodo's Root Code Signing (SHA-2) certificate to my msi file. I tested this on Windows 7 where I was having the problem.
The /ac switch is intended for signing kernel code, but it is also necessary to fix this issue. You'll still need to use /f or one of the other switches to use your code signing certificate.

I can change signed executable

I've tried to download a signed executable
( http://live.sysinternals.com/procexp.exe )
and modify it. I thought it couldn't be done and Windows would somehow prevent me from running it (or warn me at least). But when I change a single character (for example in the DOS stub or any other text data) it is still runnable.
Before modification, when I run this app it shows a UAC warning saying it is signed by Microsoft and asking whether I want to run it. After modification, there is no such thing. Even when I revert the changes, it still won't show up. I've compared the modified and reverted executable to the original (in Total Commander) and it shows no difference. But the original still shows the UAC prompt.
Why is that?
I'm using Windows 7 and Firefox.
I've never tried to do it. Yet when you edited the file, you invalidated the digital signature; you should see it in the Properties of the file.
Windows usually does not check digital signatures. Digital signatures come into play when the file is marked as downloaded from the Internet (if the signature is valid, Windows will show its publisher in the confirmation dialog; otherwise, the publisher will be unknown), and UAC (in this case, the digital signature also confirms the file came from a publisher stored as part of the digital signature).
Whether to show or not to show UAC confirmation is not controlled with digital signature, it's controlled with the application manifest.
So in my understanding, UAC dialog should be shown. But since the modified file fails digital signature check, Windows may decide the file is unsafe to elevate. You could look for messages in Windows event log, there could be events explaining the behavior you see.
I have copied chrome.exe to another directory and started writing random bytes into the application.
I checked properties, and the digital signature was there. I had changed the application. It was unable to execute (giving some kind of internal error, not a Windows error) but still showing a valid certificate in properties. It's strange.
I think Windows validates the certificate of an application only once.
After you change the file it will still show a digital signature, but if you click on the Details button for that signature I think you will find that it says the signature is not valid.
When I changed it back to exactly what it originally contained, it once again told me that the signature was valid. (But you have to use an editor that edits the bytes in place, not one that might add a line break or something unintentionally.)
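The last two questions on this page are two sides of the same check: whether the signer's chain reaches a root the client trusts (the "Unknown Publisher" case above), and whether the file still matches the hash in its signature (the modified-executable case). The script below is an added example, not from any of the answers; it assumes a signed executable at C:\tools\procexp.exe (the question's own download from live.sysinternals.com, or any file with an embedded signature) and does its editing on a copy in %TEMP%.

```powershell
# Added example: report an Authenticode signature and its chain, flip one bit in a copy,
# then restore it. Assumed: the path of a signed executable with an embedded signature.
function Get-SignatureReport {
    param([Parameter(Mandatory)][string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $chainSummary = "no signer certificate"
    if ($sig.SignerCertificate) {
        # Build the chain the way a client would. A chain that stops short of a trusted
        # root (PartialChain / UntrustedRoot) is what turns the company name into "Unknown Publisher".
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        if ($chain.Build($sig.SignerCertificate)) {
            $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
            $chainSummary = "OK, root: " + $root.Subject
        } else {
            $chainSummary = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ", "
        }
    }
    [pscustomobject]@{
        File   = Split-Path -Path $Path -Leaf
        Status = $sig.Status
        Signer = $sig.SignerCertificate.Subject
        Chain  = $chainSummary
    }
}

$original = "C:\tools\procexp.exe"                      # assumed location of a signed executable
$copy     = Join-Path $env:TEMP "procexp-modified.exe"
Copy-Item -Path $original -Destination $copy -Force
$before = Get-SignatureReport -Path $copy               # expected Status: Valid

# Flip one bit in the DOS stub text. The Authenticode hash covers the whole file except the
# checksum field, the security-directory entry and the signature blob, so this is enough.
$bytes  = [System.IO.File]::ReadAllBytes($copy)
$offset = [System.Text.Encoding]::ASCII.GetString($bytes).IndexOf("This program")
if ($offset -lt 0) { throw "DOS stub text not found in this file" }
$bytes[$offset] = $bytes[$offset] -bxor 1
[System.IO.File]::WriteAllBytes($copy, $bytes)
$after = Get-SignatureReport -Path $copy                # expected Status: HashMismatch

# Put the bit back: the signature is over the content, so it verifies again,
# which is what the last answer observed with an in-place hex editor.
$bytes[$offset] = $bytes[$offset] -bxor 1
[System.IO.File]::WriteAllBytes($copy, $bytes)
$reverted = Get-SignatureReport -Path $copy             # expected Status: Valid

$before, $after, $reverted | Format-Table -AutoSize
```

The Properties dialog shows the signature block whether or not it still matches, which is why the chrome.exe experiment above still "showed a certificate"; Status is the field that distinguishes Valid from HashMismatch. For the .msi case, a Status of Valid together with a Chain column that does not end at a trusted root reproduces the "Unknown Publisher" symptom on the client.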
