We developed an app for WP8 and wanted to distribute it internally via a download URL to the XAP file. Steps we have taken so far:
Used Makecert.exe to generate a self-signed XXX.cer with an XXX.pvk (with no password).
Used Pvk2Pfx.exe to create a PFX file which includes the private key (with a password).
Used XapSignTool.exe to sign our XXX_Release.xap.
We also deployed the XXX.cer to the phone device, but we still get the error "Can't install company app".
After that we tried to generate an Application Enrollment Token (AET) with AetGenerator.exe (not 100% sure if we need this at all) from our XXX.pfx, which exits with an error:
Unknown error while generating AET: startIndex cannot be larger than length of string. Parameter name: startIndex
Any ideas what we are doing wrong, or suggestions on what the way to distribute an app like that would be? Is it only possible if we have obtained a certificate from Symantec?
Thanks!
PS: I just browsed through the MS documentation, and for the PFX parameter of AetGenerator it states:
Required. The name of the PFX file generated from the enterprise mobile code-signing certificate provided by Symantec.
So most probably a Symantec $299/year certificate is required. Would this be the correct assumption?
It was indeed as it seemed. You can sign your code with any self-signed PFX generated following the latest documentation on the PFX tool.
It is not possible to deploy an app without a company account. This involves paying the $299 and going through the certification process by Symantec.
Let's say you have a Windows executable (driver or user-mode app), and you want to:
Verify that the digital signature is OK and the file is not corrupted (the same as when you go to the Digital Signatures tab and it says the certificate is OK).
Find which company signed the file. So I am not talking about the root of the certificate chain (which is the CA most of the time); I am talking about the bottom certificate in the chain, which is the company that signed the file. I want to get the name of that company.
I found two APIs, WinVerifyTrust and CertGetCertificateChain, but I'm not sure how to use them for this task, or whether they can help me with this at all.
Let's say you already have the handle to the file that you want to check, and have read it into a buffer as well. How do you use these to check the certificate afterwards? The documentation is very vague.
Verify that the digital signature is OK and the file is not corrupted
For more details about how to verify the signature of a PE file, I suggest you refer to the example: https://learn.microsoft.com/en-us/windows/win32/seccrypto/example-c-program--verifying-the-signature-of-a-pe-file
Find which company signed the file
I suggest you try the CryptQueryObject function (wincrypt.h).
For more details I suggest you refer to the doc: https://learn.microsoft.com/en-us/troubleshoot/windows/win32/get-information-authenticode-signed-executables
And you could refer to the thread: Read and validate certificate from executable
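The two checks the question asks for, as an added example that is not part of the answer above. It uses Get-AuthenticodeSignature (the same verification WinVerifyTrust performs with the generic Authenticode policy) and the .NET X509Chain wrapper over CertGetCertificateChain, rather than the raw C APIs. It assumes Windows PowerShell 5.1 or later; the default file path is a placeholder.

```powershell
# Added example (not from the thread). Assumes Windows PowerShell 5.1 or later;
# the file path passed in is whatever you want to inspect.
function Get-AuthenticodeSigner {
    param([Parameter(Mandatory)][string]$Path)

    # Get-AuthenticodeSignature hashes the PE (skipping the signature area),
    # compares it with the signed hash and chains the signer. OS files that are
    # catalog-signed rather than embedded-signed are resolved via the catalog.
    $sig = Get-AuthenticodeSignature -FilePath $Path

    # Status meanings: Valid = hash matches and chain is trusted;
    # HashMismatch = file changed after signing; NotSigned = no signature;
    # NotTrusted = signature intact but the chain has no trusted root.
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{ Path = $Path; Status = $sig.Status; Signer = $null; Chain = @() }
    }

    # The signer certificate is the leaf: the company that signed, not the CA.
    $leaf = $sig.SignerCertificate
    $company = $leaf.GetNameInfo(
        [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)

    # Rebuild the chain explicitly so the path to the root is visible, check
    # revocation online, and require the code-signing EKU so a TLS or e-mail
    # certificate cannot pass as a code signer.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.ApplicationPolicy.Add(
        (New-Object System.Security.Cryptography.Oid '1.3.6.1.5.5.7.3.3')) | Out-Null
    $built = $chain.Build($leaf)

    [pscustomobject]@{
        Path        = $Path
        Status      = $sig.Status
        Signer      = $company              # CN of the publisher
        Subject     = $leaf.Subject         # full DN, in case the CN is ambiguous
        Thumbprint  = $leaf.Thumbprint
        Timestamped = [bool]$sig.TimeStamperCertificate
        ChainOk     = $built
        Chain       = @($chain.ChainElements | ForEach-Object { $_.Certificate.Subject })
        ChainErrors = @($chain.ChainStatus | ForEach-Object { "$($_.Status): $($_.StatusInformation)" })
    }
}

# Placeholder path; replace with the driver or application you want to check.
Get-AuthenticodeSigner -Path "$env:SystemRoot\System32\kernel32.dll" | Format-List
```

Status alone answers the first question; Signer (and Subject when two publishers share a CN) answers the second. A file whose status is Valid but whose Timestamped field is false will stop verifying once the signer certificate expires, which is worth reporting separately if you are deciding whether to load the binary.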
I'm building a React Native app using the Expo managed workflow. Upon completion, when I run expo build:android I am prompted that I need a keystore file associated with my project. I chose to let Expo handle the keystore file process for me. The app builds and I have a .aab file. Great.
Then when I upload to the Play Store, I am prompted by Google Play to ask me if I want Google to store and handle my upload keystore/certificate. This is, I believe, a requirement now. I also selected yes for this option. It generates its own keystore file and stores the SHA-1, MD5 certificate fingerprints, etc. These are different from my Expo-produced ones.
So now I have a keystore file generated by Expo that is associated with my app, and an upload keystore file generated by Google Play associated with my app.
I was able to upload my .aab file to Google Play and it is available in the internal testing track, which I am currently using to review the app. But I am unclear which keystore file is the one now associated with my app.
Are these the same file or different? If the same, which keystore file prevails? Does Google overwrite the Expo one?
Thank you.
Google Play is using two sets of certs/keys:
The "app signing" one is used to sign applications that are in the store. Unless you are migrating from an old app you will never see that key; it's generated and managed by Google. The only thing you might need from it is the SHA-1 fingerprint, which can be used in third-party apps to identify your app.
The "upload" one is the certificate that you need to use to sign your app before uploading it to Google. Google needs only the public key of that upload certificate.
When you are uploading an app to the store, Google removes the "upload" cert signature and signs it with the "app signing" certificate.
When you generate an app using the Expo CLI it generates a random keystore that contains a private and a public key. At this point the keystore is not connected in any way to your Google account; that connection is established when you upload the first application. At that point Google saves the public key extracted from the APK/AAB, and from then on only applications signed using that keystore can be uploaded to the store.
I have 2 code signing certificates; for both, the CSR was created the same way, and the import and export were also done the same way. The only difference that I see is that one certificate's Common Name contains quotes and the other's doesn't.
e.g.
some cert and
some "cert"
CSR creation
Request format PKCS #10
disabled "Strong private key encryption"
Entered Common name, Organization, Locality, State, Country
2048 bytes for private key
set private key exportable
Import
place all certificates in Personal store
Export
Include all certificates if possible
Enable certificate privacy
encryption algorithm TripleDES-SHA1
The misleading thing is that this Common Name value is NOT taken from the value I entered when I created the CSR request.
I am using those certificates to sign WinForms applications in Visual Studio. The certificate without quotes in the Common Name is working correctly (i.e. when I install the application the user does not get a security warning about an unknown publisher), but when I install an application which is signed with the other code signing certificate (with quotes in the Common Name), it does not recognize the publisher. There is no error when publishing my application. When I take a look at the setup.exe properties in Windows Explorer I see a Digital Signatures tab which contains a row for my certificate.
I tried to sign files with signtool and then verify them; it said that the certificate is valid.
I tried to get help from godaddy.com, where I bought my certificate; they said that it should work with quotes too, but didn't offer help to solve the issue. Rekeying also didn't help.
I see that there are some suggestions to use Pre-Publish or Post-Build tasks, but I am not using those for my first certificate, which is working.
So, is anyone here using a code signing certificate for a WinForms application with a Common Name that has quotes in it? Or does anyone know about this problem and how to solve it?
Had to revoke my code signing certificate (the Common Name entered when creating the CSR is not taken into account, so rekeying is not enough!) and create it from the start without quotes/brackets in the company name.
So this means you will have to wait a few days again, because the verification process is done from the start again. When you are contacted by the issuer, they will verify / ask you about the company name; make sure that they do not include quotes/brackets.
Revoking means that you will basically have to buy your certificate once more, because after you revoke it (at least in GoDaddy's case) you don't have an option in your account to create it again. So you have to contact support (use the call center and not chat ;)
I made my app using AppsGeyser, which was version 0.1.
I made the same app with more features on PhoneGap and updated my version to 0.2.
Everything goes fine
BUT
while uploading my APK to the Google store under the same app
it says that my SHA1 is modified and I have to use the same certificate.
What shall I do?
Thanks
The Play Store requires the .apk to be signed before you can publish it there.
If you've made an app with AppsGeyser and published it to Play, then your application is signed by AppsGeyser's private key (unless you've explicitly signed the .apk before publishing it, or you've provided your secret keystore to AppsGeyser, which is unlikely).
AppsGeyser won't give you their keystore, and you need it to be able to sign a new version of your software. Here is the quote from the docs about this:
Your private key is required for signing all future versions of your application. If you lose or misplace your key, you will not be able to publish updates to your existing application. You cannot regenerate a previously generated key.
In other words, you have 2 options here. Either stick with AppsGeyser and update your app using their services, or publish the update to your application as a whole new application.
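Both Android threads above come down to the same check: the certificate fingerprint of the key that signed the new artifact must equal the one Play already holds for the app (the upload key once Play App Signing is on, the original signing key otherwise). The script below, an added example that is not from either answer, reads the SHA-1 fingerprint from your keystore and from the signed .aab/.apk and compares both with the fingerprint the Play Console shows, so a mismatch is caught before the upload is rejected. It assumes a JDK keytool and the Android build-tools apksigner are on PATH; every path, alias, password and fingerprint literal is a placeholder.

```powershell
# Added example, not from either thread. Assumes keytool (JDK) and apksigner
# (Android build-tools) are on PATH; paths, alias, password and the pasted
# Play Console fingerprint below are placeholders to replace with your own.
function ConvertTo-Fingerprint([string]$Raw) {
    # keytool prints "AB:CD:...", apksigner prints lowercase hex without colons;
    # normalise both to bare uppercase hex so they compare equal.
    ($Raw -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
}

function Get-KeystoreSha1 {
    param([string]$Keystore, [string]$Alias, [string]$StorePass)
    # keytool -list -v prints one "SHA1:" line per certificate in the alias's
    # chain; the first is the leaf, which is what Play compares.
    $line = & keytool -list -v -keystore $Keystore -alias $Alias -storepass $StorePass |
            Select-String -Pattern '^\s*SHA1:\s*(\S+)' | Select-Object -First 1
    if (-not $line) { throw "no SHA1 line for alias '$Alias' in $Keystore" }
    ConvertTo-Fingerprint $line.Matches[0].Groups[1].Value
}

function Get-ArtifactSha1 {
    param([string]$Artifact)
    if ($Artifact -like '*.apk') {
        # An APK may carry only a v2/v3 APK Signature Scheme block, which lives
        # outside META-INF and is invisible to keytool; apksigner reads all schemes.
        $line = & apksigner verify --print-certs $Artifact |
                Select-String -Pattern 'Signer #1 certificate SHA-1 digest:\s*(\S+)' |
                Select-Object -First 1
    } else {
        # An .aab is a JAR-signed zip, so keytool can read its signer block.
        $line = & keytool -printcert -jarfile $Artifact |
                Select-String -Pattern '^\s*SHA1:\s*(\S+)' | Select-Object -First 1
    }
    if (-not $line) { throw "no signer certificate found in $Artifact" }
    ConvertTo-Fingerprint $line.Matches[0].Groups[1].Value
}

# The fingerprint the Play Console lists for the upload key certificate
# (or, for apps not enrolled in Play App Signing, the app signing certificate).
$playSha1 = ConvertTo-Fingerprint 'AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD'  # placeholder

$ks  = Get-KeystoreSha1 -Keystore '.\upload.jks' -Alias 'upload' -StorePass 'changeit'
$art = Get-ArtifactSha1 -Artifact '.\app-release.aab'

"keystore : $ks"
"artifact : $art"
"play     : $playSha1"
if ($ks -ne $art)       { Write-Warning 'The artifact was not signed with this keystore.' }
if ($art -ne $playSha1) { Write-Warning 'Play will reject this upload: the signing certificate differs from the one on record.' }
```

For the Expo question, the keystore to run this against is the one Expo generated (the upload key); the fingerprints Play shows under "app signing key certificate" are expected to differ, because that key never leaves Google. For the AppsGeyser question, the script only confirms the diagnosis: with no access to the original keystore there is no way to make the artifact fingerprint match, which is exactly the condition the quoted documentation describes.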
I'm trying to create a test certificate and sign a .MSI file I have created. I need to get the test version working with a signed .MSI before we can purchase a real security certificate.
I have performed the following steps to sign my .MSI file. Everything completes successfully and it displays a message that 1 file was successfully signed after the last step.
makecert.exe -sv c:\Test\mykey.pvk -n "CN=WTS" c:\Test\myCert.cer
cert2spc.exe c:\Test\mycert.cer c:\Test\mycert.spc
pvk2pfx -pvk c:\Test\mykey.pvk -pi password -spc c:\Test\mycert.spc -pfx c:\Test\mycert.pfx -po password
signTool sign /f c:\Test\mycert.pfx /p password /v c:\Test\test.msi
After performing these steps, I run the .MSI file (the Date Modified of the .MSI does change to match the time the signTool step was run). The warning message saying this .MSI is from an unknown publisher is still displayed, as is "Publisher: Unknown".
Did I miss a step or something? Everything seems to work correctly, I never see any errors, but my file doesn't appear to be signed.
Your file is signed. Windows declares the publisher as unknown because it does not trust the publisher identification in the signature.
Remember that in the world of digital signatures, you always need to verify at least two things at once or the whole exercise is meaningless. You must check the name on the signature, and you also need to find a trust link from something that you already trust (for example, a certification authority, or a certificate manually added as trusted) up to the signature that you are checking. Only then it makes sense to trust the name on the signature, and perhaps to display it to the operating system user.
In your web browser, go to Tools / Internet Options / Content / Publishers / Certificates and add your test certificate to Trusted Publishers.
(Another browser might have the same function under Settings / Show Advanced Settings / HTTPS/SSL / Manage Certificates.)
And retry. It won't work but I don't really know why and it is an instructive game.
It is not clear whether there is a way on Windows to establish a chain of trust if your certificate is home-made and there is no certification authority to back it. This source says:
"If you use a test (self-created) certificate, the installation dialogs will display an "Unknown publisher" message. For applications deployed internally in an organization, this is an acceptable practice."
You can however create your own certification authority as described here and add the CA certificate under the Trusted Root Certification Authorities. By doing this you are basically letting any certificate issued by that CA sign anything and be trusted by Windows.
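The procedure this answer describes (sign with a home-made certificate, then anchor trust for it on the test machine) as an added example in PowerShell; it is not the answerer's code. It uses New-SelfSignedCertificate in place of makecert/cert2spc/pvk2pfx and Set-AuthenticodeSignature in place of signtool, and assumes Windows 10 / Server 2016 or later, an elevated prompt for the LocalMachine stores, and that C:\Test\test.msi exists; the path, subject name and timestamp URL are placeholders.

```powershell
# Added example (not the answerer's code). Assumes Windows 10 / Server 2016 or
# later for New-SelfSignedCertificate -Type CodeSigningCert, an elevated prompt
# for the LocalMachine stores, and that C:\Test\test.msi exists (placeholder).
$msi = 'C:\Test\test.msi'

function Get-MsiSigStatus([string]$Path) {
    $s = Get-AuthenticodeSignature -FilePath $Path
    "$($s.Status) / signer: $($s.SignerCertificate.Subject)"
}

# 1. A self-signed certificate restricted to code signing (EKU 1.3.6.1.5.5.7.3.3),
#    with the private key kept in the user's store rather than in a .pvk/.pfx on disk.
$cert = New-SelfSignedCertificate -Type CodeSigningCert -Subject 'CN=WTS' `
            -CertStoreLocation 'Cert:\CurrentUser\My' -NotAfter (Get-Date).AddYears(1)

# 2. Sign with SHA-256 and an RFC 3161 timestamp so the signature stays valid
#    after the one-year certificate expires. The signature is complete here;
#    only the trust decision is still missing.
Set-AuthenticodeSignature -FilePath $msi -Certificate $cert -HashAlgorithm SHA256 `
    -TimestampServer 'http://timestamp.digicert.com' | Out-Null
"before trust: " + (Get-MsiSigStatus $msi)

# 3. Anchor trust. A self-signed certificate is its own root, so it has to sit
#    in Trusted Root Certification Authorities for the chain to verify at all;
#    Trusted Publishers is the store Windows consults for "always trust software
#    from this publisher" decisions (ClickOnce, driver installs). Both are
#    machine-wide trust decisions: do this only on test machines.
$cer = Join-Path $env:TEMP 'wts.cer'
Export-Certificate -Cert $cert -FilePath $cer | Out-Null
Import-Certificate -FilePath $cer -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null
Import-Certificate -FilePath $cer -CertStoreLocation 'Cert:\LocalMachine\TrustedPublisher' | Out-Null
"after trust:  " + (Get-MsiSigStatus $msi)
```

Before step 3 the status line reads NotTrusted, the same condition the installer reports as "Unknown publisher"; after it, Valid, and the installer and UAC prompt name CN=WTS. When the test is over, remove the certificate from Cert:\LocalMachine\Root again (match on $cert.Thumbprint), since anything signed with that key is trusted machine-wide while it is there.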
I had the same problem and found that Microsoft no longer trusts certificates with the SHA-1 algorithm.
I solved the problem by asking my CA to replace the certificate.
This can also happen if you have not used the "/d" switch to specify a description when signing the package. See more details under "sign Command Options" on this page:
http://msdn.microsoft.com/en-us/library/8s9b9yaz.aspx