More sanity checking than an actual question, so this dll is not signed? Does anyone know if there is any semi-recent version of this that is signed?
I just find this very strange and I'm pretty sure there must be some sort of error on my side
Cheers
Signing an open-source project doesn't make sense. Do you?
Include the key file: In which case anyone can modify the code and sign it as if they're the original author.
Don't include the key file: So now if you need to change the original code you can't sign the modification and you can't reference it without the original signing.
It makes more sense to not sign it and let the person download the code and sign it themselves.
No, it's not signed. However if you need it signed (like if you wanted to GAC it or something like that), you can do so yourself with the included source code.
This is available here: http://compositewpf.codeplex.com/
I first attempted this by getting the stock source from OpenSSL's website. That wasn't fun.
Then I clued in, and I got the source from here.
When I try to build from Xcode, it fails with several warnings and 1 error.
/Users/x/OpenSSL098-OpenSSL098-76.200.2/src/crypto/x509/x509_vfy_apple.c:29:10: Did not find header 'TrustEvaluationAgent.h' in framework 'TrustEvaluationAgent' (loaded from '/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.15.sdk/System/Library/PrivateFrameworks')
I had assumed that the patches included in this tarball were already applied, and when I attempt to run the bash script to do that, it complains that there is no (openssl) source tarball... that's ok (I think), there is already a populated src/ directory. I modified the bash script enough that it would ignore that, and indeed, when it goes to patch it gripes the patches are already applied. The README.rtf file (Apple's) is suggestive that this is only if I wish to use the patches against a later version of the source, which I'm not much interested in.
It's not clear to me if my Xcode is just mangled beyond recognition, if I'm missing some dependency, or if I don't know what I'm doing within the Xcode interface (much more comfortable on the command line).
I did find this, which seems like a related issue... but I cannot find the source code he suggests needs to be uncommented (nor how to remove the references from the project file).
Can anyone point me in the right direction?
But for the unclear English, the instructions in the second link are correct.
Delete the x509_vfy_apple.c file from the treeview on the left, it will be in the Source/crypto/x509 folder. Then in x509_vfy.c (same folder), there will be an #if directive near line 76. It's defined as...
#if __APPLE__
Make that...
#if 0
Somehow I brainfarted on this and made it #if 1 on the first try, and then dismissed the instructions as not working. Commenting this out would also work, or just nuking the entire directive for that matter.
Still seems to compile with a zillion warnings, but I'm not even sure that just isn't what you get with a 7 year old version of openssl.
Actually, I'm a PHP developer. I want to sell my PHP product.
So, I want to protect some major source code in PHP. But it's impossible in PHP.
I know Golang also. So, I want to build secret algorithm in golang code and compile into binary.
Finally I want to protect my PHP major algorithm with PHP code && binary program.
My doubt is:
When I'm compiling golang source code into binary file.
Is it possible to grab golang source code from binary file ?
No, if they really really want to, they can disassemble the binary and guess what the algorithm does from the assembly, this however, applies to all languages.
If it runs, it can be disassembled and it can be broken.
There are 3 things you can do to protect your code.
You can, of course, obfuscate all the code prior to a build.
I don't know of any specific golang tools to do this.
Stripping symbols
But I worry about a "gifted hacker" who will decompile and try to steal my work. It has happened a few times already.
So, you want something whereby the "hacker" is defeated as it's too much work to try and re-assemble.
Stripping the symbols should be more than enough.
You can omit debug information passing the '-w' flag to the linker, and you can omit the symbol table by passing '-s'.
See go tool link in 1.5 here:
https://golang.org/cmd/link/
Device Fingerprinting
This ensures your software cannot run unless it's on the same machine when the license was generated for it.
The license is stored on your server, and the fingerprint meta data is sent and checked.
You can see this in action here:
https://github.com/hashicorp/nomad/blob/master/client/client.go#L147
Note that in their code they are NOT generating a license against the fingerprint. This is something you would want to do as extra. You can also hash it and sign it and other fancy stuff, but that's too much detail for this post.
Of course a "hacker" can get around this IF they can decompile your code, but as I mentioned in Step 2, this can be defeated pretty well by stripping the symbols.
Obfuscation, as in step 2 helps, but most decent coders can find the place where the code is doing a check and just comment out the check and recompile.
But with no symbols it's almost impossible to recompile.
Hope that helps ...
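The "hash it and sign it" step mentioned in the answer above, as an added example that is not code from the answer or from Nomad: the licensing server signs a fingerprint with Ed25519 and the shipped binary verifies it with an embedded public key. The function names, the payload layout and the machine attribute strings are assumptions constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// NewVendorKey makes the key pair; only the public half ships in the binary.
func NewVendorKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(nil) // nil selects crypto/rand
}

// Fingerprint hashes machine attributes into one identifier. Each attribute
// is length-prefixed so that ("ab","c") and ("a","bc") hash differently.
func Fingerprint(attrs []string) string {
	h := sha256.New()
	for _, a := range attrs {
		fmt.Fprintf(h, "%d:%s;", len(a), a)
	}
	return hex.EncodeToString(h.Sum(nil))
}

// IssueLicense runs server-side and binds a customer name to a fingerprint.
func IssueLicense(priv ed25519.PrivateKey, fp, customer string) (string, []byte) {
	payload := fp + "|" + customer // fp is hex, so the first "|" is the separator
	return payload, ed25519.Sign(priv, []byte(payload))
}

// VerifyLicense runs in the client: vendor signature plus local fingerprint match.
func VerifyLicense(pub ed25519.PublicKey, payload string, sig []byte, local []string) bool {
	if !ed25519.Verify(pub, []byte(payload), sig) {
		return false // altered payload or not issued by the vendor
	}
	i := strings.IndexByte(payload, '|')
	return i >= 0 && payload[:i] == Fingerprint(local)
}

func main() {
	pub, priv, err := NewVendorKey()
	if err != nil {
		panic(err)
	}
	machine := []string{"cpu:constructed-model", "mac:02:00:00:00:00:01"} // constructed sample
	payload, sig := IssueLicense(priv, Fingerprint(machine), "acme")
	fmt.Println(VerifyLicense(pub, payload, sig, machine), VerifyLicense(pub, payload, sig, []string{"cpu:other"}))
}
```

Because the private key never leaves the server, a license file cannot be forged or moved to another machine by editing it; the check itself still lives in the client binary.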
I have a solution with some projects in that make up a library. I use this library in some of my other solutions. I do this by making a reference to the dll which is generated when the library solution is compiled. So far, so good.
Now I'm debugging one of those "other solutions". I see that I'm using a function from the library I built and I want to see what the code does. I hit F12 and I'm taken to a very useless page where I see only the signature.
I could add the library projects to my solution. This is unsatisfactory because when someone is editing the solution I want it to be clear that the messing about with the library bit is going to affect other programs. If I can describe my desire crudely, I would say I want the library solution to be shown when I hit F12, but be read only.
How can I do this?
I think it depends on the compiled option of the library. If the library is built without debug symbols, it would not be possible to debug inside in a normal human readable way. I suggest you compile/build the library with debug option. That may solve your problem.
HTH!
I have some vb6 code I have not compiled in a long time. The last compile is in production. Now I get an error "User-defined type is not defined" when I do a full compile. I'm sure there is a reference missing. But there is no code that is highlighted. And I cannot seem to find what reference might be lost.
Any clues as to what I can do to find the missing reference would be very helpful.
Thanks!
Dave
I've had that happen before it drove me crazy!! But then I found this:
http://support.microsoft.com/kb/190197
Occurs when compiling with binary compatibility on. The above solution suggests turning off binary compatibility and re-compiling - the missing reference will then be highlighted.
Other steps you can try:
Rather than turning off BC for everything look for ones that have been recently changed
search C: drive and dev folder and delete any *.oca files
also look in the vbp file for any oca references
You need to ensure that you have the appropriate items checked in the References dialog. This is outside the code and they are listed in the VBP file (text file).
EDIT Corrected reference storage. Thanks MarkJ
Make sure all of your object types are spelled right. A simple error like spelling Variant Varient can cause this error as well.
Are you still using the same machine in which the original compile was made and / or with the same OS?
If the answer is no, then there is a chance that VB6 or its like linked to a reference which is no longer available in Win7 or later, this may also include the compiler if you are using a modern version of studio.
Since the code is also in VB6, if you are using any outside commercial controls, and again if not on the same machine, you would lose those links as well if you did not port over the library.
When I attempt to use SecPKCS12Import() from the Security framework as provided by Mac OS X 10.6, the result code is always errSecUnimplemented, regardless of the arguments provided.
Furthermore, the linker is unable to find symbols for the constants relevant to this function declared in SecImportExport.h (i.e. kSecImportExportPassphrase, kSecImportItemIdentity, et al.).
What on Earth is going on with this library -- is the function implemented or is it not? Why can the linker resolve all other symbols in the framework, but not these? How should I convert a PKCS12-formatted binary blob to a SecIdentityRef or SecCertificateRef and SecKeyRef pair?
What am I doing wrong? I'm sure this is a PEBKAC issue. :-)
EDIT: I see that I was very unclear in my question. I'm aware that Security.framework is implemented, given that I am able to use the other functionality it provides without an issue. Given this, I'm fairly certain that I'm linking against the framework correctly, since if I remove the link, none of the symbols can be found -- as expected. When I relink the framework, all the symbols are found, with the exception of the constants relevant to SecPKCS12Import(), e.g. kSecImportExportPassphrase, kSecImportItemIdentity, etc.
Given that I cannot use these symbols, I passed in what could have been incorrect strings (#"kSecImportItemIdentity", etc.), but the error code returned was errSecUnimplemented. This led me to believe that perhaps this specific functionality has not been implemented.
I tried using the 10.5 SDK, but that didn't work, of course. :-)
EDIT: My import is just a regular #import <Security/Security.h>. For kicks, I tried #import <Security/SecImportExport.h> as well, but this effected no change. That said, the error is issued by the linker, not the compiler.
I ran dyldinfo -export Security.framework/Security to list the symbols exported by the library and found many of the new symbols, but kSecImportExportPassphrase and friends were conspicuously missing. This might explain why the linker cannot find the symbols. The symbol for SecPKCS12Import appears in the symbol table and I can call that with no issues, it's just the functionality does not seem to be there.
Security.framework is most certainly implemented — see the Security Reference Update which documents what has changed in the framework in 10.6 and prior. Since you know the headers to use, I assume you've already consulted the Security Framework Reference.
Are you sure you're properly importing and linking against the framework? (It's in /System/Library/Security.framework, so you shouldn't have to specify the path.)
Does the compiler issue warnings or errors stating that the symbols in SecImportExport.h are undefined? (If not, how do you know they're "declared but undefined"?)
When you say that this fails on 10.6, have you tried it on an earlier version of the OS successfully?
EDIT: Okay, since you're using other parts of Security.framework successfully, and the APIs and constants you're trying to use are 10.6 only, it doesn't seem like a linking issue. What does your import look like? Are you sure you're importing SecImportExport.h properly? The constants are declared just above the SecPKCS12Import() function, so if you get warnings for the constants, you should get one for the function being undefined as well.
EDIT: I have confirmed with a member of the team at Apple that works on Security.framework that this functionality is not currently implemented. Please file a bug to gripe about this at http://bugreport.apple.com against component Security (New Bugs), version X. Include the URL to this question in your report. Sorry there's not a better answer at the moment.
To my knowledge, Apple is great at partially implementing things or leaving no documentation. If you really can't find the real implementation you need, you can use OpenSSL to extract the blobs and then Security services to import them to a keychain or further process with Security/CDSA methods. That would get you going and you can ping the Apple dev connection with further questions, if you have the possibility.
Further, looking at /System/Library/Frameworks/Security.framework/Headers/SecImportExport.h on my 10.6.2 machine, I see references to PKCS#12 in the documentation of SecKeychainItemImport()
Search that file for "PKCS12" for further information.