How can I configure Conan to accept corp CA when using conans.tools.download()? - conan

While I'm able to get Conan to download a package from a remote by adding a corporate CA certificate to cacert.pem, many of these package recipes use conans.tools.download() to download source code from external sites. It seems as if this functionality does not use cacert.pem for its certificate store.
So, for a simple example, I have a conanfile.txt that looks like this:
[requires]
sdl2/2.0.8@bincrafters/stable
Of course there is no sdl2 binary for Visual Studio 2019, so I need to specify the compiler version, build type, cppstd (well, technically not this one since SDL2 is written in C), etc, but the larger project uses C++, so I run the command to build SDL2:
conan install .. -s compiler.version=16 -s build_type=Debug -s compiler.cppstd=17 --build
Conan downloads the package fine, since it's respecting the corp CA I've added to cacert.pem, but the package recipe uses tools.download() to actually pull the source. This failed spectacularly with this error:
ERROR: Error downloading file https://www.libsdl.org/release/SDL2-2.0.8.tar.gz: 'HTTPSConnectionPool(host='www.libsdl.org', port=443): Max retries exceeded with url: /release/SDL2-2.0.8.tar.gz (Caused by SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:777)'),))'
While I'm able to modify the recipe directly by adding verify=False to the download call, this is obviously not a viable solution.
How can this be fixed? I'd prefer not to disable certification verification but at this point would settle for that.

You need to include the ROOT (not a non-root ancestor) certificate in the Python requests package CA bundle, or create a new CA bundle that includes the root certificate and use the REQUESTS_CA_BUNDLE environment variable.
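Added example, not part of the original answer or of Conan's code: one way to build the new CA bundle the answer describes, refusing a certificate file that is not a self-issued root, and returning the `REQUESTS_CA_BUNDLE` setting. The helper names, the `check_root` parameter and the file paths are assumptions.

```python
import os
import re
import ssl

# One PEM certificate block; the base64 body may be wrapped with any whitespace.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----[A-Za-z0-9+/=\s]+?-----END CERTIFICATE-----"
)


def pem_blocks(text):
    """Return every PEM certificate block in text, dropping comments between them."""
    return PEM_BLOCK.findall(text)


def _body(block):
    """Base64 body with whitespace removed, so re-wrapped copies compare equal."""
    inner = block.split("-----BEGIN CERTIFICATE-----")[1]
    return "".join(inner.split("-----END CERTIFICATE-----")[0].split())


def merge_bundles(base_text, extra_text):
    """Base certificates followed by the extra ones, without duplicates."""
    seen, merged = set(), []
    for block in pem_blocks(base_text) + pem_blocks(extra_text):
        if _body(block) not in seen:
            seen.add(_body(block))
            merged.append(block)
    return "\n".join(merged) + "\n"


def only_roots(pem_text):
    """True if every certificate in pem_text is a self-issued CA (a root).

    get_ca_certs() lists the loaded CA certificates: a root has
    subject == issuer, an intermediate names a different issuer, and a
    leaf certificate is not listed at all.
    """
    blocks = {_body(b) for b in pem_blocks(pem_text)}
    if not blocks:
        return False
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # starts with an empty store
    ctx.load_verify_locations(cadata="\n".join(pem_blocks(pem_text)))
    roots = [c for c in ctx.get_ca_certs() if c["subject"] == c["issuer"]]
    return len(roots) == len(blocks)


def write_bundle(base_path, corp_root_path, out_path, check_root=True):
    """Write base bundle + corporate root to out_path; return the env setting."""
    with open(base_path, encoding="utf-8") as fh:
        base = fh.read()
    with open(corp_root_path, encoding="utf-8") as fh:
        corp = fh.read()
    if not pem_blocks(corp):
        raise ValueError("no PEM certificate found in " + corp_root_path)
    if check_root and not only_roots(corp):
        raise ValueError(corp_root_path + " contains a non-root certificate")
    with open(out_path, "w", encoding="ascii") as fh:
        fh.write(merge_bundles(base, corp))
    return {"REQUESTS_CA_BUNDLE": os.path.abspath(out_path)}
```

Pass the bundle that requests already uses as `base_path` (`certifi.where()` returns its path), then export the returned `REQUESTS_CA_BUNDLE` value in the shell or CI job that runs `conan install`.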

Related

How to install OpenSSL in windows 10?

I have a question about how to install OpenSSL and which version I must install in Windows to later create certificates.
I installed one version (openssl-1.0.2d-fips-2.0.10) found on SourceForge, but it does not generate the files correctly.
There is also the official website https://www.openssl.org, but I do not know how to install it so that it works when it comes to generating the keys and .pem file.
I created some environment variables that point to the folder where I unzipped the download; I do not know if that is the correct way.
I also wanted to create OPEN SSL for Windows 10. An easy way to do it without running into a risk of installing unknown software from 3rd party websites and risking entries of viruses, is by using the openssl.exe that comes inside your Git for Windows installation. In my case, I found the open SSL in the following location of Git for Windows Installation.
C:\Program Files\Git\usr\bin\openssl.exe
If you also want instructions on how to use OPENSSL to generate and use Certificates, here is a write-up on my blog. The step by step instructions first explains how to use Microsoft Windows Default Tool and also OPEN SSL and explains the difference between them.
https://kaushikghosh12.blogspot.com/2016/08/self-signed-certificates-with-microsoft.html
If you have chocolatey installed you can install openssl via a single command i.e.
choco install openssl
In case you have Git installed,
you can open the Git Bash (shift pressed + right click in the folder -> Git Bash Here) and use openssl command right in the Bash
Do you have Git installed?
You can access openssl command from Git Bash without adding any environment variable.
But, if you want to access the openssl command from Windows cmd, then follow me:
Find the path of the bin directory of Git. Normally it is at
C:\Program Files\Git\usr\bin\
Then add the path to your environment variable (User variables -> Path):
Now open a new command prompt (don't use an already opened cmd, because the already opened cmd doesn't know the new environment variable).
Now write:
openssl
Either set the openssl present in Git as your default openssl and include that into your path in environmental variables (quick way)
OR
Install the system-specific openssl from this link.
Set the following variable: set OPENSSL_CONF=LOCATION_OF_SSL_INSTALL\bin\openssl.cfg
Update the path: set Path=...Other Values here...;LOCATION_OF_SSL_INSTALL\bin
Necroposting, but might be useful for others:
There's always the official page ([OpenSSL.Wiki]: Binaries) which contains useful URLs (pointing to unofficial resources / builds, make sure to read the Important Disclaimer)
There are other repositories which contain unofficial builds
Here I want to mention: [GitHub]: CristiFati/Prebuilt-Binaries - Prebuilt-Binaries/OpenSSL
v1.0.2u (FIPS capable) is built with OpenSSL-FIPS 2.0.16
Artefacts are .zips that should be unpacked in "C:\Program Files" (please take a look at the Readme.md file, and also at the one at the repository root)
Other 3rd-party software may bundle OpenSSL, so it gets "installed" as a side effect. Such software (mentioned by other answers): Cygwin, Git
And of course you can build it yourself from sources, but that requires some deeper knowledge
Note: when having a functional OpenSSL instance (using whatever method above), here's how you can use it (if you need it into your own projects) from VStudio: [SO]: How to include OpenSSL in Visual Studio (@CristiFati's answer)
I recently needed to document how to get a version of it installed, so I've copied my steps here, as the other answers were using different sources from what I recommend, which is Cygwin. I like Cygwin because it is well maintained and provides a wealth of other utilities for Windows. Cygwin also allows you to easily update the versions as needed when vulnerabilities are fixed. Please update your version of OpenSSL often!
Open a Windows Command prompt and check to see if you have OpenSSL installed by entering: openssl version
If you get an error message that the command is NOT recognized, then install OpenSSL by referring to Cygwin following the summary steps below:
Basically, download and run the Cygwin Windows Setup App to install and to update as needed the OpenSSL application:
Select an install directory, such as C:\cygwin64. Choose a download mirror such as: http://mirror.cs.vt.edu
Enter in openssl into the search and select it. You can also select/un-select other items of interest at this time. Then click Next twice then click Finish.
After installing, you need to edit the PATH variable. On Windows, you can access the System Control Center by pressing Windows Key + Pause. In the System window, click Advanced System Settings → Advanced (tab) → Environment Variables. For Windows 10, a quick access is to enter "Edit the system environment variables" in the Start Search of Windows and click the button "Environment Variables". Change the PATH variable (double-click on it or Select and Edit), and add the path where your Cygwin is, e.g. C:\cygwin\bin.
Verify you have it installed via a new Command Prompt window: openssl version. For example:
C:\Program Files\mosquitto>openssl version
OpenSSL 1.1.1f 31 Mar 2020
If not, refer to the Cygwin documentation and also other tutorials such as: https://www.eclipse.org/4diac/documentation/html/installation/cygwin.html
Here's a solution that may delight those who have implemented WSL (Windows Subsystem for Linux). You can just use:
wsl openssl ...whatever_args...
The point is that many who've implemented WSL may not realize they can call upon ANY linux command (within their underlying WSL linux vm) right from the DOS or powershell command-line this way. (It's easy to fall into thinking the point of WSL is to use it to "shell into the vm", which is indeed an option, but the power to just run linux commands from Windows is a real value-add of WSL.)
And to be clear, in doing the command as above, whatever file names or folders you may point to (or create) will be relative to the Windows folder from which you run the command. So doing for example, openssl req to create a self-signed cert, where you may name -keyout selfsigned.key -out selfsigned.crt, those two files will be created in the Windows folder where you ran the command.
That said, there are ways this could fall down for some openssl command examples one may find, such as if they tried to use various bash-specific arguments, in which case "shelling into wsl" to run the command may well be the better choice. You could still direct things to be found or placed on the host, but I don't mean this answer to become overly-focused on such WSL aspects. I just wanted to propose it as another alternative to installing openssl.
I installed openssl 3.0.0 from https://slproweb.com/products/Win32OpenSSL.html. Then I go to Windows Start -> openssl -> Win64 OpenSSL Command Prompt; it opens a window like a regular DOS window, and all I need is to go to the installation folder of openssl.
If you are running Windows 10 1709 (build 16299) or later versions, you can use winget command below to install OpenSSL
winget install -e --id ShiningLight.OpenSSL
Or if you have Git for Windows installed on your system, you can also find OpenSSL in Git file directory.
C:\Program Files\Git\usr\bin\openssl.exe
For more details, check this guide 3 Methods on How to Install OpenSSL on Windows.
Check openssl tool which is a collection of Openssl from the LibreSSL project and Cygwin libraries (2.5 MB). NB! We're the packager.
One liner to create a self signed certificate:
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout selfsigned.key -out selfsigned.crt
you can get it from here https://slproweb.com/products/Win32OpenSSL.html
Supported and recognized by https://wiki.openssl.org/index.php/Binaries
Install scoop then type
scoop install openssl
Open your Git Bash
Move to your directory if required.
Run your command. eg.
openssl

Conan, C++ package manager, don't work for boost

I run: conan install Boost/1.64.0@conan/stable, and it fails.
Output:
C:\temp>conan install Boost/1.64.0@conan/stable
Boost/1.64.0@conan/stable: Not found in local cache, looking in remotes...
Boost/1.64.0@conan/stable: Trying with 'bintray'...
Boost/1.64.0@conan/stable: Trying with 'conan.io'...
ERROR: Unable to find 'Boost/1.64.0@conan/stable' in remotes
Trying other package, works:
C:\temp>conan install fmt/4.0.0@bincrafters/stable
fmt/4.0.0@bincrafters/stable: Not found in local cache, looking in remotes...
fmt/4.0.0@bincrafters/stable: Trying with 'bintray'...
fmt/4.0.0@bincrafters/stable: Trying with 'conan.io'...
Downloading conanmanifest.txt
[==================================================] 121B/121B
Downloading conanfile.py
[==================================================] 1.8KB/1.8KB
fmt/4.0.0@bincrafters/stable: Installing package
Requirements
fmt/4.0.0@bincrafters/stable from conan.io
Packages
fmt/4.0.0@bincrafters/stable:63da998e3642b50bee33f4449826b2d623661505
fmt/4.0.0@bincrafters/stable: Retrieving package 63da998e3642b50bee33f4449826b2d623661505
fmt/4.0.0@bincrafters/stable: Looking for package 63da998e3642b50bee33f4449826b2d623661505 in remote 'conan.io'
Downloading conanmanifest.txt
[==================================================] 938B/938B
Downloading conaninfo.txt
[==================================================] 491B/491B
Downloading conan_package.tgz
[==================================================] 159.8KB/159.8KB
fmt/4.0.0@bincrafters/stable: Package installed 63da998e3642b50bee33f4449826b2d623661505
Any idea why the package isn't found?
How to debug it?
Conan is a decentralized package manager (kind of git-like style), so it can have many remotes. By default it comes configured with 2 remotes:
conan-transit: Is a read-only copy of the old conan.io repository, which contains many different Boost packages, from different authors. Quality is variable, so some packages might work only for certain OS, or might fail for some configurations.
conan-center: It is a moderated/reviewed repository, package creators can submit inclusion requests to share their packages with the community.
So far conan-transit contains several Boost/1.64 packages, so you can check it with:
$ conan search Boost* -r=conan-transit
$ conan search Boost* -r=conan-center
As you can see the package you are trying to install doesn't exist in these repositories.
As I said above, conan is decentralized, so you can use different remotes. For example, the "bincrafters" community has a bintray repo that can be added with:
$ conan remote add bincrafters https://api.bintray.com/conan/bincrafters/public-conan
$ conan search Boost* -r=bincrafters
You will see they have a large number of Boost/1.64 packages, because they have created a modularized version of boost, in which every library lives in a different package, so you only get installed what you need.
UPDATE: Packages in the central repository are being renamed by the community to lowercase. Try with boost lowercase in the above if necessary.

ownCloud Desktop Client Theming

I have been trying to build the desktop client for about a week now so that I can dig in and try to mess with some theming and turn off some features I won't be needing. In the process I have run into numerous issues and have managed to resolve them in one way or another. I have a VM running openSUSE and I have downloaded the source file ownCloudClient-2.3.2.tar.xz file and unzipped it all into my home/jwarren/client folder. I then ran:
cd admin/win/docker
docker build . -t owncloud-client-win32:
Which I was able to get through. Now I am on the second command:
docker run -v "$PWD:/home/user/client" owncloud-client-win32: \
/home/user/client/admin/win/docker/build.sh client/ $(id -u)
Here I am getting almost to the end and then I receive this error message which I can't figure out how to resolve.
CPack Error: Problem running NSIS command "user/bin/makensis"
CPack Error: Problem Compressing Directory
Can anyone help me out with this? Or maybe point me in the direction of better instructions for the ownCloud Desktop Client theming. I noticed that once you get it installed properly there are no instructions explaining where anything is to edit.
I wrote a comprehensive guide to build the Windows client using the cross-compilation toolchain in the Dockerfile some time ago in ownCloud's central: https://central.owncloud.org/t/error-using-docker-to-build-the-windows-client/5107/5
What you're probably missing out is the git-submodule initialization; i.e. running git submodule update --init on your unzipped repository. You need these to bundle on the installer some pre-compiled binaries used by the shell integrations.
Also, on a side note, there were some problems last month with mingw toolchain compiler (gcc7) - in case you get some dll error after installing the client with your self-generated installer, refer to https://central.owncloud.org/t/building-the-windows-installer/8403/4 for a snapshot of a fully working Docker image to use instead of your self-built.
About the docs to build your own theme: those can be found in https://doc.owncloud.org/branded_clients/branded_desktop_client/index.html (for enterprise installations of ownCloud) - and for an unsupported version, you can also check the source in
https://github.com/owncloud/client/blob/master/src/libsync/theme.cpp for some hints about what settings can be overwritten from there.

VisualStudio.com can't load the temporary UWP certificate during builds

I set up my Visual Studio Team Service account to clone my private GitHub repo and build the Windows UWP application anytime I queue a build. The cloning works without any issues; the compilation of every project (6) works except one. The Windows UWP app project.
I receive the following warnings while the build server compiles the app:
C:\Program Files (x86)\MSBuild\Microsoft\VisualStudio\v14.0\AppxPackage\Microsoft.AppXPackage.Targets(1778,5):
Warning APPX0104: Certificate file 'myapp_TemporaryKey.pfx' not found.
2>C:\Program Files (x86)\MSBuild\Microsoft\VisualStudio\v14.0\AppxPackage\Microsoft.AppXPackage.Targets(1778,5):
warning APPX0104: Certificate file 'myapp_TemporaryKey.pfx' not found. [C:\a\1\s\Source\Applications\myapp.WindowsUWP\myapp.csproj]
C:\Program Files (x86)\MSBuild\Microsoft\VisualStudio\v14.0\AppxPackage\Microsoft.AppXPackage.Targets(1778,5):
Warning APPX0102: A certificate with thumbprint '58F2EA544193F6FC9F2737135570555B388E58D8' that is specified in the project cannot be found in the certificate store. Please specify a valid thumbprint in the project file.
2>C:\Program Files (x86)\MSBuild\Microsoft\VisualStudio\v14.0\AppxPackage\Microsoft.AppXPackage.Targets(1778,5):
warning APPX0102: A certificate with thumbprint '58F2EA544193F6FC9F2737135570555B388E58D8' that is specified in the project cannot be found in the certificate store. Please specify a valid thumbprint in the project file. [C:\a\1\s\Source\Applications\myapp.WindowsUWP\myapp.csproj]
C:\Program Files (x86)\MSBuild\Microsoft\VisualStudio\v14.0\AppxPackage\Microsoft.AppXPackage.Targets(1778,5):
Warning APPX0107: The certificate specified is not valid for signing. For more information about valid certificates, see http://go.microsoft.com/fwlink/?LinkID=241478.
2>C:\Program Files (x86)\MSBuild\Microsoft\VisualStudio\v14.0\AppxPackage\Microsoft.AppXPackage.Targets(1778,5):
warning APPX0107: The certificate specified is not valid for signing. For more information about valid certificates, see http://go.microsoft.com/fwlink/?LinkID=241478. [C:\a\1\s\Source\Applications\myapp.WindowsUWP\myapp.csproj]
This is the last project out of the 6 to compile. After I receive the warnings, it proceeds to copy all of the output files over to the final /bin directory. Then when it's all done, reports the same messages as above, but as errors this time and fails the build.
_GenerateAppxPackageFile:
C:\Program Files (x86)\Windows Kits\10\bin\x64\MakeAppx.exe pack /l /h sha256 /f obj\x86\Debug\package.map.txt /o /p C:\a\1\s\Source\Applications\MyApp.WindowsUWP\AppPackages\MyApp_1.0.0.0_x86_Debug_Test\MyApp_1.0.0.0_x86_Debug.appx
MyApp -> C:\a\1\s\Source\Applications\MyApp.WindowsUWP\AppPackages\MyApp_1.0.0.0_x86_Debug_Test\MyApp_1.0.0.0_x86_Debug.appx
C:\Program Files (x86)\MSBuild\Microsoft\VisualStudio\v14.0\AppxPackage\Microsoft.AppXPackage.Targets(2382,5): Error APPX0104: Certificate file 'MyApp_TemporaryKey.pfx' not found.
2>C:\Program Files (x86)\MSBuild\Microsoft\VisualStudio\v14.0\AppxPackage\Microsoft.AppXPackage.Targets(2382,5): error APPX0104: Certificate file 'MyApp_TemporaryKey.pfx' not found. [C:\a\1\s\Source\Applications\MyApp.WindowsUWP\MyApp.csproj]
C:\Program Files (x86)\MSBuild\Microsoft\VisualStudio\v14.0\AppxPackage\Microsoft.AppXPackage.Targets(2382,5): Error APPX0102: A certificate with thumbprint '58F2EA544193F6FC9F2737135570555B388E58D8' that is specified in the project cannot be found in the certificate store. Please specify a valid thumbprint in the project file.
2>C:\Program Files (x86)\MSBuild\Microsoft\VisualStudio\v14.0\AppxPackage\Microsoft.AppXPackage.Targets(2382,5): error APPX0102: A certificate with thumbprint '58F2EA544193F6FC9F2737135570555B388E58D8' that is specified in the project cannot be found in the certificate store. Please specify a valid thumbprint in the project file. [C:\a\1\s\Source\Applications\MyApp.WindowsUWP\MyApp.csproj]
C:\Program Files (x86)\MSBuild\Microsoft\VisualStudio\v14.0\AppxPackage\Microsoft.AppXPackage.Targets(2382,5): Error APPX0107: The certificate specified is not valid for signing. For more information about valid certificates, see http://go.microsoft.com/fwlink/?LinkID=241478.
2>C:\Program Files (x86)\MSBuild\Microsoft\VisualStudio\v14.0\AppxPackage\Microsoft.AppXPackage.Targets(2382,5): error APPX0107: The certificate specified is not valid for signing. For more information about valid certificates, see http://go.microsoft.com/fwlink/?LinkID=241478. [C:\a\1\s\Source\Applications\MyApp.WindowsUWP\MyApp.csproj]
2>Done Building Project "C:\a\1\s\Source\Applications\MyApp.WindowsUWP\MyApp.csproj" (default targets) -- FAILED.
1>Done Building Project "C:\a\1\s\Source\MyApp.UWP.sln" (default targets) -- FAILED.
Build FAILED.
"C:\a\1\s\Source\MyApp.UWP.sln" (default target) (1) ->
If I just delete the certificate (as I did in this particular error log), it fails because it can't find it. If I generate the certificate using the manifest editor in VS, and assign it a password, the build server fails because it doesn't know the password. So I can't get it to build whether I provide a temporary test certificate or not.
How are we supposed to run Windows 10 UWP apps through the Visual Studio Team Services build system? This is something that Microsoft has been promoting for a while now so I assumed this was a thing that could be done. I can't seem to get the UWP project to actually build.
You can generate a certificate without password assigned.
Or add a PowerShell step in your build definition to import the password protected certificate. Following is the powershell script you can use:
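# Path to the PFX, relative to the build step's working folder
$pfxpath = 'myapp_TemporaryKey.pfx'
# Password the PFX was exported with (placeholder value)
$password = 'yourpassword'
Add-Type -AssemblyName System.Security
# Load the certificate and its private key, keeping the key persisted after import
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
$cert.Import($pfxpath, $password, [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]"PersistKeySet")
# Add it to the personal (MY) store of the user the build runs as
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList "MY", CurrentUser
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]"ReadWrite")
$store.Add($cert)
$store.Close()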
Remember to set the "Working Folder" to the path where your pfx file is placed.
By default .gitignore ignores any *.pfx file. Therefore it is not added to git. I had the same issue, that the build machine does not have the *_StoreKey.pfx file and therefore the build did not succeed.
For me the solution was to install the *_StoreKey.pfx on the build server. Then building the solution on the build server succeeds.
I solved this with the "secure files" feature: https://learn.microsoft.com/en-us/azure/devops/pipelines/library/secure-files?view=vsts
In the build pipeline, there's a "library" tab. I added the pfx (that's excluded from source control) as a file there.
I then added "download secure file" as a build task (https://learn.microsoft.com/en-us/azure/devops/pipelines/tasks/utility/download-secure-file?view=vsts). Note the environment variable in the documentation (currently $env:DOWNLOADSECUREFILE_SECUREFILEPATH)
I then added a command line task to move the file to where it was expected. So the command was move %DOWNLOADSECUREFILE_SECUREFILEPATH% FolderOfMyProject
Now it behaves as though the certificate were checked in.
I met the same issue these days, and I finally solved it successfully with the help of this post.
Actually, we must ensure we have created a test .pfx as the developer of the UWP app, and the following words share some helpful solutions, I think:
Create a test certificate with VS:
In Visual Studio, from Solution Explorer, open Package.appxmanifest
In the App Manifest Designer, choose the Packaging tab, and then choose the Choose Certificate button.
In the Choose Certificate dialog box, expand the Configure Certificate list, and then choose Create test certificate.
In the Create test certificate dialog box, input your info and click the OK button. (The above step descriptions come from this ↓)
Create a certificate with the MakeCert, Pvk2Pfx and Certutil tools
MSDN: How to create an app package signing certificate
Hope it can help u!
I too was getting the error:
"Cannot import the key file 'blah.pfx'. The key file may be password protected. To correct this, try to import the certificate manually into the current user’s personal certificate store".
You can double click a .pfx file to import it into your store, the trick is that when it brings up the wizard, you have to choose "Current User", instead of "Local Machine" on the first screen, then instead of "Automatic", I specifically chose "Personal".
I was able to build the package after that. Didn't work when I chose "Local Machine" + Personal.
Had the same issue (error APPX0107: The certificate specified is not valid for signing) and tried every solution but nothing worked for me.
In fact there was a new line after the key name in the .csproj:
<PackageCertificateKeyFile>myCert.pfx
</PackageCertificateKeyFile>
Removed it and it worked.

how to provide signature in jar files in eclipse-plugins development?

Can anybody tell me how to add signature in jar file.
I have developed a plugin, but when I am installing it, it is showing some warnings that it is not a signatured jar file.
Can anyone give me guidance on how to do that?
You can follow instructions given in the Eclipse wiki Jar Signing page
It is part of a protection policy against malicious code
How is signing done?
Signing is performed using the JDK's jarsigner.
This tool signs JARs by producing a separate signature for every file in the JAR.
The signatures are put in the MANIFEST.MF file and in a separate signature file in the META-INF directory.
For optimization purposes, the signature of the MANIFEST.MF with all embedded signatures is also computed and placed in the signature file.
Projects who wish to sign their JAR's with the Eclipse Foundation Signature need to name a person which applies for "signer" privilege with the Webmaster. The Webmaster will grant required permissions on the signing server and send an E-Mail with exact instructions how signing is done.
Now if the warning appears because your plugin, even signed, is not signed with the "Eclipse Foundation Signature" (if your plugin runs within an Eclipse instance), that warning is likely to remain.
See also this thread if you want to use your own keystore:
java
-Djava.security.manager=""
-Djava.security.policy=policy
-Dosgi.framework.keystore=file:keystore
-Dosgi.signedcontent.support=true
-jar org.eclipse.osgi_3.4.0.<qualifier>.jar
-console
-consoleLog
Finally, you can try out this jarsigner/keytool integration (integration to the jar exporter) which can facilitate the process.
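Added example, not part of the original answer or of the Eclipse tooling: a check of the per-file values that signing records in MANIFEST.MF, run over a constructed sample JAR. It assumes the entries carry `SHA-256-Digest` attributes and covers only this digest layer, not the signature block that `jarsigner -verify` validates; all function and file names are hypothetical.

```python
import base64
import hashlib
import io
import zipfile

SIG_SUFFIXES = (".SF", ".RSA", ".DSA", ".EC")


def parse_manifest(text):
    """Return {entry name: {attribute: value}} for the per-entry sections."""
    # Continuation lines start with one space and extend the previous line.
    text = text.replace("\r\n", "\n").replace("\n ", "")
    entries = {}
    for section in text.split("\n\n"):
        attrs = dict(
            line.split(": ", 1) for line in section.split("\n") if ": " in line
        )
        if "Name" in attrs:
            entries[attrs.pop("Name")] = attrs
    return entries


def check_jar(jar_bytes):
    """Compare each entry's SHA-256 with the digest recorded in MANIFEST.MF."""
    report = {"ok": [], "mismatch": [], "unlisted": [], "signature_files": []}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        manifest = parse_manifest(jar.read("META-INF/MANIFEST.MF").decode("utf-8"))
        for name in jar.namelist():
            if name.endswith("/") or name == "META-INF/MANIFEST.MF":
                continue
            if name.startswith("META-INF/") and name.upper().endswith(SIG_SUFFIXES):
                report["signature_files"].append(name)
                continue
            recorded = manifest.get(name, {}).get("SHA-256-Digest")
            if recorded is None:
                # Present in the archive but not covered by the manifest.
                report["unlisted"].append(name)
                continue
            actual = base64.b64encode(hashlib.sha256(jar.read(name)).digest()).decode()
            report["ok" if actual == recorded else "mismatch"].append(name)
    return report


def build_sample_jar(tamper=False):
    """Constructed sample JAR: two listed entries, one entry added afterwards."""
    files = {
        "plugin.xml": b"<plugin/>",
        "com/example/Activator.class": b"\xca\xfe\xba\xbe",
    }
    lines = ["Manifest-Version: 1.0", ""]
    for name, data in files.items():
        digest = base64.b64encode(hashlib.sha256(data).digest()).decode()
        lines += ["Name: " + name, "SHA-256-Digest: " + digest, ""]
    if tamper:
        files["plugin.xml"] = b"<plugin modified='1'/>"  # changed after digesting
    files["notes.txt"] = b"added after signing"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "\r\n".join(lines) + "\r\n")
        jar.writestr("META-INF/SAMPLE.SF", "Signature-Version: 1.0\r\n")
        for name, data in files.items():
            jar.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    print(check_jar(build_sample_jar(tamper=True)))
```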