Edge extension sign failed - jsonschema

I'm porting an existing Chrome extension to Microsoft Edge. The extension works when I load it as a temporary extension in Edge.
Now I want to pack and sign it. The package has been generated successfully. But when I try to sign it using Windows App Certification Kit, it fails with the following error:
Edge extension manifest.json
Error Found: The JSON schema validation test detected the following errors:
Validation failed: Data does not match any schemas from "anyOf"
Schema location: /allOf/1/dependencies/background/anyOf
Manifest location:
Validation failed for extension manifest: Extension\manifest.json
Impact if not fixed: Microsoft Edge extensions that violate the Windows Store certification requirements can’t be submitted to the Windows Store.
How to fix: Extension’s manifest.json must include valid entries for all required and specified fields. Please resolve the entries and conflicts above.
The commands I use to pack extension:
manifoldjs -l debug -p edgeextension -f edgeextension -m EdgeExtension\manifest.json
manifoldjs -l debug -p edgeextension package Test\edgeextension\manifest\
My manifest file:
{
"author": "Test",
"background": {
"page": "Agent/Ext/bg-loader.html",
"persistent": false
},
"content_scripts": [
{
"matches": [
"<all_urls>"
],
"js": [
"Agent/Content/contentLoader.js"
],
"run_at": "document_start",
"all_frames": true
}
],
"content_security_policy" : "script-src 'self'; object-src 'self'",
"default_locale" : "en",
"description": "Test Web Applications Using Google Chrome",
"name": "Test",
"permissions": [
"nativeMessaging",
"webNavigation",
"webRequest",
"webRequestBlocking",
"tabs",
"cookies",
"browsingData",
"debugger",
"<all_urls>",
"notifications",
"unlimited_storage"
],
"version": "1.0.0.0",
"-ms-preload": {
"backgroundScript": "backgroundScriptsAPIBridge.js",
"contentScript": "contentScriptsAPIBridge.js"
},
"minimum_edge_version" : "33.14281.1000.0"
}

With help of Alexey Sidorov from this thread, I figured out how to sign Edge extensions.
Note: Please make sure to do the following steps in PowerShell, not the command line.
1. Create a self signed certificate
New-SelfSignedCertificate -Type Custom -Subject "CN=Contoso Software, O=Contoso Corporation, C=US" -KeyUsage DigitalSignature -FriendlyName <Your Friendly Name> -CertStoreLocation "Cert:\LocalMachine\My"
You can get your Subject in your App identity at Microsoft Developer site.
Friendly name can be any string.
2. Export the certificate
Check thumbprint:
Set-Location Cert:\LocalMachine\My
Get-ChildItem | Format-Table Subject, FriendlyName, Thumbprint
You need a password for exporting due to security reasons.
$pwd = ConvertTo-SecureString -String <Your Password> -Force -AsPlainText
Export-PfxCertificate -cert "Cert:\LocalMachine\My\<Certificate Thumbprint>" -FilePath <FilePath>.pfx -Password $pwd
3. Install the certificate to Trusted Root Certification Authorities.
Type "Manage computer certificates" in the Start menu and navigate to Trusted Root Certification Authorities\Certificates. Right-click it, choose All Tasks, Import. Follow the wizard to finish importing.
4. Sign the app using SignTool (The SignTool is installed with Windows 10 SDK. Please make sure it exists in your system PATH)
Check the Hash Algorithm of your extension:
Extract AppxBlockMap.xml in your .appx file, check HashMethod:
<BlockMap xmlns="http://schemas.microsoft.com/appx/2010/blockmap" HashMethod="http://www.w3.org/2001/04/xmlenc#sha256">
The Hash Algorithm is the value after #, for example, #sha256 means you are using SHA256 as Hash Algorithm.
SignTool sign /fd <Hash Algorithm> /a /f <Path to Certificate>.pfx /p <Your Password> <File path>.appx
5. Now you can install your app by double-click.
Official References:
Create a certificate for package signing
Sign an app package using SignTool
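The hash-algorithm check from step 4, as an added PowerShell example that is not part of the original answer. It reads HashMethod from AppxBlockMap.xml and the Identity Publisher from AppxManifest.xml, which the signing certificate's Subject has to match; the function names and the sample package are constructed for illustration.

```powershell
# Added example, not from the original answer. Function names are hypothetical.
Add-Type -AssemblyName System.IO.Compression
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Read-AppxXml {
    param($Zip, [string]$Name)
    $entry = $Zip.GetEntry($Name)
    if ($null -eq $entry) { throw "$Name not found in package" }
    $reader = New-Object System.IO.StreamReader($entry.Open())
    try { return [xml]$reader.ReadToEnd() } finally { $reader.Dispose() }
}

function Get-AppxSigningInfo {
    param([Parameter(Mandatory)][string]$AppxPath)
    # An .appx is a zip archive; open it read-only instead of extracting it.
    $full = (Resolve-Path -LiteralPath $AppxPath).ProviderPath
    $zip = [System.IO.Compression.ZipFile]::OpenRead($full)
    try {
        $blockMap = Read-AppxXml -Zip $zip -Name 'AppxBlockMap.xml'
        $manifest = Read-AppxXml -Zip $zip -Name 'AppxManifest.xml'
    } finally { $zip.Dispose() }

    # The algorithm is the URI fragment after '#'; reject anything unexpected
    # rather than passing an arbitrary string to SignTool /fd.
    $hashMethod = $blockMap.BlockMap.HashMethod
    if ($hashMethod -notmatch '#(sha256|sha384|sha512)$') {
        throw "Unexpected HashMethod: '$hashMethod'"
    }
    [pscustomobject]@{
        HashAlgorithm = $Matches[1].ToUpperInvariant()
        Publisher     = $manifest.Package.Identity.Publisher
    }
}

# Constructed sample: a minimal zip standing in for a real .appx.
$dir = Join-Path ([System.IO.Path]::GetTempPath()) ([guid]::NewGuid().ToString())
New-Item -ItemType Directory -Path $dir | Out-Null
Set-Content -Path (Join-Path $dir 'AppxBlockMap.xml') -Value `
    '<BlockMap xmlns="http://schemas.microsoft.com/appx/2010/blockmap" HashMethod="http://www.w3.org/2001/04/xmlenc#sha256"/>'
Set-Content -Path (Join-Path $dir 'AppxManifest.xml') -Value `
    '<Package xmlns="http://schemas.microsoft.com/appx/manifest/foundation/windows10"><Identity Name="Sample" Publisher="CN=Contoso Software, O=Contoso Corporation, C=US" Version="1.0.0.0"/></Package>'
$appx = "$dir.appx"
[System.IO.Compression.ZipFile]::CreateFromDirectory($dir, $appx)

$info = Get-AppxSigningInfo -AppxPath $appx
$info | Format-List

# The certificate Subject from step 1 has to equal the manifest Publisher.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $info.Publisher } | Select-Object -First 1
if (-not $cert) {
    Write-Warning "No certificate in LocalMachine\My has Subject '$($info.Publisher)'"
}

# Command line for step 4 with the detected algorithm filled in.
"SignTool sign /fd $($info.HashAlgorithm) /a /f <Path to Certificate>.pfx /p <Your Password> `"$appx`""

Remove-Item -Recurse -Force $dir, $appx
```

Point `Get-AppxSigningInfo` at the real package produced by manifoldjs to get the value for `/fd` before signing.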

Related

Yocto recipe for secure APT repository

I have a private APT repository configured with a GPG key and a self-signed certificate. I want to access the repository from a device with a yocto generated OS. I am trying to create a recipe for communicating the device with the remote repository. This is, until now, the recipe myrepo_1.0.0.bb:
SUMMARY = "Install files for APT secure repository"
DESCRIPTION = "Copy security configuration files for enable secure APT communication with remote repository"
LICENSE = "CLOSED"
DEPENDS = "package-index ca-certificates-native"
FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
SRC_URI += "\
file://myrepo.gpg \
file://myrepo.crt \
"
do_install_append() {
install -d ${D}${sysconfdir}/${PN}
install -m 0644 ${WORKDIR}/myrepo.gpg ${D}${sysconfdir}/${PN}/
install -m 0644 ${WORKDIR}/myrepo.crt ${D}${sysconfdir}/${PN}/
install -d ${D}usr/local/share/ca-certificates
ln -s ${sysconfdir}/${PN}/myrepo.crt ${D}usr/local/share/ca-certificates/
}
In the recipe, I am trying to copy the GPG key (myrepo.gpg) and the self-signed certificate (myrepo.crt).
Regarding the CRT key: I have followed these instructions to manually add the certificate, but when I do it, the certificate is not working on the device.
Regarding the GPG key: I successfully copy the key in the device, but I am not able to use it. For using it, the file /etc/apt/sources.list must contain the signed-by directive specifying the path to the gpg key. Ex: deb [signed-by=/etc/myrepo/myrepo.gpg] https://myrepo.com/all ./, but if I add the directive in my local.conf like this:
PACKAGE_CLASSES ?= "package_deb"
PACKAGE_FEED_URIS = "[signed-by=/etc/myrepo/myrepo.gpg] https://myrepo.com"
The result is the directive treated as a new repository:
deb [signed-by=/etc/myrepo/myrepo.gpg] ./
deb https://myrepo.com/all ./
Could anyone help me with the recipe to automatically configure the repository?
I finally found a way to add the https certificate and to add the GPG signature.
I added the certificate and key files on build time using do_install_append function, and I have to use the function pkg_postinst_ontarget_${PN} (see mega-manual) to change the apt repository configuration on runtime (only the first run). Could not find a way to change the sources.list on build time which could be a more elegant way, but this works perfectly:
SUMMARY = "Install files for APT myrepository repository"
DESCRIPTION = "Copy security configuration files for enable secure APT communication with myrepository repository"
LICENSE = "CLOSED"
DEPENDS = "ca-certificates-native"
RDEPENDS_${PN} = "apt"
FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
SRC_URI += "\
file://myrepo.gpg \
file://myrepo.crt \
"
do_install_append() {
install -d ${D}${sysconfdir}/${PN}
install -m 0644 ${WORKDIR}/myrepo.gpg ${D}${sysconfdir}/${PN}/
install -m 0644 ${WORKDIR}/myrepo.crt ${D}${sysconfdir}/${PN}/
}
pkg_postinst_${PN}() {
echo "192.168.200.6 myrepo.com" >> $D/etc/hosts
cat $D/etc/myrepo/myrepo.crt >> $D/etc/ssl/certs/ca-certificates.crt
}
pkg_postinst_ontarget_${PN}() {
sed -i 's/https/[signed-by=\/etc\/myrepo\/myrepo.gpg] https/g' $D/etc/apt/sources.list
}

Unable to install extensions in code-server due to self signed certificate error

I am trying to install vscode using code-server and extensions like python, jupyter and it is giving me an error
[2022-03-24T06:31:01.822Z] info Wrote default config file to ~/.config/code-server/config.yaml
Installing extensions...
self signed certificate in certificate chain
Steps that I am following are:
ARG IDE_HOME="/opt"
ARG CODE_SERVER_VERSION="v4.2.0"
ARG CODE_SERVER_FILE="code-server-4.2.0-linux-amd64.tar.gz"
WORKDIR $IDE_HOME/code-server/
RUN wget -qO- https://github.com/cdr/code-server/releases/download/${CODE_SERVER_VERSION}/${CODE_SERVER_FILE} | tar zxvf - --strip-components=1
ENV PATH=$IDE_HOME/code-server/bin:$PATH
RUN code-server --install-extension ms-toolsai.jupyter
Also, on UI it shows the same:
Any idea how to fix this?

How to add wsl command line arguments to Windows Terminal configuration?

I have the following .json configuration for my Windows Terminal:
{
"guid": "{926758ba-8c4a-5c36-a9c6-0c4943cd78a1}",
"hidden": false,
"name": "Fedora-33",
"source": "Windows.Terminal.Wsl"
},
This was generated automatically from the WSL database.
I would like to add wsl command line option -u user as it starts now as root. I tried adding
"user" : "hxv454"
to no avail. How can I configure WT to start my wsl instance with a specific user?
Learning from
How do I get Windows 10 Terminal to launch WSL?
searching for "wsl" I have found and used
"commandline": "wsl -d Fedora-33 -u hxv454"
and it worked.

vsts-npm-auth can't get authentication token on VSTS build

I'm attempting to use vsts-npm-auth to get the authentication token for our VSTS package repository. On my development machine I can run the commands
npm install -g vsts-npm-auth
vsts-npm-auth -config path-to-my\.npmrc
and it succeeds in providing me with an authentication token. I'm now trying to recreate this as a build step on VSTS, so I create the powershell script auth-vsts.ps1
$npmrcFile = "$PSScriptRoot\path-to-my\.npmrc";
npm install -g vsts-npm-auth;
vsts-npm-auth -config $npmrcFile;
and add it as a powershell task. However, the task fails as follows
2017-05-30T09:37:41.1082686Z ##[section]Starting: auth-vsts
2017-05-30T09:37:41.1092712Z ==============================================================================
2017-05-30T09:37:41.1092712Z Task : PowerShell
2017-05-30T09:37:41.1092712Z Description : Run a PowerShell script
2017-05-30T09:37:41.1092712Z Version : 1.2.3
2017-05-30T09:37:41.1092712Z Author : Microsoft Corporation
2017-05-30T09:37:41.1092712Z Help : [More Information](https://go.microsoft.com/fwlink/?LinkID=613736)
2017-05-30T09:37:41.1092712Z ==============================================================================
2017-05-30T09:37:41.1112679Z ##[command]. 'd:\a\1\s\auth-vsts.ps1'
2017-05-30T09:37:47.3792461Z C:\NPM\Modules\vsts-npm-auth -> C:\NPM\Modules\node_modules\vsts-npm-auth\bin\vsts-npm-auth.exe
2017-05-30T09:37:47.3792461Z C:\NPM\Modules
2017-05-30T09:37:47.3802239Z `-- vsts-npm-auth@0.25.0
2017-05-30T09:37:47.3802239Z
2017-05-30T09:37:47.3802239Z
2017-05-30T09:37:47.3802239Z vsts-npm-auth v0.25.0.0
2017-05-30T09:37:47.3802239Z -----------------------
2017-05-30T09:37:47.3802239Z Creating npmrcFile. Path: D:\a\1\s\.npmrc
2017-05-30T09:37:47.3802239Z Getting new credentials for source:https://our-domain/_packaging/SharedLib/npm/registry/, scope:vso.packaging_write vso.drop_write
2017-05-30T09:37:49.8729702Z Caught exception: The prompt option is invalid because the process is not interactive.
2017-05-30T09:37:49.8729702Z Parameter name: PromptType
2017-05-30T09:37:49.8729702Z Caught exception: The prompt option is invalid because the process is not interactive.
2017-05-30T09:37:49.8729702Z Parameter name: PromptType
2017-05-30T09:37:49.8729702Z Couldn't get an authentication token for //our-domain/_packaging/SharedLib/npm/registry/:_authToken.
2017-05-30T09:37:50.1769711Z ##[error]Process completed with exit code 1.
2017-05-30T09:37:50.1809715Z ##[section]Finishing: auth-vsts
The error gives no indication as to why it can't obtain the credentials. Any ideas why this might be?
I faced this issue while trying to execute via Visual Studio Code's PowerShell terminal
vsts-npm-auth -config .npmrc
But running the same command via a simple console solved this issue and I was redirected to the authentication window.
I can suggest that, due to internal limitations, PowerShell is unable to open another window.
The error did indicate why it cannot obtain the credentials:
The prompt option is invalid because the process is not interactive.
This could be because the build agent does not run in interactive mode, so the credential dialog cannot be shown. If you are using the Hosted Build Agent, the build agent runs as a service and there isn't any way to change it to interactive mode.
However, the issue here is that if you want to use the feed in a build step, it does not make sense to prompt a credential dialog during the build process since the build step cannot enter the required credential automatically. Not sure if there is any specific requirement in your environment, but the general workflow should be uploading the .npmrc file generated in your local machine to the Source Control so that npm can use the auth token in the file to install/publish packages to VSTS Feed.
Inside your project, you can open a terminal and run
vsts-npm-auth -F -C .npmrc
This script refreshes the npm token. Here I set two parameters: -F forces the refresh (if not set, the token is refreshed only if it is already expired), while -C fileName defines the configuration file.
The vsts authentication system sometimes authenticates the user by popping up a browser window. If the terminal you're running the command from is not interactive (e.g., ssh terminal, vscode terminal) it won't be able to pop up that window, and the authentication will fail.
This worked for me
npx vsts-npm-auth -config .npmrc

How do I add certificates for OS X Server 3.2.1 with Xcode 6.0.1

After I have upgraded both Xcode (to 6.0.1) and OS X Server (to 3.2.1) I can't figure out how to add certificates for the provisioning profiles so the Xcode bot can find them.
I have successfully added the provisioning file by copying the .mobileprovision file to /Library/Developer/XcodeServer/ProvisioningProfiles
But the error I get in the log is now:
CodeSign /Library/Developer/XcodeServer/Integrations/Caches/017d83d8975db54bc8279c2fcc0304a6/DerivedData/Build/Products/Server\ build-iphoneos/Test.app
cd /Library/Developer/XcodeServer/Integrations/Caches/017d83d8975db54bc8279c2fcc0304a6/Source/TEST
export CODESIGN_ALLOCATE=/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/codesign_allocate
export PATH="/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/usr/bin:/Applications/Xcode.app/Contents/Developer/usr/bin:/Applications/Xcode.app/Contents/Developer/usr/bin:/usr/bin:/bin:/usr/sbin:/sbin"
Signing Identity: "iPhone Distribution: Greener Pastures ApS"
Provisioning Profile: "Greener Pastures Enterprise TEST"
(03F7CD73-FB25-422E-22A4-A80F12041005)
/usr/bin/codesign --force --sign 746ADC85C62D54BEC9FA874A8D777A38D4DB95CA --keychain /Library/Developer/XcodeServer/Keychains/Portal.keychain --resource-rules=/Library/Developer/XcodeServer/Integrations/Caches/017d83d8975db54bc8279c2fcc0304a6/DerivedData/Build/Products/Server\ build-iphoneos/Fnug.app/ResourceRules.plist --entitlements /Library/Developer/XcodeServer/Integrations/Caches/017d83d8975db54bc8279c2fcc0304a6/DerivedData/Build/Intermediates/Fnug.build/Server\ build-iphoneos/Fnug.build/Fnug.app.xcent /Library/Developer/XcodeServer/Integrations/Caches/017d83d8975db54bc8279c2fcc0304a6/DerivedData/Build/Products/Server\ build-iphoneos/Fnug.app
746ADC85C62D54BEC9FA874A8D777A38D4DB95CA: no identity found
Command /usr/bin/codesign failed with exit code 1
Which looks like: "I can't find the certificate for the specified provisioning profile".
And it looks like the certificate should be in the file /Library/Developer/XcodeServer/Keychains/Portal.keychain – which, unfortunately I am unable to edit.
I have tried adding the certificate to the file by using
sudo security import "/Users/administrator/Desktop/Greener Pastures Enterprise Distribution TEST Certificate.p12" -k /Library/Developer/XcodeServer/Keychains/Portal.keychain -A -T /usr/bin/codesign -T /usr/bin/xcodebuild -T /usr/bin/pkgbuild
But that prompts me for the "keychain password". Which I don't have (no, it is not the administrator account's password or the certificate password).
Does anyone know how to fix this?
Try to add your server to the developer portal first and remove all restrictions like explicit provisioning files from your project.
If this doesn't work, file a Radar explaining your configuration and why you think it should be supported by Apple.
If you are really, really sure it's a good idea to hack your server, possibly breaking it, open a terminal on your server from an account with administrator privileges and:
Copy the Portal keychain to your desktop:
> sudo cp /Library/Developer/XcodeServer/Keychains/Portal.keychain ~/Desktop/
Password: your-administrator-password
> sudo chown `whoami`:staff ~/Desktop/Portal.keychain
Set the Portal keychain password to “123”
> security set-keychain-password -o "`sudo cat /Library/Developer/XcodeServer/SharedSecrets/PortalKeychainSharedSecret`" ~/Desktop/Portal.keychain
New Password: 123
Retype New Password: 123
Open the Keychain in Keychain Access:
> open -b com.apple.keychainaccess ~/Desktop/Portal.keychain
Unlock the “Portal” keychain using password “123”
Copy the needed keys from your personal “login” keychain to the “Portal” keychain.
Make sure the private keys have the right access rights (in the “Access Control” tab), “xcsbuildd”, “xcscontrol”, “xcodebuild” and “codesign” should be listed
Lock the “Portal” keychain, quit “Keychain Access”
Reset the Portal keychain password:
> security set-keychain-password -p "`sudo cat /Library/Developer/XcodeServer/SharedSecrets/PortalKeychainSharedSecret`" ~/Desktop/Portal.keychain
Password: your-administrator-password (optional step)
Old Password: 123
It may or may not ask you for your administrator password again, pay attention to the prompt.
Copy the Portal keychain back
> sudo chown _xcsbuildd:_xcs ~/Desktop/Portal.keychain
> sudo cp ~/Desktop/Portal.keychain /Library/Developer/XcodeServer/Keychains/
Since the system caches open keychains, restart your computer.
Don't just blindly copy keys to the Portal keychain. Try other solutions first and ask on stack overflow if you need help. Only follow this procedure after filing a Radar, not just because “things don't work”. You will destroy your system when you are not exactly sure what you're doing here.
Alternate procedure (for the advanced):
Copy the following script as importP12.sh:
#!/bin/sh
importP12()
{
P12FILE="$1"
XCS="/Library/Developer/XcodeServer";
XCBIN="$XCS/CurrentXcodeSymlink/Contents/Developer/usr/bin";
PORTALKC="$XCS/Keychains/Portal.keychain"
PORTALKCS="$XCS/SharedSecrets/PortalKeychainSharedSecret"
sudo security -i <<IMPORT
unlock-keychain -p "`sudo cat $PORTALKCS`" $PORTALKC
import "$P12FILE" -k $PORTALKC -T "$XCBIN/xcsbuildd" -T "$XCBIN/xcscontrol" -T "$XCBIN/xcodebuild" -T /usr/bin/codesign
lock-keychain $PORTALKC
IMPORT
}
echo "Please enter your account password:"
for p12 in "$@"
do
importP12 "$p12"
done
And do
> importP12.sh your-P12-file.p12
Password: your-administrator-password
A dialog asking you for the P12 import password should appear and you are set.
This answer from Matt Moriarity brought me to a solution: https://devforums.apple.com/message/1022214#1022214
I just re-connected the build server with our development team. This made the Xcode-service to re-initialize all certificates and provisioning profiles it needs. Now the integration builds run without errors.
In Server > Xcode > Settings > Builds > Development Teams click on Edit...
Remove your development team(s) from the list and press OK
After the Server.app has finished its work, there should be no entry behind "Development Teams" and the list of devices is also empty.
Now open Server > Xcode > Settings > Builds > Development Teams > Edit... again and add your development team
After your team and devices re-appeared, you can start the integration build
It's important not to use your own provisioning profiles. Take the "iOS Developer (Automatic)" setting.
If you had it working with the old OS X Server and Xcode 5, you just do:
$ mv /Library/Developer/XcodeServer/Keychains/Portal.keychain /Library/Developer/XcodeServer/Keychains/Portal.keychain.bkp
$ ln -s /Library/Keychains/System.keychain /Library/Developer/XcodeServer/Keychains/Portal.keychain
The old server used the system keychain.
When you export a .p12 file Keychain Access will ask you for a password. Try adding the password for the p12 file to your command. Like so,
sudo security import "/Users/administrator/Desktop/Greener Pastures Enterprise Distribution TEST Certificate.p12" -P PASSWORD -k /Library/Developer/XcodeServer/Keychains/Portal.keychain -A -T /usr/bin/codesign -T /usr/bin/xcodebuild -T /usr/bin/pkgbuild
I have a script on our build server that imports p12 files from a drop off folder. The import line looks like this:
security import $_ -k /Library/Developer/XcodeServer/Keychains/Portal.keychain -P PASSWORD -A
I had the same issue. I fixed it through the following methods :
Xcode > Preferences > Accounts > View Details > And just refresh the Provisioning Profile
Then Restart the Xcode and Clean & Build.
For OS X Server 4.0 and Xcode 6.1 there is a much easier way:
Open your project with Xcode on the server, add your developer account to "Accounts" and download all required provisioning profiles.
Copy your provisioning profiles from /Users//Library/MobileDevices/Provisioning Profiles/ into /Library/Developer/XcodeServer/ProvisioningProfiles/
Give read and write access for administrators for the folder /Library/Developer/XcodeServer/ProvisioningProfiles/
Open Keychain Access, double-click on the provisioning profile keys (for example iOS Developer: XY) and allow access for all apps.
Done.
Install certificates(*.p12) to keychain on machine with Xcode server
In Keychain.app copy "Login-My Certificates" to "System-My Certificates"