Could not generate timestamp: Connection reset - air

I get the following error when compiling an Adobe AIR application:
[java] Could not generate timestamp: Connection reset
This application previously compiled fine a few days earlier. I don't know of any configuration changes to the computer.

I added the following arguments to the build.xml file and the error went away:
<arg value="-tsa" />
<arg value="http://sha256timestamp.ws.symantec.com/sha256/timestamp" />
My guess is that Symantec moved the timestamp service that AIR is using.
[EDIT]
We do builds from the command line using ant; ant uses a file called build.xml. If you are running the adt command from the command line or from a .bat script then you would add -tsa http://sha256timestamp.ws.symantec.com/sha256/timestamp to the existing command.

I encountered the same issue when trying to sign an application with multiple certificates when doing a certificate renewal.
Based on Michael Potter's answer, if you are trying to use ADT to multi-sign the certificate you can use the following command:
adt -migrate -tsa "http://sha256timestamp.ws.symantec.com/sha256/timestamp" -storetype pkcs12 -keystore old_cert.p12 myAppIn.air myAppOut.air
old_cert.p12 - the path to the certificate you want to add (this would be the old certificate which is now expired)
myAppIn.air - the app signed with the new certificate
myAppOut.air - the new file to be created when this process is complete

To fix my build.xml I added:
<arg line="-tsa http://sha256timestamp.ws.symantec.com/sha256/timestamp"/>

Before, let's say 6 months ago, a similar issue was happening: "Handshake error"
It was due to Java 1.6 being used. Now, I did the same, just with another timestamp URL:
<arg line="-tsa http://timestamp.digicert.com" />

Related

msbuild fails on Certificate could not be opened, network password not correct

I am trying to create a signed appx package as a test using a purchased code signing certificate. I cannot get it to build without installing the cert locally first (which I don't want to do given this will be done in a CI/CD environment).
I am executing the following on a solution containing an empty WPF project and WAP project.
msbuild $Solution_Path /p:Platform=x64 /p:Configuration=Release `
  /p:UapAppxPackageBuildMode=SideLoadOnly /p:AppxBundlePlatforms="x64" `
  /p:AppxPackageDir=$App_Packages_Directory /p:AppxBundle=Never `
  /p:AppxPackageSigningEnabled=true /p:PackageCertificateThumbprint=$myThumbprint `
  /p:PackageCertificateKeyFile=$myCert /p:PackageCertificatePassword=$myPassword
error: Certificate could not be opened
error: The specified network password is not correct
I have confirmed the password of $myPassword and thumbprint is $myThumbprint by importing the cert and verifying it. I have also tried assigning "" to $myThumbprint. I have confirmed the location of $myCert.
It will build if I assign AppxPackageSigningEnabled=false, but it will be unusable as it is not signed.
In appxmanifest, I have assigned Identity/Publisher to the publisher id of the cert (e.g., Publisher="CN=John Doe, O=Acme, L=TheMoon, S=OuterSpace, C=Universe") and Properties/PublisherDisplayName = the cert's CN (=John Doe)
I have tried exporting the pfx into a cer and using that, but that fails on the cert is not usable as it doesn't include a private key.
I have tried exporting the pfx into a base64 string and then creating a pfx from that - still fails (desperate measures).
Any tips greatly appreciated!
I read that a password protected cert needs to be stored in a cert store for msbuild to use it. Therefore, I ignored the cert on build and added it later by doing the following:
Remove all signing parameters from msbuild as follows
msbuild $Solution_Path /p:Platform=x64 /p:Configuration=Release `
  /p:UapAppxPackageBuildMode=SideLoadOnly /p:AppxBundlePlatforms="x64" `
  /p:AppxPackageDir=$App_Packages_Directory /p:AppxBundle=Never `
  /p:AppxPackageSigningEnabled=false
Given the name of the appx will change based on version and I couldn't find a way to pass wildcards to the SignTool, I used this to grab the built appx:
$Packages_2Sign = (Get-ChildItem -Recurse -Path $currentDirectory -Include *.appx).fullname
Finally, use the SignTool to sign the appx built from the prior step
SignTool sign /fd sha256 /a `
  /f $certificatePath /p $certificatePwd $Packages_2Sign

<urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1076)>

I did a manual installation of Python 3.7.5 on Debian 8; when I run the script I get this error:
<urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1076)>
I saw several questions here on Stack Overflow, mostly regarding macOS. In my case this error is on Linux.
I had the same issue. Here is what I found helped my problem.
import ssl
ssl._create_default_https_context = ssl._create_unverified_context
Please see here for the original answer from markroxor. Hope it will help your problem as well.
I had
<urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1123)>
With python3 3.9.2-3, and other python related packages with the same, or similar, version. On Debian GNU/Linux 11 (Bullseye).
At first, using the suggested
import ssl
ssl._create_default_https_context = ssl._create_unverified_context
managed to solve the problem. Though I do not know if, and which, down sides, or other side effects, this solution has.
Afterwards, I noticed the /etc/ssl/certs/ folder is empty. Installing the ca-certificates package fills in this folder. This seems to be another solution, in which those 2 Python ssl lines are not required. You can see here the detailed list of files the ca-certificates package installed. This article, from 2015, with a last comment from 2017, discusses the location of ca-certificates in various OSs/distributions. I think the ca-certificates package is rather basic, and is usually installed as part of the initial installation of the machine. I do not know how it was missing from that particular machine.
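The two approaches in the answers above differ in what the TLS client actually checks. The following is an added example, not code from the original posts: it compares the settings of the default and unverified contexts and tests whether the host has any CA trust store at all (the empty /etc/ssl/certs case). The function names `describe`, `count_ca_files` and `diagnose` are hypothetical.

```python
import os
import ssl


def describe(ctx):
    """Return the two settings that decide whether a server certificate is checked."""
    return {"verify_mode": ctx.verify_mode.name, "check_hostname": ctx.check_hostname}


def count_ca_files(capath):
    """Count certificate entries in an OpenSSL-style CA directory (0 if missing)."""
    if not capath or not os.path.isdir(capath):
        return 0
    # Debian's ca-certificates installs *.pem / *.crt files plus hashed "<hash>.0" links.
    return sum(1 for name in os.listdir(capath)
               if name.endswith((".pem", ".crt", ".0")))


def diagnose(capath=None, cafile=None):
    """Classify the host: is there any trust store for Python/OpenSSL to verify against?

    With no arguments the OpenSSL default locations are inspected; explicit
    arguments allow testing against a constructed directory.
    """
    paths = ssl.get_default_verify_paths()
    capath = paths.capath if capath is None else capath
    cafile = paths.cafile if cafile is None else cafile
    has_bundle = bool(cafile) and os.path.isfile(cafile) and os.path.getsize(cafile) > 0
    if not has_bundle and count_ca_files(capath) == 0:
        # Nothing to chain to: every HTTPS request fails with
        # "unable to get local issuer certificate". Install the CA bundle
        # (the ca-certificates package on Debian) instead of disabling checks.
        return "no-trust-store"
    # A trust store exists; the failure has another cause, for example an
    # intercepting proxy or a server that omits its intermediate certificate.
    return "trust-store-present"


if __name__ == "__main__":
    print("default context:   ", describe(ssl.create_default_context()))
    # The monkey-patch from the answers makes urllib use this context everywhere:
    print("unverified context:", describe(ssl._create_unverified_context()))
    print("host trust store:  ", diagnose())
```

Once the trust store is present, pass `context=ssl.create_default_context()` to `urllib.request.urlopen` so that certificate and hostname checks stay on.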
What worked for my macOS:
Open the Finder
Find the version of Python that you are using
Open its folder
Click on the "Install Certificates.command". It will open a terminal and install the certificate.
In my case (Dell computer), the SSL problem was caused by Dell software itself (reported here). In that case, according to this answer to another question in the SE network, you can solve the problem by running the following command:
sudo cp /usr/lib/x86_64-linux-gnu/libcrypto.so.3 /opt/dell/dcc/libcrypto.so.3
And then, run this:
sudo update-ca-certificates --fresh
It worked for me on a Dell Latitude 7310, LinuxMint21. November 2022.
THIS IS NOT A SOLUTION:
I have encountered that several times. Note, however, that I'm using Windows, but I would assume that generally the resolving methods should be the same in principle for Mac/Linux.
What I used to do is to force it to not verify the certificate by using the below:
conda config --set ssl_verify false
Note this is not a solution to the issue, it's just a way to make the code run temporarily, or if you're trying to download a library then that should do the trick until you download it. Note that the suggested below is not usually recommended; if you do it, after running your code/downloading your library, remember to turn it back on using the below:
conda config --set ssl_verify true
If this happened after you installed a Python version manually, inside the Python app folder, double click on the "Install Certificates.command" file and it should fix it.

xcodebuild: No certificate matching <cert name> for team

We have a macOS Xcode project that is built from scripts triggered by Bamboo CI. Recently, our builds have started failing with this message:
No certificate matching 'cert name' for team 'team id': Select a
different signing certificate for CODE_SIGN_IDENTITY, a team that
matches your selected certificate, or switch to automatic
provisioning.
Our project uses manual codesigning, and our build command is as follows:
xcodebuild -project ProjectName -target TargetName -configuration Release \
  CODE_SIGN_IDENTITY="Certificate Name" APP_VERSION="major.minor" \
  REVISION_NUMBER="build" CONFIGURATION_BUILD_DIR="output directory" \
  DEVELOPMENT_TEAM=${developmentTeam}
Upon running this instruction in the build script, the build fails at the Check Dependencies step with the aforementioned error message.
Running the build script locally works and the build completes successfully. This indicates that Bamboo is unable to see the signing certificate. What should I do to make the relevant certificate visible to Bamboo?
I've made sure of the following:
None of the certs are expired
The build is not waiting on a codesign dialog box
NB: Builds from as late as yesterday (Sept 11) have been successful, but those are from a different Bamboo plan branch. There have been several code changes between the branch I am building now and the previously successful branch, but none involving the project I am building.
Turns out it was my mistake.
The Bamboo agent was started from an SSH prompt, causing it to be unable to see certificates for some reason, even though I was logged in as a local user (similar to this problem). Stopping the Bamboo agent, then restarting it from a local terminal on the build server caused the Bamboo agent to see the certs again, and builds to complete successfully.
I'm leaving this here in case others run into this problem and find this solution useful.

SignTool internal error when trying to repackage an APPX package?

I'm analyzing existing Windows Store applications and modifying them to make sure my company's obfuscator works with them.
I've run into a bit of a problem doing that though. I can grab an APPX package from the store easily enough (requires Fiddler to get the URL). I can then just use any unzip program to extract the appx to a folder. I can then take the assemblies in the APPX and modify the IL a bit. I then remake and sign the package:
makeappx pack /d "mypackage" /p "mypackage.appx"
signtool sign /fd sha256 /f temporarykey.pfx mypackage.appx
I then get an error with signtool though:
SignTool Error: An unexpected internal error has occured
Error information: "Error: SignerSign() failed." (-2147024885/0x800700b)
And then of course I get an error when trying to install it with the standard PowerShell script file created by Visual Studio for installing/sideloading any APPX package.
Found package: C:\....mypackage.appx
Error: The package is not digitally signed or its signature is corrupted
I've used this exact process for packages generated from Visual Studio. Are temporary keys tied to a particular package or something? What am I missing? Is this a bug in signtool?
Apparently, you can't just take any temporary key and sign the APPX with it. In particular the certificate subject lines must match (the "publisher name"). I do not know of a better way of determining what the subject line must actually be. First, try to use signtool and sign the APPX file with any temporary key. Now go to Event Viewer. Then to Applications and Services and then Microsoft and then Windows and then AppxPackaging and finally Microsoft-Windows-AppxPackages/Operational. There should be an error event that just happened from that build. Check it. It should say something like
Error 0x800700B: The app manifest publisher name (CN=random-hex-number) must match the subject name of the signing certificate (CN=MyWrongName)
So, now make sure to hang on to that random-hex-number. That needs to be the subject line of the certificate and is the cause of the error. To generate a working certificate:
makecert.exe mycert.cer -r -n "CN=random-hex-number" -$ individual -sv private.pkv -pe -cy end
pvk2pfx -pvk private.pkv -spc mycert.cer -pfx mytemporarykey.pfx
Now finally, you should have a temporary key that will work with signtool!
Hopefully this answer serves other people well.

Signing assemblies with PFX files in MSBuild, Team Build, and TFS

I get this error when trying to build a project using Team Build (MSBuild) on TFS 2010:
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Common.targets (1970):
Cannot import the following key file: CCC.pfx.
The key file may be password protected.
To correct this, try to import the certificate again or manually install the certificate to the Strong Name CSP with the following key container name: VS_KEY_C00C673BBB353901
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Common.targets (1970):
Importing key file "CCC.pfx" was canceled.
It all builds OK in Visual Studio 2010. The assembly is signed with a PFX file. Usually in Visual Studio we are prompted for the password the first time we build, but then never again...
I've tried running:
sn -i companyname.pfx VS_KEY_3E185446540E7F7A
as other replies suggested in Stack Overflow question Cannot import the keyfile 'blah.pfx' - error 'The keyfile may be password protected'. I've tried importing into the personal certificate store as suggested in Stack Overflow question Using MSBuild to sign ClickOnce or assembly results in error MSB3321. But all to no avail, still the same error.
How do I do it? Do I have to somehow add the certificate to the Windows account the build service runs under or something like that?
Alternatively, how do I make the build done in Team Build not use signing? I just want to check it compiles and run the unit tests. I don't need signing for that.
You need to adapt this answer to your specifics. Something like:
sn -i companyname.pfx VS_KEY_C00C673BBB353901
What I did is not that elegant, but works: log in as the user that runs msbuild on the build machine, manually invoke msbuild, and then type in the password when prompted. It'll now be saved in that user's certificate store, and now the builds can run unattended.
What finally fixed it for me was making the account under which TFS Build service runs an administrator on the local machine.
Don't know though if any of the other stuff I was trying before also needs to be done to get it working. But before it was admin it didn't work; after it became admin it worked.
I was getting the same error, and after reading your "administrator" comment - I just ran VS Command Prompt as Admin and it now works fine.
I have faced a similar issue
Scenario 1: While building the project on the local system
In my case I was getting the manifest signing error once I downloaded the project from TFS and built it.
To avoid this issue I right-clicked on the project ==> Properties ==> Signing
then unchecked "Sign the ClickOnce Manifests"
OR
You can click the Select from store button and select your login id from the dialog box that opens.
OR
You can install the PFX file manually and later click on the More Options button to install those certificates.
Scenario 2: Manifest error during build
Here, to resolve this error, I first clicked the Select from store button and selected my login id from the dialog box. Then I committed that project in TFS first and then ran the build.
I had following settings:
<PropertyGroup>
  <SignAssembly>false</SignAssembly>
  <AssemblyOriginatorKeyFile>MyKey.pfx</AssemblyOriginatorKeyFile>
</PropertyGroup>
Assembly signing was turned off, but AssemblyOriginatorKeyFile caused an error during manifest signing. Removed AssemblyOriginatorKeyFile to fix it.