In Visual Studio 2015 Self Signed SSL Cert SHA-1 - ssl

I am using Visual Studio 2015, just created a new MVC / Web API project to experiment using https. The sites I am currently using as a walkthrough (https://azure.microsoft.com/en-us/documentation/articles/web-sites-dotnet-deploy-aspnet-mvc-app-membership-oauth-sql-database/) and (http://www.asp.net/mvc/overview/security/create-an-aspnet-mvc-5-app-with-facebook-and-google-oauth2-and-openid-sign-on) seem pretty straightforward.
I have accepted the self-signed certificate VS 2015 IIS Express creates; however, I am getting warnings in Chrome that it uses a deprecated signature algorithm based on SHA-1. Other research suggests that Chrome is phasing out support for SHA-1 certificates.
What do I need to do inside Visual Studio to upgrade the signature algorithm creating the Self Signed SSL Certs from SHA-1 to SHA-256 for any new certificates that get created in the future?

There is a link here, but I couldn't do it myself. Maybe it will work for you:
https://msdn.microsoft.com/en-us/library/br230260.aspx
In Solution Explorer, open the shortcut menu for the .appxmanifest file, choose Open With, and then choose App Manifest Designer.
In the App Manifest Designer, choose the Packaging tab, and then choose the Choose Certificate button.
In the Choose Certificate dialog box, expand the Configure Certificate list, and then choose one of the following options:
Pick from certificate store
Pick one of your Personal certificates from the certificate store in the operating system.
Select from file
Pick an existing certificate file from the file system.
Create test certificate
Create a certificate with a Publisher ID of your choice. You can also create a password.
UPDATED (26.07.2018): Actually, there are Let's Encrypt certificates you could use for free.
There is one cmd option: win-acme
and there is another with a GUI: certifytheweb
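For the SHA-1 question above, one way to check which signature algorithm the local development certificates use and to issue a SHA-256 replacement. This is an added example, not part of the original posts; it assumes the development certificate sits in Cert:\LocalMachine\My with subject CN=localhost, that the session is elevated, and the friendly name is a made-up label.

```powershell
# Added example (not from the posts). Requires an elevated session on
# Windows 10 / Server 2016 or later for the -HashAlgorithm parameter.

# Assumption: development certificates live in the machine "Personal" store
# with subject CN=localhost.
$store = 'Cert:\LocalMachine\My'

function Get-LocalhostCertAudit {
    # List every localhost certificate and flag the ones signed with SHA-1.
    Get-ChildItem $store |
        Where-Object { $_.Subject -eq 'CN=localhost' } |
        ForEach-Object {
            [pscustomobject]@{
                Thumbprint   = $_.Thumbprint
                FriendlyName = $_.FriendlyName
                Algorithm    = $_.SignatureAlgorithm.FriendlyName   # e.g. sha1RSA, sha256RSA
                NotAfter     = $_.NotAfter
                IsSha1       = $_.SignatureAlgorithm.FriendlyName -match '^sha1'
            }
        }
}

function New-Sha256LocalhostCert {
    # Issue a self-signed localhost certificate whose signature uses SHA-256.
    $cert = New-SelfSignedCertificate `
        -DnsName 'localhost' `
        -CertStoreLocation $store `
        -HashAlgorithm SHA256 `
        -KeyAlgorithm RSA -KeyLength 2048 `
        -NotAfter (Get-Date).AddYears(1) `
        -FriendlyName 'Dev localhost (SHA-256)'   # hypothetical label

    # Confirm the result instead of trusting the parameters.
    if ($cert.SignatureAlgorithm.FriendlyName -notmatch '^sha256') {
        throw "Unexpected signature algorithm: $($cert.SignatureAlgorithm.FriendlyName)"
    }
    $cert
}

Get-LocalhostCertAudit | Format-Table -AutoSize
$new = New-Sha256LocalhostCert
"Created $($new.Thumbprint) signed with $($new.SignatureAlgorithm.FriendlyName)"
```

Binding the new certificate to the HTTPS port the site listens on, and trusting it in the browser, are separate steps not shown here.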

Related

Deploy VSTO Add-In Without Signing Certificate?

This is my first time trying to deploy a VSTO add-in to a user's system, and I am running into a security barrier. The add-in was built in Visual Studio 2019 Community Edition and is meant to integrate with Microsoft Excel. The user runs Office 365.
On running Setup.exe, user receives the initial confirmation prompt and clicks "Install." A progress bar briefly appears and runs about 25% of the way, then an error message pops up: "Customized functionality in this application will not work because the certificate used to sign the deployment manifest for [the add-in] or its location is not trusted."
I understand that Microsoft would like me to pay for a signing certificate, but I am hoping to get this to work while avoiding that expense.
This article from Microsoft describes the use of a digital certificate as "an optional step": ClickOnce and Authenticode. This article states that an alternative route is for the user to click the "ClickOnce trust prompt" during installation: Grant trust to Office solutions. But as far as I understand the process, it is halted before it even gets to the ClickOnce trust prompt, so the user never gets that option.
For comparison, the user ran the installation on an older system. On that system he received the ClickOnce prompt, approved the software, and the installation ran successfully to the end. This indicates very strongly that the problem on the newer system is a security setting.
I instructed the user to open Excel and go to Options > Trust Center > Trust Center Settings > Add-Ins and remove the check mark from "Require Application Add-Ins to be signed by Trusted Publisher." There was no check mark to begin with, so that setting was not the issue.
I have instructed the user to go to the command prompt and clean out any remnants of the failed install with rundll32 dfshim CleanOnlineAppCache before each new installation attempt.
I'm at a loss as to where to look next. Any help would be much appreciated.
One relatively easy workaround: you pack the "publish" folder as a ZIP file and disable any online checks or deployments (in the project settings, select to publish locally, not to a website. Installing from a website or auto-update won't work without a normal certificate). Then give your user that ZIP. The user downloads that ZIP, then right-clicks the ZIP file and checks "Unblock", then unzips and installs normally. Now any certificate should do. This applies if your user downloads your file from the internet.
So the idea is very simple: Just tell your user to click "Unblock" checkbox before extracting files from the ZIP archive you have sent and running them.
Another solution: you simply tell the user's system to trust your "self-signed" developer's certificate (add your certificate to the "Trusted Publishers" store on the user's computer). For that you need admin rights. Please note that the user's admins probably won't like this idea, unless you and your user work in the same organization. Here are the instructions: https://learn.microsoft.com/en-us/skype-sdk/sdn/articles/installing-the-trusted-root-certificate
The best and easiest, of course, would be if you buy a normal code signing certificate. They are not that expensive; you can get one from COMODO (Sectigo), for example, for something like $70/year through their resellers.
On the target machine, you need to install and trust the certificate used to sign your add-in (see the Signing tab of your project options).
What is required for the certification process, is it a quick process? Are they certifying me / my business or the code?
It is a quick process for the process:
Sign with valid certificate when publishing.
Add the publisher into Trusted Publisher before installing when Macro Settings is a high security level.
Finish installing.
You can obtain a certificate for code signing in one of three ways:
Purchase one from a certificate vendor.
Receive one from a group in your organization responsible for creating digital certificates.
Generate your own certificate with MakeCert.exe, which is included with the Windows Software Development Kit (SDK).

Signing exe with certificate doesn't solve the display of smartscreen

I'm developing a C++ program. I generate a certificate from our PKI solution configured in our company (Microsoft). I sign my .exe using the generated certificate. But when I put my file on the server (internet) and download it, I have the problem of SmartScreen being displayed. What should I do to make my .exe work well on all computers of our company? Should I buy a certificate to sign my code? Sign my code with the root certificate?
I think the problem is that your application has been downloaded by only a few users and its reputation is unknown to Microsoft.
P.S. And you can distribute your program in the Microsoft Store.

iOS - Prevent iPhone Configuration Profile from being deleted OR check to see if it's installed

I'm working on an iOS enterprise app that relies on a Configuration Profile being put on the phone. Unfortunately, the user can "cancel" this profile, which really screws with our app.
So I was wondering if a) is it possible to prevent a configuration profile from being deleted OR
b) is there a way to check to see if a configuration profile is installed already (say, at runtime, then we can just install it again if it's not there)?
If you want the configuration profile not to be tampered with / disabled by the user, this is possible! If you're using Apple Configurator to build your .mobileconfig file, in the General tab select Security as Never. Be aware: once the profile is installed on the device, it cannot be reverted unless you restore the device.
The long story short is there is no current documented way to even programmatically call / install a configuration profile (.mobileconfig) file onto the device: so if you're thinking about checking whether the profile exists and if not to install it, it's impossible (as for available documentation thus far) - if you do find a way, let me know.
Note:
.mobileconfig files can only run through Safari / Mail.
This similar SO discussion may help: Installing a configuration profile on iPhone - programmatically
It is possible to check if a .mobileconfig is installed.
What you need to do is:
Create a CA (certificate authority) and export it as .cer.
Issue a certificate using the created CA and export it as .cer as well.
Using the Apple Configurator app, add the CA .cer in the certificates area.
The mobile configuration profile will have the CA .cer.
Add the issued certificate (from step two) to the app bundle.
Using the Security framework, evaluate (SecTrustEvaluate) the certificate issued in step 2.

Windows security warning shows publisher unknown

I am developing an AIR application. I am exporting the release build as a native installer by signing it with a digital certificate that was bought from TC Trust Center. The following flow happens with the setup.exe created.
This setup.exe is now uploaded to a host to enable users to download the setup file.
A user downloads this using browser and double clicks on the downloaded setup.exe.
Windows shows up a security warning pop up and states that the publisher is unknown.
After clicking continue, the AIR installer shows up the correct publisher name
And when the program is installed the control panel also shows up the correct publisher name.
I would like to know why is Windows security warning unable to detect the publisher name? And how can this issue be resolved. Kindly help. Thanks in advance :)
Publisher name must not necessarily be taken from the signature. In fact, in Control Panel it's taken from the registry record rather than from the signature, so this is not a proof.
Most likely you needed to include intermediate CA certificates with the signature, and the tool didn't do this automatically.
Open Explorer, right-click on your setup.exe and invoke the Properties dialog. If the signature is present and recognized, the Digital Signature tab will appear in the properties. This doesn't mean that the signature is valid, though. You need to go to this tab and check the certificates used for signing, their status and the certificate chain. The certificate chain must be complete and lead up to a recognized root or trusted CA certificate (recognized means that Windows has it in its trust list).
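The same check as the Properties dialog walk-through above, done from PowerShell so it can be repeated on every build. This is an added example, not part of the original answer; '.\setup.exe' is a placeholder path and the function name is hypothetical.

```powershell
# Added example (not from the answer): report the Authenticode status and the
# certificate chain of a signed file. '.\setup.exe' is a placeholder path.
function Get-SignatureChainReport {
    param([Parameter(Mandatory)][string]$FilePath)

    $sig = Get-AuthenticodeSignature -FilePath $FilePath
    Write-Host "Signature status: $($sig.Status) - $($sig.StatusMessage)"
    if (-not $sig.SignerCertificate) { return }   # unsigned file, nothing to walk

    # Build the chain for the signer and check revocation for every element.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'
    $trusted = $chain.Build($sig.SignerCertificate)
    Write-Host "Chain builds to a trusted root: $trusted"

    # A signature without a timestamp stops validating once the signing
    # certificate expires, so report that as well.
    if ($sig.TimeStamperCertificate) {
        Write-Host "Timestamped by: $($sig.TimeStamperCertificate.Subject)"
    } else {
        Write-Host 'No timestamp on the signature.'
    }

    # One row per certificate, signer first and root last.
    foreach ($element in $chain.ChainElements) {
        $cert = $element.Certificate
        [pscustomobject]@{
            Subject   = $cert.Subject
            Issuer    = $cert.Issuer
            Algorithm = $cert.SignatureAlgorithm.FriendlyName
            NotAfter  = $cert.NotAfter
            Problems  = ($element.ChainElementStatus |
                            ForEach-Object { $_.Status }) -join ', '
        }
    }
}

# Windows can complete a chain from intermediates already present in the local
# store, so run this on a clean machine too: a signature that lacks the
# intermediate CA certificates may validate on the build machine only.
Get-SignatureChainReport -FilePath '.\setup.exe' | Format-List
```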

Adobe AIR-Is a self signed app OK?

I want to develop an app using Adobe AIR. But I have to sign it using a code signing certificate. I don't want to buy a code signing certificate. Would it be OK if I distribute my app with a self-signed certificate?
The only difference between using a real certificate and a self-signed certificate is what the user sees in the initial installation dialog. With a real certificate they'll see a yellow "!" and the app will be shown to be of "KNOWN" origin, and your company name will be shown. With a self-signed cert, there will be a red "?", and it will say the app's publisher is "UNKNOWN". You can see samples of the two dialogs at the very bottom of this page.
So realistically, it comes down to whether you're okay with people seeing a scary warning at install time. If you're only offering up the apps as a "use at your own risk" thing, or the app will be used mainly by a small group of people who already know who you are (an internal company app, e.g.) that may not be an issue, but if you hope for random internet people to come use your app and trust it, a cert may be a good idea.
That depends on your definition of "OK", but most likely no.
A self-signed certificate will not have been issued by a trusted CA, and your certificate will be considered untrusted by the client. I don't think (but have not tested) that the user is actively prevented from installing an app with an untrusted certificate, but they would at least get a warning, and that doesn't give your user a good first impression of your app.
If it's just for yourself or for a small group of people who know and trust you, then a self-signed certificate is most likely not a problem, but if you're distributing it to the world, you will almost certainly prefer a proper certificate.
I have recently looked into developing an AIR app for the company to distribute to customers. On OS X Mavericks, on my Mac and my designer's Mac, a red warning sign pops up stating that we are an unknown publisher. This was using the self-signed certificate. The whole process was clunky with the installation; I had to verify that we were legitimate, as this warning sign inferred we were looking to distribute something underhand.
From a marketing perspective this looked terrible.
In addition to this, I managed to find someone with an 'average' amount of IT skills to test the whole process of downloading the AIR app with a self-signed cert on Windows, and this is what they said:
"Nah I didn't download it... it looked like it wanted to put a virus on my computer." And that is where download ended.
Currently we are looking to get some seal of trust on the application for distribution purposes.
Verisign, Thawte look interesting, although costly.
http://www.symantec.com/code-signing/adobe-air
https://www.thawte.com/code-signing/
Or read this page for more information
http://help.adobe.com/en_US/air/build/WS5b3ccc516d4fbf351e63e3d118666ade46-7ff0.html