I'm trying to sign a Windows 8 appx package with a pfx file I have. I'm using a command like so:
signtool.exe sign /fd sha256 /f "key.pfx" "app.appx"
And from this, I get:
SignTool Error: No certificates were found that met all the given criteria.
What "criteria" am I not meeting? This is only for testing so these are self-signed certificates. I've tried importing the key and then signing it, but it always results in the same error. How do I fix this?
When getting this error through Visual Studio it was because there was a signing certificate setup to match the computer it was originally developed on.
You can check this by going to the project properties > signing tab and checking the certificate details.
You can uncheck "Sign the ClickOnce manifests" to disable signing.
If you don't want to turn this option off you will have to install the certificate.
Try with /debug.1,2 As in :
signtool sign /debug /f mypfxfile.pfx /p <password> (mydllexectuable).exe
It will help you find out what is going on. You should get output like this:
The following certificates were considered:
Issued to: <issuer>
Issued by: <certificate authority> Class 2 Primary Intermediate Server CA
Expires: Sun Mar 01 14:18:23 2015
SHA1 hash: DD0000000000000000000000000000000000D93E
Issued to: <certificate authority> Certification Authority
Issued by: <certificate authority> Certification Authority
Expires: Wed Sep 17 12:46:36 2036
SHA1 hash: 3E0000000000000000000000000000000000000F
After EKU filter, 2 certs were left.
After expiry filter, 2 certs were left.
After Private Key filter, 0 certs were left.
SignTool Error: No certificates were found that met all the given criteria.
You can see what filter is causing your certificate to not work, or if no certificates were considered.
I changed the hashes and other info, but you should get the idea.
1 Please note: signtool is particular about where the /debug option is placed. It needs to go after the sign statement.
2 Also note: the /debug option only works with some versions of signtool. The WDK version has the option, whereas the Windows SDK version does not.
I got the same problem in my console application development and as a quick workaround,
go to project properties then,
click on signing tab and uncheck "Sign the ClickOnce Manifest".
Image Description:
FYI You can also see this less one minute video solution. The above picture is taken form the video.
Please always check your certificate expiry date first because most of the certificates have an expiry date. In my case certificate has expired and I was trying to build project.
If you do not have to sign the app, right click on your project
Project Properties -> Signing -> uncheck "Sign the ClickOnce Manifest"
Also as this MS article suggests,
If you are using Visual Studio 2008 and are targeting .NET 3.5 and using automatic updates, you can just change the certificate and deploy a new version,
In my case I have the wrong type of certificate that I am trying to associate. I had "Server Authentication" rather than "Code signing".
You should be able to see this in Certificate snap in the Intended Purpose section. After that, it just work fine.
Got the same issue, turned out that the private key to the certificate had no permission.
To fix - open the certifacte management, find your certificate, right click -> Manage Private Keys and then in security on top be sure that your user is added and given permissions, that fixed it for me.
In case anyone else runs into this: My problem ended up being that I needed to run the command prompt as administrator before using the signtool.exe app. Then everything works wonderfully.
just uncheck the 'Sign the click once manifests' from the signing tab in project properties,it will remove the error and you can create a new one as from there.
I had this problem and I'm not entirely sure which step below made it work, but hope this helps somebody else...this is what I did:
Install the downloaded certificate (.crt) into certificates (I put it into “personal” store) - right click on .crt file and click Install Certificate.
Run certmgr.msc and export the certificate (found in whichever store you used in the 1st step) as a pfx file including private key and extended properties
Use the exported .pfx file when signing your project
Example signtool: signtool sign /f "c:\mycert.pfx" /p mypassword /d "description" /t http://timestamp.verisign.com/scripts/timstamp.dll $(TargetPath)
where the password is the same as provided during Export
I solved this by using the /sm flag to specify to look in the machine store instead of the default, which is My (Local User) store. Also, it can help to turn on debug for signtool by using /debug.
I'm having the same problem, reading some answers (posted here), I saw my certificate expired.
Just create a new one from my start project. Then at certificates manager deleted the expired certificate.
Now everything compiles fine.
The criteria include account name (whose private key it is associated with), domain, company, expiration date, intended purposes, among other things.
There are many different possible reasons for this error to occur, some have been listed already. Here is another tip: When importing a certificate, be sure you work with the original file received from the certificate authority (CA), or else some of the properties might be lost.
Example: recently I tried to import a certificate exported from a different account on the same machine. The certificate became visible to my account but was not associated with my account, and as a result signtool refused to recognize it without explicitly providing the file name and a password. Which, when done as part of the build process and written out explicitly in a batch file or source file, may not be sufficiently secure. (Importing the original CA-issued certificate solved it.)
I had the same "After Private Key filter, 0 certs were left" message and spent too much of my life trying to figure out what the message meant.
The problem was that I had installed the certificate incorrectly in the Windows Certificate store so there was no private key associated with the code signing certificate.
What I should have done was this:
Using either Firefox or Internet Explorer, submit the
request to the issuer. This generates a PRIVATE KEY which is stored silently by the browser (a dialog appears for a fraction of a second in Firefox). Note that other browsers may not work: your life is too short to find out if they do.
Submit the request, jump through the issuer's validation hoops and loops, sacrifice a goat, pray to the gods, submit a signed statement from your great grandparents, etc.
Download the certificate (.crt) and import it into the same browser. The browser now has both the private key and the certificate.
Export the certificate from the browser as a Personal Information Exchange (.p12) file. You will be asked to supply a password to protect this file.
Keep a backup copy of the .p12 file.
Run the Certificate Manager (certmgr.msc), right click on the Personal certificate store, select All Tasks/Import... and import the .p12 file into Windows. You will be asked for the password you used to protect the file. At this point, depending upon your security requirements, you can mark the key as exportable so you can restore a copy from the Windows store. You can also mark that a password is required before use if you want to break batch scripts.
Run signtool successfully, breathe a sigh of relief, and ponder how much of your life you have wasted due to bad error messages and poor or missing documentation.
My problem ended up being that I did not understand the signtool options. I had provided the /n option with something that did not match my certificate. When I removed that it stopped complaining.
I have had this issue too, tried a lot. Used SDK as well as Visual Studio signing, but everywhere I got "No certificates were found that met all the given criteria".
Solution:
Be aware that, if "after private key filter": '0 left' shows up with option signtool sign /debug..., the cause is your PC doesn't has the CA itself in the store. To solve this, install the CA first (in my case a .crt file), then run the sign again. It should work right now!
Signtool only can be used with a CA which is requested ánd owned by the same PC.
I had a similar problem my computer name had change and the certificate had expired. I was able to resolve this issue by creating a new test certificate.
In Visual Studio, right click on project in solution explorer. Select properties. Select Signing in properties window. Click "Create Test Certificate....". Enter password information for test certificate and click ok.
With /debug, when you get this message "After Private Key filter, 0 certs were left.", one reason could be that the pfx file doesn't have the private key.
When you export the installed certificate to pfx file ensure to enable the check box to also include the private key.
Go to project properties and uncheck all fields from the Firm before init the compilation
The digicert Token I use, must be recognized as "Microsoft Usbccid-Smartcard-Leser(WUDF)".
In case not, I get this error message 'No certificates were found that met all given criteria ...'.
That kept me searching in SignTool options and the properties of the certificates quite long with no effort at all. So I hope it helps someone :-)
I got this error when using Git Bash.
Using PowerShell succeeded.
If it helps anyone.
I am trying to ignore the certificate warning on remote desktop connection - the one in the image:
So far I have found that when I check the "don't ask again" checkbox it is generating registry key over here:
HKCU:\Software\Microsoft\Terminal Server Client\Servers
A new record is generated with the name of the server and key name CertHash that contains a value that is specific for a machine. The key is the same for a machine - if I delete it and check the checkbox the same value is again generated. There is a new value in case I recreate the virtual machine so I think it is something machine specific.
Can someone tell me how is this hash generated so I can populate the key from command line? Adding certificate is not an option and the machines will be frequently regenerated so I need an option to ignore this automatically as I need to connect a user to the machine and run some programs in it.
I know this is an old question. But this may help someone who is looking for the same solution.
Method 1
You may over ride the certificate check for ALL RDP connections (use it at your own risk)
Just add a new registry key as below.
reg add "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client" /v "AuthenticationLevelOverride" /t "REG_DWORD" /d 0 /f
Method 2
Considering if you have admin rights on the remote machine, you could actually get the crethash value from the remote machine using the below wmic command. So you could make a small batch file to get this value before you launch the mstsc and add this value in registry. I haven't included the complete batch file but thats the idea.
wmic /node:Testserver /namespace:\\root\CIMV2\TerminalServices PATH Win32_TSGeneralSetting get SSLCertificateSHA1Hash
See this link.
Run Microsoft Management Console (mmc) and add the Certificates snap-in if you don't already have it for the computer you would like to connect to. In the Certificates, find the Remote Desktop folder, and open the certificate in that folder. On the Details tab, scroll down to find the Thumbprint value - this is the value you should copy to the registry.
The release notes for NuGet 1.5 state
NuGet now supports connecting to private repositories that require basic
or NTLM authentication.
However, the link contained in there simply leads to the hosting your own nuget feeds page, without any further mention of how to set up authentication.
I would like to set up a NuGet server that is accessible via https from the internet, but only allows people who can successfully authenticate to view or download the packages on the server.
I did create an application without auth as described in the Creating Remote Feeds section in the documentation, and it works nicely on the intranet. What do I have to do to enable authentication on this repo?
An additional requirement would be that solution should not cost hundreds of dollars (the first two answers promote products that might solve the problem but cost a lot).
This can be done by enabling Windows Authentication on the Web Site and adding credentials on the build server via the Sources command-line option, by default the credentials are stored using a DPAPI key restricted to the current user on the current machine (thus, for a build server, you would need to add credentials while logged in under the service account.)
For Developer workstations you only need to add the feed in NuGet Package Manager and then input/store credentials when refreshing the feed (you should be prompted.)
Step 1 - Require Authentication on NuGet Server (IIS Configuration)
You need to make sure the authentication module you wish to use is installed for IIS, for NTLM auth you will need the Windows Authentication module. Once installed you can open IIS Manager and drill down to your website, open the Authentication settings and Enable Windows Authentication, be sure to disable any authentication modules you do not want to support (such as Anonymous, Basic, etc.)
To ensure that user credentials are used, right-click on the Site and select "Advanced Settings", then click on the button for "Physical Path Credentials". In the dialog ensure that "Application User (pass-through authentication)" is selected.
More detailed information about standard IIS configuration for Windows Authentication can be found on TechNet including configuring from a command-line and enabling Negotiate (if that was your goal.)
Step 2 - Add Sources to NuGet Config (Build Server, Publishers)
nuget.exe sources add -Name "Fabrikam Feed" -Source "https://nuget.fabrikam.com:443/nuget/"
nuget.exe sources add -Name "Fabirkam Publish" -Source "https://nuget.fabirkam.com:443/"
Here we are adding two entries, one which will be used as the normal, authenticated Feed URL (for fetching packages from the server.) The second will be used for publishing to the server (adding or updating nupkg files.)
Step 3 - Update Credentials for Added Sources (Build Server, Publishers)
nuget.exe sources update -Name "Fabrikam Feed" -Source "https://nuget.fabrikam.com:443/nuget/" -UserName "Developer" -Password "g0d"
nuget.exe sources update -Name "Fabrikam Publish" -Source "https://nuget.fabrikam.com:443/" -UserName "Developer" -Password "g0d"
Here we have added credentials to the config, if you view %APPDATA%\NuGet\NuGet.config you should see the feeds you have added as well as encrypted credentials.
If you do not have the ability to log in as the server it is possible to store credentials in clear text by utilizing the StorePasswordInClearText option, but this is not advised in a shared environment.
Step 4 - (Optional) Disable the Publish URL in Visual Studio (Developers)
Open Visual Studio and navigate to the NuGet Package Manager Settings Dialog, untick the "Fabrikam Publish" feed. This will not affect your ability to publish, however, if you do not disable this feed you will receive errors when you try and refresh packages for "All" sources (as it is a publish URL, not a feed URL.)
Step 5 - (Optional) Store Windows Credentials in Visual Studio (Developers)
Open Visual Studio and navigate to the NuGet Package Manager, click on "Fabrikam Feed". You should be prompted for credentials. You can enter credentials here and tick the save/remember options. This ensures that attempting to refresh the feed in Visual Studio doesn't constantly ask for credentials. In the latest releases of NuGet Package Manager the feed is fetched using a standard HTTP request and the credentials you've stored to nuget.config are NOT used.
Notes:
You do not need a third party solution to host private, secure feeds. NuGet server is freely available and NTLM/AD/Windows security is supported by both IIS and NuGet tooling.
Developers who do not need to publish to the feed do not need to store credentials in their config. They also do not need a 'Publish' feed configured. This is only necessary for build servers or other publishers (re: Steps 2 and 3.)
All developers who will use the package feed will be interested in Step 5, this should be all that is required for most developers. They can simply add the feed from within Visual Studio, then enter their credentials when prompted.
If credentials change you can navigate to Start -> Manage Windows Credentials and delete "VSCredentials_nuget.fabrikam.com".
Step 2 can be performed in visual studio, but for clarity I've given the command-line here. Step 3, however, must be performed via command-line (or using the NuGet APIs.)
In a future release of NuGet rumor is credential information can be stored at the solution or project level (details are unclear), this is likely only of interest to people in a multi-tenant build environment where they do not have access to the build server.
Hope this helps someone else out there!
The solution I actually chose was to use TeamCity as NuGet server; while it's a bit of a hassle to set up because it lacks nuget push functionality, it now works nicely and at no additional cost serving NuGet packages to authenticated users only.
I have implemented a windows service that runs every 3 minutes and polls a database for notifications that are ready to be sent. I collects them into a list determines whether it is an ios or an android notification and then call the PushBroker (PushSharp solution is included as a compiled solution in my solution project) I then iterate the items in the list to process as follows:
static void ProcessIOS(List<Client> IOS)
{
PushBroker push = new PushBroker();
push.OnNotificationSent += NotificationSent;
push.OnChannelException += ChannelException;
push.OnServiceException += ServiceException;
push.OnNotificationFailed += NotificationFailed;
push.OnDeviceSubscriptionExpired += DeviceSubscriptionExpired;
push.OnDeviceSubscriptionChanged += DeviceSubscriptionChanged;
push.OnChannelCreated += ChannelCreated;
push.OnChannelDestroyed += ChannelDestroyed;
foreach (var entry in IOS)
{
string dev = entry.Device_Id.ToString();
string load = entry.Push_Payload.ToString();
int count = entry.Unread_Count;
var appleCert = File.ReadAllBytes(Path.Combine(AppDomain.CurrentDomain.BaseDirectory, "../../../productionfile.p12"));
push.RegisterAppleService(new ApplePushChannelSettings(true, appleCert, "password")); //Extension method
push.QueueNotification(new AppleNotification()
.ForDeviceToken(dev)
.WithAlert(load)
.WithBadge(count));
}
}
The messages are sent successfully, however, the issue I am having is
1. trying to retrieve the responses when message was sent successfully, or failed, reason for failure etc... these are delegates within the pushsharp code so that I can log the responses to our database. For clarification... I need to know what entry attempt(deviceID) the error responses are from. I am unable to tell by the generated messages from the notificationsent delegates since the data is not linked to any particular deviceid delivery attempt.
2. I also want to be able to keep the pushsharp code as is without modifications and call methods from my code to reduce merging issues when any updates are made to pushsharp code in future.
Any Suggestions?
If anyone can give me any examples on how to use the response events and delegates to retrieve information for each notification send attempt, I would appreciate it.
thank you.
I did not get any replies but with further research I was able to resolve my issue with the failed sucesses and was able to successfully send out notifications with no errors. The solution was to regenerated my certificates. Since I am using a windows server for my push notification server The following steps will guide you to generate an APNs certificate from a Windows Server.
If you have already generated your certificate from a Mac OS X workstation, you can skip this
section and upload your certificate to the Push Notification Server.
Step 1—Generating a Certificate Signing Request (CSR)
1. Go to Start > Administrative Tools > Internet Information Services (IIS) Manager, and select the
server name.
2. Double-click Server Certificates.
Note: The version of IIS server is 7.0 in this document.
From the Actions pane on the right, click Create Certificate Request. The Request Certificate
wizard appears.
In the Distinguished Name Properties window, type the following:
• Common Name—the name associated with your Apple Developer account
• Organization—the legally registered name of your organization/company
• Organizational unit—the name of your department within the organization
• City/locality—the city in which your organization is located
• State/province—the state or province in which your organization is located
• Country/region—the country or region in which your organization is located
Click Next. Cryptographic Service Provider Properties window appears.
Select Microsoft RSA SChannel Cryptographic Provider in the Cryptographic service provider
field and 2048 in the Bit length field, and then click Next.
Select a location where you want to save the certificate request file. Make sure to remember
the filename and the location where you save the file.
Click Finish. You have now created a CSR request and are ready to upload it to your Apple
development portal.
Step 2— Uploading CSR to your Apple development portal and generate the
APNs certificate
Step 3— Downloading and Installing your APNs certificate
Click Download to save the .cer file to your computer.
Copy the .cer certificate file to the same Windows Server computer where you created the
certificate request file.
Go to Start > Administrative Tools > Internet Information Services (IIS) Manager, select the
server name, and then double-click Server Certificates
From the Actions pane on the right, click Complete Certificate Request. The Complete
Certificate Request wizard appears.
Select the .cer certificate file that you downloaded from the Apple Developer Portal, and type
the name of your application (e.g. com.xxxx.xxxxx) in the Friendly name field.
Tip: The friendly name is not a part of the certificate itself, but is used by the server
administrator to easily distinguish the certificate.
6. Select OK. The certificate will be installed on the server.
7. Verify that your Apple Production Push Services certificate appears on the Server Certificates
list.
A. If you can see the certificate, follow the next steps to export the certificate and upload it to
the Push Notification Server.
8. Right-click on the certificate in the Server Certificates list, and then click Export.
Select the location where you want to save the file, choose a password for exporting, and then
click OK. (Export as a .pfx)
Tip: If you only have the option to save as a .cer file rather than a .pfx, then you are not
correctly exporting the certificate. Make sure you selected the correct file to export. If you still do not have the option to export as a .pfx go to step B. below.
Note: Make sure to remember the password, or keep it in the secure place. The password will
be required when uploading the certificate to the Push Notification Server.
After completing all these steps, you should have the following items:
• APNs certificate (.pfx format, not .cer format)
• The password that you set when exporting the certificate
You are now ready to upload your certificate to Push Notification Server if you are not on that server already.
B. If you DON’T can see the certificate in the Server Certificate UI as shown above or DO NOT have the option to export as a .pfx from that UI, follow the next steps to export the certificate and upload it to the Push Notification Server.
8 . Go to Microsoft Managenment console
9. On the Start Menu, click Run, type MMC, and then click OK. Microsoft Management Console opens with an empty console (or administrative tool) as shown in Figure 1 below. The empty console has no management functionality until you add some snap-ins. The MMC menu commands on the menu bar at the top of the Microsoft Management Console window apply to the entire console.
Click File->Open and select Console1.msc and Open
Right click on the certificate you want to export select All Tasks-> Export
Click Next on the Certificate Export Wizard
Choose Yes, export the private key
Warning: DO NOT select Delete private key
Select, Personal Information Exchange - PKCS #12 (.PFX) if not already selected by default.
Browse to the location where the .cer is residing on your machine
Select the location where you want to save the file, choose a password for exporting, and then click OK. (Export as a .pfx)
Go to the exported .pfx file and rename extension to .p12.
Place file in root directory where Push Notification Engine is installed (e.g. C:\ or D:)
So here's a bit of context for the horror story:
Win 2003 SP2 64bit running on a VM exposed to outside world for web access.
SQL Server 2008 Std SP2 64bit with Reporting Services (RS) installed for native mode (i.e. not sharepoint mode).
IIS 6 .NET 3.5 web site app written to use the web services from RS. The site has been set to use Windows Authentication and nothing else.
To save writting custom authentication since I don't need it for this demo I have set-up a local account in Win 2003, i.e. servername\myDemoUser, effectively allow fake Windows Authentication.
Default.aspx lists folders on RS and the reports from each folder. It also has a link to the Report Builder 2 on the server.
The rsreportserver.config has been changed so that the only <AuthenticationType> is <RSWindowsNTLM> since <RSWindowsNegoiate> can't work since it's across the internet and users will not be on the same network (hence the local account myDemoUser).
The web site app has url of the form: http://mysite.mydomain.co.uk/ and the link on it to the Report Builder is of the form: http://mysite.mydomain.co.uk/services/reportbuilder/reportbuilder_2_0_0_0.application, in this case RS has been configured so the Web services virtual directory is "services".
The web.config for the website app has been set to <identity impersonate="true /> for <locations> for the ASPX pages that access the RS webservice. I even added a <location path="services/reportbuilder"> with the same thing and also to allow anonymous users.
So after all the above I go to the site from a machine that isn't on the network, I get prompted by IE8 for username/password and I enter servername\myDemoUser and the correct password. The homepage is displayed and correctly shows the list of folders and reports from RS. HOWEVER if I click the RS report builder link I get the pop window saying it's doing it's clickonce verfication stuff but after a couple of seconds it shows simple message box saying there was an authentication error. The details button then shows a text file with a bunch of stacktrace stuff in which eventually says that the server returned 401 while accessing the .application file mentioned above.
I turned on failure auditing for logins on the Win 2003 VM and I can see that when the clickonce fails it is trying to use the local machine account I logged into on the external (to my network) machine instead of the credentials I entered into the browser on that machine when testing it.
Much Googling and granting of permissions to Network service, everyone etc... on various folders involved later nothing the Report Builder bit just won't install via clickonce due to permissions or the incorrect use there of.
I'm looking into maybe changing something in the RS to try and grant permissions to the report builder to anonymous but at this point I'm pretty pessimistic that I'll actually find anything. The annoying thing about this is that this a test that doesn't represent the final thing (we'll be using custom authentication in RS) but unfortunately I have to do it, 8(.
Any ideas would be most appreciated.
It turns out that when using fake Windows authentication in this way when the machine you are accessing the site from a machine where you have not logged into the domain then clickOnce won't work because it won't pass the details you enter into the browser as found.
So the solution is to:
1) Log into a (any) domain on the machine that is going to access the clickonce link on your site.
2) In Control Panel go to User Accounts (XP)/Store Users and Passwords (Win 2003), and manage the network passwords for a user (XP) and add in the URL, username and password.
Whenever clickonce fires up for this URL it will pass the username/password specified as opposed to the local machine account.
Either of the above will solve this problem.