MSBuild SignFile task returning MSB3481: The signing certificate could not be located - msbuild

I recently got a new code signing certificate. I'm using MSBuild's SignFile task to sign an application manifest. For some reason the task is returning:
MSB3481: The signing certificate could not be located.
Ensure that it is in the current user's personal store.
The certificate is definitely in my personal store, I can see it in certmgr.msc. And I believe that I'm logged in as the same user since I'm able to sign the manifest using a different certificate that is in the same personal store. Not sure why this new certificate cannot be found.
I'm even able to use signtool.exe with the new certificate's SHA1 to sign files just fine. But I would really prefer to use our existing MSBuild with the SignFile task. Any ideas what could be going wrong here?
I've also tried importing the certificate with and without the complete certification path.

I'm not sure that this will help, but I remember that if you copy the thumbprint from the snap-in field, there is an "invisible" symbol in the first position.
So a thumbprint with that non-printable symbol can't be located in your store. Try removing the first 3-5 symbols of the certificate thumbprint (including quotes) and typing them manually.
Also take into account that the thumbprint should be all uppercase (even though the property is displayed in lowercase).
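The cleanup this answer describes, as an added Python example that is not part of the original answer: it reports any hidden character in a pasted thumbprint, strips separators and quotes, and returns the 40-digit uppercase form. The sample value is constructed, and treating the hidden symbol as a Unicode format or control character (for example U+200E) is an assumption of this example.

```python
import unicodedata

HEX_DIGITS = set("0123456789abcdefABCDEF")
SHA1_HEX_LEN = 40  # a SHA-1 thumbprint is 20 bytes, i.e. 40 hex digits


def clean_thumbprint(raw):
    """Return (thumbprint, hidden): the normalized value and the hidden characters dropped."""
    kept, hidden = [], []
    for ch in raw:
        if ch in HEX_DIGITS:
            kept.append(ch.upper())
        elif ch.isspace() or ch in "\"':":
            continue  # visible separators and quotes from the dialog or a config file
        elif unicodedata.category(ch) in ("Cf", "Cc"):
            # Invisible format/control character: record it so the build log shows it.
            hidden.append("U+%04X %s" % (ord(ch), unicodedata.name(ch, "UNKNOWN")))
        else:
            raise ValueError("unexpected character %r in thumbprint" % ch)
    thumbprint = "".join(kept)
    if len(thumbprint) != SHA1_HEX_LEN:
        raise ValueError("expected %d hex digits, got %d" % (SHA1_HEX_LEN, len(thumbprint)))
    return thumbprint, hidden


# Constructed sample: a made-up thumbprint as pasted from the certificate dialog,
# with a leading U+200E that an editor will not display.
SAMPLE_COPIED = "\u200ea1 b2 c3 d4 e5 f6 07 18 29 3a 4b 5c 6d 7e 8f 90 11 22 33 44"

if __name__ == "__main__":
    value, dropped = clean_thumbprint(SAMPLE_COPIED)
    print(value)
    print("hidden characters removed:", dropped or "none")
```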

Related

How can I config https with PositiveSSL Certificate in Nginx Centos 7 [duplicate]

I've just obtained the certificate from GoDaddy. It came in a .ZIP file, which has two files in it:
"certificate.p7b" & "cetificate.crt"
I've installed both of them, but when I try to look up the private key on any of them, I get NULL, which means that they have no private key.
Of course, all this is a part of the bigger problem, where I'm trying to install a certificate for an AZURE web site and it doesn't take a .crt file, so I need to export it into a .pfx.
By the way, I'm on a work laptop, which has some preinstalled certificates and all of them have private keys. This is the code I use to look up the private key:
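    using System.Security.Cryptography.X509Certificates;

    // Open the current user's personal ("My") store.
    X509Store store = new X509Store(StoreName.My);
    store.Open(OpenFlags.MaxAllowed);
    foreach (var cert in store.Certificates)
    {
        // NULL here means the store holds no private key for this certificate.
        var pk = cert.PrivateKey;
    }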
WHERE IS THE PRIVATE KEY AND HOW CAN I OBTAIN IT?
You already have it. The first thing you did in this process was to generate a key pair. Then you generated a CSR from the key pair, then you got that signed by the CA, now you have a signed certificate, and you still have the original key pair.
When you order the certificate, you are sometimes asked if you want the CA to create a keypair for you OR you will generate the keys locally. If you were not asked (or have chosen the second option), then the browser generates a key and stores it internally. Then you pass the Certificate Request to the CA and they send you the certificate.
You still have the private key in your browser. There exist several options then: (1) visit the CA's site as per their instructions using the same browser that you used to create a Certificate Request. This will work when the CA instructs you to do so, and (2) CAs offer one free re-issue of the certificate for cases like yours. You can request the re-issue.
But in general you must carefully read all instructions and don't proceed further if you don't understand them. If the key was generated locally, then you could have been offered to save the private key in a safe place. If you didn't do this - you are the one to blame.

Provisioning profile "XXXXXX" doesn't include signing certificate "iPhone Distribution: XXXXXXXXXX (XXXXXXXXXX)".

I have been asked to update an old project done in objective-c.
I'm having this issue with my distribution provisioning profile. It goes like this
Provisioning profile "XXXXXX" doesn't include signing certificate
"iPhone Distribution: XXXXXXXXXX (XXXXXXXXXX)".
The thing is I can see the certificate "iPhone Distribution: XXXXXXXXXX (XXXXXXXXXX)" in my keychain. But there are 2 of them. One has a private key and the other one doesn't and both have a different expiry date. When I checked the developer account, the distribution provisioning profile is signed with certificate that doesn't have a private key (the expiry date of the certificate shown on developer account is that of the one without private key)
What is causing this issue?
How can I fix it?
What if I can't get the private key from the older machine (as that machine is no longer usable)?
I tried deleting one of the certificates, and also automatically manage signing. Both didn't work.
Please help.
The problem is that the only valid provisioning profile you have is tied to the distribution certificate for which you do not have the private key. Without the private key, it is not a valid signing identity, so Xcode won't use it.
To fix this, you will need to create a new private key / distribution certificate, and then create a new distribution profile using the newly created certificate. You can find instructions, starting with creating the cert signing request, here.
See 2 above. Without the key, you can't use the existing certificate. If you need to build from multiple Macs, you need to set up a sharing mechanism to provide the private key to any other Macs that will be downloading and using the certs / profiles from Apple's site. I would also back up the private key so that you won't run into this in the future if something happens to your build Mac. Also, when the cert expires, it is helpful to keep the .csr file from answer 2 above. This means you can use the same private key for the new cert when your distribution cert expires.
Make sure you have selected right Code Signing identity.
In my case I had selected Distribution instead of Developer

Xero Failed to Validate Signature

I have created a Xero partner app and I have been asked to renew my Entrust Certificate. When I POST to oauth/RequestToken, I get this error:
oauth_problem=signature_invalid&oauth_problem_advice=Failed%20to%20validate%20signature
Here are the steps that I took:
I downloaded the P12 Entrust Certificate from Xero.
In certmgr, I imported the P12 certificate into my personal certificate store.
I right clicked the certificate. I clicked all tasks and export.
I said do not export the private key.
I exported the file as a CER.
I logged into developer.xero.com and I clicked apps.
I uploaded the CER in the form and clicked save.
Are there any additional steps I must take?
I think where you went wrong is at stage 5.
The entrust cert isn't supposed to be uploaded into the developer portal.
The .cer file you upload into the developer portal contains your public key and is used to decode the signature you provide on your API calls. This signature is signed by your application using the private key associated with it. If the certs are mismatched (which they will be now that the API is trying to decode with the wrong public key), you will receive the "Failed to validate signature" error you are seeing.
You will want to either
Re-upload the previous .cer public key file you used for your application originally, as it will match the private key you are currently signing with (unless you changed this also)
Regenerate a new public/private key pair as described here: https://developer.xero.com/documentation/advanced-docs/public-private-keypair, upload the new .cer public key into the developer portal, and use the new private key in your application

How to use Gmail as your IMAP server for Youtrack?

I want to create a helpdesk project following this great tutorial : http://blog.jetbrains.com/youtrack/2014/02/using-youtrack-as-a-help-desk/
I want to set the parameters of my mailbox using a Gmail address but I don't know how to obtain an SSL key from Gmail.
Without it, I have "Connection timed out" error. I know where to add the SSL key in Youtrack, but I need a file (JKS or PKCS12 format).
My settings:
Protocol:IMAPS
Host:imap.gmail.com
Port:993
Login:mylogin
Password:mypassword
Select SSL key: nothing
Connection timeout:60
Socket timeout:60
Please help :)
Here is how to obtain Gmail trusted root keys (from Google PKI FAQ):
Google may decide to have its intermediate signed by another root at any point in time, so you should have an update mechanism in place for the trusted roots you ship with your product. If you are developing code intended to connect to a Google property, we recommend you include a wide set of trustworthy roots. We made an example available as a PEM file here.
The PEM file provided can be manually converted to PKCS12 with, for instance, the OpenSSL tool.
I suspect, however, that installing a cert won't solve the issue. "Select SSL key" likely stands for client (i.e. YouTrack) certificate, which is not required by Gmail. Please check the following:
If IMAP is enabled in your GMail account
this recipe to make sure Gmail is not blocking new client application explicitly

obtaining the certificate root from another app

If you run codesign -d -r- myapp.app you'll get information about the code signature. A piece of the information displayed is the certificate root, something like certificate root = H"14bbf142a9bcc11abd868458e4ab6419ae8c170c"
Is there any function that can return that information given the path to an app? I've checked Apple's Code Signing Services Reference but I couldn't find anything.
I am using SecRequirementCreateWithString and SecStaticCodeCheckValidity to check the certificate from within my own app but I need to also check the rest of the binaries that form the entire app.
Thanks
As far as I am aware there are no available public APIs for managing Code Signing. You have to parse the output of the codesign tool.
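The parsing approach this answer suggests, as an added Python example that is not part of the original answer: it extracts the certificate root hash from codesign -d -r- output and lists every binary of a bundle that does not pin the expected root. The sample outputs, paths and bundle identifiers are constructed; only the command line and the first hash come from the question.

```python
import re
import subprocess

# The term quoted in the question: certificate root = H"<40 hex digits>"
ROOT_RE = re.compile(r'certificate\s+root\s*=\s*H"([0-9a-fA-F]{40})"')


def certificate_roots(codesign_output):
    """Return every root-certificate hash named in a requirement dump, lowercased."""
    return [h.lower() for h in ROOT_RE.findall(codesign_output)]


def read_requirement(path):
    """Run `codesign -d -r- <path>` (macOS only) and return everything it printed."""
    proc = subprocess.run(["codesign", "-d", "-r-", path],
                          capture_output=True, text=True, check=True)
    return proc.stdout + proc.stderr


def mismatched(outputs, expected_root):
    """Return {path: roots} for each binary that does not pin exactly the expected root."""
    expected = expected_root.lower()
    bad = {}
    for path, text in outputs.items():
        roots = certificate_roots(text)
        if roots != [expected]:  # no root term, another root, or several roots
            bad[path] = roots
    return bad


EXPECTED = "14bbf142a9bcc11abd868458e4ab6419ae8c170c"  # hash quoted in the question
OTHER = "0123456789abcdef0123456789abcdef01234567"     # constructed
# Constructed outputs for three binaries of one bundle (not captured from a real app).
SAMPLE = {
    "MyApp.app": 'designated => identifier "com.example.myapp" and '
                 'certificate root = H"%s"\n' % EXPECTED.upper(),
    "MyApp.app/Contents/Helpers/helper": 'designated => identifier "com.example.helper" '
                 'and certificate root = H"%s"\n' % OTHER,
    "MyApp.app/Contents/MacOS/tool": 'designated => identifier "com.example.tool" '
                 'and anchor apple generic\n',  # requirement with no root hash term
}

if __name__ == "__main__":
    for path, roots in mismatched(SAMPLE, EXPECTED).items():
        print("%s: expected root not pinned (found %s)" % (path, roots or "none"))
```

On a Mac, build the dictionary with read_requirement(path) for each binary in the bundle instead of using the constructed SAMPLE.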