I want to be clear with a question about Sideloading applications for Windows 8 (for use within the company.) Read some articles about it, always write the application before deployment must be cryptographically signed (http://technet.microsoft.com/en-us/library/hh852635.aspx). I found how to sign my app (http://msdn.microsoft.com/ru-RU/library/hh446592%28v=vs.85%29.aspx), but there was a question where to get the key for signature applications. It can be purchased from Verisign, Comodo or a another? If so, what will it take, how much time it takes? Do I understand correctly that the App Packager is not needed for signing app, because the app package generated a Visual Studio, after that you must use CertMgr install the certificate to the domain and sign this certificate application with SignTool? If I'm wrong - please correct me, please
Thank you.
You should be able to generate certificate using Active Directory Certificate Services.
Here is a quick walkthrough on how to generate certificate from AD CS
Active Directory Certificate Services Step-by-Step Guide
If you're doing this without access to AD CS, you may purchase a code signing certificate from any Certificate Authority that offers a RFC3161 timestamping service. The time it takes to get a code signing certificate varies based on how long it takes the certificate authority to verify you are who you say you are.
You will need to manually timestamp the appx file, however, as VS2013 doesn't support using a third party CA's timestamping service when generating appx files. You need to timestamp the appx because otherwise the software will expire the date your code signing certificate expires.
This is how I use the signtool:
signtool sign /fd SHA256 /a /f YourCertKey.pfx /p mypassword /tr http://timestampserver.yourca.com/somepath YourApp.appx
Here is more information on using signtool to sign app packages: http://msdn.microsoft.com/en-us/library/windows/desktop/jj835835(v=vs.85).aspx
If you're attempting to sideload these appx files, you may also need to enable sideload privileges on the computers in question. If you aren't using a domain-joined Windows Enterprise on the client computers, this may involve purchasing side load licenses from Microsoft volume licensing or a partner.
Here is more information about sideloading: http://technet.microsoft.com/en-ca/windows/jj874388.aspx
Related
We are generating document PDF's as part of our server application workflow. We need to be able to sign these documents to prove they are from us and have not been tampered with. We currently do this using a self-signed cert and using syncfusion's PDF module (excellent sw btw!). The problem is (of course) that the self-signed cert is not in the CA trust chain so although the document is secured, it doesnt automatically validate that its from us.
I have been researching where to purchase AATL certified certificates from and have found several vendors (Identrust being one of the more affordable options). However, they all share the same delivery method which is they ship it to you on a secure USB or similar token. What I dont understand then is how to use this token with our hosted VM. Does anyone have any experience in using these types of token ie. are we simply able to export the private key from the token onto the server?
Thanks
You cannot use the tokens in this scenario.
The certificate issuer should provide you with a web-based API that you integrate in your signing process. Usually you send the document hash and get back the signature, but the actual flow and ins/outs depends on the certificate provider.
Then the PDF library you use should let you embed in the PDF file the externally computed signature.
I have a question regarding signing with SSL. I need to sign an application (.exe) written in Delphi. At the same time I also want to sign an Internet Portal with which the application communicate. My question is: does signing services generally provide also the certificate for the application either the certificate for the site? Can you sign the application with the same certificate or do you need another certificate? Can you sign multiple applications with the same certificate?
Thanks in advance.
Alberto
You need 2 certificates: One for code signing (that is, signing the .exe) and one for SSL (for the website).
You can not sign the application using the same cert as your are using for SSL.
You can sign as many applications with your code signing certificate as you like.
You may or may not use the SSL cert for multiple hosts (e.g.: blog.domain.com, www.domain.com, chat.domina.com, static.domain.com...), this depends on the type of certificate you are using.
Also: Please note that you can get free SSL certificates (e.g.: LetsEncrypt provides them, and azure website can use free "managed" certs from microsoft.). However, to my knowledge, there are no free code signing certificates.
I have a code signing certificate from GoDaddy. I've used it successfully to sign the Inno Setup install packages that I use to distribute my Access databases. I'd now like to use it to sign the Microsoft Access databases themselves. The cert is imported into my Personal Store under both my administrator and non-privileged user accounts.
I tried the following:
Open an Access database (.accdb, .mdb, doesn't seem to matter)
go to VBA IDE, Tools --> Digital Signature...
Click on [Choose...]
I got the error message:
No usable signing certificates are available. Please insert your smart card, or contact your administrator to obtain a signing certificate.
Did I miss a step? Is this supported?
I deployed an UWP app on Raspberry with Windows IoT Core.
What will happen when the temporary PFX certificate expire?
the app can still to run on device as the default/startup App?
From: https://msdn.microsoft.com/en-us/library/ff369721.aspx
What do I do if my certificate has expired?
So you have already deployed your application, and now your certificate (purchased or unpurchased) has expired, and you’ve examined the flowchart and determined that your customers are going to have to uninstall and reinstall the application. You can’t even issue an update. Visual Studio will not let you deploy your application with an expired certificate. So what do you do now?
If you need to extend an existing certificate, you can use a program called RenewCert. For details, you can check out my blog post How to extend an existing certificate, even if it has expired.
You can also find a version of RenewCert code on MSDN. I have not tested that specific version, but I’ve heard that it works with test certificates but not purchased certificates. Here’s the link if you want to check it out: http://support.microsoft.com/kb/925521
If you are already using a test certificate, extending it solves your problem. You can sign your deployment with the extended certificate, issue updates, and it will work fine. You can go to lunch, and the rest of us with known publishers can eat at our desks while we continue on. (Can you bring something back for us?)
If you are using a purchased certificate and it has expired, you can use an extended certificate to sign and deploy an update to your application, but it will look like a test certificate. This will seem just like any other update to your customer who already has the application installed, because it does not show the trust dialog when installing an update. New customers will see “Unknown Publisher” in the trust dialog because you are now using a test certificate.
So if your purchased certificate has expired, this enables you to issue an update to the application that programmatically uninstalls the current version and installs a new version signed with the new purchased certificate.
I know this needs Code Signing Certificate. Just wonder if it must be the Code Signing Certificate from VeriSign?
Certification requirements for the Windows Store (Desktop Apps) mandates that files are signed with an Authenticode certificate, but doesn't specify which CA. Based on http://msdn.microsoft.com/en-us/library/windows/desktop/jj256845.aspx I would say that as long as its a reputable code-signing certificate (not self-signed, or a private CA) then it would pass certification.
I think it has to be Verisign, also according to Michael S: https://stackoverflow.com/a/13026302/921282
Also from first hand. I got the next quote when testing with Microsoft development kit. (You get the link to this information only when the test passes without FAILURE. The site is restricted and shows to MS services users only)
WARNING Install signed driver and executable files
"VeriSign Code-Signing Certificates for Microsoft Authenticode ($99 USD)
The Microsoft Authenticode certificate provided by VeriSign is the only accepted method of authentication, file signing, and code-signing. Microsoft will not be able to accept any other authentication method, including GeoTrust authentication required by the Windows Store. "