obtaining the certificate root from another app - objective-c

If you run codesign -d -r- myapp.app, you'll get information about the code signature. One piece of the information displayed is the certificate root, something like certificate root = H"14bbf142a9bcc11abd868458e4ab6419ae8c170c"
Is there any function that can return that information given the path to an app? I've checked Apple's Code Signing Services Reference but I couldn't find anything.
I am using SecRequirementCreateWithString and SecStaticCodeCheckValidity to check the certificate from within my own app, but I also need to check the rest of the binaries that form the entire app.
Thanks

As far as I am aware there are no available public APIs for managing Code Signing. You have to parse the output of the codesign tool.
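The approach the answer suggests, parsing codesign output, carried out for every binary in a bundle rather than just the main executable. This is an added example, not code from the question or the answer; the bundle path and the expected root hash are placeholders passed by the caller, and the sample requirement text is constructed to look like what codesign -d -r- prints. It runs codesign only on macOS; the parsing functions work anywhere.

```shell
#!/bin/sh
# Added example (not from the original question or answer): the answer's
# suggestion of parsing codesign output, done for a whole bundle. The bundle
# path and expected hash are placeholders passed by the caller.

# Constructed sample of what `codesign -d -r- MyApp.app` prints on stdout
# (the "Executable=" line goes to stderr and is not part of this text).
SAMPLE_REQUIREMENT='designated => identifier "com.example.myapp" and anchor apple generic and certificate root = H"14bbf142a9bcc11abd868458e4ab6419ae8c170c"'

# Read requirement text on stdin and print the hex hash from the first
# 'certificate root = H"..."' clause, lower-cased; prints nothing if the
# requirement pins something else (e.g. only "anchor apple generic").
cert_root_from_requirement() {
    sed -n 's/.*certificate root = H"\([0-9A-Fa-f]*\)".*/\1/p' | head -n 1 | tr 'A-F' 'a-f'
}

# Return 0 if the requirement on stdin pins exactly the given root hash.
requirement_pins_root() {
    expected=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    actual=$(cert_root_from_requirement)
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Run codesign on every file under Contents/MacOS and Contents/Frameworks
# (macOS only). Prints "<path> <root-hash|none>" per binary and returns 1 if
# any binary's root differs from the expected hash; files codesign rejects
# (non-Mach-O resources) are skipped.
check_bundle_roots() {
    bundle="$1"
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    find "$bundle/Contents/MacOS" "$bundle/Contents/Frameworks" -type f 2>/dev/null |
    while IFS= read -r f; do
        req=$(codesign -d -r- "$f" 2>/dev/null) || continue
        root=$(printf '%s\n' "$req" | cert_root_from_requirement)
        printf '%s %s\n' "$f" "${root:-none}"
    done |
    awk -v want="$expected" 'BEGIN { bad = 0 } { print; if ($NF != want) bad = 1 } END { exit bad }'
}

# Usage (hypothetical file name):
#   sh check_roots.sh /Applications/MyApp.app 14bbf142a9bcc11abd868458e4ab6419ae8c170c
if [ $# -eq 2 ]; then
    check_bundle_roots "$1" "$2"
fi
```

A binary whose designated requirement pins a leaf or intermediate certificate rather than the root (the usual shape for Developer ID signatures) is reported as "none", which is the cue to inspect its requirement by hand instead of treating it as a mismatch.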

How do I pass credentials in a custom search command in Splunk

My custom search command requires some credentials to work (third-party lib auth) and I don't want to have them hardcoded.
What is the best practice to pass the credentials inside this custom search command?
I'm looking to do something similar to the set-up page from Add-on Builder.
Any thoughts on this?
Assuming there is a script running behind the custom search command, you can have your credentials stored in a file (e.g. JSON format) and then encrypt the file using a key (GnuPG library). Your hardcoded credential file will not be required after this.
In the script, decrypt (using the GnuPG library) the encrypted file with the key used for encryption and then use it for authentication.

NiFi: Configuring SSLContext, Truststore or Keystore Certification

I am trying to get data from the DC Metro's API tool. I am using the "Train Position" link.
I need to configure my SSLContextService, but I only have a Primary and Secondary key provided by the website. For example, the keys are in this form:
5bcf1f7d091f4f618f1eefbefe23a56e
f15633bd2dd44a1f944c96361c0ab26f
How do I configure this in the SSLContext part of NiFi? I am using GetHTTP. Here is a picture of what I currently have, first the GetHTTP config and then the SSL config:
Next Config:
I have no idea how to use those keys above as the Truststore or Keystore, or if that's even what I'm supposed to do. I have my Keystore filename pointed at cacerts, but I know those keys are not in there. I've tried to convert them to .pem, and that was a mistake, especially when I put them in keystore.jks.
I get this error:
How do I get access?
Useful link on API link.
Note that API keys as you've given are considered sensitive information just like a password.
These keys are used to access the API, and are unrelated to NiFi keystore/truststores which are used for SSL negotiation. Using Java cacerts in this case is correct but you do not need to add an API key to a truststore.
This page describes the form the request needs to take: https://developer.wmata.com/docs/services/5763fa6ff91823096cac1057/operations/5763fb35f91823096cac1058#TrainPosition
I suggest you read up on how web APIs and web requests work, to understand how your API keys are used. They give an example curl at the bottom:
curl -v -X GET "https://api.wmata.com/TrainPositions/TrainPositions?contentType={contentType}" \
  -H "api_key: {subscription key}" \
  --data-ascii "{body}"
The {subscription key} is your API key, the {contentType} is the HTTP response content type. If you're unfamiliar with these terms you may need to look into them. I recommend getting the above curl command to work first, then carrying that across to NiFi.
curl -v -X GET "api.wmata.com/TrainPositions/TrainPositions?contentType=json" -H "api_key: e13626d03d8e4c03ac07f95541b3091b" works for me. (This is a test API key from the WMATA website.)
In InvokeHTTP, you would add a processor property (hit the plus symbol top right) called 'api_key' with the value set to your subscriber key (I don't know if this is the primary key), and set the "Attributes to Send" property value to "api_key". This will send the api_key attribute (the key) as a header called api_key just as we did above in curl with -H "api_key: e136... ".

client certificate not sent by postman

Can anyone shed some light on how I can debug the matching of certificates configured in Postman?
Problem:
I'm trying to connect to a REST service using an SSL client certificate. I configured it in the settings tab the same way as in set-and-view-ssl-certificates-with-postman
When checking the console I don’t see the certificate being sent and get failure:c:\projects\electron\vendor\node\deps\openssl\openssl\ssl\s3_pkt.c:1494:SSL alert number 40
Context:
Postman v 6.4.2 running on windows 10
(for security reasons some information below replaced by dummy info)
Using the same certificate/key/password I can set up a connection using openssl. (Checked for validity of certificates, TLS v1.1 and v1.2 supported, no SNI issues.)
The server certificate is signed by a trusted CA (I tested with --SSL certificate verification-- both on and off.)
In the Postman console I don't see the certificate being sent.
---- [console output] ----
GET https://somehost:443/somepath?someparameter=9076443&somedate=2017-02-17T00:00:00.000
Error: write EPROTO 101057795:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:c:\projects\electron\vendor\node\deps\openssl\openssl\ssl\s3_pkt.c:1494:SSL alert number 40 101057795:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure:c:\projects\electron\vendor\node\deps\openssl\openssl\ssl\s3_pkt.c:659:
Request Headers:
appid:“42”
cache-control:“no-cache”
ipaddress:“192.68.1.1”
postman-token:“some-token”
role:“Applicatie”
userid:“6x9”
---- [end console output] ----
image of certificate configuration
I matched, matched and rematched the hostname.
A search on the interweb did not teach me anything I had not tried yet...
Questions
Is there any debug option that will show the way the certificates are matched?
Is there any way I can force Postman to pick a configured certificate?
Any other ideas on how to proceed on this problem?
Any help appreciated.
Additional info
Monitoring with wireshark shows no certificate is sent.
(Postman console did not show a certificate being sent. I assume from examples that it will log which certificates it will/does send for a given request)
snippet wireshark output
Postman app in chrome
It does work from Chrome, using the Chrome keystore.
Using the PKCS#12 form of the same key (the original Postman request uses the .cer form) imported into the Chrome keystore, the requests work.
Chrome app will not do
The obvious question is: "why not keep using the Chrome app?"
Because it's deprecated and we use the newer 6.x test functions not supported in version 5.x.
Question posted on Postman help forum with no answer about a week ago:
OP on postman helpforum
Additional additional info
It works in Newman.
I had the same issue when I typed the path to the CRT and KEY files instead of using the file dialog.
Just click the Choose File button instead of pasting the file path when adding the certificate.
If you can download the Postman app, there is an option under Preferences/Certificates, and under that an option 'Client Certificate'.
You need to provide both the .cert and .key files in their respective sections, and provide the host name and key password, if any. Click "Save". The next time you send a request matching the hostname, the Postman app will send the certificate along with it. You can validate this in the console output.
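The thread above narrows the problem down by reproducing the handshake outside Postman. The script below does the same three checks with openssl, which both the poster and the answers lean on: does the key belong to the certificate, which CAs does the server accept client certificates from, and does a handshake with this certificate/key pair reproduce the "alert handshake failure". This is an added example, not code from the post or the answers; the host name, port and file paths are placeholders, and the DER support is there because a .cer exported from Windows is often DER rather than PEM.

```shell
#!/bin/sh
# Added example (not from the original post or answers): diagnose a TLS client
# certificate that a client never sends, using openssl. All paths and the
# host name are placeholders supplied by the caller.

# Print the public key carried in a certificate. Accepts PEM by default, or
# DER when "DER" is passed as the second argument.
cert_pubkey() {
    openssl x509 -in "$1" -inform "${2:-PEM}" -noout -pubkey
}

# Return 0 if the private key file matches the certificate, 1 otherwise.
# Usage: cert_key_match cert key [PEM|DER]. A mismatched pair is one reason a
# client silently drops the certificate from the handshake. An encrypted key
# makes openssl prompt for its passphrase.
cert_key_match() {
    cert_pub=$(cert_pubkey "$1" "${3:-PEM}") || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Show which CAs the server accepts for client certificates. If the issuer of
# your certificate is not listed (or the server says "No client certificate
# CA names sent"), the server side, not the client, needs attention.
server_client_cert_cas() {
    openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null |
    sed -n '/client certificate CA names/,/^---/p'
}

# Attempt the handshake with the certificate and key and print the lines that
# matter. An "alert handshake failure" here reproduces the Postman error
# outside Postman, which narrows the problem to the certificate itself.
handshake_with_client_cert() {
    openssl s_client -connect "$1:${2:-443}" -servername "$1" \
        -cert "$3" -key "$4" </dev/null 2>&1 |
    grep -E 'Verify return code|alert handshake failure|client certificate CA names'
}

# Usage (placeholders):
#   cert_key_match client.crt client.key && \
#     handshake_with_client_cert somehost 443 client.crt client.key
```

Run the checks in that order: a key/certificate mismatch or a DER file fed where PEM is expected explains a silently dropped certificate before any server-side investigation is needed, and the CA list tells you whether the server would accept your issuer at all.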

How to use Gmail as your IMAP server for Youtrack?

I want to create a helpdesk project following this great tutorial : http://blog.jetbrains.com/youtrack/2014/02/using-youtrack-as-a-help-desk/
I want to set the parameters of my mailbox using a Gmail address but I don't know how to obtain an SSL key from Gmail.
Without it, I get a "Connection timed out" error. I know where to add the SSL key in YouTrack, but I need a file (JKS or PKCS12 format).
My settings:
Protocol:IMAPS
Host:imap.gmail.com
Port:993
Login:mylogin
Password:mypassword
Select SSL key: nothing
Connection timeout:60
Socket timeout:60
Please help :)
Here is how to obtain Gmail's trusted root keys (from the Google PKI FAQ):
Google may decide to have its intermediate signed by another root at any point in time, so you should have an update mechanism in place for the trusted roots you ship with your product. If you are developing code intended to connect to a Google property, we recommend you include a wide set of trustworthy roots. We made an example available as a PEM file here.
The PEM file provided can be manually converted to PKCS12 with, for instance, the OpenSSL tool.
I suspect, however, that installing a cert won't solve the issue. "Select SSL key" likely stands for a client (i.e. YouTrack) certificate, which is not required by Gmail. Please check the following:
Whether IMAP is enabled in your Gmail account
This recipe, to make sure Gmail is not explicitly blocking a new client application
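The conversion the answer mentions, the Google PEM bundle into the PKCS12 or JKS file the "Select SSL key" field accepts, with a round-trip count so you can confirm the store holds what you put in, and a final check that imap.gmail.com really chains to those roots. This is an added example, not code from the question, the answer or YouTrack; file names and the store password are placeholders, the JKS function assumes a JDK keytool on the PATH, and the last function needs network access.

```shell
#!/bin/sh
# Added example (not from the original question or answer): turn a PEM bundle
# of trusted roots into a PKCS12 or JKS truststore and check that
# imap.gmail.com chains to those roots. File names and the password are
# placeholders.

# List subject/issuer of every certificate in a PEM bundle, so you can see
# what you are about to trust before shipping it.
list_pem_certs() {
    openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

# Count the certificates in a PEM bundle.
count_pem_certs() {
    grep -c 'BEGIN CERTIFICATE' "$1"
}

# Build a certificate-only PKCS12 truststore (no private key) from the bundle.
# Usage: pem_to_pkcs12_truststore roots.pem roots.p12 password
pem_to_pkcs12_truststore() {
    openssl pkcs12 -export -nokeys -in "$1" -out "$2" -passout "pass:$3"
}

# Count the certificates stored in a PKCS12 file (round-trip check).
count_pkcs12_certs() {
    openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# Same thing as a JKS via the JDK keytool; each certificate gets its own alias.
# Usage: pem_to_jks_truststore roots.pem roots.jks password
pem_to_jks_truststore() {
    bundle="$1"; store="$2"; pass="$3"; i=0
    tmp=$(mktemp -d)
    # split the bundle into one file per certificate, ignoring text before the first one
    awk -v dir="$tmp" '/BEGIN CERTIFICATE/{n++} n>0 {print > (dir "/cert" n ".pem")}' "$bundle"
    for f in "$tmp"/cert*.pem; do
        i=$((i + 1))
        keytool -importcert -noprompt -trustcacerts -alias "root$i" -file "$f" \
            -keystore "$store" -storetype JKS -storepass "$pass" >/dev/null
    done
    rm -rf "$tmp"
}

# Does the chain imap.gmail.com presents verify against the bundle? (needs network)
# "Verify return code: 0 (ok)" means the roots are sufficient for this connection.
verify_gmail_against_roots() {
    openssl s_client -connect imap.gmail.com:993 -servername imap.gmail.com \
        -CAfile "$1" </dev/null 2>/dev/null | grep 'Verify return code'
}
```

If verify_gmail_against_roots already reports 0 (ok) with the JVM's default cacerts, the truststore is not what is timing out, which supports the answer's suspicion that the field is for a client certificate and the real cause is elsewhere (IMAP disabled, or Gmail blocking the client).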

MSBuild SignFile task returning MSB3481: The signing certificate could not be located

I recently got a new code signing certificate. I'm using MSBuild's SignFile task to sign an application manifest. For some reason the task is returning:
MSB3481: The signing certificate could not be located.
Ensure that it is in the current user's personal store.
The certificate is definitely in my personal store, I can see it in certmgr.msc. And I believe that I'm logged in as the same user since I'm able to sign the manifest using a different certificate that is in the same personal store. Not sure why this new certificate cannot be found.
I'm even able to use signtool.exe with the new certificate's SHA1 to sign files just fine. But I would really prefer to use our existing MSBuild with the SignFile task. Any ideas what could be going wrong here?
I've also tried importing the certificate with and without the complete certification path.
I'm not sure that this could help, but I remember that if you are copying the thumbprint from the snap-in field, there is an "invisible" symbol in the first position.
So a thumbprint with that non-printable character can't be located in your store. Try removing 3-5 symbols from the beginning of the certificate thumbprint (including the quotes) and typing them manually.
Also take into account that the thumbprint should be all uppercase (even though the property is displayed in lowercase).
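A way to see the hidden character the answer describes rather than guess at it, and to normalise the value to the form the answer says SignFile expects (hex digits only, uppercase). This is an added example, not code from the question or the answer; the pasted thumbprint is constructed, with a U+200E left-to-right mark in front, which is the kind of invisible prefix copy-paste from a certificate snap-in can produce.

```shell
#!/bin/sh
# Added example (not from the original question or answer): detect and strip
# the invisible character that a certificate snap-in can paste in front of a
# thumbprint, and normalise it to the 40 upper-case hex digits SignFile expects.

# Constructed sample: a thumbprint as copied from the snap-in, with a
# zero-width left-to-right mark (U+200E, bytes E2 80 8E) in front.
PASTED_THUMBPRINT=$(printf '\342\200\216a1b2c3d4e5f60718293a4b5c6d7e8f9012345678')

# Number of bytes on stdin that are not hex digits (0 means nothing is hidden).
# LC_ALL=C makes tr work on bytes, so a multi-byte mark counts as 3.
hidden_byte_count() {
    echo $(( $(LC_ALL=C tr -d '0-9A-Fa-f' | wc -c) ))
}

# Strip everything except hex digits and upper-case the result.
normalize_thumbprint() {
    LC_ALL=C tr -cd '0-9A-Fa-f' | tr 'a-f' 'A-F'
}

# Return 0 if stdin, once normalised, is a well-formed SHA-1 thumbprint
# (exactly 40 hex digits), 1 otherwise.
is_sha1_thumbprint() {
    clean=$(normalize_thumbprint)
    [ ${#clean} -eq 40 ]
}

# Usage: printf '%s' "$PASTED_THUMBPRINT" | hidden_byte_count   (prints 3)
#        printf '%s' "$PASTED_THUMBPRINT" | normalize_thumbprint
```

Comparing the byte count of the pasted value with 40 is the quickest confirmation that the problem is an invisible character and not a certificate that is missing from the store.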