Free development certificates for Symbian? - symbian

I would like to do Symbian programming with features that require an application to be signed with more than the standard self signed cert. I don't want to pay money for a cert since I don't know if I will get to a point of selling an application. Is there a way to grant capabilities such as read and write device data to my application for use on just my phone?

If you don't have a Publisher ID the only option for you by now is Open Signed Online.
Open Signed Online allows you to sign an application for installation onto a single device. Unfortunately you will get the signed application, not a certificate itself.

Aside from Open Signed Online, which is pretty hopeless when you want to debug on the device, the only options at the moment are to find someone with a publisher ID to create a developer certificate for your device via Open Signed Offline, or wait for Symbian to come up with another way to get you a developer certificate. They are already planning to make publisher IDs cheaper and easier for individuals to get (currently you need to be a registered company) and wider availability for developer certificates is also on the cards.

Related

How to solve the problem of self signed SSL certificates for sites intended to be LAN hosted

My software is intended to run on a Raspberry Pi.
After installing my software, a user can navigate to the webpage hosted by my software running on their Raspberry Pi from any device on their LAN.
I want my users to not have to worry about generating SSL certificates and such. Just install my software on their Raspberry Pi and navigate to the dashboard.
I can make my software automatically generate a self signed SSL certificate on the first run, but the users get warnings about self signed certificates in their browser and the site shows as insecure.
If I make my software use HTTP instead, then Chrome won't store cookies from the site so the user's login doesn't last longer than one refresh.
I obviously can't distribute a CA signed certificate with my application since:
Anyone can get hold of this, so it won't be secure
It wouldn't work anyway since different users will have their Raspberry Pi on different IPs and hostnames
Is there any solution to be able to use secure HTTPS in this situation without getting warnings from browsers?
It's debatable whether this is a development question or not (it clearly isn't programming); personally I would say yes. However, it is certainly more topical in other Stacks where it has been discussed extensively e.g.:
https://serverfault.com/questions/1060268/ssl-for-devices-in-local-network
https://serverfault.com/questions/906015/how-to-setup-ssl-certs-for-a-lan-web-app-server
https://serverfault.com/questions/964119/enable-https-on-a-private-network
https://serverfault.com/questions/573528/ssl-tls-cert-get-alternative-name-to-work-with-lan-ip
https://serverfault.com/questions/447753/ssl-certificate-for-local-web-server
https://serverfault.com/questions/833178/ssl-with-no-warning-for-local-ips
https://serverfault.com/questions/1018020/distributing-ssl-certificates-to-all-browsers-in-an-active-directory-environment
(some focussed on Windows and especially AD though)
and:
https://security.stackexchange.com/questions/121163/how-do-i-run-proper-https-on-an-internal-network
https://security.stackexchange.com/questions/227020/is-https-required-for-local-network-server-to-server-communication
https://security.stackexchange.com/questions/251308/do-i-need-to-create-ssl-for-https-over-a-local-network
https://security.stackexchange.com/questions/103524/lets-encrypt-for-intranet-websites
https://security.stackexchange.com/questions/124235/deploy-intranet-application-with-ssl-certificate
I did find a few here, though, from years ago when topicality was wider:
HTTPS over intranet, what is the correct way of doing it
Are certificates useful for intranet SSL?
Do I need a SSL Certificate for an Intranet application

VB Application Security - Digital Signatures/CheckSums

I'm creating an application for a select group of people to use. But since it'll be freeware I can't afford to buy a digital signature to authenticate the source as me. Do I have any other option? Are there any tools in Windows I could take advantage of? Any free (third party) tools that I could use to increase the chances my app won't be flagged as potentially malicious? I understand that obviously these things aren't the easiest to come by, but I'd like something to at least say the application's not been tampered with.
Can you please advise me on any tools or methods I could use.
No, in the end these things are about trust, and unless you can get a key trusted at the location where they want to verify the binary, you cannot confer trust of the library.
Key trust is normally established using a certificate that was created for you. Buying a signature would only make sense if there is a separate party signing the code as a service.
Of course there are other ways to trust an application; e.g. you can distribute the source and allow builds of the application at a location that the user can trust. But that won't be as convenient as receiving a signed binary, if the system has been set up to mark those as trusted.

iText: what type of certificates do people use to automate PDF signing on Linux?

I have a low volume (<500 PDFs/year) application for automated digital-signing of PDF files using iText in Java on Linux.
I've got iText adding a digital signature to PDFs using my SSL certificate. Is this a valid method to prove the PDF was generated by my domain (e.g. server)? Can it be used somehow to get the green checkmarks showing "trust" in Adobe Reader?
If not, I should use a certificate intended for PDFs (e.g. not my SSL certificate), so that the little green checkmarks indicating "trust" appear naturally when the user opens the PDF document.
The book http://itextpdf.com/book/digitalsignatures does a great job introducing this topic to me (I have very little experience in this area).
The book talks about a SafeNet Luna device (an HSM), but it is much too expensive. I only require a minimal solution, and the Luna has a lot of bells and whistles. The Luna PCIe device is less expensive, but I don't require any features other than providing a certificate I can use to sign. Also, the USB-based SafeNet iKey device seems only to be marketed to Windows devices. Has anyone got iKey working with Linux? Is it even possible? Do other companies offer USB based devices that work on Linux?
I'm looking for a minimal solution for serving automated digitally signed PDFs on a Linux box. I'm sure a lot of small businesses have similar needs. I'm just trying to tap into existing knowledge out there. How do people solve this problem?
The solutions I see for automating this process assume large corporations using Adobe Live Cycle, and priced accordingly (see for example: https://www.globalsign.com/pdf-signing/compare-pdf-signing.html). But small businesses need to automate things too.
Ideally someone would sell a certificate similar to the SSL certificates, but for PDF files. Is there such a thing?
Is hardware (of some sort) a requirement (seems so)? If hardware is a requirement, are there any minimal solutions out there (e.g. with limited functionality other than enabling digital signing)?
Hoping someone can help me see the forest from the trees. What's the conventional wisdom?
Regarding signing with your SSL certificate: in a future iText version, we may require that the key-usage of the certificate indicates that the certificate can be used for non-repudiation. For now, we make checking the key-usage the responsibility of the developer, but in a perfect world, you should only sign with certificates suited for non-repudiation, and your SSL certificate probably doesn't allow this.
Regarding the green check mark: unless you can ask the consumers of your PDFs to add the root certificate of your certificate to the list of trusted identities, you'll always need a public/private key stored on hardware to get a green check mark.
Regarding the price of an HSM / USB key. USB keys are much cheaper, but usually they are meant for manual use (usually they have a limit of signing only once every second). I think that GlobalSign has a flavor of keys that work on Linux. As for HSMs, one of our customers told us that he bought one from Utimaco because it was less expensive (but I don't know what budget he had or spent).
No price info, but maybe a good read for inspiration: http://www.opendnssec.org/wp-content/uploads/2011/01/A-Review-of-Hardware-Security-Modules-Fall-2010.pdf

Which code signing certificate should I obtain for an Adobe AIR application (.exe, .dmg, .deb, .rpm)

I need to sign my Adobe AIR application which is a native installer. Right now I just have a Windows version, but soon I'll be porting it to other OSes including mobile OS.
My query is whether I need to get a separate code signing certificate for each one or is one enough? Also does 32-bit and 64-bit matter?
Verisign have categorized certificates for Windows (.exe) and Adobe AIR (.air and .airi) separately. So which one should I obtain?
CAs selling code signing certificates always pretend that you need different certificates to sign different kinds of applications. This is basically a scam. Most of the time the certificates are exactly the same, only the file format might differ. Even if the file format isn't supported by your code signing tool, there are ways to convert between different formats. So basically it doesn't matter which certificate you buy.
If you package your AIR app with a captive runtime, you can simply use a self-signed certificate with the adt tool. It's only important to sign the executable created with adt and your installer afterwards. If you create a native installer directly with adt, provide your certificate using the code signing options.
Under Windows, you should use Microsoft's signtool utility to sign the .exe file of your app and your installer if you want to package with a captive runtime. So I'd choose a code signing certificate for Windows. But as I said, it doesn't really matter (and there are cheaper options than Verisign).
Under Mac OS X ("Gatekeeper"), things are a little different. You can only use certificates issued by Apple. You have to enroll in the "Mac Developer Program" ($99 per year) to receive a code signing certificate for OS X. If you use a captive runtime, sign the application bundle created with adt using the codesign utility. If you create a .pkg installer, use the --sign option of the productbuild tool. There's a similar "iOS Developer Program" for iOS apps.
Under Linux, you don't sign packages with certificates issued by a CA. You simply sign them with a GPG key that you can create yourself for free. You have to publish your public GPG key so your customers can make sure that your packages are valid, though.
For Android apps, you can simply use a self-signed certificate, AFAIK.
32-bit and 64-bit apps can be signed in exactly the same way. You don't need separate certificates. But adt will only create 32-bit apps anyway.

SmartCard logon on Windows Server 2008 R2 Enterprise

I created a test domain, a CA and I issued a certificate with that CA. I also have a fully functional CSP. For logging on, Windows is offering smart card as a logon option. However, when I insert the card, after a few seconds of interaction with the card I receive the message "no valid certificates found". I did my homework by reading tons of MS documentation and generally whatever Google offered. Since I have no more options I'm trying here.
Added after posting: The certificate was created from the Smartcard Logon template.
Here are a few things I would check:
the authentication cert asserts the Windows smartcard logon OID in the EKU.
the authentication cert has a UPN in the subject alternative name (not strictly necessary for Windows 7/Server 2008).
the authentication cert key usage is digital signature.
the domain controller has the certificate chain installed correctly.
How was the card issued?
* Follow-up *
How did the certificates make it on to the card? AFAIK, there is no card management built into Windows, so an external card management system is needed to load the certs on the card in whatever card applet you are using. Can you provide more specifics on the card you are trying to use?
* Follow-up *
You might find this link interesting; it's for PIV cards but the same ideas probably apply to your situation - the article describes a test lab setup for smart cards. In particular, check out which certs go in which trust stores.
http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=9427
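
The certificate-level items in the checklist above (smart card logon OID in the EKU, UPN in the subject alternative name, digital signature key usage) can be checked programmatically. This is an added example, not part of the original answer: it assumes the third-party Python `cryptography` package, the names `smartcard_logon_findings` and `make_test_cert` are hypothetical, and the sample certificates are constructed in-process.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID, ObjectIdentifier

SMARTCARD_LOGON = ObjectIdentifier("1.3.6.1.4.1.311.20.2.2")  # Microsoft smart card logon EKU
UPN = ObjectIdentifier("1.3.6.1.4.1.311.20.2.3")  # Microsoft UPN otherName type

def _ext(cert, cls):  # extension value of type cls, or None when absent
    try:
        return cert.extensions.get_extension_for_class(cls).value
    except x509.ExtensionNotFound:
        return None

def smartcard_logon_findings(cert):
    """List the checklist items this certificate fails (DC chain install is not checked here)."""
    findings = []
    eku = _ext(cert, x509.ExtendedKeyUsage)
    if eku is None or SMARTCARD_LOGON not in list(eku):
        findings.append("EKU lacks the smart card logon OID")
    san = _ext(cert, x509.SubjectAlternativeName)
    if not any(isinstance(n, x509.OtherName) and n.type_id == UPN for n in (san or [])):
        findings.append("no UPN in the subject alternative name")
    ku = _ext(cert, x509.KeyUsage)
    if ku is None or not ku.digital_signature:
        findings.append("key usage lacks digitalSignature")
    return findings

def make_test_cert(eku, upn=None, digital_signature=True):
    """Constructed self-signed certificate, used only as sample input."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "constructed test user")])
    now = datetime.datetime.now(datetime.timezone.utc)
    usage = dict.fromkeys(("content_commitment", "data_encipherment", "key_agreement",
                           "key_cert_sign", "crl_sign", "encipher_only", "decipher_only"), False)
    builder = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
               .public_key(key.public_key()).serial_number(x509.random_serial_number())
               .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=1))
               .add_extension(x509.ExtendedKeyUsage(eku), critical=False)
               .add_extension(x509.KeyUsage(digital_signature=digital_signature,
                              key_encipherment=not digital_signature, **usage), critical=True))
    if upn:  # otherName value is a DER UTF8String: tag 0x0c, short-form length, bytes
        der = bytes([0x0C, len(upn.encode())]) + upn.encode()
        builder = builder.add_extension(
            x509.SubjectAlternativeName([x509.OtherName(UPN, der)]), critical=False)
    return builder.sign(key, hashes.SHA256())
```

To check a certificate exported from the card or the CA, load it with `x509.load_pem_x509_certificate(pem_bytes)` and pass the result to `smartcard_logon_findings`.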
You may find commercial software automating the binding process but no free ones. This way you won't have to check tons of support KB.
You can get a look at this demo (http://www.youtube.com/watch?v=OkMGXr-bls0) to see one of these tools in action.