Code sign...revoking certificate... problem

Hi,
I am having a breakdown. I had the following problem:
Code Sign error: The identity 'iPhone Developer' doesn't match any valid, non-expired certificate/private key pair in your keychains
So I followed the steps to solve this problem:
1) Open up Keychain Access app within /Applications/Utilities and click "All Items" under the Category sidebar. Type "iPhone" into the top-right search bar.
If you are replacing your Developer Certificate, delete your "iPhone Developer: <your_name>" Certificate by right-clicking and choosing "Delete"; if you have multiple "iPhone Developer: <your_name>" certificates, delete them all.
If you are replacing your Distribution Certificate, delete your "iPhone Distribution: <your_name>" Certificate by right-clicking and choosing "Delete"; if you have multiple "iPhone Distribution: <your_name>" certificates, delete them all.
2) Clean out your profile library according to the steps in section: Keep Your Profile Library Clean.
3) Log into the iOS Provisioning Portal. Click the Certificates sidebar. Click the DEVELOPMENT tab if you are replacing your Developer Certificate, and pick the DISTRIBUTION tab if you are replacing your Distribution Certificate. Click Revoke in the Action column.
4) Perform the steps in section Provisioning Profile Refresh. Xcode will prompt to create the new certificates; choose "Submit Request" to allow Xcode to create the certificates.
After step 4:
I followed these steps:
"To invoke Provisioning Profile Refresh, open Xcode's "Window" menu > Organizer > Devices tab > "Provisioning Profile" sidebar under Library and click the Refresh button. The first time refresh is pressed, a prompt appears requesting your team member credentials. It is important to answer positively when asked to create your signing certificates if they are needed. To do that, click "Submit Request" when you are prompted and Xcode will create, download and install the certificate(s)."
I had no "Refresh" button, so I clicked "add device to Provisioning Portal" and got "a device with this number already exists". When I log in to the Portal, I don't see my developer Certificate > Development anymore. Before revoking I downloaded the certificate!!!
How do i get it back? How do i solve this problem?
alix

Crap, TN2250 seems to be gone. 
You may have used an outdated link or typed the address (URL) incorrectly. If you came to this page via a bookmark, please update it accordingly.
The page you requested: http://developer.apple.com/library/ios/technotes/tn2250/_index.html
The page to which you will be redirected: http://developer.apple.com/library/ios/index.html
Has it been replaced? I'm having a code signing issue and this seems to be the doc I need.

Similar Messages

  • 3.6.16 can chain Verisign code signing intermediate certificate ("2010 CA") in an xpi file even though it is not installed in its cert store, but 4.0 does not. Why does 4.0 not chain this cert?

    Certs that are in FF 4.0 on the signing workstation using Key Manager (I imported the "2010 CA" cert):
    Company cert
    VeriSign Class 3 Code Signing 2010 CA
    52 00 e5 aa 25 56 fc 1a 86 ed 96 c9 d4 4b 33 c7
    VeriSign Class 3 Public Primary Certification Authority - G5
    25 0c e8 e0 30 61 2e 9f 2b 89 f7 05 4d 7c f8 fd
    Verisign Class 3 Public Primary Certification Authority
    70 ba e4 1d 10 d9 29 34 b6 38 ca 7b 03 cc ba bf

    Turns out that Key Manager is apparently not compatible with 4.0. I uninstalled 4.0 from the signing workstation, installed 3.6.x and Key Manager again, then signings contained the chain for the client running either 3.6 or 4.0.

  • Regarding Code signing to my jar

    How to code sign(assign certificate) to my Java Desktop Application.
    plz reply

    I have a JNLP Web Start application. Right now everyone can access it and get my application. I need to add some security, so that when someone tries to install the application via the JNLP file, the server asks for a user/password and can go to the database and authenticate this user; if the user is correct, he can download all the jars and run the application.
    i hope you can understand my problem
    plz reply
    Thanks in Advance!!!

  • Adobe AIR 3 Performance Issues and Code Signing Certificate Problem

    I recently updated to Adobe AIR 3.0 SDK (and runtime) doing HTML/Javascript development using Dreamweaver CS5.5 in a Windows 7 Home Premium (64 bit).
    The AIR app I'm developing runs well from within Dreamweaver. But when I create/package the AIR app and install it on my machine:
    1. The app literally CRAWLS running it in my Windows 7 12G RAM machine (especially when I use the mouse to mouse over a 19-by-21 set of hyperlinks on a grid) --- IT IS THAT SLOOOOWWWW...
    2. The app runs fine in my Mac OS X 10.6.8 with 4G RAM, also using the Adobe AIR 3 runtime.
    About the Code Signing Certificate problem:
    When I try to package the AIR app with ADT using AIR's temporary certificate feature, I get the error message "Could not generate timestamp: handshake alert: unrecognized_name".
    I found some discussions on this problem in an Adobe AIR Google Groups forum, but no one has yet offered any resolution to the issue. Someone said Adobe is using the Geotrust timestamping service --- located at https://timestamp.geotrust.com/tsa --- but going to this page produces a "404 --- Page not found" error.
    The Google Groups Adobe AIR page is here:
    http://groups.google.com/group/air-tight/browse_thread/thread/17cd38d71a385587
    Any ideas about these issues?
    Thanks!
    Oscar

  • Thawte code signing certificate problem

    Hi everyone!
    I wonder if someone here could help me out a little bit?
    I just received a code signing certificate from Thawte, but nobody mentioned that I should have enrolled it with Firefox (I have a Mac). So I used my default browser, Safari. And now I can't find any instructions on how to change that certificate to a file that I can use in my Flex 3 when I export an AIR installer. All the instructions tell me to use Firefox, but it's too late. I have to use the same browser I used earlier.
    I sent this question to Thawte too, but I'm not sure when they will answer...

    Well, yes, apparently Keychain Access doesn't let you export the entire certificate chain.
    See http://forums.adobe.com/thread/234000 for a post on essentially the same issue.
    I haven't tried it, but maybe you can import the certificate into Firefox and then re-export it with the entire certificate chain. Or do the same with the Java keytool utility. You could also set the ADT command line parameters to access the Mac Keychain directly, but then you couldn't use the built-in Flash/Flex Builder export. Those are the only options I can think of if you can't get help from Thawte.

  • SDK 3.0 : code signing error : more than one certificate for my profile ?!

    Hi all,
    Since I installed the SDK3 with OS3.0, I'm not able to develop on the device because of a provisioning profile issue.
    So, I've revoked all my certificates and properly created a new dev certificate, associated with a developer provisioning profile. Everything's fine at this step.
    But in my app, when I assign this profile (also added on the iPhone) and build, I get a code signing error which indicates that the associated certificate for the iPhone Developer: xxxx is in my keychain more than once !!??
    I've checked the keychain and there is only ONE iPhone certificate. So, I really don't understand !
    I've redone this step few times, to be sure... But still the same issue !
    Any clue ?

    Same here.
    I installed SDK 3.0 yesterday and was about to remove and re-install certificate today, until I found this thread.
    SDK 3.0 seems to have problems with handling provisioning profiles. If you use Xcode in Japanese, the provisioning profiles are shown as "?" in the popup menu, while if you start Xcode in English, the correct provisioning profiles are selectable.
    First, I had the "?" issue, then after I switched the language to English, I faced this "more than one certificate in the keychain" problem ...

  • Java security error after 8u31 (Timestamped Jarsigned Applet within valid period of Code Signing certificate)

    Hello,
      I have an applet running in embedded systems. This program runs without any problem since 8u31 update! After this update it starts to give java security warning and stops running.
    Here is the warning message:
      "Your security settings have blocked an application signed with an expired or not-yet-valid certificate from running"
    What it says is true; my Code Signing Certificate (CSC) is valid between 24 Jan 2014 and 25 Jan 2015. And it expired! However, while I was signing my applet with this certificate I used "timestamp". The authority I chose was DigiCert. My signing date was 26 Jan 2014 (when my CSC was valid).
    When I started to have this Java Security Error, first I thought I mis-timestamped my code, and checked by using the jarsigner -verify command. Here is a partial result:
    s      19607 Mon Jan 27 13:17:34 EET 2014 META-INF/MANIFEST.MF
          [entry was signed on 27.01.2014 13:19]
          X.509, CN=TELESIS TELECOMMUNICATION SYSTEMS, OU=ARGE, O=TELESIS TELECOMMUNICATION SYSTEMS, STREET=TURGUT OZAL BLV.NO:68, L=ANKARA, ST=ANKARA, OID.2.5.4.17=06060, C=TR
          [certificate is valid from 24.01.2014 02:00 to 25.01.2015 01:59]
          X.509, CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB
          [certificate is valid from 24.08.2011 03:00 to 30.05.2020 13:48]
          X.509, CN=UTN-USERFirst-Object, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, ST=UT, C=US
          [certificate is valid from 07.06.2005 11:09 to 30.05.2020 13:48]
          X.509, CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE
          [certificate is valid from 30.05.2000 13:48 to 30.05.2020 13:48]
    sm       495 Thu Jan 23 14:55:22 EET 2014 telesis/WebPhone$1.class
    As you may see the timestamp was correctly done. And it is in the valid period of CSC.
    Then I started to check how Java confirms the Certificate, and found some flowcharts.
    Here is an example from DigiCert:
    Code Signature Verification Process
    After the Web browser downloads the Applet or Web Start application, it checks for a timestamp, authenticates the publisher and Certificate Authority (CA), and checks to see if the code has been altered/corrupted.
    The timestamp is used to identify the validation period for the code signature. If a timestamp is discovered, then the code signature is valid until the end of time, as long as the code remains unchanged. If a timestamp is not discovered, then the code signature is valid as long as the code remains unchanged but only until the Code Signing Certificate expires. The signature is used to authenticate the publisher and the CA, and as long as the publisher (author or developer) has not been blacklisted, the code signature is valid. Finally, the code is checked to make sure that it has not been changed or corrupted.
    If the timestamp (or Code Signature Certificate expiration date) is verified, the signature is validated, and the code is unchanged, then the Web browser admits the Applet or Web Start application. If any of these items do not check out, then the Web browser acts accordingly, with actions dependent on its level of security.
    So according to this scheme, my applet had to work properly, and without security warning.
    However, I also found this from Oracle, which also includes the timestamping authority's certification validity period???:
    The optional timestamping provides a notary-like capability of identifying when the signature was applied.
    If a certificate passes its natural expiration date without revocation, trust is extended for the length of the timestamp.
    Timestamps are not considered for certificates that have been revoked, as the actual date of compromise could have been before the timestamp occurred.
    source:  https://blogs.oracle.com/java-platform-group/entry/signing_code_for_the_long
    So, could anyone please explain why Java gives security error when someone tries to reach that applet?
    Here is a link of applet: http://85.105.68.11/home.asp?dd_056
    I know the situation seems a bit complicated, but I tried to explain as simply as I can.
    waiting for your help,
    regards,
    Anıl
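
Added example (not part of the original post, and not Java's actual verification code): a Python parser for `jarsigner -verify` output of the shape quoted above, followed by the two rule sets the post cites (DigiCert's and Oracle's) applied to the signer certificate. The `tsa_trusted_until` parameter models one reading of Oracle's "length of the timestamp" wording and is an assumption, as are the dates passed in `demo()`.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime

FMT = "%d.%m.%Y %H:%M"  # date layout in the quoted output; it varies with locale

# Lines taken from the jarsigner output quoted in the post (subject fields shortened).
SAMPLE = """\
s      19607 Mon Jan 27 13:17:34 EET 2014 META-INF/MANIFEST.MF
      [entry was signed on 27.01.2014 13:19]
      X.509, CN=TELESIS TELECOMMUNICATION SYSTEMS, C=TR
      [certificate is valid from 24.01.2014 02:00 to 25.01.2015 01:59]
      X.509, CN=COMODO Code Signing CA 2, O=COMODO CA Limited, C=GB
      [certificate is valid from 24.08.2011 03:00 to 30.05.2020 13:48]
sm       495 Thu Jan 23 14:55:22 EET 2014 telesis/WebPhone$1.class
"""

ENTRY = re.compile(r"^(?P<flags>[smk]+)\s+(?P<size>\d+)\s+.*\s(?P<name>\S+)$")
SIGNED = re.compile(r"^\[entry was signed on (?P<ts>.+)\]$")
CERT = re.compile(r"^X\.509, (?P<subject>.+)$")
VALID = re.compile(r"^\[certificate is valid from (?P<start>.+) to (?P<end>.+)\]$")
PATHERR = re.compile(r"^\[CertPath not validated: (?P<why>.+)\]$")


@dataclass
class Cert:
    subject: str
    not_before: datetime = None
    not_after: datetime = None


@dataclass
class Entry:
    name: str
    flags: str
    signed_on: datetime = None   # the "[entry was signed on ...]" line, if present
    certs: list = field(default_factory=list)  # signer certificate first
    path_error: str = None


def parse(text):
    """Group the indented detail lines under the jar entry line that precedes them."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw[0].isspace() and (m := ENTRY.match(line)):
            entries.append(Entry(m["name"], m["flags"]))
        elif not entries:
            continue
        elif m := SIGNED.match(line):
            entries[-1].signed_on = datetime.strptime(m["ts"], FMT)
        elif m := CERT.match(line):
            entries[-1].certs.append(Cert(m["subject"]))
        elif (m := VALID.match(line)) and entries[-1].certs:
            cert = entries[-1].certs[-1]
            cert.not_before = datetime.strptime(m["start"], FMT)
            cert.not_after = datetime.strptime(m["end"], FMT)
        elif m := PATHERR.match(line):
            entries[-1].path_error = m["why"]
    return entries


def assess(entry, now, revoked=False, tsa_trusted_until=None):
    """Apply the quoted rules to the signer certificate and return a verdict string."""
    if not entry.certs:
        return "no-signer-certificate"
    leaf = entry.certs[0]
    if revoked:
        # Oracle text: timestamps are not considered for revoked certificates.
        return "rejected-revoked"
    if now < leaf.not_before:
        return "rejected-not-yet-valid"
    if now <= leaf.not_after:
        return "valid-certificate-current"
    # Certificate has expired: only a timestamp can carry the signature further.
    if entry.signed_on is None:
        return "rejected-expired-no-timestamp"
    if not (leaf.not_before <= entry.signed_on <= leaf.not_after):
        return "rejected-timestamp-outside-validity"
    # Assumption: "length of the timestamp" read as an end date for timestamp trust.
    if tsa_trusted_until is not None and now > tsa_trusted_until:
        return "rejected-timestamp-trust-ended"
    return "valid-by-timestamp"


def demo():
    signed = parse(SAMPLE)[0]
    after_expiry = datetime(2015, 2, 10)  # constructed date after 25.01.2015
    tsa_end = datetime(2015, 1, 31)       # constructed value, not from the post
    return {
        "before expiry": assess(signed, datetime(2014, 6, 1)),
        "expired, timestamped": assess(signed, after_expiry),
        "expired, timestamp trust ended": assess(signed, after_expiry, tsa_trusted_until=tsa_end),
        "expired, revoked": assess(signed, after_expiry, revoked=True),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

The two expired-but-timestamped cases differ only in whether timestamp trust is bounded, which is the point on which the two quoted descriptions diverge.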

  • Code Signing certificate expired

    Hello,
    I need some information, please, about the SGDEE 4.1 login applet: it seems the applet code signing certificate expired on September 2, 2005.
    I have no problem (after I deleted all expired root certificates from the local client repository) with Internet Explorer 6SP1, but Mozilla Firefox always prompts me with a warning with these contents:
    Serial:     
    [62374265099632433790334794162326322759]
    Issuer:
    N=VeriSign Class 3 Code Signing 2001 CA,
    OU=Terms of use at https://www.verisign.com/rpa (c)01,
    OU=VeriSign Trust Network,
    O="VeriSign, Inc."
    Valid From: Wed Sep 01 02:00:00 CEST 2004,
    To: Fri Sep 02 01:59:59 CEST 2005
    Subject:
    CN="Tarantella, Inc.",
    OU=Digital ID Class 3 - Netscape Object Signing,
    O="Tarantella, Inc.",
    L=Santa Cruz,
    ST=California,
    C=US
    Thank you very much in advance,
    Best Regards,
    Valerio Morozzo

    I know this is an older post, but it helped me find out how to make the migration procedure for native installer. I tried it with self signed certificate created by ADT tool and everything went fine.
    But now, we obtained a commercial AIR signing certificate from Thawte and the process fails in step 3), with ADT saying
    'Certificate in PATH_TO_P12 could not be used to sign setup.msi' on Windows.
    On Mac, it says that signing a native installer on OSX is not supported, so I skipped the signing option in step 3) and it worked fine.
    I can skip the signing option on Windows as well and the process succeeds, but running the installer on machines with previous versions of the application results in an 'Installer mis-configured' error message - the same error as if the migration process was not applied.
    I already contacted Thawte to ask if it is a certificate issue; the reply from them was 'AIR certificate can only sign .air applications'. But when I build a native application directly from FlashBuilder and sign it with the Thawte certificate, the whole process seems to succeed. The application can be installed on machines without a previous version of the application. Those who already have the older version get the 'Installer mis-configured' error message.
    I want to point out again that the same process, but with a self-signed certificate created with ADT, is successful and the application can be installed as an update on machines with an older version of the app. So I assume the workflow is correct.
    Any ideas? Or somebody having the same issue?
    Thanks

  • Replacing the Java Code Signing Certificate on the ASA 55xx VPN/Firewall Appliance

    Hi,
    basically I am trying to achieve what's documented in
    http://www.cisco.com/en/US/docs/security/asa/asa80/release/notes/asarn80.html#wp242704
    (using ASDM: "crypto ca import" = Remote Access VPN -> Certificate Management ->  Code Signer -> Import)
    I give it a complete PKCS12 bundle (unencrypted private key + certificates up to the root CA) to the ASA.
    I can indeed verify that it has been imported correctly by exporting it again:
      crypto ca export CodeSignerBundle pkcs12 1234
    It shows me the private key and all the certificates.
    However, the jars used in WebVPN, while carrying the correct certificate, don't have a full certification chain at their disposal:
    Using jarsigner -verify I see on a random file from the jar:
    sm       905 Fri Nov 30 00:00:00 CET 1979 Java/lang/CpUtf8.class
          X.509, CN=COMMONNAME, O=ORGANIZATION, L=LOCATION, ST=STATE, C=COUNTRY
          [certificate is valid from 8/1/13 4:30 PM to 8/1/16 4:30 PM]
          X.509, CN=LuxTrust Qualified CA, O=LuxTrust S.A., C=LU
          [certificate is valid from 6/5/08 11:25 AM to 10/18/16 12:40 PM]
          [CertPath not validated: Path does not chain with any of the trust anchors]
    Indeed the certificate file inside the jar (META-INF/.....RSA) does not contain what I uploaded to the ASA. One of the intermediary certificates is missing (while another certificate is listed twice).
    What could be the problem here? (ASA v8.2(5))
    Thanks for any help,
    Marki

    It may be that a ip address pool is not assigned to the default webvpn group:
    tunnel-group DefaultWEBVPNGroup general-attributes
    address-pool testpool

  • ADT error with comodo code signing certificate

    Hello,
    I'm trying to sign an AIR app with a Comodo code signing cert.
    - SHA-256 with RSA Encryption
    - Java 1.8 (same problem with 1.6)
    - AIR 15 (same problem with older versions)
    My command :
    java -jar -Xmx1024m /data/sdk/AIRSDK_Compiler15/lib/adt.jar  -sign -storetype pkcs12 -storepass ******* -keystore cert/air-distrib.p12 bin-release/TestCert.airi bin-release/TestCert.air
    I get the following error :
    Exception in thread "main" java.lang.OutOfMemoryError: Java heap space
        at java.util.Arrays.copyOf(Arrays.java:3181)
        at java.util.ArrayList.grow(ArrayList.java:261)
        at java.util.ArrayList.ensureExplicitCapacity(ArrayList.java:235)
        at java.util.ArrayList.ensureCapacityInternal(ArrayList.java:227)
        at java.util.ArrayList.add(ArrayList.java:458)
        at sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2026)
        at java.security.KeyStore.load(KeyStore.java:1433)
        at com.adobe.ucf.UCF.processSigningOptions(UCF.java:313)
        at com.adobe.ucf.UCF.parseSigningOptions(UCF.java:298)
        at com.adobe.air.ADT.parseSign(ADT.java:1589)
        at com.adobe.air.ADT.parseArgsAndGo(ADT.java:598)
        at com.adobe.air.ADT.run(ADT.java:435)
        at com.adobe.air.ADT.main(ADT.java:485)
    When I increase Java memory to 8 GB, Java uses 6 GB and doesn't stop... (nothing after 20 minutes...)
    Any idea ?
    ADT or cert problem ? Other ?
    Thx.
    Jonas

    Yeah !
    The certificate was generated in firefox...
    Importing it into IE and regenerating the certificate fixed the problem
    Jonas

  • A PKI Code Signing Certificate question.

    Hello,
    Can someone please help me with the following question.
    I have created and used a code Signing certificate from our Microsoft Enterprise CA before which works OK, but I am not sure I did it correctly, and have a few related questions please.
    what I did.
    1: Logged on the CA directly, went to the CertSvc web site, requested a code signing cert, issued it and exported it along with the private key.
    2: Imported the above certificate into CurrentUser/My store on PC and used it to sign code
    3: Took the same certificate (along with the private key, and this is where perhaps I made at least one mistake) and imported it into the 'Trusted Publishers' store on the PC that will be running the signed code. This step was done so the user does not receive a message asking if they want to run the code signed by "AAnotherUser" as it were, as although the code is signed by a trusted CA, the user still gets this warning message as the 'Publisher' is not in the 'Trusted Publishers' list. Therefore the way I sorted this at the time was to take the whole certificate as above and import it to this store.
    The first mistake I made (as far as I can see as I am new to this area) I think I should have not imported the certificate 'along with its private key' into the trusted publishers store? In other words, should I have imported the certificate 'minus its private key' into the trusted publishers store?
    Also, I understand you have to have the certificate along with its private key to sign code. I am 'assuming' a Hash of the code is taken and this is signed (encrypted) with the private key (in the same way a CA signs a CSR for a WEBServer cert for example), is that correct i.e. is that what it means to sign code?
    if the above is correct then I assume you only need the 'public' key of the code signed cert in the 'Trusted Publishers Store' to verify the code was signed by a trusted CA and it has not been altered e.g. the Hash code still computes to the same value.
    Is this correct?
    My next question is regarding the private key. As I need to 'Login' to AD in order to request a code signing cert, can the 'private key' not be stored securely in AD along with my AD User account?
    If the above is possible (which would make good sense to me I think) then I do not have to worry about looking after the safety of the private key as the system 'AD' can do this for me. It would also mean whichever computer I log on to in the domain I would have access to the private key (but no other user) and therefore be able to sign code I assume. Does this last paragraph make sense, can this be done/is this done?
    Basically I need to understand the above, in order to understand more about Crypto.
    I also need to create a code signing cert for a 'department' of about 10 people. Therefore I was thinking about creating an AD account called 'XYZCorpCodeSigning' or whatever, and issuing a code signing cert to this entity. If the private key could be stored in AD then accessed and used once signed in as this account (these 10 people would need to know the password for the account) this would make life easier/more secure, I think.
    I know there are several questions above, but it would be great if they could be answered, as it would help me understand more about how it all works and to solve a problem too
    Thanks very much
    AAnotherUser__

    > The first mistake I made (as far as I can see as I am new to this area) I think I should have not imported the certificate 'along with its private key' into the trusted publishers store
    yes, it is not correct. Only public part should be imported to a Trusted Publishers container.
    >  is that correct i.e. is that what it mean to sign code
    exactly. Encryption with private key and decrypting with public key is called "digital signature".
    > if the above is correct then I assume you only need the 'public' key of the code signed cert in the 'Trusted Publishers Store' to verify the code was signed by a trusted CA and it has not been altered e.g. the Hash code still computes to the same value. Is this correct?
    yes. Client uses only public part of the certificate to validate the signature.
    > As I need to 'Login' to AD in order to request a code signing cert, can the 'private key' not be stored securely in AD along with my AD User account?
    normally code signing certificates are not stored in Active Directory and should not be there, because signing certificate is included in the signature field.
    > I do not have to worry about looking after the safety of the private key as the system 'AD' can do this for me.
    this is a wrong assumption. A user is responsible to protect signing private key from unauthorized use.
    > If the private key could be stored in AD then accessed used once signed in as this account (these 10 people would need to know the password for the account) this would make life easier/more secure
    wouldn't, because if something happens -- you will never know who compromised the key.
    as a general practice, we recommend purchasing at least a few smart cards to store signing keys. Depending on a particular code development practice, there might be a dedicated employee (for example, manager of devs) who alone has access to a smart card (and PIN) and signs the code upon dev request. Or issue a dedicated smart card with a unique signing certificate to each developer. However this will add complexity in signing certificate trust management.

  • What does this mean and how do I fix it? Error ITMS-9000 "Invalid Code Signing The executable ´viwer.app/ viewer´ must be signed with the certificate that is contained in the provisioning profile"

    What does this mean and how do I fix it? Error ITMS-9000 "Invalid Code Signing The executable ´viwer.app/ viewer´ must be signed with the certificate that is contained in the provisioning profile"

    If you had Firefox save your Yahoo password, first try deleting that here:
    orange Firefox button ''or'' classic Tools menu > Options > Security > "Saved Passwords"
    The "signed out" message seems to be related to how Yahoo authenticates you. Some users have reported that disabling automatic proxy detection solves the problem, and it also resolves an issue of getting logged out every few minutes, if you have ever experienced that.
    To make the change:
    orange Firefox button ''or'' classic Tools menu > Options > Advanced
    On the "Network" mini-tab, click the "Settings" button, then choose "No Proxy" and OK your way back out.
    If your work connection requires you to use a proxy server, try the "Use system settings" option instead.
    Does that help?

  • NSUserDefaults stopped working after installing code sign certificates (?)

    The following code has worked fine in the iPhone simulator.
    NSUserDefaults *userDefaults = [NSUserDefaults standardUserDefaults];
    myFloat = [userDefaults floatForKey:@"myFloat"];
    myString = [userDefaults stringForKey:@"myString"];
    Today I installed the code signing certificates and all the updates necessary to deploy my code to a device. That part works fine, and I'm able to install and run my apps on the iPhone device.
    The problem is that the above code has stopped working. myFloat is now always 0.0 and myString is now always nil. If I go into the Settings app, my preferences UI is still there and I can change and persist the preference values. But my app no longer sees those values.
    I'm assuming this broke because of the changes related to code signing and device deployment, but I'm not sure since there is no way (?) to roll back those changes.
    Has anyone else encountered this problem?
    Thanks,
    Nick

    I have the same issue with SDK Beta 7, I can't get my preferences to persist (although in my case I'm not using the Settings app to alter settings). This is what I am doing:
       +(void) initialize
       {
           NSUserDefaults *defaults = [NSUserDefaults standardUserDefaults];
           NSDictionary *appDefaults = [NSDictionary dictionaryWithObject:@"YES" forKey:@"SomeValue"];
           [defaults registerDefaults:appDefaults];
       }
    in initWithFrame:
       if ([[NSUserDefaults standardUserDefaults] boolForKey:@"SomeValue"]) {
           [[NSUserDefaults standardUserDefaults] setObject:@"NO" forKey:@"SomeValue"];
       } else {
           [[NSUserDefaults standardUserDefaults] setObject:@"YES" forKey:@"SomeValue"];
       }
    and I synchronize in applicationWillTerminate. Settings just don't persist.

  • Problem with creating a third party signed x509 certificate

    Dear all
    I'm working on a PKI project in which I need to generate a key pair and use it to create a self-signed X.509 certificate. It will act as the CA, and its private key will be used to sign all other X.509 certificates. I have no problem creating the self-signed cert, but when I try to create another cert using the CA private key, I get the following exception:
    Caught exception: java.security.InvalidKeyException: Public key presented not for certificate signature
    I'm using Bouncy Castle to do the cert generation; here is an example of my code:
       Security.addProvider(new BouncyCastleProvider());
       //be sign key pair
       KeyPairGenerator keyGen=KeyPairGenerator.getInstance("DSA");
       keyGen.initialize(1024, new SecureRandom());
       KeyPair keypair=keyGen.generateKeyPair();
       PrivateKey prikey=keypair.getPrivate();
       PublicKey pubkey=keypair.getPublic();
       //ca key pair
       KeyPair cakeypair=keyGen.generateKeyPair();
       PrivateKey caprikey=cakeypair.getPrivate();
       PublicKey capubkey=cakeypair.getPublic();
       Hashtable attrs = new Hashtable();
       attrs.put(X509Principal.CN, "Test");
       //generate cert
       X509V3CertificateGenerator certGen=new X509V3CertificateGenerator();
       certGen.setSerialNumber(BigInteger.valueOf(1));
       certGen.setIssuerDN(new X509Principal(attrs ));
       certGen.setNotBefore(new Date(System.currentTimeMillis() - 50000));
       certGen.setNotAfter(new Date(System.currentTimeMillis() + 50000));
       certGen.setSubjectDN(new X509Principal(attrs));
       certGen.setPublicKey(pubkey);
       //certGen.setSignatureAlgorithm("MD5WithDSAEncryption");
       certGen.setSignatureAlgorithm("SHA1withDSA");
       X509Certificate cert=certGen.generateX509Certificate(caprikey);
       cert.checkValidity(new Date());
       cert.verify(pubkey);
       Set dummySet=cert.getNonCriticalExtensionOIDs();
       dummySet=cert.getNonCriticalExtensionOIDs();
    I have no idea what the problem is.
    I hope that a Bouncy Castle supporter or anyone else can help me or give some guidance; I would much appreciate that.

    Hi tkfi
    Your problem is that you're not using the CA public key to do the verification. Replace
       cert.verify(pubkey);
    with
       cert.verify(capubkey);
    and it should work.
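
The issue-then-verify flow discussed in this thread, as an added example that is not code from either poster: a certificate signed with the CA private key verifies only against the CA public key, never against the subject key it carries. It assumes the current Bouncy Castle builder API (bcprov and bcpkix on the classpath), swaps the post's 1024-bit DSA with SHA-1 for RSA-2048 with SHA256withRSA, and uses constructed names; the class name `IssueAndVerify` and its helpers are hypothetical.

```java
import java.math.BigInteger;
import java.security.*;
import java.security.cert.X509Certificate;
import java.util.Date;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

public class IssueAndVerify {
    // Issue a certificate binding subjectKey to subject, signed with the issuer's private key.
    static X509Certificate issue(X500Name issuer, PrivateKey issuerKey,
                                 X500Name subject, PublicKey subjectKey, long serial) throws Exception {
        Date notBefore = new Date(System.currentTimeMillis() - 60_000L);
        Date notAfter = new Date(System.currentTimeMillis() + 24L * 3600 * 1000);
        ContentSigner signer = new JcaContentSignerBuilder("SHA256withRSA").build(issuerKey);
        return new JcaX509CertificateConverter().getCertificate(
                new JcaX509v3CertificateBuilder(
                        issuer, BigInteger.valueOf(serial), notBefore, notAfter, subject, subjectKey)
                        .build(signer));
    }

    // True only if the certificate's signature was produced by the private half of key.
    static boolean signedBy(X509Certificate cert, PublicKey key) {
        try {
            cert.verify(key);
            return true;
        } catch (GeneralSecurityException e) {   // wrong key, bad signature, unknown algorithm
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair ca = gen.generateKeyPair();      // CA key pair
        KeyPair leaf = gen.generateKeyPair();    // key pair to be certified
        X500Name caName = new X500Name("CN=Example Test CA");   // constructed names
        X500Name leafName = new X500Name("CN=Example Leaf");
        X509Certificate caCert = issue(caName, ca.getPrivate(), caName, ca.getPublic(), 1);
        X509Certificate leafCert = issue(caName, ca.getPrivate(), leafName, leaf.getPublic(), 2);
        System.out.println("self-signed CA cert, CA key: " + signedBy(caCert, ca.getPublic()));
        System.out.println("leaf cert, CA key:           " + signedBy(leafCert, ca.getPublic()));
        System.out.println("leaf cert, its own key:      " + signedBy(leafCert, leaf.getPublic()));
    }
}
```

Unlike the posted code, the issuer and subject names differ here, so the issued certificate is not mistaken for a self-signed one; a CA certificate used outside a test would also carry a BasicConstraints extension marking it as a CA.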

  • JWS gives 'failed to parse certificate' error for VALID code sign cert

    Hi,
    For my application, after downloading jar files from the web server, JWS (1.2.0_02) gives a Security Warning asking the user to trust the Signer.
    However, after clicking Start, it gives another Security Warning which says this:
    Warning: Failed to verify authenticity of this certificate because there was an error parsing the certificate. No assertions can be made of the origin or validity of the code. It is highly recommended not to install and run this code.
    STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
    Sign App jar files with a VALID code signing certificate from Thawte or Verisign (don't use DST or RSA or any other CA as JWS supports only Verisign/Thawte root CA entries by default).
    Download the app using JNLP, and you will see this warning.
    EXPECTED -
    It should not give the second security warning. First one is fine as user has to trust the signer.
    There are no logs anywhere to find out what error it encountered parsing the certificate.
    The certificate as such is valid, it was verified with keytool, openSSL and various other tools.
    ACTUAL -
    After downloading an application from web server, JWS gives a Security Warning asking user to trust the Signer.
    However, after clicking Start, it gives another Security Warning which says this:
    Warning: Failed to verify authenticity of this certificate because there was an error parsing the certificate. No assertions can be made of the origin or validity of the code. It is highly recommended not to install and run this code.
    ERROR MESSAGES/STACK TRACES THAT OCCUR :
    Warning: Failed to verify authenticity of this certificate because there was an error parsing the certificate. No assertions can be made of the origin or validity of the code. It is highly recommended not to install and run this code.

    Hello,
    I had the same problem. Here are some additional things to check:
    - every jar in your app MUST be signed by ONE and ONLY ONE certificate.
    - every jar which is presigned should be checked on its own. I had a bad bcprov.jar which nearly drove me nuts. Maybe there are more such 'presigned' jars around.
    One recipe aside:
    Try halving the jars in your jnlp file further and further, until it runs again, then you'll probably find the jar which causes this. I would bet on a specific jar.
    There's another bug already known which makes JWS fail on checking the certs on jars with classes which have national characters (even inner ones!). So you might want to check that, too.
    Hope that helps...
    Patric
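
One way to automate the two checks suggested above (one signer across all jars, and each presigned jar examined on its own), as an added example that is not part of the original posts. It uses only the JDK's `java.util.jar` API; the class name `JarSignerAudit` is hypothetical and the jar paths are passed as arguments.

```java
import java.io.IOException;
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.cert.X509Certificate;
import java.util.*;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

public class JarSignerAudit {
    // Distinct signers seen on one jar's entries; "<unsigned>" marks entries with no signature.
    static Set<String> signersOf(String path) throws IOException {
        Set<String> signers = new TreeSet<>();
        byte[] buf = new byte[8192];
        try (JarFile jar = new JarFile(path, true)) {            // true = verify while reading
            for (JarEntry e : Collections.list(jar.entries())) {
                // For brevity everything under META-INF/ is skipped (manifest, .SF, .RSA/.DSA).
                if (e.isDirectory() || e.getName().startsWith("META-INF/")) continue;
                try (InputStream in = jar.getInputStream(e)) {
                    while (in.read(buf) != -1) { }               // signers are known only after a full read
                }
                CodeSigner[] cs = e.getCodeSigners();
                if (cs == null) { signers.add("<unsigned>"); continue; }
                for (CodeSigner c : cs) {
                    X509Certificate leaf =
                            (X509Certificate) c.getSignerCertPath().getCertificates().get(0);
                    signers.add(leaf.getSubjectX500Principal().getName()
                            + " serial=" + leaf.getSerialNumber().toString(16));
                }
            }
        }
        return signers;
    }

    public static void main(String[] args) {
        Set<String> all = new TreeSet<>();
        for (String path : args) {
            try {
                Set<String> s = signersOf(path);
                all.addAll(s);
                System.out.println(path + " -> " + s);
            } catch (IOException | SecurityException ex) {       // corrupt jar or digest mismatch
                all.add("<failed: " + path + ">");
                System.out.println(path + " -> FAILED: " + ex);
            }
        }
        boolean ok = all.size() == 1 && !all.iterator().next().startsWith("<");
        System.out.println(ok ? "OK: one signer across all jars" : "MISMATCH: " + all);
    }
}
```

Run it with every jar listed in the JNLP file; a jar that reports a second signer, unsigned entries, or a verification failure is the one to re-sign or replace.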
