Code signing certification

Similar Messages

• Code Signing Certificate

  Generate a Code Signing Certification using he openssl application:
  * Generate code signing key
  * Generate code signing certificate request
  * Generate code signing certificate
  please can you help me in finding the commands for doing so plzzzzzzzzzzzzzzzzzzzzze

  These are called "code signing certificates" and are emitted by "certificate authorities", such as VeriSign, Entrust, Thawte, Digicert, Comodo and many others.

• Replacing the Java Code Signing Certificate on the ASA 55xx VPN/Firewall Appliance

  Hi,
  basically I am trying to achieve what's documented in
  http://www.cisco.com/en/US/docs/security/asa/asa80/release/notes/asarn80.html#wp242704
  (using ASDM: "crypto ca import" = Remote Access VPN -> Certificate Management ->  Code Signer -> Import)
  I give it a complete PKCS12 bundle (unencrypted private key + certificates up to the root CA) to the ASA.
  I can indeed verify that it has been imported correctly by exporting it again:
    crypto ca export CodeSignerBundle pkcs12 1234
  It shows me the private key and all the certificates.
  However, the jars used in WebVPN, while carrying the correct certificate, don't have a full certification chain at their disposal:
  Using jarsigner -verify I see on a random file from the jar:
  sm       905 Fri Nov 30 00:00:00 CET 1979 Java/lang/CpUtf8.class
        X.509, CN=COMMONNAME, O=ORGANIZATION, L=LOCATION, ST=STATE, C=COUNTRY
        [certificate is valid from 8/1/13 4:30 PM to 8/1/16 4:30 PM]
        X.509, CN=LuxTrust Qualified CA, O=LuxTrust S.A., C=LU
        [certificate is valid from 6/5/08 11:25 AM to 10/18/16 12:40 PM]
        [CertPath not validated: Path does not chain with any of the trust anchors]
  Indeed the certificate file inside the jar (META-INF/.....RSA) does not contain what I uploaded to the ASA. One of the intermediary certificates is missing (while another certificate is listed twice).
  What could be the problem here? (ASA v8.2(5))
  Thanks for any help,
  Marki

  It may be that a ip address pool is not assigned to the default webvpn group:
  tunnel-group DefaultWEBVPNGroup general-attributes
  address-pool testpool

• Adobe Pro 11.0.10 patch has expired code signing cert

  I can not patch my Adobe 11.0.0 installation to 11.0.10 using the automated process.
  I manually downloaded 11.0.10 from this location: http://ardownload.adobe.com/pub/adobe/acrobat/win/11.x/11.0.10/misc/AcrobatUpd11010.msp
  The MD5 of this MSP per my own check is 4cb5979f49bc5112731da0cce036ac66, while the SHA1 is 8b4130df183f69ab77f9f6748f2e535be5d3336e.
  This download is signed with a code signing certificate issued by Symantec Class 3 Extended Validation Code Signing CA.  The signature has a thumbprint of 111aa9b0c6da43594bb2ad3052567c12ef8d9607.  This certificate expires later this year.
  During the install I receive an error because it extracts a file to c:\config.msi which is code signed with a code signing certificate issued by Verisign Class 3 Code Signing 2010 CA.  The certificate has a thumbprint of 70d566df844f3e2d9ac31e518256e7b6f2de9272.  The certificate expired 9/20/2013.  Today is 5/4/2015.  The install fails on this file.
  The certificate thumbprint for the Verisign Class 3 Code Signing 2010 CA intermediate authority is 495847a93187cfb8c71f840cb7b41497ad95c64f.   This itself is signed by VeriSign Class 3 Public Primary Certification Authority - G5 having a thumbprint of 4eb6d578499b1ccf5f581ead56be3d9b6744a5e5.
  The failing file with the invalid code signing certificate has an MD5 checksum of bddf785233f9d2b3ae43d72822fb74bc and SHA1 of 78e7e15c8baea3c6befc7336d153254777912bd4.  This appears to be amtlib.dll which is part of Adobe AMT Licensing.   These hashes are available on services such as Virus Total and Herd Protect.
  Would it be possible for Adobe to release a 11.0.11 patch that has this issue fixed?  
  Thank you,
  Edwin Davidson.

  Back up all data.
  Launch the Font Book application and validate all fonts. You must select the fonts in order to validate them. See the built-in help and this support article for instructions. If Font Book finds any issues, resolve them.
  From the application's menu bar, select
  File ▹ Restore Standard Fonts...
  You'll be prompted to confirm, and then to enter your administrator login password.
  Start up in safe mode to rebuild the font caches. Restart as usual and test.
  Note: If FileVault is enabled, or if a firmware password is set, or if the startup volume is a Fusion Drive or a software RAID, you can’t start in safe mode. In that case, ask for instructions.
  Also note that if you deactivate or remove any built-in fonts, for instance by using a third-party font manager, the system may become unstable.

• Java security error after 8u31 (Timestamped Jarsigned Applet within valid period of Code Signing certificate)

  Hello,
    I have an applet running in embeddad systems. This program runs without any problem since 8u31 update! After this update it starts to give java security warning and stops running.
  Here is the warning message:
    "Your security settings have blocked an application signed with an expired or not-yet-valid certificate from running"
  What it says is true; my Code Signing Certificate (CSC) is valid between 24 Jan 2014 and 25 Jan 2015. And it expired! However, while i was signing my applet with this certificate i used "timestamp". The authority i choosed was DigiCert. My signing date was 26 Jan 2014 (when my CSC was valid).
  When i started to have this Java Security Error, first i thought i mis-timestamped my code, and check by using the jarsigner -verify command. Here is a partial result:
  s      19607 Mon Jan 27 13:17:34 EET 2014 META-INF/MANIFEST.MF
        [entry was signed on 27.01.2014 13:19]
        X.509, CN=TELESIS TELECOMMUNICATION SYSTEMS, OU=ARGE, O=TELESIS TELECOMMUNICATION SYSTEMS, STREET=TURGUT OZAL BLV.NO:68, L=ANKARA, ST=ANKARA, OID.2.5.4.17=06060, C=TR
        [certificate is valid from 24.01.2014 02:00 to 25.01.2015 01:59]
        X.509, CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB
        [certificate is valid from 24.08.2011 03:00 to 30.05.2020 13:48]
        X.509, CN=UTN-USERFirst-Object, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, ST=UT, C=US
        [certificate is valid from 07.06.2005 11:09 to 30.05.2020 13:48]
        X.509, CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE
        [certificate is valid from 30.05.2000 13:48 to 30.05.2020 13:48]
  sm       495 Thu Jan 23 14:55:22 EET 2014 telesis/WebPhone$1.class
  As you may see the timestamp was correctly done. And it is in the valid period of CSC.
  Than i started to check how Java confirms the Certificate, and found some flowcharts.
  Here is an example from DigiCert:
  Code Signature Verification Process
  After the Web browser downloads the Applet or Web Start application, it checks for a timestamp, authenticates the publisher and Certificate Authority (CA), and checks to see if the code has been altered/corrupted.
  The timestamp is used to identify the validation period for the code signature. If a timestamp is discovered, then the code signature is valid until the end of time, as long as the code remains unchanged. If a timestamp is not discovered, then the code signature is valid as long as the code remains unchanged but only until the Code Signing Certificate expires. The signature is used to authenticate the publisher and the CA, and as long as the publisher (author or developer) has not been blacklisted, the code signature is valid. Finally, the code is checked to make sure that it has not been changed or corrupted.
  If the timestamp (or Code Signature Certificate expiration date) is verified, the signature is validated, and the code is unchanged, then the Web browser admits the Applet or Web Start application. If any of these items do not check out, then the Web browser acts accordingly, with actions dependent on its level of security.
  So according to this scheme, my applet had to work properly, and without security warning.
  However i also found that from Oracle, which also includes the timestamping authorities Certification validity period??? :
  The optional timestamping provides a notary-like capability of identifying
  when the signature was applied.
      If a certificate passes its natural expiration date without revocation,
  trust is extended for the length of the timestamp.
      Timestamps are not considered for certificates that have been revoked,
  as the actual date of compromise could have been before the timestamp
  occurred.
  source:  https://blogs.oracle.com/java-platform-group/entry/signing_code_for_the_long
  So, could anyone please explain why Java gives security error when someone tries to reach that applet?
  Here is a link of applet: http://85.105.68.11/home.asp?dd_056
  I know the situation seems a bit complicated, but i tried to explain as simple as i can.
  waiting for your help,
  regards,
  Anıl

  Hello,
    I have an applet running in embeddad systems. This program runs without any problem since 8u31 update! After this update it starts to give java security warning and stops running.
  Here is the warning message:
    "Your security settings have blocked an application signed with an expired or not-yet-valid certificate from running"
  What it says is true; my Code Signing Certificate (CSC) is valid between 24 Jan 2014 and 25 Jan 2015. And it expired! However, while i was signing my applet with this certificate i used "timestamp". The authority i choosed was DigiCert. My signing date was 26 Jan 2014 (when my CSC was valid).
  When i started to have this Java Security Error, first i thought i mis-timestamped my code, and check by using the jarsigner -verify command. Here is a partial result:
  s      19607 Mon Jan 27 13:17:34 EET 2014 META-INF/MANIFEST.MF
        [entry was signed on 27.01.2014 13:19]
        X.509, CN=TELESIS TELECOMMUNICATION SYSTEMS, OU=ARGE, O=TELESIS TELECOMMUNICATION SYSTEMS, STREET=TURGUT OZAL BLV.NO:68, L=ANKARA, ST=ANKARA, OID.2.5.4.17=06060, C=TR
        [certificate is valid from 24.01.2014 02:00 to 25.01.2015 01:59]
        X.509, CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB
        [certificate is valid from 24.08.2011 03:00 to 30.05.2020 13:48]
        X.509, CN=UTN-USERFirst-Object, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, ST=UT, C=US
        [certificate is valid from 07.06.2005 11:09 to 30.05.2020 13:48]
        X.509, CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE
        [certificate is valid from 30.05.2000 13:48 to 30.05.2020 13:48]
  sm       495 Thu Jan 23 14:55:22 EET 2014 telesis/WebPhone$1.class
  As you may see the timestamp was correctly done. And it is in the valid period of CSC.
  Than i started to check how Java confirms the Certificate, and found some flowcharts.
  Here is an example from DigiCert:
  Code Signature Verification Process
  After the Web browser downloads the Applet or Web Start application, it checks for a timestamp, authenticates the publisher and Certificate Authority (CA), and checks to see if the code has been altered/corrupted.
  The timestamp is used to identify the validation period for the code signature. If a timestamp is discovered, then the code signature is valid until the end of time, as long as the code remains unchanged. If a timestamp is not discovered, then the code signature is valid as long as the code remains unchanged but only until the Code Signing Certificate expires. The signature is used to authenticate the publisher and the CA, and as long as the publisher (author or developer) has not been blacklisted, the code signature is valid. Finally, the code is checked to make sure that it has not been changed or corrupted.
  If the timestamp (or Code Signature Certificate expiration date) is verified, the signature is validated, and the code is unchanged, then the Web browser admits the Applet or Web Start application. If any of these items do not check out, then the Web browser acts accordingly, with actions dependent on its level of security.
  So according to this scheme, my applet had to work properly, and without security warning.
  However i also found that from Oracle, which also includes the timestamping authorities Certification validity period??? :
  The optional timestamping provides a notary-like capability of identifying
  when the signature was applied.
      If a certificate passes its natural expiration date without revocation,
  trust is extended for the length of the timestamp.
      Timestamps are not considered for certificates that have been revoked,
  as the actual date of compromise could have been before the timestamp
  occurred.
  source:  https://blogs.oracle.com/java-platform-group/entry/signing_code_for_the_long
  So, could anyone please explain why Java gives security error when someone tries to reach that applet?
  Here is a link of applet: http://85.105.68.11/home.asp?dd_056
  I know the situation seems a bit complicated, but i tried to explain as simple as i can.
  waiting for your help,
  regards,
  Anıl

• 3.6.16 can chain Verisign code signing intermediate certificate ("2010 CA") in an xpi file even though it is not installed int its cert store, but 4.0 does not. Why does 4.0 not chain this cert?

  Certs that are in FF 4.0 on the signing workstation using Key Manager (I imported the "2010 CA"cert):
  Company cert
  VeriSign Class 3 Code Signing 2010 CA
  52 00 e5 aa 25 56 fc 1a 86 ed 96 c9 d4 4b 33 c7
  VeriSign Class 3 Public Primary Certification Authority - G5
  25 0c e8 e0 30 61 2e 9f 2b 89 f7 05 4d 7c f8 fd
  Verisign Class 3 Public Primary Certification Authority
  70 ba e4 1d 10 d9 29 34 b6 38 ca 7b 03 cc ba bf

  Turns out that Key Manager is apparently not compatible with 4.0. I uninstalled 4.0 from the signing workstation, installed 3.6.x and Key Manager again, then signings contained the chain for the client running either 3.6 or 4.0.

• AIR application code signing?

  I have a code signing certificate from StartSSL.com.
  After validation I only get a yellow question mark in the application installer.
  That is already better than the red exclamation mark with a self-signed certificate.
  Can someone give me an example of an AIR application out there that has ALL GREEN in the install dialog?
  What certification authority do I need to sign up with to get an ALL GREEN installation dialog?
  Thanks,
  David

  Hy David, this is an answer I got from StartSSL.
  Have you tried to install your application using the Adobe AIR 2.0 Runtime? It would be interesting to know, how your install dialog looks there.
  Hi Beat,
  On 05/10/2010 08:22 PM, From Beat Besmer:
  Dear Sir or Madam
  I have a rather simple question: Will I be able to sign an Adobe AIR Application with the “Start SSL Verified” Object Sign Feature? I have not found any information on this on your Website or the FAQs.
  It depends what the basis for the trust anchor is, but I suspect since Adobe doesn't support the StartCom root yet, there will be probably a warning for this type of application.
  So far Windows, Apple and Mozilla applications and extensions are supported.
  Regards
  Signer:
  Eddy Nigg, COO/CTO
  StartCom Ltd.
  Twitter:
  Follow StartSSL™
  XMPP:
  [email protected]
  Phone:
  +1.213.341.0390

• How to use Java code signing certificate in oracle 11i

  Hello,
  I am try to configure java code signing certificate in 11.5.10.2 application. we got java sign certificate from verisgin. SA's imported the certificate and created alias XXX_XXX with password and passphrase.
  I am able to see the my certificate. keytool -list -v -keystore xxx_xxxx.jks -storepass Password.
  how do I use it. I am using Enhance Jar Signing for EBS DOC ID 1591073.1.
  could you please give me some advice on it?
  Thanks
  Prince

  Hussien,
  I find out apps keystore keypassword and storepassword, I imported the java code sign certificate. I generated Jar files through adadmin, but I am getting  warning error
  adogif() unable to generate Jar Filers under JAVA_TOP.
  executing /usr/jdk/jdk1.6.0_45/bin/java sun.security.tools.JarSigner keysotre **** -sigfile CUST Signer /apps/......
  Error JarSigner subcommand Exited With status 1.
  No standard output from jarsigner JarSigner error output: Exception in thread "main" java.lang.NoClassDefFoundError: sun/security/tools/JarSigner Caused by: java.lang.ClassNotFoundException: sun.security.tools.JarSigner         at java.net.URLClassLoader$1.run(URLClassLoader.java:202)         at java.security.AccessController.doPrivileged(Native Method)         at java.net.URLClassLoader.findClass(URLClassLoader.java:190)         at java.lang.ClassLoader.loadClass(ClassLoader.java:306)         at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:301)         at java.lang.ClassLoader.loadClass(ClassLoader.java:247) Could not find the main class: sun.security.tools.JarSigner.  Program will exit. WARNING: The following path(s), defined in /apps2/property/product/tst/appl/cz/11.5.0/java/make/czjar.dep as elements of the output:   oracle/apps/cz/runtime/tag WARNING: Copying cztag.lst from the old fndlist.jar ...   About to Analyze flmkbn.jar : Fri Nov 22 2013 10:45:51
  Please let me know if you have any idea. Thanks Prince

• Third party CA and SCUP code signing

  All of the documentation I have seen out there regarding using a code signing certificate with SCUP assumes you are using AD CS. My institution uses a 3rd party CA and I requested a code signing certificate from them (the file had no file name extension,
  FWIW). I imported it into the local computer certificate store (on SCUP server/CAS) and see four entries:
  The blocked out item is our company name.
  Here is what I have done:
  I have exported the one with our company name as as the .cer file for clients, and placed it in the Trusted Publishers and Trusted Root Certificate Authorities stores on the SCUP server/CAS.
  I have exported various combinations of the 4 to generate the *.pfx file and imported it into SCUP but it always gives me an error when I try to publish an update. I initially exported all 4 certificates to get my .pfx, then tried just the ones with the
  purpose of "code signing." In both cases I get an error stating "Signature verification exception during publish, verify the WSUS certificates and advanced timestamp setting are properly configured."
  I am not getting an option to export the private key no matter what combo I choose. This is the biggest red flag I am seeing.
  Does anyone have any experience in this scenario? I am at a loss at this point. The server is 2008 R2 and I know I could use a self-signed one but I thought I would do it the "right" way since it is no longer supported.

  It turns out that after the code signing certificate was downloaded, the private key was somehow lost or damaged or not associated with it in the first place. That is why I was not seeing the option to export the key. We needed to use certutil to repair
  the key association.
  I suspect this is because the request was made from a web form and handled by the 3rd party CA as opposed to being done with certreq. Am I off base?
  Anyway, running this command on the code signed certificate allowed me to export it as needed for SCUP:
  certutil -repairstore my "SerialNumberofCert"
  There are some how tos here:
  http://support.microsoft.com/kb/889651
  http://blogs.msmvps.com/ivansanders/2011/07/26/restoring-a-certificates-private-key-without-the-certreq/

• Adobe AIR 3 Performance Issues and Code Signing Certificate Problem

  I recently updated to Adobe AIR 3.0 SDK (and runtime) doing HTML/Javascript development using Dreamweaver CS5.5 in a Windows 7 Home Premium (64 bit).
  The AIR app I'm developing runs well from within Dreamweaver. But when I create/package the AIR app and install it on my machine:
  1. The app literally CRAWLS running it in my Windows 7 12G RAM machine (especially when I use the mouse to mouse over a 19-by-21 set of hyperlinks on a grid) --- IT IS THAT SLOOOOWWWW...
  2. The app runs fine in my Mac OS X 10.6.8 with 4G RAM, also using the Adobe AIR 3 runtime.
  About the Code Signing Certificate problem:
  When I try to package the AIR app with ADT using AIR's temporary certificate feature, I get the error message "Could not generate timestamp: handshake alert: unrecognized_name".
  I found some discussions on this problem in an Adobe AIR Google Groups forum, but no one has yet offered any resolution to the issue. Someone said Adobe is using the Geotrust timestamping service --- located at https://timestamp.geotrust.com/tsa --- but going to this page produces a "404 --- Page not found" error.
  The Google Groups Adobe AIR page is here:
  http://groups.google.com/group/air-tight/browse_thread/thread/17cd38d71a385587
  Any ideas about these issues?
  Thanks!
  Oscar

  I recently updated to Adobe AIR 3.0 SDK (and runtime) doing HTML/Javascript development using Dreamweaver CS5.5 in a Windows 7 Home Premium (64 bit).
  The AIR app I'm developing runs well from within Dreamweaver. But when I create/package the AIR app and install it on my machine:
  1. The app literally CRAWLS running it in my Windows 7 12G RAM machine (especially when I use the mouse to mouse over a 19-by-21 set of hyperlinks on a grid) --- IT IS THAT SLOOOOWWWW...
  2. The app runs fine in my Mac OS X 10.6.8 with 4G RAM, also using the Adobe AIR 3 runtime.
  About the Code Signing Certificate problem:
  When I try to package the AIR app with ADT using AIR's temporary certificate feature, I get the error message "Could not generate timestamp: handshake alert: unrecognized_name".
  I found some discussions on this problem in an Adobe AIR Google Groups forum, but no one has yet offered any resolution to the issue. Someone said Adobe is using the Geotrust timestamping service --- located at https://timestamp.geotrust.com/tsa --- but going to this page produces a "404 --- Page not found" error.
  The Google Groups Adobe AIR page is here:
  http://groups.google.com/group/air-tight/browse_thread/thread/17cd38d71a385587
  Any ideas about these issues?
  Thanks!
  Oscar

• Code-signing

  We are having some issues with our C Sharp .NET 4 Application
  We are using Visual Studio 2010 to build a Click Once Installation
  In addition, we use our code-signing certificate (.pfx) to sign the package
  However when attempting to install the application it is blocked by
  Windows 8 Smart Screen with an “unknown Publisher” message.
  We sign our package twice once on the actual files and afterward
  The manifest is resigned.

  Hi Rene,
  >>“unknown Publisher” .
  Please check whether you sign file in the correct directory.
  Reference:
  http://stackoverflow.com/questions/10392201/clickonce-de-signs-our-executable-and-says-unknown-publisher?rq=1
  A document shared us the detailed steps for "Certificate Expiration in ClickOnce Deployment".
  http://msdn.microsoft.com/en-us/library/ff369721.aspx
  In addition, since this issue is related to the Clickonce, I suggest you post a new case in this forum:
  http://social.msdn.microsoft.com/Forums/windows/en-US/home?forum=winformssetup , and there you would get dedicated support.
  Best Regards,
  We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time. Thanks for helping make community forums a great place. <br/> Click <a
  href="http://support.microsoft.com/common/survey.aspx?showpage=1&scid=sw%3Ben%3B3559&theme=tech"> HERE</a> to participate the survey.

• InCommon Code Signing Cert not working in Profile Manager

  We acquired a Code Signing Certificate from InCommon for signing profiles, and it doesn't want to work with Profile Manager.
  In the Certificates section we have our working SSL cert for the web server, and self-signed SSL and Code Signing certs.
  When I try to import the p7s file it lists four non-identity certificates and then says that it can't be used as a code signing certificate. 
  Has anyone ever managed to get an InCommon code signing cert to work with OSX Server?

  Hello,
  In RFC SAP-OSS, i maintained my S-user id and its password.
  As already told my router connectivity and   SAPOSS rfc working fine.
  regards
  Vinayag.K.C

• My Distribution Profile is grayed out in Code Signing Provisioning Profile

  Fellow developers, has anyone experienced this problem when you tried to compile your app for distribution:
  Did everything as suggested in this forum, including:
  - copying a distribution profile to the right folder and also draging over the Xcode icon
  - Adding a "Distribution" configuration
  - specifying the identity as "iPhone Distribution: My Name"
  However, in the "Code Signing Provisioning Profile" picker, when "Any iPhone OS" is selected, the only enabled choice is "Default ..." and the actual profile with my name is grayed out.
  More over, the moment I select "Distribution" and then select "Device" in the "Active Configuration" picker, Xcode closes. This behavior can be reproduced all the time.
  Any suggestions?
  Eugene

  It is normal that it is grayed out ( don't ask me why ). To activate the distribution build, duplicate your Release in Distribution, install all the required certificates ( please apple stop those, they're a nightmare to deal with ) , then in the build settings in the code signing you have to TYPE ( there is no drop down box as seen in some screenshots ) "iPhone Distribution" ( instead of "iPhone Developer" ) and tada a few lines below you should see your drop down modified with some distributions entries.
  Patricia.

• ERROR ITMS-9000: Missing Code Signing Entitlements when adding app to Apple App Store

  My client is getting the following error when sending my app (compiled in Flash Pro CC 2014 with AIR SDK 15.0.0.356) to the Apple app store:
  ERROR ITMS-9000: "Missing Code Signing Entitlements. No entitlements found in bundle
  'com.xxxxxx.xx.xxx' for excutable 'payload/xxxxx.app./xxxx'.""
  He is saying that I need to send them the entitlements file.
  I can't find out any information about this with regards to Adobe Air compiled iOS apps, apart from this old post:
  Adding iOS entitlements to AIR apps
  which states that 'the packager configures the entitlements file '
  Can anyone explain what might be missing here?
  Thanks,
  Alan.

  It looks as if this problem is solved by doing step 2 from here:
  http://dev.mlsdigital.net/posts/how-to-resign-an-ios-app-from-external-developers/
  It basically states that the client needs to produce the entitlements file and lists the following that the client will provide themselves:
  A “Mobile Provisioning Profile”
  An “Entitlements.plist”
  An “iOS Distribution Certificate”
  iReSign OS X app (or you could use command line)
  Hope this helps someone. We've run into quite a few problems trying to get the Flash Air compiled App to both enterprise and Apple Store as it can't come from us (the developers) it has to be signed and delivered from the client.

• No option in project info window for code signing Provising profile.

  Dear Developer forum,
  I have one issue wth my application regarding provisional Profile.
  I have installed Distribution certificate.After that I have entered all information regarding distribution provisional profile in program portal
  I have got provisional certificate from portal.I have installed it
  And I have also seen its entry in home/library/mobiledevices/.
  But Now problem is arising at place when I am opening my project or target info window on that time in BUild->code signing option, I have only code signing endity but no code signing provisioning profile.
  where I can give my distribution provising profile name
  So anybody tell me howz it come????
  Thanks

  Looking at this page:
  http://developer.apple.com/iphone/manage/distribution/index.action
  Make sure that you've done all the steps... "Generating a Certificate Signing Request", "Submitting a Certificate Signing Request for Approval", "Downloading and Installing iPhone Distribution Certificates", "Create and download your iphone distribution provisioning profile"...
  When I went through this process, I think I forgot to do the step "Downloading and Installing iPhone Distribution Certificates"... (skipping straight to "create and download your iphone disbritution profile") as a result the provisioning profile name wasn't appearing for me to select... When I completed that step, then the provisioning profile name appeared...
  Message was edited by: iphonemediaman