We do our builds and sign them on our Windows server using Jenkins.
Recently our code signing provider stopped sales/renewals and we had to find another provider, but it seems all certificates now come on tokens (USB hardware). So we decided to get an EV certificate to solve the Microsoft SmartScreen warning as well.
Since Jenkins is in a cloud VM I wasn't able to get the token there and we had to do the builds locally. Now it's about to expire and I've been looking for solutions, and it seems that an HSM might be the solution: host the token/certificate with a cloud provider like Azure, then use it (somehow?) to sign the files.
I also came across a cloud signing service, which was clear but a lot more expensive! (unless I didn't understand the HSM cost!)
Can someone explain how an HSM works for code signing with Azure/Jenkins?
If I give up on EV and go back to a standard certificate, can this process be automated easily?
Any other recommendations?
I have a Windows service, and as part of its business logic it generates a desktop setup file. Now I want to code sign that desktop setup file programmatically so that Windows will not warn the end user about an application from an "unknown publisher".
I also know it's a very straightforward process, as I can do it with Microsoft signtool by taking the certificate from the local system, and can also use AzureSignTool by taking the certificate from Azure Key Vault to sign the setup.
Now I have the following doubts:
My problem is certificate security: as the Windows service is installed on the client system and the signing process runs on the client system, it's possible for anyone to misuse the certificate.
Currently I'm using AzureSignTool, which takes the certificate from Azure Key Vault directly, but we're doing it programmatically, so we need to pass some sensitive information like the client ID, Key Vault URL and secret key with the Windows service code to access the certificate during the signing process. Another point is that we're doing the signing with AzureSignTool on the client system. Can anyone forge my certificate from AzureSignTool during the signing process?
Please do not hesitate to suggest any other best possible approach as well.
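The following is an added example, not code from either of the two posts above, showing the build-server-side signing flow both questions are circling around: AzureSignTool signs with a certificate whose private key never leaves Azure Key Vault (HSM-backed on the Premium tier; the tool hashes the file locally and Key Vault returns the signature), and Get-AuthenticodeSignature checks the result. The vault URL, certificate name, timestamp server and file paths are placeholders I chose, and the AzureSignTool flag names are quoted from the tool's own help as I know it. It is meant to run on the Jenkins agent, never inside a product installed on customer machines.

```powershell
# Added example (not from the original posts). Placeholders: vault URL, certificate
# name, timestamp URL and file paths. Runs on the build agent, not on the client.

# Sign with AzureSignTool. The private key stays in Key Vault; the agent's identity
# only needs the "sign" key permission and "get" certificate permission on the vault.
function Invoke-KeyVaultSign {
    param(
        [Parameter(Mandatory)] [string[]] $Path,
        [string] $VaultUrl  = 'https://contoso-signing.vault.azure.net',  # placeholder
        [string] $CertName  = 'contoso-codesign',                          # placeholder
        [string] $Timestamp = 'http://timestamp.digicert.com'
    )
    $argList = @(
        'sign',
        '--azure-key-vault-url', $VaultUrl,
        '--azure-key-vault-certificate', $CertName,
        '--timestamp-rfc3161', $Timestamp,   # RFC 3161 countersignature, so the
        '--timestamp-digest', 'sha256',      # signature outlives the certificate
        '--file-digest', 'sha256',
        '--verbose'
    )
    if ($env:AZURE_CLIENT_SECRET) {
        # Service principal: the secret is a Jenkins credential bound to the
        # environment for this step only, never a literal in source or shipped code.
        $argList += '--azure-key-vault-tenant-id', $env:AZURE_TENANT_ID,
                    '--azure-key-vault-client-id', $env:AZURE_CLIENT_ID,
                    '--azure-key-vault-client-secret', $env:AZURE_CLIENT_SECRET
    } else {
        # Preferred on an Azure VM: the VM's managed identity, so no secret exists.
        $argList += '--azure-key-vault-managed-identity'
    }
    & AzureSignTool @argList @Path
    if ($LASTEXITCODE -ne 0) { throw "AzureSignTool exited with $LASTEXITCODE" }
}

# Verify what will ship: status, signer, and whether a timestamp is present.
function Get-SignatureReport([string[]]$Path) {
    foreach ($f in $Path) {
        $sig = Get-AuthenticodeSignature -FilePath $f
        [pscustomobject]@{
            File        = $f
            Status      = $sig.Status                       # Valid / NotSigned / HashMismatch ...
            Signer      = $sig.SignerCertificate.Subject
            Thumbprint  = $sig.SignerCertificate.Thumbprint
            Timestamped = $null -ne $sig.TimeStamperCertificate
        }
    }
}

Invoke-KeyVaultSign -Path 'dist\Setup.exe', 'dist\App.dll'
Get-SignatureReport   'dist\Setup.exe', 'dist\App.dll'
```

Two points this makes concrete for the second question: nobody can extract the certificate's private key through AzureSignTool, but anyone who holds the client ID and secret you ship with the service can sign arbitrary files with your identity, which is the same loss in practice. Signing therefore belongs on a machine you control (the pipeline above), with the generated setup file either signed there or fetched from there. For the first question, whether your CA will issue an EV certificate against a CSR generated inside Key Vault is something to confirm with the CA before buying.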
I have developed an MVC application with single sign-on as the authentication (company Azure Active Directory) and hosted it on Azure as a Cloud Service. It was working until now, but a few days ago I got the error below in my production environment:
No valid key mapping found for securityToken: 'System.IdentityModel.Tokens.X509SecurityToken' and issuer: 'https://sts.windows.net/{TenantID}/'
Then I searched on the internet and found the blog post below:
WIF10201: No valid key mapping found for securityToken
Then, as suggested in the blog, I fetched the thumbprint and updated my web.config, and it worked.
Now I got the same error again today and needed to do the same steps, and found that the thumbprint has changed.
So can anyone please suggest a permanent solution, as it is affecting my production environment.
It seems that the application does not support signing key rollover automatically. Supporting signing key rollover automatically in an old project depends on how the app integrates with Azure AD.
Based on the description, it seems you integrated the application with Azure AD for SSO. You can use the .NET OWIN OpenID Connect middleware, which already has the necessary logic to handle key rollover automatically, to authenticate with Azure AD. For more detail on this topic, refer to the document Signing key rollover in Azure Active Directory.
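To make the rollover mechanics visible, here is an added example (my code, not part of the question or the answer). It generates two throwaway self-signed certificates to stand in for the tenant's current and next signing keys, wraps them in a document shaped like the federation metadata the WIF10201 fix reads, and shows what a single pinned thumbprint in web.config sees before, during and after a rollover. The metadata document, subject names and the `{TenantID}` issuer are constructed stand-ins, not Microsoft's real metadata; it needs PowerShell 7 (or .NET Framework 4.7.2+) for CertificateRequest.

```powershell
# Added example, not part of the original question or answer. All certificates
# and the metadata document are generated locally; nothing is fetched from Azure AD.

function New-DemoSigningCert([string]$Subject) {
    $rsa = [System.Security.Cryptography.RSA]::Create(2048)
    $req = [System.Security.Cryptography.X509Certificates.CertificateRequest]::new(
        "CN=$Subject", $rsa,
        [System.Security.Cryptography.HashAlgorithmName]::SHA256,
        [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
    $req.CreateSelfSigned([DateTimeOffset]::UtcNow.AddDays(-1), [DateTimeOffset]::UtcNow.AddYears(1))
}

# Stand-in for https://login.microsoftonline.com/{tenant}/federationmetadata/2007-06/federationmetadata.xml:
# one <KeyDescriptor use="signing"> per published signing certificate.
function New-DemoMetadata([System.Security.Cryptography.X509Certificates.X509Certificate2[]]$Certs) {
    $keys = foreach ($c in $Certs) {
        $b64 = [Convert]::ToBase64String($c.Export('Cert'))
        '<KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data><X509Certificate>{0}</X509Certificate></X509Data></KeyInfo></KeyDescriptor>' -f $b64
    }
    $doc = '<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://sts.windows.net/{TenantID}/"><RoleDescriptor>{0}</RoleDescriptor></EntityDescriptor>' -f ($keys -join '')
    [xml]$doc
}

# Everything WIF's ValidatingIssuerNameRegistry would need to know right now.
function Get-SigningThumbprints([xml]$Metadata) {
    foreach ($node in $Metadata.GetElementsByTagName('X509Certificate')) {
        $raw = [Convert]::FromBase64String($node.InnerText)
        [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($raw).Thumbprint
    }
}

# Emulates the static web.config mapping: one issuer, one pinned thumbprint.
function Test-PinnedKey([string]$PinnedThumbprint, [xml]$Metadata) {
    $current = @(Get-SigningThumbprints $Metadata)
    [pscustomobject]@{
        Pinned  = $PinnedThumbprint
        Current = $current -join ','
        Valid   = $current -contains $PinnedThumbprint
    }
}

$old = New-DemoSigningCert 'demo-sts-key-A'
$new = New-DemoSigningCert 'demo-sts-key-B'
$before = New-DemoMetadata @($old)         # only the current key
$during = New-DemoMetadata @($old, $new)   # next key published ahead of the switch
$after  = New-DemoMetadata @($new)         # old key retired

Test-PinnedKey $old.Thumbprint $before     # Valid = True
Test-PinnedKey $old.Thumbprint $during     # Valid = True, and the next key is already visible
Test-PinnedKey $old.Thumbprint $after      # Valid = False: this is the WIF10201 moment
```

The OWIN OpenID Connect middleware the answer recommends does the equivalent of `Get-SigningThumbprints` against the tenant's OpenID metadata on startup and re-fetches it when a token arrives with an unknown key ID, so the "during" window is handled without a config change. If you must stay on WIF for a while, the stop-gap is to list every thumbprint the metadata currently publishes (the "during" set), not just the one that works today.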
I have created a project in MVC that connects to TFS and retrieves the work items; I am displaying those work items according to my requirements. My project worked well on localhost, but as soon as I deployed it on a server I fail to connect to TFS; all it says is "Unauthorized".
Any help ?
You are running into the dreaded double hop authentication problem.
In AD you are authenticated by virtue of a Kerberos token. That token is issued to the machine that you are logged into and is only valid on that machine or one it directly connects to.
So you can use your localhost token to authenticate to TFS, but as soon as you have a second hop (local -> web server -> TFS) your authentication fails.
This is security by design.
To resolve this you need to use SetSPN to create a Service Principal Name (SPN) in AD that allows you to reuse the token on the web server.
You can create an SPN that only works for the web server, but then you can't deploy elsewhere. A better way is to create an SPN for the service account that you run the web server AppPool under. Then you can run it anywhere.
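The answer's "SPN on the service account" approach, written out as an added example (mine, not the answerer's). Host names (webapp.contoso.com, tfs.contoso.com), the account CONTOSO\svc_webapp, the app pool name and the site name are placeholders. It goes one step beyond the answer: besides registering the SPN it enables constrained delegation, which Windows requires before the service account is allowed to forward the caller's ticket to TFS, and it sets the two IIS switches that otherwise make IIS ignore the account's SPN. Run it on a domain-joined box as an account that may write SPNs and delegation attributes; it needs the RSAT ActiveDirectory and WebAdministration modules.

```powershell
# Added example, not part of the answer above. Names are placeholders; adjust to your domain.
$svc  = 'svc_webapp'         # domain account the app pool runs as
$pool = 'WebAppPool'         # IIS application pool name
$site = 'Default Web Site'   # IIS site hosting the MVC app

# 1. SPNs on the service account rather than the machine, so the site can move hosts.
#    -S refuses to add a duplicate; a duplicate SPN makes Kerberos silently fall back to
#    NTLM, and NTLM can never be forwarded to TFS.
setspn -S HTTP/webapp.contoso.com CONTOSO\$svc
setspn -S HTTP/webapp             CONTOSO\$svc
setspn -L CONTOSO\$svc            # list what is registered
setspn -Q HTTP/webapp.contoso.com # confirm only this account holds the SPN

# 2. Constrained delegation: this account may forward tickets to TFS and nowhere else.
#    (Unconstrained delegation, Set-ADAccountControl -TrustedForDelegation, would let a
#    compromised app pool impersonate every visitor to any service in the forest.)
#    The TFS SPNs must already exist on the TFS service account for this to resolve.
Set-ADUser $svc -Add @{ 'msDS-AllowedToDelegateTo' = @('HTTP/tfs.contoso.com', 'HTTP/tfs') }

# 3. IIS: run the pool as that account, and make kernel-mode authentication decrypt
#    tickets with the pool identity instead of the machine account.
Set-ItemProperty "IIS:\AppPools\$pool" -Name processModel -Value @{
    identityType = 'SpecificUser'
    userName     = "CONTOSO\$svc"
    password     = (Read-Host -AsSecureString 'App pool password' | ConvertFrom-SecureString -AsPlainText)
}
Set-WebConfigurationProperty -PSPath "IIS:\Sites\$site" `
    -Filter 'system.webServer/security/authentication/windowsAuthentication' `
    -Name useAppPoolCredentials -Value $true

# 4. Check from the web server, logged on as the service account: obtaining a service
#    ticket for the TFS SPN proves the SPN lookup and delegation path resolve.
klist purge
klist get HTTP/tfs.contoso.com
```

`ConvertFrom-SecureString -AsPlainText` is PowerShell 7; on Windows PowerShell 5.1 supply the password from your secret store instead. After the change, a 401 that persists with "Negotiate" in the response usually means the browser still sent NTLM: check `setspn -Q` for duplicates and that the client used the exact host name the SPN was registered for.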
I am using the IMAP4 protocol in my C# .NET Windows service, which continuously monitors a configured mail account, downloads mail and then performs a series of business logic steps. Everything works fine as long as the Windows service is installed and configured within the domain that the mail exchange is part of.
Once the service is installed outside the domain I get a certificate issue, and I am aware that since the mail exchange has a test certificate the error below is logged. I tried to ignore the certificate validation, but this has not worked, and I also installed the mail exchange test certificate on the machine on which the service is installed, but even this failed to work.
The remote certificate is invalid according to the validation procedure.
at System.Net.Security.SslState.ValidateCreateContext(Boolean isServer, String targetHost, SslProtocols enabledSslProtocols, X509Certificate serverCertificate, X509CertificateCollection clientCertificates, Boolean remoteCertRequired, Boolean checkCertRevocationStatus, Boolean checkCertName)
I wanted to know if there is any other protocol (component) apart from IMAP4 which I can use that allows me to ignore the certificate validation issue.
Any suggestion or help on this would be of great help.
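The error in the post says only that validation failed, not why. The following is an added diagnostic (my code, not from the question or any IMAP component) that performs the same .NET TLS handshake the service does, against the mail server (mail.contoso.local is a placeholder; it needs network reach to the server), and reports the exact SslPolicyErrors and X509 chain status instead of the generic message. The callback accepts the certificate so the report can be collected; that acceptance is for diagnosis only and is not something to ship.

```powershell
# Added example, not from the question. Server name is a placeholder parameter.
function Test-ImapCertificate {
    param([Parameter(Mandatory)][string]$Server, [int]$Port = 993)

    $report = [ordered]@{
        Server = $Server; Protocol = $null; PolicyErrors = $null
        ChainStatus = @(); Subject = $null; Issuer = $null; Expires = $null
    }
    # Same delegate type as ServicePointManager.ServerCertificateValidationCallback.
    $callback = {
        param($sender, $cert, $chain, $errors)
        $report.PolicyErrors = $errors       # None / RemoteCertificateNameMismatch / RemoteCertificateChainErrors
        $report.ChainStatus  = @($chain.ChainStatus | ForEach-Object {
            "$($_.Status): $($_.StatusInformation.Trim())" })   # e.g. UntrustedRoot, RevocationStatusUnknown
        $c2 = [System.Security.Cryptography.X509Certificates.X509Certificate2]$cert
        $report.Subject = $c2.Subject
        $report.Issuer  = $c2.Issuer
        $report.Expires = $c2.NotAfter
        $true                                # accept for diagnosis only; never do this in the service
    }.GetNewClosure()

    $client = [System.Net.Sockets.TcpClient]::new($Server, $Port)
    try {
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($Server)   # host name checked against the cert, as the service does
        $report.Protocol = $ssl.SslProtocol
    } finally {
        $client.Dispose()
    }
    [pscustomobject]$report
}

# Run this as the same account the Windows service runs under: certificate stores are
# per user, and a root installed under the admin's CurrentUser store is invisible to
# LocalSystem or a service account. Diagnose the LocalMachine store with -Verb RunAs.
Test-ImapCertificate -Server 'mail.contoso.local' | Format-List
```

Reading the result: `RemoteCertificateNameMismatch` means the name the service connects to is not in the certificate's subject or SAN, so either connect by the name on the certificate or reissue it. `RemoteCertificateChainErrors` with `UntrustedRoot` means the machine does not trust the issuer: import the test CA's root (not the server's leaf certificate) into `Cert:\LocalMachine\Root`, which is the usual reason "I installed the certificate" has no effect when the service runs as a different account. Switching components will not change this; any client doing TLS validation correctly will report the same chain.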
I want to proxy traffic from an iOS application to Fiddler (or Burp). It looks like the application sends a client certificate to the server.
I will need to retrieve this cert from the phone (it's jailbroken) and import it into my proxy. Is there a way to do that?
The client certificate is used to identify the client. If the programmer of the app did his job well, you will face difficulties (hopefully). Most likely, and most securely, the private key and identity reside in the keychain. Less securely, it resides in a secured archive (.p12, .pkcs12, .pfx) in the bundle, whose password resides in the keychain.
If the programmer did his job not so well, you might find the password of the secured archive in the clear somewhere in the app's binary (there are actually samples floating around which do exactly this).
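For the weakest of the three cases the answer lists, an added example (mine, not the answerer's): given the app bundle pulled off the jailbroken device and unpacked on the analysis machine (the path is a placeholder), it locates PKCS#12 archives in the bundle, scrapes printable strings out of the main executable as password candidates, and reports which archive opens with which string. A found archive is then imported as-is into Burp's or Fiddler's client TLS certificate settings. It assumes the bundle's executable carries the bundle's own name, which is the common layout but not guaranteed.

```powershell
# Added example, not part of the answer. The app directory is a placeholder; the
# "executable has the bundle's name" rule is an assumption you may need to override.

# Printable ASCII runs from a binary, the same thing `strings` gives you.
function Get-BinaryStrings([string]$Path, [int]$MinLength = 6) {
    $latin1 = [System.Text.Encoding]::GetEncoding('iso-8859-1')   # 1 byte = 1 char, no decoding loss
    $text = $latin1.GetString([System.IO.File]::ReadAllBytes($Path))
    [regex]::Matches($text, "[\x20-\x7E]{$MinLength,}") | ForEach-Object Value | Sort-Object -Unique
}

# True only if the archive opens with this password and actually carries a private key;
# a wrong password surfaces as CryptographicException.
function Test-PfxPassword([string]$PfxPath, [string]$Password) {
    try {
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
            $PfxPath, $Password,
            [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable)
        return $cert.HasPrivateKey
    } catch [System.Security.Cryptography.CryptographicException] {
        return $false
    }
}

function Find-ClientIdentity([string]$AppDir, [string]$Executable) {
    if (-not $Executable) {   # assumption: CFBundleExecutable == bundle name minus .app
        $Executable = (Split-Path $AppDir -Leaf) -replace '\.app$', ''
    }
    $binary = Join-Path $AppDir $Executable
    $candidates = @('') + @(Get-BinaryStrings $binary)   # empty password is worth one try
    foreach ($pfx in Get-ChildItem $AppDir -Recurse -Include *.p12, *.pfx, *.pkcs12) {
        foreach ($pw in $candidates) {
            if (Test-PfxPassword $pfx.FullName $pw) {
                [pscustomobject]@{ Archive = $pfx.FullName; Password = $pw }
                break
            }
        }
    }
}

Find-ClientIdentity -AppDir 'C:\analysis\Payload\Example.app'
```

If nothing turns up, the identity is in one of the two better-protected places the answer describes, and the archive-plus-password search above will not help: the password, or the key itself, has to come out of the keychain on the device rather than out of the bundle.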