I have a windows service and part of business logic it generates a desktop file setup. Now, I want to code sign that desktop file setup Programmatically so that Windows will not warn the end user about an application from an "unknown publisher".
I also know its very straight forward process as I can do it by Microsoft signtool by taking certificate from local system and also can use Azure signtool by taking certificate from azure Key Vault for sign setup.
now, I have following doubts:
Now my problem is certificate security as windows service installed on client system and signing process will go on client system so, Its possible to misuse certificate by anyone.
currently using AzureSigntool which takes certificate from azure Key Vault directly but we doing it programmatically so we need to pass some sensitive info. like client Id, key vault Url, and secret Key with windows service code to access certificate during signing process. another point is that we doing signing by AzureSigntool on client system. does anyone can make forgery of my certificate from Azuresigntool during signing process?
If do not hesitate to suggest any other best possible approach also.
Related
We do our builds and sign them within our windows server using Jenkins
Recently our code signing provider stopped sales/renewals and we had to find another provider but it seems all certificates now come in tokens (USB, hardware). So we decided to get an EV certificate to solve the Microsoft SmartScreen warning as well.
Since Jenkins is in cloud VM I wasn't able to get the token there and we had to do the builds locally, now its about to expire and I've been looking for solutions and it seems that HSM might be the solution to host token/certificate by the cloud provider like Azure then use it (somehow?) to sign the files
I also came across a cloud sign service which was clear but a lot more expensive! (unless I didn't understand HSM cost!)
Can someone explain how HSM works for code signing with Azure/Jenkins?
If I give up on the EV and back to a standard certificate, can this process be automated easily
Any other recommendation
I have an asp.net mvc app that needs to access a backend api and several services that is using self signed certs. Have no control over forcing client to use proper certs.
On my development environment, i am installing the self signed certs on Trusted Root Certificates to have it work.
However, I am facing SSL certification error when connecting to those services after publishing the asp.net mvc app to azure app services but I am unable to find a way to overcome this.
Is there any way that I can overcome this challenge like installing self sign cert on azure app services? I would not like to ignore ssl error in code level if possible as this would require changes on multiple part in code.
Limitation:
Production Backend API and other services provided by client is using self signed cert
The asp.net mvc app must be hosted on azure app services provided by client
Answering based on your requirements that you only need to connect to a private endpoint that has a private cert (your app service can have a public endpoint).
Try to follow the guide outlined here to first upload the private certificate chain: https://learn.microsoft.com/en-us/azure/app-service/configure-ssl-certificate#upload-a-private-certificate (make sure to include the whole chain).
Once you upload the private cert, follow this guide to access it from your code: https://learn.microsoft.com/en-us/azure/app-service/configure-ssl-certificate-in-code
From there you should be able to use the certificate as needed within your code.
I have a cert signed by a CA (Geotrust) on my server. I have the same cert installed in my app. I compare the two certs in URLSession:didReceiveChallenge:completionHandler:. But I was notified by my hosting service that I need to 'renew' the cert each year. That creates a new and different cert for me to handle in the app. Since the certs are not self-signed, do I need to embed the cert in the app for comparison with the cert as it comes from the server or does iOS's SSL handling take care of the challenge for me. Maybe I can just use server trust without looking at the cert?
I have the same cert installed in my app.
Why?
I compare the two certs in URLSession:didReceiveChallenge:completionHandler.
Why?
What you should be doing is comparing the subjectDN. That's what the signer is verifying. It's all you need.
Maybe I can just use server trust without looking at the cert?
It sounds like you're trying to do the correct thing and add an authorization step. Relying on 'server trust' just gives you authentication, i.e. the subject DN is who he says he is. Authorization checks whether that DN is authorised to use this part of the application. But you don't need to check the entire certificate for that.
I want to proxy traffic from an ios application to Fiddler (or Burp). It looks like the application sends a client certificate to the server.
I will need to retrieve this cert from the phone(it's jailbroken) and import it to my proxy. Is there a way to do that ?
The client certificate is used to identify the client. If the programmer of the app made his job well, you will face difficulties (hopefully). Likely, and most secure, the private key and identity resides in the key-chain. Less secure, it resides in a secured archive (.p12, .pkcs12, .pfx) in the bundle, whose password resides in the key-chain.
If the programmer did his job not so well, you might find the password of the secured archive in the clear somewhere in the apps binary (there're actually floating samples around which do exactly this).
I'm working on an ios application without authentication. Now I would like to protect my server API from calls other then my ios application. A possible solution would be to have the application generate a unique key (based on the appname and the signing), which is not stored on the device since this is the main problem. I could think off an application logic that does some protection combined with some file encryption but the problem is that somewhere something is stored (ex public key can be stored in keychain but still not safe for my API-hackers).
Anyone any tips/advice on how I can handle this ?
thanks in advance
In short, there is no 100% secure way to make sure that the request comes from your application, if the key is available to the iPhone, it's available to extract from the iPhone.
You can make it reasonably safe by calculating a key runtime from info in the application as you say and communicate it over SSL, but a determined attacker can always reverse engineer the key generation too.
What you want to do is employ mutually-authenticated SSL, so that your server will only accept incoming connections from your app and your app will only communicate with your server.
Here's the high-level approach. Create a self-signed server SSL certificate and deploy on your web server. You can use freely available tools for this, like keytool, and I think (but don't know for sure) that Apple includes a tool for this with the iOS SDK. Then create a self-signed client and deploy that within your application in a custom keystore included in your application as a resource. Configure the server to require client-side SSL authentication and to only accept the client certificate you generated. Configure the client to use that client-side certificate to identify itself and only accept the one server-side certificate you installed on your server for that part of it.
If someone/something other than your app attempts to connect to your server, the SSL connection will not be created, as the server will reject incoming SSL connections that do not present the client certificate that you have included in your app.