I developed a driver and, with makecert, certmgr and signtool, created a digital signature (for Win 7 64-bit) and signed the driver (.sys file) with it. In the properties of the .sys file I see that it has the digital signature, which is also valid.
In mmc -> Certificates I see the created signature under trusted certificates.
When I start the driver with sc start, I get error 577: the digital signature cannot be verified.
What am I doing wrong?
I created the signature with the following command line statements:
makecert.exe -$ individual -r -pe -ss "my Certificates" -n CN="certmaker" "myfirstcert.cer"
certmgr.exe /add "myfirstcert.cer" /s /r localMachine root
SignTool.exe sign /v /s "my Certificates" /n "certmaker" /t http://timestamp.verisign.com/scripts/timstamp.dll "C:\Windows\System32\drivers\MyFirstDriver.sys"
We need to dual sign our binaries with SHA1 and SHA2 using signtool.exe, our certificate supports 256-bit SHA2.
Using the Windows 8 SDK's signtool:
e.g.:
signtool.exe sign /as /fd sha256 /t http://timestamp.verisign.com/scripts/timstamp.dll /f "certificate.pfx" /p XXXXXXX "file.dll"
(where XXXXXXX is our password for the certificate)
fails with the cryptic error:
SignTool Error: SignedCode::Sign returned error: 0x80070057
The parameter is incorrect.
SignTool Error: An error occurred while attempting to sign: file.dll
Signing without a timestamp works, and signing individually as SHA1 or SHA256 works, but we need to dual sign, and I imagine not having a timestamp is a no-no.
I've tried the 32 and 64-bit versions of signtool.exe, tried it on a Win7 and Win8 machine, and tried playing around with the command line options but to no avail. Has anyone hit on this issue before?
I know it's a bit old, but I landed in this thread and maybe someone else will too.
It will work if you sign first with SHA1 and then with SHA256:
signtool.exe sign /f cert_file.pfx /t http://timestamp.comodoca.com/authenticode /p cert_password
signtool.exe sign /f cert_file.pfx /as /fd sha256 /tr http://timestamp.comodoca.com/rfc3161 /td sha256 /p cert_password
It worked using the same certificate in both signatures. I used the signtool from Windows 10 SDK, don't know if it will work with previous versions.
I've been trying to do this exact thing, and found the following did the trick. This approach relies on using two Authenticode certificates, one for SHA-1 and another for SHA-256, in order to ensure the files are accepted as valid by Windows Vista and Windows Server 2008 which do not support being signed by a SHA-256 certificate even if the SHA-1 algorithm is used:
signtool.exe sign /sha1 SHA1_Thumbprint /v /d "FileDescription" /du "CompanyURL" /fd sha1 /tr http://timestamp.comodoca.com/rfc3161 /td sha1 "FileName.dll"
signtool.exe sign /sha1 SHA256_Thumbprint /as /v /d "FileDescription" /du "CompanyURL" /fd sha256 /tr http://timestamp.comodoca.com/rfc3161 /td sha256 "FileName.dll"
Note that the SHA-1 thumbprints are explicitly specified for each signing step using the /sha1 switch and that /as is used to append the SHA-256 signature. Otherwise the SHA-256 signature will override the SHA-1 signature.
The other gotcha I found in the process was that only DLLs and EXEs support dual signatures. MSI installers do not.
Updated 29/12/15:
The format of the SHA-1/SHA-256 thumbprint is a 40-character hexadecimal upper case string with no spaces. For example:
signtool.exe sign /sha1 0123456789ABCDEF0123456789ABCDEF01234567 /as /v /d "FileDescription" /du "CompanyURL" /fd sha256 /tr http://timestamp.comodoca.com/rfc3161 /td sha256 "FileName.dll"
Updated 30/12/2015:
To sign an MSI file with a SHA-256 certificate but with a SHA-1 hash use a command similar to the below:
signtool.exe sign /sha1 SHA256_Thumbprint /v /d "FileDescription" /du "CompanyURL" /t http://timestamp.comodoca.com/authenticode "FileName.msi"
The issue is actually way simpler.
The problem is with the time stamp server.
Instead of using signtool.exe with this
/t http://timestamp.comodoca.com
You need to use it like this for SHA1
/tr http://timestamp.comodoca.com /td sha1
And for SHA256
/tr http://timestamp.comodoca.com/?td=sha256 /td sha256
Try using
signtool.exe sign /as /fd sha256 /tr http://timestamp.geotrust.com /td sha256 /f certificate.pfx /p XXXXXX file.dll
/tr is for RFC3161 timestamping, /td obviously for the hash to use.
Adding to martin_costello's answer: XP and Vista do not support the RFC timestamp. You need to use the /t option for SHA1 signatures.
signtool.exe sign /sha1 SHA1_Thumbprint /v /d "FileDescription" /du "CompanyURL" /fd sha1 /t http://timestamp.verisign.com/scripts/timestamp.dll "FileName.dll"
signtool.exe sign /sha1 SHA256_Thumbprint /as /v /d "FileDescription" /du "CompanyURL" /fd sha256 /tr http://timestamp.comodoca.com/rfc3161 /td sha256 "FileName.dll"
I also get the above error; however, it works with the osslsigncode utility when using the '-nest' option:
osslsigncode sign -pkcs12 cert1.pfx -h sha1 -t http://timestamp.verisign.com/scripts/timestamp.dll -in original.exe -out intermediate.exe
osslsigncode sign -pkcs12 cert2.pfx -nest -h sha1 -t http://timestamp.verisign.com/scripts/timestamp.dll -in intermediate.exe -out final.exe
The official project is for Unix; however, I've knocked up my own Windows fork.
I think this link has some nice pointers. Some of it is mentioned in the answer by martin_costello, but this article provides some more details. In particular:
'Dual signing and include an SHA1 file digest' is possible if you sign SHA1 first, and use /as for the SHA256. It only works with signtool v6.3 from the Windows 8.1 SDK (or later) though.
Dual signing with 'a FULL SHA1 signature', needed for Windows versions before XP SP3, requires 2 different certificates.
(I haven't tested all this myself though.)
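As an added example (not code from any of the answers above): a PowerShell wrapper that performs the two signing steps in the order the answers describe (SHA-1 primary signature with an Authenticode /t timestamp first, then a SHA-256 signature appended with /as and an RFC 3161 /tr timestamp) and then uses signtool verify /all to confirm that both signatures are actually present. It assumes signtool.exe from the Windows 8.1 SDK or later is on PATH, that one PFX holds the signing key, and it reuses the Comodo timestamp URLs quoted in the thread.

```powershell
<#
Added example, not code from any answer above. Dual-signs a PE file in the
order the answers describe (SHA-1 primary signature first, then a SHA-256
signature appended with /as) and checks with "signtool verify /all" that both
signatures are still present afterwards.
Assumptions: signtool.exe from the Windows 8.1 SDK or later is on PATH, a
single PFX holds the signing key (as in the /f examples), and the Comodo
timestamp URLs quoted in the thread are the ones you want.
#>
param(
    [Parameter(Mandatory)] [string] $PfxPath,
    [Parameter(Mandatory)] [string] $PfxPassword,
    [Parameter(Mandatory)] [string] $FilePath,
    [string] $AuthenticodeTsUrl = 'http://timestamp.comodoca.com/authenticode',
    [string] $Rfc3161TsUrl      = 'http://timestamp.comodoca.com/rfc3161'
)
$ErrorActionPreference = 'Stop'

# Only PE images (EXE/DLL) carry nested signatures; an MSI takes exactly one.
if ([IO.Path]::GetExtension($FilePath) -ieq '.msi') {
    throw "MSI packages cannot be dual-signed; sign $FilePath once (no /as) instead."
}

function Invoke-SignTool {
    param([string[]] $Arguments)
    & signtool.exe @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "signtool $($Arguments[0]) failed with exit code $LASTEXITCODE"
    }
}

# Step 1: SHA-1 file digest with a legacy Authenticode (/t) timestamp. Per the
# answers, the SHA-1 signature has to be the primary (first) one.
Invoke-SignTool @('sign', '/v', '/fd', 'sha1', '/f', $PfxPath, '/p', $PfxPassword,
                  '/t', $AuthenticodeTsUrl, $FilePath)

# Step 2: append (/as) a SHA-256 signature with an RFC 3161 timestamp (/tr, /td).
# Without /as this step would override the SHA-1 signature instead of nesting it.
Invoke-SignTool @('sign', '/v', '/as', '/fd', 'sha256', '/f', $PfxPath, '/p', $PfxPassword,
                  '/tr', $Rfc3161TsUrl, '/td', 'sha256', $FilePath)

# Step 3: verify every signature under the default Authenticode policy (/pa /all)
# and fail if fewer than two "Signature Index:" entries appear in the verbose
# report (this parse keys on the format of signtool's /v output).
$report = & signtool.exe verify /pa /all /v $FilePath
if ($LASTEXITCODE -ne 0) {
    throw "signtool verify failed (exit $LASTEXITCODE):`n$($report -join "`n")"
}
$indexLines = @($report | Select-String -Pattern 'Signature Index:')
if ($indexLines.Count -lt 2) {
    throw "Expected two signatures (SHA-1 + SHA-256) but found $($indexLines.Count)."
}
Write-Host "Dual signature verified on $FilePath ($($indexLines.Count) signatures)."
```

Run it as `.\DualSign.ps1 -PfxPath cert.pfx -PfxPassword '...' -FilePath file.dll`; a single-signature result (for example because /as was dropped) fails the final check instead of passing silently.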
I cloned https://github.com/plaid/plaid-link-ios (Plaid's iOS sample Swift app) and followed the instructions for the Plaid Node quickstart to get a generated token: https://plaid.com/docs/quickstart/
I put my token in the Swift app's linkToken variable in the func presentPlaidLinkUsingLinkToken(), but when I run the app and click on the Plaid link I'm presented with this error:
2020-11-30 18:03:07.629202-0600 LinkDemo-Swift[1378:41715] [] nw_protocol_get_quic_image_block_invoke dlopen libquic failed
2020-11-30 18:03:08.771021-0600 LinkDemo-Swift[1378:41497] WF: === Starting WebFilter logging for process LinkDemo-Swift
2020-11-30 18:03:08.771106-0600 LinkDemo-Swift[1378:41497] WF: _userSettingsForUser : (null)
2020-11-30 18:03:08.771167-0600 LinkDemo-Swift[1378:41497] WF: _WebFilterIsActive returning: NO
2020-11-30 18:03:08.997682-0600 LinkDemo-Swift[1378:41497] Unbalanced calls to begin/end appearance transitions for <LinkKit.InProcessWebviewFallbackController: 0x13fe30a70>.
exit with ExitError(errorCode: LinkKit.ExitErrorCode.invalidRequest(INVALID_FIELD), errorMessage: "link_token must be properly formatted, non-empty string", displayMessage: Optional(""), errorJSON: nil)
ExitMetadata(status: Optional(requires_credentials), institution: Optional(LinkKit.Institution(id: "", name: "")), linkSessionID: Optional(""), requestID: Optional("FzibHWAqJqtTG3e"), metadataJSON: nil)
2020-11-30 18:03:40.762780-0600 LinkDemo-Swift[1378:41497] Could not signal service com.apple.WebKit.WebContent: 113: Could not find specified service
2020-11-30 18:03:40.768987-0600 LinkDemo-Swift[1378:41497] Could not signal service com.apple.WebKit.Networking: 113: Could not find specified service
My token is in the right format, I'm sure; I'm not sure what I'm doing wrong.
Please help,
Thanks
Following the steps below I was able to build and run the LinkDemo-Swift app in iOS Simulator (iPhone 12 mini iOS 14.2) and link an account using the sandbox test credentials.
To ensure there are no mismatches in the environment, the following commands show which setup I have used:
% sw_vers
ProductName: Mac OS X
ProductVersion: 10.15.7
BuildVersion: 19H15
% xcode-select -p
/Applications/Xcode.app/Contents/Developer
% xcodebuild -version
Xcode 12.2
Build version 12B45b
% swift -version
Apple Swift version 5.3.1 (swiftlang-1200.0.41 clang-1200.0.32.8)
Target: x86_64-apple-darwin19.6.0
% git -C $PATH_TO/quickstart log --format=oneline -1; true # replace $PATH_TO with the path to the directory containing the Plaid quickstart git clone
9ccc96567eaec7a77209676a1693387cc93a32d0 (HEAD -> master, upstream/master, upstream/HEAD) Merge pull request #167 from plaid/sb-quickstart-improvements
% git -C $PATH_TO/plaid-link-ios log --format=oneline -1; true # replace $PATH_TO with the path to the directory containing the plaid-link-ios git clone
0a8b0c4a85d6042fafdb5deaa346d41364cafc1f (HEAD -> master, tag: ios/2.0.8, origin/master, origin/HEAD) Merge pull request #38 from plaid/add-changelog-2.0.8
Additionally I have the following Plaid quickstart related environment variables set (values redacted):
% env | grep -Ei '^plaid_(client_id|secret|public_key)' | tr 'a-z0-9' '•'
PLAID_CLIENT_ID=••••••••••••••••••••••••
PLAID_SECRET=••••••••••••••••••••••••••••••
PLAID_PUBLIC_KEY=••••••••••••••••••••••••••••••
To generate a link token I ran the node quickstart in Docker
% cd $PATH_TO/quickstart/node
% make QUICKSTART=node up
and also ran the node quickstart locally using nvm (not at the same time as both bind to localhost:8000):
% cd $PATH_TO/quickstart/node
% nvm use; node --version; npm --version
Now using node v14.15.0 (npm v6.14.8)
v14.15.0
6.14.8
% npm install
> nodemon@2.0.5 postinstall $HOME/src/quickstart/node/node_modules/nodemon
> node bin/postinstall || exit 0
added 179 packages from 133 contributors and audited 179 packages in 2.903s
10 packages are looking for funding
run `npm fund` for details
found 0 vulnerabilities
% node index.js
plaid-quickstart server listening on port 8000
I used curl to generate a new link token from the node quickstart as follows:
% curl -sX POST localhost:8000/api/create_link_token \
| awk -F: 'BEGIN{RS=","} /link_token/{print $2}' \
| pbcopy
With the generated link token in the pasteboard I've replaced the <#GENERATED_LINK_TOKEN#> placeholder in the source code with the actual token:
% cd $PATH_TO/plaid-link-ios
% sed -i "" -e "s/\"<#GENERATED_LINK_TOKEN#>\"/$(pbpaste)/" LinkDemo-Swift/LinkDemo-Swift/ViewController+LinkToken.swift
% git diff -U1 | sed -e '/^\+.*linkToken/s/[0-9]/•/g'; true # link-token redacted
diff --git a/LinkDemo-Swift/LinkDemo-Swift/ViewController+LinkToken.swift b/LinkDemo-Swift/LinkDemo-Swift/ViewController+LinkToken.swift
index 9cce64f..361916a 100644
--- a/LinkDemo-Swift/LinkDemo-Swift/ViewController+LinkToken.swift
+++ b/LinkDemo-Swift/LinkDemo-Swift/ViewController+LinkToken.swift
## -20,3 +20,3 ## extension ViewController {
- let linkToken = "<#GENERATED_LINK_TOKEN#>"
+ let linkToken = "link-sandbox-f•••ebb•-•d•a-•aa•-adae-••a•••••••••"
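Review bot: the `+ let linkToken = "link-sandbox-..."` line hard-codes a Plaid link token into a source file that is under version control; the sed step that produced this hunk is fine for a throwaway local run, but the `<#GENERATED_LINK_TOKEN#>` placeholder should stay in the committed file and the token be supplied at run time (read from configuration or pasted in by the pasteboard step) so it cannot end up in git history or a shared repository.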
I made sure that the sample app is properly configured to use the link token flow:
% grep -i 'let sampleFlow' LinkDemo-Swift/LinkDemo-Swift/ViewController.swift
let sampleFlow : PlaidLinkSampleFlow = .linkToken
With no further changes to the project and the LinkDemo Xcode workspace open
% open -a Xcode $PATH_TO/plaid-link-ios/LinkDemo.xcworkspace
I was able to "Build and Run (⌘ R)" the LinkDemo-Swift scheme in the iOS Simulator iPhone 12 mini (iOS 14.2 (18B79)) and successfully link an account using the sandbox test credentials user_good pass_good.
If the issue you are seeing persists, I recommend reaching out to the official Plaid support (http://dashboard.plaid.com/support/new), providing detailed and exact steps on how the link token was created and which changes to the sample application were made.
I am new to Fabric 2.0 and recently installed all the samples. I was able to run test-network without an issue with 2 orgs. Then I followed the steps in addOrg3 to add a 3rd organization and join the channel I created earlier.
Now the fun part came when I wanted to add a 4th organization. What I did was copy the addOrg3 folder and rename almost everything in each file to represent the 4th organization. I even assigned a new port for this organization. However, I am seeing the following error.
I've also added the following in Scripts/envVar.sh
export PEER0_ORG4_CA=${PWD}/organizations/peerOrganizations/org4.example.com/peers/peer0.org4.example.com/tls/ca.crt
And added the following in envVarCLI.sh
elif [ $ORG -eq 4 ]; then
CORE_PEER_LOCALMSPID="Org4MSP"
CORE_PEER_TLS_ROOTCERT_FILE=$PEER0_ORG4_CA
CORE_PEER_ADDRESS=peer0.org4.example.com:12051
CORE_PEER_MSPCONFIGPATH=/opt/gopath/src/github.com/hyperledger/fabric/peer/organizations/peerOrganizations/org4.example.com/users/Admin@.../msp
I have also added step1Org4.sh and step2Org4.sh, basically following addOrg3's structure.
What steps do you follow to add additional organizations? Please help.
"No such container: Org4cli"
Sorry for the formatting, since I wasn't able to put it in code style, but here is the output from running the command "./addOrg4.sh up":
Add Org4 to channel 'mychannel' with '10' seconds and CLI delay of '3' seconds and using database 'leveldb'
Desktop/blockchain/BSI/fabric-samples/test-network/addOrg4/../../bin/cryptogen
##########################################################
##### Generate certificates using cryptogen tool #########
##########################################################
##########################################################
############ Create Org4 Identities ######################
##########################################################
+ cryptogen generate --config=org4-crypto.yaml --output=../organizations
org4.example.com
+ res=0
+ set +x
Generate CCP files for Org4
Desktop/blockchain/BSI/fabric-samples/test-network/addOrg4/../../bin/configtxgen
##########################################################
####### Generating Org4 organization definition #########
##########################################################
+ configtxgen -printOrg Org4MSP
2020-05-29 13:33:04.609 EDT [common.tools.configtxgen] main -> INFO 001 Loading configuration
2020-05-29 13:33:04.617 EDT [common.tools.configtxgen.localconfig] LoadTopLevel -> INFO 002 Loaded configuration: /Desktop/blockchain/BSI/fabric-samples/test-network/addOrg4/configtx.yaml
+ res=0
+ set +x
###############################################################
####### Generate and submit config tx to add Org4 #############
###############################################################
Error: No such container: Org4cli
ERROR !!!! Unable to create config tx
In your addOrg4.sh there is a condition check like this:
CONTAINER_IDS=$(docker ps -a | awk '($2 ~ /fabric-tools/) {print $1}')
if [ -z "$CONTAINER_IDS" -o "$CONTAINER_IDS" == " " ]; then
echo "Bringing up network"
Org4Up
fi
If you have already run addOrg3.sh up, CONTAINER_IDS always has a value (example: 51b4ad60d812). It is the container ID of Org3cli, so the function Org4Up will never be called. A simple way is to just comment out the code like this:
# CONTAINER_IDS=$(docker ps -a | awk '($2 ~ /fabric-tools/) {print $1}')
# if [ -z "$CONTAINER_IDS" -o "$CONTAINER_IDS" == " " ]; then
echo "Bringing up network"
Org4Up
# fi
It will bring up the Org4cli you are missing.
First check whether the container is up or not; if it is up, then I think the CLI where the command is executed is not bootstrapped with the Org4 details.
I have added the 4th organization to a three-org Hyperledger Fabric network. Firstly, you have to create the Org4 artifacts (crypto.yaml and the Org4 docker file including the Org4Cli) and then try to follow the manual (step by step) process to add the new organization from the official documentation:
https://hyperledger-fabric.readthedocs.io/en/release-2.0/channel_update_tutorial.html
Omit the process of editing the scripts (step1Org3.sh ...) because the workflow for adding the 4th or a new org is slightly changed, so you will spend a lot of time just modifying the scripts.
I will write an article on adding a new (4th) org on Medium, and will paste the link here too.
I'm trying to connect a Windows agent to Jenkins with no luck. I'm using OpenSSH and no verification for now during setup. When I launch the agent, Jenkins can reach it and it puts remoting.jar in the requested folder, but it still has an issue starting the agent. I get no error description whatsoever:
SSHLauncher{host='NLQA1', port=22, credentialsId='10314a78-c648-4891-aa78-c5510875e8e7', jvmOptions='', javaPath='c:/jenkins2/jdk/bin/java.exe', prefixStartSlaveCmd='', suffixStartSlaveCmd='', launchTimeoutSeconds=210, maxNumRetries=10, retryWaitTime=15, sshHostKeyVerificationStrategy=hudson.plugins.sshslaves.verifiers.NonVerifyingKeyVerificationStrategy, tcpNoDelay=true, trackCredentials=true}
[06/20/19 13:36:26] [SSH] Opening SSH connection to NLQA1:22.
[06/20/19 13:36:27] [SSH] WARNING: SSH Host Keys are not being verified. Man-in-the-middle attacks may be possible against this connection.
[06/20/19 13:36:28] [SSH] Authentication successful.
[06/20/19 13:36:28] [SSH] The remote user's environment is:
ALLUSERSPROFILE=C:\ProgramData
APPDATA=C:\Users\Admin\AppData\Roaming
CommonProgramFiles=C:\Program Files\Common Files
CommonProgramFiles(x86)=C:\Program Files (x86)\Common Files
CommonProgramW6432=C:\Program Files\Common Files
COMPUTERNAME=NLQA1
ComSpec=C:\WINDOWS\system32\cmd.exe
DriverData=C:\Windows\System32\Drivers\DriverData
GIT_SSH=C:\Program Files\TortoiseGit\bin\TortoisePLink.exe
HOMEDRIVE=C:
HOMEPATH=\Users\Admin
ICU_DATA=c:\Usd91\BIN
LOCALAPPDATA=C:\Users\Admin\AppData\Local
NUMBER_OF_PROCESSORS=2
OneDrive=C:\Users\Admin\OneDrive
OS=Windows_NT
Path=C:\app\client\Admin\product\12.1.0\client_1\bin;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\WINDOWS\System32\WindowsPowerShell\v1.0\;C:\WINDOWS\System32\OpenSSH\;C:\Program Files\Git\cmd;C:\Program Files\TortoiseGit\bin;C:\WINDOWS\system32\config\systemprofile\AppData\Local\Microsoft\WindowsApps;c:\Gnuwin32;C:\Users\Admin\AppData\Local\Microsoft\WindowsApps;C:\App;
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
PROCESSOR_ARCHITECTURE=AMD64
PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 63 Stepping 2, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=3f02
ProgramData=C:\ProgramData
ProgramFiles=C:\Program Files
ProgramFiles(x86)=C:\Program Files (x86)
ProgramW6432=C:\Program Files
PROMPT=Admin#Domain#NLQA1 $P$G
PSModulePath=C:\Program Files\WindowsPowerShell\Modules;C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules
PUBLIC=C:\Users\Public
SSH_CLIENT=172.x.x.x 63458 22
SSH_CONNECTION=172.x.x.x 63458 172.x.x.x 22
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\TEMP
TMP=C:\TEMP
USERDOMAIN=Domain
USERNAME=Admin#Domain
USERPROFILE=C:\Users\Admin
windir=C:\WINDOWS
[06/20/19 13:36:28] [SSH] Starting sftp client.
[06/20/19 13:36:28] [SSH] Copying latest remoting.jar...
Source agent hash is D2D1A740134BD20D6F0855B356344342. Installed agent hash is D2D1A740134BD20D6F0855B356344342
Verified agent jar. No update is necessary.
Expanded the channel window size to 4MB
[06/20/19 13:36:29] [SSH] Starting agent process: cd "c:/jenkins2" && c:/jenkins2/jdk/bin/java.exe -jar remoting.jar -workDir c:/jenkins2
Slave JVM has terminated. Exit code=0
[06/20/19 13:36:29] Launch failed - cleaning up connection
[06/20/19 13:36:29] [SSH] Connection closed.
The agent is running AdoptOpenJDK 11 with Eclipse OpenJ9. "Slave JVM has terminated. Exit code=0" is all the information I get back from Jenkins. I can run the agent if I RDP to the machine and run c:/jenkins2/jdk/bin/java.exe -jar remoting.jar -workDir c:/jenkins2 manually, so it is not that the jar can't be started at all. JNLP is working as well, but I'd like to use the SSH route. Do you have a clue what is wrong, or what I have to do to get more information regarding the failed launch?
I found the answer at the ssh-slaves-plugin git repository. I'll quote it here so it will be here in the future.
Launch Windows slaves using Microsoft OpenSSH
The current version of the plugin does not run directly on PowerShell; you have to use the prefix and suffix settings to trick the command and make it work. Windows 10 machines can run as SSH agents with the Microsoft OpenSSH server by using:
Prefix Start Agent Command
powershell -Command "cd C:\J\S ; C:\J\S\jdk\bin\java.exe -jar remoting.jar" ; exit 0 ; rem '
Suffix Start Agent Command
'
EDIT 16-08-2019
After installing windows updates on the machine I had to change the prefix to
powershell -Command "cd C:\J\S ; C:\J\S\jdk\bin\java.exe -jar remoting.jar" ; exit 0 ; # '
The change from rem to # made it work again. The error I was getting was:
The string is missing the terminator: '.
+ CategoryInfo : ParserError: (:) [], ParentContainsErrorRecordException
+ FullyQualifiedErrorId : TerminatorExpectedAtEndOfString
Looks like it's the && operator. Simple example:
powershell -Command "cd c:/" ; exit 0 ; rem 'cd && echo "abc"'
Adding the prefix and the suffix fixed it for me. If someone knows why wrapping it in another PowerShell command makes it work, feel free to elaborate.
I'm following the Getting Started tutorial of Sawtooth Seth (https://sawtooth.hyperledger.org/docs/seth/releases/latest/getting_started.html), but I'm not able to set up an account on the network. The network is running properly in another shell. (I've removed the -aes128 flag for simplicity.)
lorenzo@MacBook-Air-di-Lorenzo ~ $ cd gitHubRepo/sawtooth-seth/
lorenzo@MacBook-Air-di-Lorenzo ~/gitHubRepo/sawtooth-seth $ docker exec -it seth-cli bash
root@a6caea38a1a8:/project/sawtooth-seth# openssl ecparam -genkey -name secp256k1 | openssl ec -out key-file.pem
read EC key
writing EC key
root@a6caea38a1a8:/project/sawtooth-seth# seth account import key-file.pem myalias
error: Found argument 'myalias' which wasn't expected, or isn't valid in this context
USAGE:
seth account import <key-file> --pass-file <pass-file>
For more information try --help
root@a6caea38a1a8:/project/sawtooth-seth# seth account import key-file.pem --pass-file myalias
Error: No such file or directory (os error 2)
root@a6caea38a1a8:/project/sawtooth-seth# ls
bin cli common contracts key-file.pem protos tests
You ran the seth command in the seth-cli Docker container.
You need to run it in the seth-cli-go container until PR https://github.com/hyperledger/sawtooth-seth/pull/72 is merged.
EDIT: This was merged 2018-11-13.
A good resource for questions like this is also the seth chat channel at
https://chat.hyperledger.org/channel/sawtooth-seth