Blackberry code signing 'unable to request signatures...' - blackberry

I have taken a project created by someone else on another machine.
I have filled in the signed keys form and had my keys emailed to me.
I have double clicked on each to install them. I then go to the signature tool in the vmTools folder and select my .cod file (built today).
I then get the list of cod files with 'not registered' next to them in the status column.
I hit the request button and get the error: 'Unable to request signatures until this application has been registered with all signing authorities.' What am I missing?

It sounds like the signing server may be down; you can check the current status of the signing server here:
isthesigningserverdown.com
It is always a quick and easy start to troubleshooting signatures.

Please see this blackberry.com reference.
To prevent this being lost to link rot, I pasted the important content below.
Note: if you're using the Eclipse plugin, not the old JDE, then you would go to the BlackBerry menu, select Sign, and either Install New Keys or Import Existing Keys. You must use all three files that BlackBerry (RIM) gave you. For example, to install brand new keys:
client-RBB-12341231.csi
client-RCR-12341231.csi
client-RRT-12341231.csi
or for an Import of existing keys:
sigtool.csk
sigtool.db
Problem
In certain situations, when you attempt to sign your application using the SignatureTool application, you receive the following error:
Unable to request signatures until this application has been registered with all signing authorities required.
Cause
You are attempting to request code-signing signatures for your application but the SignatureTool is not registered with all the required signing authorities.
There are two types of RIM Code Signing framework signatures:
Required Signatures - This is specified by the .csl file associated with the .cod file. A required signature is necessary to load your application on the device.
Optional Signatures - This is specified by the .cso file associated with the .cod file. An optional signature indicates that the system may perform a runtime signature check on the application. If the application is not signed, it is not allowed to execute the intended method.
The SignatureTool prevents you from signing the application since it waits until all required signatures are in place. Required signatures are necessary for the application to load successfully on the device.
Resolution
There are several different scenarios where the SignatureTool is not registered with the required code-signing servers.
Scenario 1 - Not Registered with Public Signing Authorities
There are three public-signing authorities (RBB, RRT, and RCR) that represent different sections of the controlled application programming interface (API). When you receive code-signing keys, you receive three .csi files representing the three code-signing servers. It is important to register with all three servers. To determine which signature keys have been successfully installed and/or missing, please review this article
Scenario 2 - Attempting to use a Controlled Signing Authority
There is an additional public-signing authority, the Certicom™ Crypto (RCC) signing authority, that controls access to Certicom cryptography functions on the device. Go to Certicom for more information on accessing the Certicom APIs on the device.
Scenario 3 - Attempting to use an Inaccessible Signing Authority
Research In Motion® maintains its own internal signing authorities for the protection of APIs that are not exposed or data that is not public. It is not possible to gain access to these signing authorities, and any reference to Research In Motion internal methods or data should be removed from your application to allow the SignatureTool to sign your application.
Note: JDE 4.1 allows you to turn on code-signing warnings under Preferences. This determines the areas of your application that are attempting to use signatures from each signing authority.
Here's one more useful guide on the BlackBerry website
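The required-versus-optional distinction above (a .csl lists the signatures a .cod needs to load, a .cso the ones checked at runtime, and the three public authorities RBB, RRT and RCR each come as a client-XXX-nnnn.csi key file) can be turned into a quick self-check before pressing Request. The following is an added Python example, not code from the thread or from BlackBerry's SignatureTool; it assumes, purely for illustration, that the .csl and .cso companion files list one authority ID per line, which is a constructed simplification because the page does not document the real file layout. The sample file names and authority lists are constructed.

```python
"""Added example (not from the thread or BlackBerry's tools): for one .cod file,
work out which signing authorities it needs and which of them have installed keys.

Constructed assumption: the .csl (required) and .cso (optional) companion files
are treated as plain text with one authority ID per line. The real layout is not
documented on the page, so this parsing is illustrative only.
"""
import re

PUBLIC_AUTHORITIES = {"RBB", "RRT", "RCR"}
# RCC (Certicom) is a controlled authority; anything else a .csl names is a
# RIM-internal authority that cannot be obtained, so the app must drop those calls.
CONTROLLED_AUTHORITIES = {"RCC"}

# Installed keys appear as client-<AUTHORITY>-<clientid>.csi files.
CSI_NAME = re.compile(r"^client-([A-Z]+)-\d+\.csi$")


def installed_authorities(csi_filenames):
    """Return the set of authority IDs for which a .csi key file is installed."""
    found = set()
    for name in csi_filenames:
        m = CSI_NAME.match(name)
        if m:
            found.add(m.group(1))
    return found


def parse_authority_list(text):
    """Constructed format: one authority ID per line, blank lines ignored."""
    return {line.strip() for line in text.splitlines() if line.strip()}


def signing_status(csl_text, cso_text, csi_filenames):
    """Classify each authority the .cod needs and say whether a request can proceed.

    can_request      - True only when every *required* authority has a key
    missing_required - required authorities with no installed key (blocks signing)
    missing_optional - optional authorities with no installed key (guarded methods
                       will not execute at runtime, but the app still loads)
    unobtainable     - required authorities that are neither public nor Certicom
    """
    required = parse_authority_list(csl_text)
    optional = parse_authority_list(cso_text)
    installed = installed_authorities(csi_filenames)

    missing_required = sorted(required - installed)
    missing_optional = sorted(optional - installed)
    unobtainable = sorted(
        a for a in required if a not in PUBLIC_AUTHORITIES | CONTROLLED_AUTHORITIES
    )
    return {
        "can_request": not missing_required,
        "missing_required": missing_required,
        "missing_optional": missing_optional,
        "unobtainable": unobtainable,
    }


# Constructed sample: the .cod needs RBB and RCR to load and uses RRT optionally,
# and all three key files from the e-mail were installed except RRT.
SAMPLE_CSL = "RBB\nRCR\n"
SAMPLE_CSO = "RRT\n"
SAMPLE_CSI_FILES = ["client-RBB-12341231.csi", "client-RCR-12341231.csi"]

if __name__ == "__main__":
    status = signing_status(SAMPLE_CSL, SAMPLE_CSO, SAMPLE_CSI_FILES)
    if status["can_request"]:
        print("all required authorities registered; signature request can proceed")
    else:
        print("cannot request signatures; missing required keys:", status["missing_required"])
    if status["missing_optional"]:
        print("optional signatures unavailable; guarded methods will not run:",
              status["missing_optional"])
    if status["unobtainable"]:
        print("remove references to RIM-internal APIs guarded by:", status["unobtainable"])
```

Run it against the directory that holds the installed .csi files and the .cod's companion files: a non-empty missing_required list is exactly the situation in which the SignatureTool refuses with "unable to request signatures", while a missing_optional entry only means the runtime-checked methods will be refused on the device.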

Occasionally RIM's signing server fails. I've seen it down for hours at a time.

Related

Nanobox multiple https certificates

I just deployed my side project and I'm adding the HTTPS certificates.
I was able to set up the certificate for the root domain, but it looks like it's impossible to add it to my subdomain www - the UI's dashboard only lets you set up one domain.
I ask that since I need two certificates - WWW and NON-WWW - to be able to redirect the WWW to NON-WWW.
You can create another certificate with a different domain, then create and activate a bundle for it as well. Nanobox doesn't limit the number of certificates you can add to any of your apps.
The process of adding a certificate is a bit involved, whether Nanobox is in the loop or not:
The first step is to create a certificate signing request (CSR), essentially a certificate with all the information about your domain (including the public encryption key), but no security. Nanobox refers to this as "creating a certificate", a process that starts every time at the "SSL/TLS Certificates" screen of your app's Admin tab.
The next step is to get that CSR signed, which is where all the security is layered in. Nanobox refers to this as "generating a bundle", since it pulls in the certificate used to sign yours, as well as any ancestor certs that it may have.
The final step is to actually load that collection of certificates, also called a "chain of trust" or just "certificate chain", onto your server, where your site can use it to secure communications with itself. Nanobox calls this "activating the bundle", and it involves passing the certificate chain (the "bundle") to the app's load balancer, and telling it which domain to use that particular bundle for.
Here's where things get the most confusing the most often for most users with this question. The UI at this point mentions that "Only one bundle can be activated at a time" – it doesn't clarify that it means "one bundle at a time per certificate". Since you could, hypothetically, sign the same CSR multiple times with multiple Certification Authorities (CAs; LetsEncrypt is the most common CA for Nanobox apps), Nanobox supports loading multiple chains for a single CSR (or, to use the Nanobox naming, multiple bundles for a single certificate). But since SSL doesn't support multiple chains per request, you have to select a bundle to serve for the associated certificate, and that's all that bit means.
To add another certificate/bundle, go back to the "SSL/TLS Certificates" screen, by clicking that button on the left side of the page, then choose "New SSL/TLS Certificate" under any existing certificate(s) you've already added. The rest is the same process you already followed, above.
The workflow to add new certificates in Nanobox isn't the most friendly or obvious, and there are probably ways to improve on that, but hopefully that makes a bit more sense now.

How can my *.appspot.com domain support iOS9 Universal Links with Web Markup?

As many already know, Google App Engine by default hosts its apps on an appspot.com subdomain, and their wildcard (*.appspot.com) SSL certificate allows any app to use https over this subdomain.
Enter iOS 9 with Universal Links and Web Markup which now requires hosting a 'signed json file' with designated applinks in it. The key word there is 'signed'. This file needs to be signed with a valid SSL cert and private key. (Listing 2-7 and 2-8)
On twitter, I've been told that the signing certificate does NOT have to match the actual website's domain SSL certificate BUT a self-signed certificate will not work.
So one workaround is to simply buy your own SSL certificate and sign it with this cert.
I'm curious what other options there are to those of us hosting APIs and websites on Google App Engine and/or using Google Cloud Endpoints because I assume Google isn't going to hand over their wildcard ssl cert and private key for us to use ;)
Update 8/5/2015
To host the apple-app-site-association file, I had to manually open it and spit it out when called for using the webapp2 handler like so:
import logging
import os
import webapp2

class MainHandler(webapp2.RequestHandler):  # placeholder: the poster's MainHandler is not shown
    def get(self):
        self.response.out.write('ok')

class GetAppleAppSiteAssoc(webapp2.RequestHandler):
    def get(self):
        self.showAppleAppSiteAssoc()

    def showAppleAppSiteAssoc(self):
        logging.info("Enter showAppleAppSiteAssoc()")
        # read the signed file that sits next to this module
        path = os.path.join(os.path.dirname(__file__), 'apple-app-site-association')
        with open(path, 'rb') as f:
            fileContents = f.read()
        # the signed file is a PKCS#7 blob, hence this content type
        self.response.headers['Content-Type'] = 'application/pkcs7-mime'
        self.response.out.write(fileContents)

app = webapp2.WSGIApplication([('/', MainHandler),
                               ('/apple-app-site-association', GetAppleAppSiteAssoc)],
                              debug=True)
Currently having issues similar to this post and have tried both signing with my iOS Distribution cert as well as with a valid cert from work.
Update 8/10/2015
Had our dev-ops guy at work sign this with both the CA and intermediate certs from work and uploaded it and it worked!
Still curious about other solutions though... it does seem odd that the iOS Distribution cert wouldn't have worked.
You don't have to sign apple-app-site-association unless you're implementing Activity Continuation for devices running iOS 8. Universal Links are new to iOS 9 and Apple no longer requires apple-app-site-association to be signed.
Well one answer to this question points to the fact that any valid domain certificate (with CA cert) can sign the file (even if that certificate is NOT for the domain the file will live on).
I ended up buying one for one of my domains and signing the file for another domain.
https://developer.apple.com/library/ios/documentation/General/Conceptual/AppSearch/UniversalLinks.html
If your app runs in iOS 9 or later and you use HTTPS to serve the apple-app-site-association file, you can create a plain text file that uses the application/json MIME type and you don’t need to sign it.
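The unsigned route quoted from Apple's documentation above (serve the file over HTTPS with the application/json MIME type) removes the certificate question entirely for iOS 9 and later. The following is an added Python example, not code from the question or the answers: a small standard-library WSGI app that validates the applinks document at startup and serves it as application/json, so a malformed file is refused rather than quietly shipped to devices. The team ID, bundle ID and paths are constructed placeholders, and the handler name, validation rules and the .well-known alias path are this example's own choices.

```python
"""Added example (not from the original question or answers): serve an unsigned
apple-app-site-association file as application/json, as Apple's iOS 9+ docs allow.

Assumptions: the applinks layout (an empty "apps" list and "details" entries with
"appID" and "paths") follows Apple's documented structure; all values below are
constructed placeholders.
"""
import json
import os
from wsgiref.simple_server import make_server

# Constructed sample content, as it would sit next to this module on disk.
SAMPLE_AASA = {
    "applinks": {
        "apps": [],
        "details": [
            {"appID": "TEAMID0000.com.example.app", "paths": ["/articles/*", "/share/*"]}
        ],
    }
}


def validate_aasa(document):
    """Return a list of problems with an applinks document; empty means acceptable."""
    problems = []
    applinks = document.get("applinks") if isinstance(document, dict) else None
    if not isinstance(applinks, dict):
        return ["missing 'applinks' object"]
    if applinks.get("apps") != []:
        problems.append("'apps' must be an empty list")
    details = applinks.get("details")
    if not isinstance(details, list) or not details:
        problems.append("'details' must be a non-empty list")
        return problems
    for i, entry in enumerate(details):
        if not isinstance(entry, dict):
            problems.append("details[%d]: must be an object" % i)
            continue
        app_id = entry.get("appID", "")
        # appID is <TeamID>.<BundleID>; insist on a dot separating the two parts
        if not isinstance(app_id, str) or app_id.count(".") < 1:
            problems.append("details[%d]: appID must look like TEAMID.bundle.id" % i)
        paths = entry.get("paths")
        if not isinstance(paths, list) or not all(
                isinstance(p, str) and p.startswith("/") for p in paths):
            problems.append("details[%d]: paths must be strings starting with '/'" % i)
    return problems


def load_aasa(path):
    """Read and validate the file; raise ValueError listing the problems if it is bad."""
    with open(path, "rb") as f:
        document = json.loads(f.read().decode("utf-8"))
    problems = validate_aasa(document)
    if problems:
        raise ValueError("; ".join(problems))
    return document


def aasa_response(document):
    """Build the (status, headers, body) triple for serving the document over HTTPS."""
    body = json.dumps(document, separators=(",", ":")).encode("utf-8")
    headers = [("Content-Type", "application/json"),
               ("Content-Length", str(len(body)))]
    return "200 OK", headers, body


def make_app(path):
    """WSGI app serving /apple-app-site-association (and the .well-known alias)."""
    document = load_aasa(path)  # fail at startup, not on the first device request

    def app(environ, start_response):
        if environ.get("PATH_INFO") in ("/apple-app-site-association",
                                        "/.well-known/apple-app-site-association"):
            status, headers, body = aasa_response(document)
        else:
            status, headers, body = "404 Not Found", [("Content-Type", "text/plain")], b"not found"
        start_response(status, headers)
        return [body]
    return app


if __name__ == "__main__":
    here = os.path.dirname(os.path.abspath(__file__))
    path = os.path.join(here, "apple-app-site-association")
    with open(path, "w") as f:
        json.dump(SAMPLE_AASA, f)  # write the constructed sample so the demo runs offline
    make_server("127.0.0.1", 8080, make_app(path)).serve_forever()
```

The same validate_aasa check is worth running in CI or at deploy time: Apple fetches the file once per install, and a typo in appID or a path without a leading slash silently disables Universal Links rather than producing an error on the device.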

Identity certificate - IOS MDM

I have a few questions regarding the Identity certificate in the Profile Payload.
Forgive the ignorance, if some questions are basic.
1.) I found that we can either use the SCEP standard or a PKCS12 certificate directly for device identification. SCEP is recommended, since the private key will be known only to the device. So, in case I am going to implement a SCEP server, do I need to maintain the list of public keys of identity certificates mapped to the device, so that I can use it later for encrypting?
2.) What is the best possible way to implement a SCEP server? Are there any reliable, robust methods available to adopt instead of writing everything on our own?
3.) What if the identity certificate is expired?
As a basic version while playing around, I tried to add my own p12 certificate to the Payload without using SCEP.
I tried to add the base64 encoded p12 certificate in the identity PayloadContent key, as mentioned in some link reference. I got an error
The identity certificate for “Test MDM Profile” could not be found
while installing profile.
require 'base64'
identity_payload = {}  # the hash the rest of the profile is built from
identity_payload['PayloadType'] = 'com.apple.security.pkcs12'
identity_payload['PayloadUUID'] = "RANDOM-UUID-STRING"  # placeholder UUID
identity_payload['PayloadVersion'] = 1
# first attempt: base64 text of the .p12 (a string value); read the file in binary mode
identity_payload['PayloadContent'] = Base64.encode64(File.binread("identity.p12"))
identity_payload['Password'] = 'p12Secret'
When I checked 'Configuration Profile key reference', it was mentioned that I should send Binary representation of Payload in Data.
So I tried,
identity_payload['PayloadContent'] = ConvertToBinary(File.binread("identity.p12"))  # ConvertToBinary is my own helper, not shown here
I got,
The password for the certificate “IdentityCertificate” is incorrect
I am supplying valid password for exporting the p12 certificate.
What am I doing wrong?
Answering your question:
1) Do I need to maintain the list of Public key of Identity certificates mapped to the device, so that I can use it later for encrypting?
Yes. You need some kind of mapping. You can do it a couple of ways:
Just store in a DB a mapping between the certificate common name and the device UDID.
Make CN contain UDID (I like this method, because it simplifies initial checks)
And as you pointed out you will need public key to encrypt payloads for this device.
2) What is the best possible way to implement a SCEP server? Are there any reliable, robust methods available to adopt instead of writing everything on our own?
There are open source implementations of SCEP. As an example, jSCEP has it (I used it) and EJBCA has it (I used it too). I saw other implementations (in Ruby and so on). So, you can find and choose something which works with your stack.
3) You need to renew the identity certificate before it expires (the same way as for any other certificate).
4) If your profile doesn't work, I would recommend you create the same profile in iPhone Configuration Utility and compare it with yours. Most of the time, you missed just one tag or something like that (it will take a lot to figure it out without comparing it with a working one).
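The question's second attempt turns on one detail from the Configuration Profile key reference it cites: PayloadContent of a com.apple.security.pkcs12 payload is a Data value, and a base64 string is a different plist type from base64-wrapped data. The following is an added Python example, not code from the question or the answer, that builds the identity payload and its enclosing profile with the standard plistlib module and shows which plist element each form of PayloadContent becomes. The .p12 bytes, UUIDs, identifiers and password are constructed placeholders; PayloadIdentifier and PayloadDisplayName are standard common payload keys that the question's snippet did not set.

```python
"""Added example (not from the question or the answer): build the pkcs12 identity
payload with plistlib so that PayloadContent is emitted as plist <data>.

A bytes object serializes as <data> (plistlib does the base64 wrapping itself);
base64-encoding first and passing a str produces <string>, a different type.
All values below are constructed placeholders, not real credentials.
"""
import base64
import plistlib
import uuid

# Constructed stand-in for the contents of identity.p12 (a real PKCS#12 blob is DER).
FAKE_P12 = b"\x30\x82\x00\x10constructed-p12-bytes"


def identity_payload(p12_bytes, password, identifier="com.example.mdm.identity"):
    """Return the pkcs12 payload dict with PayloadContent as raw bytes (plist Data)."""
    return {
        "PayloadType": "com.apple.security.pkcs12",
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": "IdentityCertificate",
        # bytes -> <data> in the XML plist
        "PayloadContent": p12_bytes,
        "Password": password,
    }


def build_profile(identity, display_name="Test MDM Profile"):
    """Wrap one payload in a top-level configuration profile."""
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.mdm.profile",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": display_name,
        "PayloadContent": [identity],  # profile-level PayloadContent is an array of payloads
    }


def payload_content_tag(payload):
    """Serialize a payload and report which plist element its PayloadContent became."""
    xml = plistlib.dumps(payload).decode("utf-8")
    after_key = xml.split("<key>PayloadContent</key>")[1].lstrip()
    # the element immediately after the key is the value's type tag, e.g. <data>
    return after_key[: after_key.index(">") + 1]


def roundtrip(profile):
    """Serialize to XML plist and parse back, as a device-side reader would."""
    return plistlib.loads(plistlib.dumps(profile))


if __name__ == "__main__":
    good = identity_payload(FAKE_P12, "p12Secret")
    print("bytes value   ->", payload_content_tag(good))
    text_form = dict(good, PayloadContent=base64.b64encode(FAKE_P12).decode())
    print("base64 string ->", payload_content_tag(text_form))
    profile = build_profile(good)
    parsed = roundtrip(profile)
    print("p12 bytes survive the round trip:",
          parsed["PayloadContent"][0]["PayloadContent"] == FAKE_P12)
```

The bytes form comes back from the round trip as the original binary, which is what the installer needs to open the PKCS#12 container with the supplied Password; the string form parses back as text and would need a second decoding step the reader is not going to perform.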

Check for device lock and validate certificate

For one of my iOS apps I need to check two things:
Is there an active device lock (pass code)
Has the device lock been triggered by the correct authority / certificate (e.g. my own certificate). This is required to assure specific security guidelines.
For the first part of my question I found this answer - which is sufficient for me. How would you accomplish the second part?
Answering my own question.
First of all the correct question is not about validation of a certificate. It's about validation of meta information placed within a configuration profile (which in my case provides security guidelines for the device lock).
You have to create a custom CA and issue one certificate. The issued certificate has to be placed within your app, the custom CA's certificate goes into the configuration profile.
If the configuration profile is installed it is possible to check whether the certificate within the app binary was signed with the root certificate placed in the configuration profile.
It's not the most secure solution, but definitely a way to go.
--
This post put me into the right direction (Apple Developer Account required).

BlackBerry application code signing problem

I want to sign a BlackBerry application with the 3 CSI files I have. When I install new keys, I give the associated user id and password, but I am getting this error:
Unable to register a client bearing no 175534 because there are no more registration attempts. If you have already registered with this server then you must contact RIM to register additional users.
Can anybody tell what is the next step that I need to do?
The error message seems pretty clear on the next step:
... you must contact RIM to register additional users.
The official response from blackberry support:
Hello,
Thank you for contacting BlackBerry Application Development Support.
This error means the keys have already been registered so cannot be registered again. To have this issue resolved a new set of signature keys will need to be issued and installed. Please note that signature keys are now completely free and issued several times a day, so the fastest way to get a new set would be to place a new order:
https://www.BlackBerry.com/SignedKeys
Prior to installing this new set of keys please first delete all present CSI files as well as the sigtool.* (DB, CSK, SET) files that will reside in the sub-directories of all development tools. Make sure to write down the PIN used to place the order as well, it will be needed when installing the keys.
After registering your keys and verifying that they are able to sign I would recommend backing them up some place safe in case anything should happen to your development environment:
http://supportforums.blackberry.com/t5/Testing-and-Deployment/Backup-and-Restore-BlackBerry-Code-Signing-Keys/ta-p/837925
Go to the first URL and request a new set of keys. You should get an order confirmation email right away. In about 1-2 hours you will get 3 more emails. Each one will have a CSI key attached. (The keys are free to generate)
To avoid this issue in the future, you can back up the keys, according to the instructions in the second link (above).
Good luck!
