Code signing certificate renewal problem

We recently renewed our Verisign code signing certificate, only to find out that it breaks the process of automatic update with the notorious error "this application cannot be installed because this installer has been misconfigured." We were able to make it work using the ADT-migrate command. It's all good and wonderful. But there are two issues I see. First of all, there is a limit of 180 days, beyond which users is no longer updated. Then, when our certificate gets renewed next year, we could be stuck in a situation where we have to choose which users get to update and who are orphaned and are forced to uninstall/re-install.

Also, how much of this we have to live with the pain becomes a function of how long a certificate we are willing to pay for. If we are a small company of doubling money for a year 3 certificate could be painless. Why should that be a factor? Why is it not simple to renew the same certificate and have facilities at the beginning of time be well with him?

Maybe there's something about the renewal process which is not fair. However, when I renewed my cert of Verisign that their process fairly well got me to keep everything about the renewed cert, identical to the original, otherwise it would not be a "renewal."

If there is something arcane we miss them I'd appreciate it more for what it is. It shouldn't be this difficult.

Thank you

Kevin

Hey Kevin,

I asked around and learned that the process you describe is "as planned."  However, there are strategies to minimize the disadvantages.

For more information, please see the following documents:

AIR 2.6 periods Migration Signature Grace

Update strategies for changing certificates

Regularly update your Applications

Code singing in Adobe AIR

Hope this helps,

Chris

Tags: Adobe AIR

Similar Questions

  • ADT error with comodo code signing certificate

    Hello

    I am signing an AIR application with a Comodo code signing certificate.

    SHA-256 with RSA encryption

    -Java 1.8 (same problem with 1.6)

    -AIR 15 (same problem with older versions)

    My order:

    java -jar -Xmx1024m /data/sdk/AIRSDK_Compiler15/lib/adt.jar  -sign -storetype pkcs12 -storepass ******* -keystore cert/air-distrib.p12 bin-release/TestCert.airi bin-release/TestCert.air

    I get the following error:

    Exception in thread "main" java.lang.OutOfMemoryError: Java heap space
    at java.util.Arrays.copyOf(Arrays.java:3181)
    at java.util.ArrayList.grow(ArrayList.java:261)
    at java.util.ArrayList.ensureExplicitCapacity(ArrayList.java:235)
    at java.util.ArrayList.ensureCapacityInternal(ArrayList.java:227)
    at java.util.ArrayList.add(ArrayList.java:458)
    at sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2026)
    at java.security.KeyStore.load(KeyStore.java:1433)
    at com.adobe.ucf.UCF.processSigningOptions(UCF.java:313)
    at com.adobe.ucf.UCF.parseSigningOptions(UCF.java:298)
    at com.adobe.air.ADT.parseSign(ADT.java:1589)
    at com.adobe.air.ADT.parseArgsAndGo(ADT.java:598)
    at com.adobe.air.ADT.run(ADT.java:435)
    at com.adobe.air.ADT.main(ADT.java:485)

    When I increase java memory to 8 GB, java uses 6 GB and do not stop... (nothing after 20 minutes...)

    Any idea?

    Problem of ADT or cert? Others?

    THX.

    Jonas

    Yes!
    The certificate was generated in firefox...
    Import it in IE and regenerate the certificate solved the problem

    Jonas

  • Default ASA code signing certificate has expired

    Hello. I get a certificate warning expired with different versions and ASA models when you use SSL VPN. When I look at the certificate (see file attachment), it shows that it is own Cisco certificate acquired code signing from Thawte. Everyone has noticed this in the last few weeks? How can I fix it or is it solved in a future version of the ASA? BR, Eero Laaksonen

    EERO,

    You can easily change the cert:

    http://www.Cisco.com/en/us/docs/security/ASA/asa84/command/reference/JK.html#wp1597730

    Just please make sure that you are running a recent 8.0.5 + revision of software or the 8.2.5+.

    Marcin

  • Code signing - server unavailable problem

    When I tried to sign code and click 'register' in the last step, it gave an error message saying "server not available at this time. Please contact your system administrator.

    I tried 3 times, but to no avail. Anyidea please?

    The servers sometimes signature are out of service for maintenance purposes.

    Wait 10 to 15 minutes and try again.

  • Signature of a package with the signing of code .pfx certificate

    Hello

    I got a code signing certificate (.pfx) of GlobalSign and tried to connect my extension package.

    I used the tool of ZXPSignCmd and got the following response:

    Cannot generate a valid certificate chain. Please ensure that all certificates are included in the certificate file.

    The necessary chain of certificates is installed on my system (Windows 7):

    My code signing certificate,

    GlobalSign signed my certificate

    and the root certificate GlobalSign who signed it.

    The release of OpenSSL info to the certificate seems good too:

    Iteration of MAC 2000

    MAC verified OK

    Data of the PKCS7

    Keeled Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, iteration 2000

    The PKCS7 figures: pbeWithSHA1And40BitRC2-CBC, iteration 2000

    Bag of certificate

    Bag of certificate

    Bag of certificate

    Signature however other files with the Windows SDK Signtool works and translates a string of correct certificate (visible in the details of the file).

    No idea what I could do wrong?

    Concerning

    Philipp

    Interestingly, the internal order of the certificates is really important. I reorganized the sections of certificate in my PEM file and converted it into a PKCS12 and now it works.

    I also tried the export of certificate through Firefox by following the instructions posted OMFguy2. It worked also.

    I took a peek in a version of the Mozilla certificate PEM, and he showed the same order of certificate section as my PEM adapted. Only the position of the private key part was different, that doesn't seem to be a problem.

    So, Microsoft seems to export the certificates in the following order:

    Personal Certificates-> certificate-> GlobalSign Root of GlobalSign Code signing certificate

    While Mozilla and my customized order are:

    GlobalSign Root certificate-certificate-personal of GlobalSign Code signing certificate > >

  • You can code sign an extension of CS with a PFX certificate

    I generated a PFX society Code signing certificate and I want to apply it to an Extension of CS I create, but in the export in Flash Builder Wizard, I cannot use a certificate P12. Is it possible to use a PFX? Yes, how?

    Thank you

    Stephen

    Hello

    I managed to install it, I had to install the PFX certificate, then export is like a P12 by Mozilla. Works now, thanks.

  • Code sign VISA raw driver USB for Windows 8

    Hi guys,.

    I wrote a LabVIEW program that communicates with a measuring using NI-VISA (class raw USB) USB device.
    With the development of Driver NI-VISA Wizard, I created two .inf files of drivers (for XP/2000 and 7/Vista).
    It works like a charm on my computer (Windows 7, 64-bit) and on the computers running Windows XP and 32-bit versions of Windows Vista and 7.
    I also have to work on 64 bit versions of Windows Vista and 7 using "disable driver signature enforcement" before installing the driver.
    Once the driver is installed, it is listed under "devices USB of NI-VISA" in the Windows Device Manager. After that I can reactivate the driver signature enforcement, the unit will continue to work, even after a reboot.

    Alas, in the 64-bit version of Windows 8 is not as simple as that. Yes, you can temporarily disable driver signing enforcement, but not on computers that use 'secure boot' or UEFI.
    I know that there are ways to disable booting UEFI's secure, but I don't want that on our customers computers. It seems wrong, and could introduce a large number of security problems.

    The next logical step would be to sign the device driver. Our company has a valid kernel mode code signing certificate and we signed the other drivers with it in the past.
    The problem is that I don't know how to sign my device in the NI-VISA database driver. According to the .inf file it uses WinUSB.sys, a Microsoft USB generic driver (part of the Windows Driver Kit, I think).
    Winusb.sys is already signed by Microsoft and that I could replace the signature, but that probably won't work without some tweaking inf and generate a new catalog file.

    Can someone please give me some pointers on where to start? As a reference, I have attached one of the inf files for this post. This inf file works on Windows Vista and 7.

    It is even possible to create a signed driver based on NI-VISA raw?

    Thanks in advance for your help.

    Paul

    Here's a knockout who described workaround.

    http://digital.NI.com/public.nsf/allkb/36DB8D6AC385052786257A940066A421

    What you have written, you need to generate a catalog (.cat) of the inf file (as described in step 1 of the KB) and then sign the .cat with your certificate file, the same way you would sign your other components. The inf and CAT are always distributed together. The inf file contains information about the cat file that has the signature, and the cat file contains the signature information. Since you have already been distributing the components signed with your own certificate, I'm sure you can understand the process, but please let us know if you have any other questions.

    Thank you

    Pankaj

  • Cannot find the file .csi for code signing

    I'm new to the development for a Blackberry. I get the following error message when you try to build an application that uses a persistent store.

    WARNING! : reference to the class: net.rim.device.api.system.PersistentObject requires the signature with the key: RIM API implementation

    I found that I'm supposed to have a .csi file from when I registered with the area of the developer, but I'm not. Can I request a new one or what?

    Thank you

    Jason

    You can buy rim, code signing certificates.

    The process details are here: http://na.blackberry.com/eng/developers/javaappdev/codekeys.jsp

    Form of payment etc. is here: https://www.blackberry.com/SignedKeys/

    Once you have paid and submitted your application, it takes a few weeks to receive the keys. If you use eclipse, you can then install the keys in your IDE.

  • problem on mac code signing

    Currently, I just have a problem concerning the signing of the app using webworks api for playbook.

    In particular, I already could package it in a bar in the file but just cannot sign.

    I followed all the instructions to

    1. http://docs.blackberry.com/en/developers/deliverables/23977/Configure_signing_for_tablet_application...

    2. http://docs.blackberry.com/en/developers/deliverables/23977/Sign_the_cod_file_for_a_BB_Widget_applic...

    And it seemed that I have successfully registered my account because I have the following message in my mailbox:

    An application for registration is completed successfully for the customer "xxx".  The client left or code xxx signing requests.

    The customer has returned the following message is displayed:

    Customer "xxx" registered successfully with the server ID RDK signature and now attempts remaining xxx code signing.

    Then when I run the command:. / bbwp ~/Dropbox/Interceptr.zip /gcsk /gp12 123456 123456 /buildId 1/o/Users/xxx/Desktop (I replaced my real pass in this email with string 123456)

    I had the rest of the console message:

    [INFO]       Parsing of the command line options

    [INFO]       Bbwp.properties analysis

    [INFO]       Validation of archive WebWorks

    [INFO]       The analysis of config.xml

    [WARNING]   Cannot find an element of

    [INFO]       The application of filling source

    [INFO]       Compiling applications WebWorks

    [INFO]       Packaging of the record bar

    [INFO]       Bar complete packaging

    [INFO]       Start signing tool

    error barsigner: developer certificate and private key not found in the keys file or store the password not supplied

    [ERROR]     Signature failed

    and using blackberry-signatory gives the same result:

    . / blackberry-sign-verbose - cskpass 123456 - keystore sigtool.p12 - storepass 123456 ~/Desktop/Interceptr.bar RDK

    error barsigner: developer certificate and private key not found in the keys file or store the password not supplied

    I wonder if anyone has any ideas on this subject?

    Here are the exact steps I followed. I tried twice and havn't seen the questions either WinXP or Win7

    updating PATH env variable to add all the paths to the tools

  • Problem with WebInspector: error: Code signing request failed car-development-Application Mode in the East of the demo is present and is not set [false].

    Hi, I have a problem running the webinspector on my dev alpha.

    Whenever I have create bar folder with the d flag, and then run the signature tool, I got the error message:

    Error: Code signing of the petition failed because Application-Development-Mode demo
    is is present and not set [false].

    How to solve this problem? If I generate the .bar without the flag - d, can I sign and execute on the device, but without web Inspector

    I found the error

    I just had to use the indicator g in bbwp and set my password

    and not reuse bbwp and then the signing tool

  • Code signing problems

    I constantly have problems with Code signing.  I select "Request Signatures" using the JDE.  I then click 'ask '.  Some cod get signed while others fail.  In addition, the process takes about 25 minutes.  Its clearly not a network issue whereas some get actually signed.  The problem occurs on all JDE that are installed.  The application is about 650 k in size. If I run the utility signature repeatedly, it ends by signing all the cod files - however...

    After all the cod files are finally signed, I post the cod files and jad on my web server and clients get an error "907 invalid cod".  I am compiling each version of the application with the corresponding JDE version.

    I am at a loss.  Any thoughts?

    Thanks in advance.

    Nevermind, RIM development support come back to me and told me that their servers were down again.

  • Problem with code signing

    Hi friends,

    I am facing problems by signing my code.

    The question:

    * My cod file is 169kb.

    * When I compile, jde generates only one .cod file everything for me.

    The steps that I followed:

    * I opened the .cod in a winrar and extract the .cod files three who were inside.

    * I opened the .csl file and typed "52525400 = RIM Runtime API" to get the signature RRT (as it is a 4.5 API)

    * I registered all of the .cod files.

    * I updated using the Updatejad.exe .jad file

    Now, when I installed OTA, I get the following error.

    Error at startup BugTracker: Module «BugTracker-2 "must be signed with the RIM DURATION Code Signing Key (RRT).»

    How should I proceed? I ve run out of options. Thank you

    Check out the cod file after the signing.

  • How to generate the code for the ZXP file signing certificate

    I'm developing a creative using FlashBuilder 4.6 Adobe extension. I released the extension of a file .zxp and wanted to generate the code for him signing certificate. I've checked all the supported providers Adobe, but not found that anyone can do. Only, they provide the certificate for *.exe * .cab, *.dll and *.ocx.


    Thanks in advance.

    Leon.

    It's all too confusing.

    We use the Comodo certificate. You can use all the others as long as you end up with a point p12 certificate.

    Signing certificate by using the Digital Signature of the code

    http://www.InstantSSL.com/code-signing/index.html

    (1) request you the certificate. I used Internet Explorer on a PC because Comodo says it's better for them.

    (2) they do a thorough credit check to make sure that you are who you claim to be.

    (3) they shall issue a certificate giving you a PIN that he pay back.

    (4) redeem you your PIN certificate and the certificate is in your browser certificate cache.

    (5) you go to the cache and add a personal password for your certificate.

    (6) what makes a dot P12 file file name you choose.

    (7) now you can use your file p12 point with the utilities Adobe XZPSignCmd or ucf.jar to sign your Panel. I use the Mac utilities to sign on a Mac. The point p12 file is good on the PC and Mac.

    Don't worry, the utilities they speak about to sign. Adobe has their own utilities ZXPSignCmd and ucf.jar to do the signature. You are forced to timestamp your signature.

  • What is the problem with the form of code signing?

    I would ask code signing for BB10, I go to https://www.blackberry.com/SignedKeys/codesigning.html BUT when I choose sign app for BB10, it always go to the BlackBerry ID login page

    A few months ago anymore, at least not in the way you have used for a signature key. Is now complete with your BlackBerry ID now, hence the need to connect. It used to be a sticky thread at the top of the Council of native development, but I see that they removed that now.

    Go here.

  • Cannot publish apps, code signing problem...

    Hello

    I received a set of three keys to RIM and I am able to enter in (Eclipse: Blackberry-> Signature request) and have all my files "signed" (it seems that there are a total of 21 signed files). However when I put it on the web for the publication, my blackberry was telling me that the code is the appropriate signature.

    What confused me most, is that the tool showed me a total of 21 cases of cod signed. I have only a single application, it should not just show me a single file instead of 21 of them. The list of files goes like this (Polyglotz is the name of my application)

    Polyglotz.cod... signed...

    Polyglotz.cod... signed...

    Polyglotz.cod... signed...

    Polyglotz - 1.cod... signed

    Polyglotz - 1.cod... signed

    Polyglotz - 1.cod... signed

    Polyglotz - 2.cod... signed

    Polyglotz - 2.cod... signed

    Polyglotz - 2.cod... signed

    Polyglotz - 3.cod... signed

    Polyglotz - 3.cod... signed

    Polyglotz - 3.cod... signed

    Polyglotz - 4.cod... signed

    Polyglotz - 4.cod... signed

    Polyglotz - 4.cod... signed

    Polyglotz - 5.cod... signed

    Polyglotz - 5.cod... signed

    Polyglotz - 5.cod... signed

    Polyglotz - 6.cod... signed

    Polyglotz - 6.cod... signed

    Polyglotz - 6.cod... signed

    The file Polyglotz - 1.cod, Polyglotz - 2.cod, Polyglotz - 3.cod, Polyglotz - 4.cod, Polyglotz - 5.cod and Polyglotz - 6.cod are all located under different directory EvsJXuSa\

    In any case, I copied all the files to my Web site, set the configuration of mime types in the file .htaccess as suggested by RIM to

    http://www.polyglotz.com/index.php?option=com_content&task=view&id=79&Itemid=40

    but whenever I tried to download and install the application using the web browser on the device, I kept getting the message saying that the application is not signed correctly.

    I'd appreciate very much any help that you could give me.

    Kind regards

    If you want to distribute your app via OTA and if your application also contains brother cod files the following:

    Rename your cod for zip file. Unzip it. Delete the generated file.

    And extacted *.cod file with your jad file (you don't need to edit the jad file) to the server.

    Visit this link for more technical information:

    http://www.BlackBerry.com/knowledgecenterpublic/livelink.exe/fetch/2000/348583/800708/800646/What_Is...

Maybe you are looking for