Signing Air Application without a .pfx file

[Khumee]

We have a legacy Air Application that we used to sign with DigiCert Certificate using .pfx file. Now certificate authorities don't allow to export .pfx file. Anyone is experiencing the same issue ? .
Now application can be signed using Digicert key locker or using HSB device but they do not support .airi file extensions.

[ajwfrost]

We've got things set up with a remote codesign service (DigiCert ONE) using the below steps, and I believe the same could also be applied to set up signing for using a hardware key...

The main thing I think is that you need a properties file with details of the platform-specific signing provider, see the first steps from:
https://knowledge.digicert.com/tutorials/sign-java-jar-files-with-a-hardware-token-based-code-signing-certificate-in-windows
i.e. you need a configuration file (it can go anywhere!) with a "name" entry to identify this provider, and a library which references the DLL that handles the signing. Note that they've got single backslashes in their example, we've got double backslashes in our file, so maybe see which works (personally I think this is read by Java so should be double-backslash, or single-forwardslash..)

Then you need to let Java know about this .. which you can do by editing your java.security file (normally in JDK_folder/conf/security) and finding where there's a list of "security.provider.nn" entries, and adding one, using the next number in the list:

security.provider.14=SunPKCS11 c:/somewhere/where/you/put/that/properties.cfg

Then that should all be sorted... and the arguments to AIR/ADT would then be:

-storetype pkcs11
-providerName SunPKCS11-nameEntryFromPropertiesFile
-alias Whatever_your_certificate_alias_is
-storepass xxx

i.e. the provider name is "SunPKCS11" (same as in the java.security file) hyphenated with the "name" entry from your properties file where you also identified the library.

Hope that helps... it's a bit convoluted to set up, but then should work a charm..
We have this working with the online service where we don't actually need a password because the authentication is done separately, but we still need a 'storepass' argument, hence just pass in 'a' or anything random. For a hardware key I suspect you would still need a password? (although we also use a hardware token for signing our .exe files, and that requires the password to be entered in a pop-up window.. I've never come across a way to pass in the password from the command line!)

Let us know how it goes! If you are using DigiCert and run into any difficulties, let me know and I can try to reproduce the set-up here and then rope in their support if needed.

thanks

[Khumee]

Thanks a lot Andrew, I have configured Digicert Signtool and it works with .exe file , In pkcs11.cfg I have
name=signingmanager
library=C:\Program Files (x86)\Adobe\Adobe Flash Builder 4.6\sdks\3.6.0\lib\adt.jar
slotListIndex=0

https://www.loom.com/share/270dc408a42b4bd0819d23abbb200901

I tried with changing the library to
library=C:\Program Files (x86)\Adobe\Adobe Flash Builder 4.6\sdks\3.6.0\lib\adt.jar

but it could not sign .airi file

https://www.loom.com/share/34cdac46b94a4d4c9679757cfba5e2a1

Apparently Digicert support
https://docs.digicert.com/nl/software-trust-manager/sign-with-digicert-signing-tools/files-supported-for-signing.html

[ajwfrost]

So, the process we use in ADT is very similar to how JAR files are signed... if you look under that support list, there's a link for jarsigner:
https://docs.digicert.com/nl/software-trust-manager/sign-with-digicert-signing-tools/third-party-signing-tool-integrations/jarsigner.html
and this has the details for the library and config file:

PKCS11 library
Jarsigner uses a configuration file to integrate with Software Trust Manager PKCS11 library.

Follow these instructions to download Software Trust Manager PKCS11 library and create the configuration file.

You can see the config file under that link, it's a DLL that they've got referenced as the library, and they've saved the file as pkcs11properties.cfg.

It may not help that all their examples have have arguments such as -providerClass sun.security.pkcs11.SunPKCS11 -providerArg pkcs11properties.cfg e.g. see this link, but if you set up the java security configuration file, you can replace those two by the -providerName that you have in the properties/cfg file (i.e. signingmanager in their example).

We perhaps need to try getting the steps better illustrated and working through an example, similar to how their documentation is set up! But hope that helps a bit..

thanks

[Khumee]

Hi Andrew,

I configured things for JarSigner and was able to successfully sign a jar file but unfortunately was not able to sign the desired .airi file.

https://www.loom.com/share/1f138f5e41ce40ad8ece967ea8189cbf

I shall be very grateful if you could sign the .airi file available at { https://drive.google.com/file/d/1uAXweFXs1fMsBnP6Y76nXmSkNS1wI75T/view?usp=sharing } in your setup to see if it works or not.Its a kind of show stopper for us to create setup for updates for our clients

[ajwfrost]

Hi - I can take a look, but I can't access file sharing systems so can you please upload the files here:
https://transfer.harman.com/requests/E5Sm9gsbtmpsze1TdcF0Ax
thanks

[Khumee]

Uploaded file on given link.

…

On Wed, Mar 13, 2024 at 2:54 PM Andrew Frost ***@***.***> wrote: Hi - I can take a look, but I can't access file sharing systems so can you please upload the files here: https://transfer.harman.com/requests/E5Sm9gsbtmpsze1TdcF0Ax thanks — Reply to this email directly, view it on GitHub <#3108 (reply in thread)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AELI6XXQ7IDQQB5RQGE42QTYYAO67AVCNFSM6AAAAABEKMZCHCVHI2DSMVQWIX3LMV43SRDJONRXK43TNFXW4Q3PNVWWK3TUHM4DONZQGU2TG> . You are receiving this because you authored the thread.Message ID: <airsdk/Adobe-Runtime-Support/repo-discussions/3108/comments/8770553@ github.com>

[Khumee]

@ajwfrost Did you get a chance to check the installer without migration ?

[ajwfrost]

We did .. and it's also failing; we've narrowed this down to the verification of the signature, but can't actually see where within the code it's finding the problem. The signature validation code is all fairly complex and is from some third party (within Adobe) codebase so it's proving a little difficult to work out. We're trying to look at the comparisons between the signatures from when we do this vs when you do it.... a bit of a painstaking process though!

So, sorry, working on it but it's quite slow..

[Khumee]

Hi @ajwfrost , hope you are doing great

This command suddenly stop working
java -jar "D:\PLM\Signing\AIRSDK\lib\adt.jar" -sign -storetype pkcs11 -providerName SunPKCS11-signingmanager -alias key_614426073 -storepass ignored -target air UIS.1.23.6537.airi UIS.1.23.6537.air

with error
Could not generate timestamp: Connection reset

I tried with -tsa http://timestamp.digicert.com but it didnot work

Can you please share which timestamp URL is being used by adt internally and how can I override it ?

Regards
Khurram

[ajwfrost]

That -tsa argument should work.. are you able to check the troubleshooting output to see what the full command-line is being interpreted as? Plus we have some more details (and a workaround using the 'hosts' file) available under the thread for #3419

We're about to issue a release that has the update for this, internally it would be defaulting to the old Symantec address I believe.

thanks

[Khumee]

Thanks @ajwfrost

-tsa worked now when I inserted after "-alias" argument