I have two C binaries which try to open network connections for communication.
This is for external communication. When I run them for the first time, OS X's firewall pops up the message given in the title. How can I get rid of this?
I suspect this is related to code signing? How do I code-sign this binary?
Basically I have to build this binary in one Mac machine, and distribute outside app store.
How can I get rid of the firewall pop up if the OS X firewall is enabled in the machine?
You can resolve this by signing the offending application binary yourself.
Disclaimer: Signing an application yourself will make an application appear more secure to the operating system, when in reality it isn’t. Only sign applications that you are 100% sure are not spyware or otherwise malicious. If you have any doubts, just uninstall/reinstall.
Part 1: Create a Signing Identity
The solution I’m going for – signing the app myself – requires that I create a Signing Identity, also known as Signing Certificate. This is very easy to do:
Open Applications > Utilities > Keychain Access.
From the Keychain Access menu, choose Certificate Assistant > Create a Certificate.
Fill in a name for the certificate. This name appears in the Keychain Access utility as the name of the certificate. This is also the name you will use when referencing this certificate. Personally, I used the name, “My Signing Identity.”
Choose Code Signing from the Certificate Type menu.
Choose Self Signed Root from the Type popup menu.
Check the Let me override defaults checkbox.
Click Continue.
Specify a serial number for the certificate. Any number will do as long as you have no other certificate with the same name and serial number.
Click Continue.
Fill in the information for the certificate. You can use real or fake data, I used real data personally.
Click Continue.
Accept the defaults for the rest of the dialogs.
Once completed, you will see your certificate in Keychain Access. Verify the name you picked, and you’re done with this step. Well done!
Part 2: (Re-)Sign your application
Now you have to sign your application. To do this, open up Terminal again and use the following command:
codesign -s "My Signing Identity" -f /path/to/your/binary/app
A dialog will appear, click "Allow".
Now start your application again. You will get the accept incoming connections dialog one last time. Click "Allow".
From now on you should no longer get the warnings! Now it is possible to enjoy the security of your firewall being active without the inconvenience of having to click "Allow" constantly.
Credit: The original source which served as a starting place for this updated and annotated solution guide was http://silvanolte.com/blog/2011/01/18/do-you-want-the-application-to-accept-incoming-network-connections/
In my case this alert appeared when I ran a Python project from PyCharm after updating macOS to 10.15 Catalina. I fixed it with
codesign -vvv /Applications/PyCharm.app/
I was trying to apply this solution to fix python as used by Arduino OTA. I found another solution describing self-signing the app that stated $(which python) as the file path to sign, but in my case that resolved to /usr/bin/python. Self-signing this not only required I drop to Rootless mode to allow writing to /usr/bin, but when I went back and tested it, python was STILL asking for permission to allow incoming connections!
The correct python file to self-sign is in fact (in my case at least) /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app
Once I self-signed this correct file path, the Arduino OTA process no longer required me clicking allow incoming connections - Hoorah!
Hope that helps someone.
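The procedure above (create an identity, codesign -s, click "Allow" once) plus the Python.app observation, as an added shell script that is not from any of the posts: it inspects the current signature first, signs with the self-signed identity only when the file is unsigned or merely ad-hoc signed, and then verifies the result. It assumes macOS with the codesign tool and an identity named "My Signing Identity" as created in the answer.

```shell
#!/bin/sh
# Added example, not code from the original answer. Assumes macOS, the
# codesign tool, and a self-signed identity named "My Signing Identity".
set -eu

# Reduce the text printed by `codesign -dvv <path>` (it writes to stderr) to
# one state word: unsigned | adhoc | signed:<first Authority line>
signing_state() {
  info="$1"
  if printf '%s\n' "$info" | grep -q 'not signed at all'; then
    echo unsigned
  elif printf '%s\n' "$info" | grep -q '^Signature=adhoc'; then
    echo adhoc
  else
    auth=$(printf '%s\n' "$info" | sed -n 's/^Authority=//p' | head -n 1)
    echo "signed:${auth:-unknown}"
  fi
}

# Returns success when the state means no real identity has signed the file.
# An ad-hoc signature carries no identity, so the firewall cannot pin a
# stable rule to it; that is the case where re-signing helps.
needs_signing() {
  case "$1" in
    unsigned|adhoc) return 0 ;;
    *) return 1 ;;
  esac
}

# Sign only when needed, then verify. The firewall prompt appears once more
# after a fresh signature, then stays remembered for that signature.
sign_if_needed() {
  path="$1"; identity="${2:-My Signing Identity}"
  state=$(signing_state "$(codesign -dvv "$path" 2>&1 || true)")
  echo "before: $state"
  if needs_signing "$state"; then
    codesign -s "$identity" -f "$path"
  else
    echo "already signed by an identity; leaving it alone"
  fi
  # --verify exits non-zero if the signature is missing or no longer matches
  # the file contents (e.g. the binary was modified after signing).
  codesign --verify --verbose "$path"
  echo "after:  $(signing_state "$(codesign -dvv "$path" 2>&1 || true)")"
}

# Usage: ./sign_if_needed.sh /path/to/binary ["Identity Name"]
# Pass the thing that actually listens: for the Arduino OTA case in the post
# above that was the Python.app bundle, not the /usr/bin/python stub.
if [ "$#" -ge 1 ]; then
  sign_if_needed "$@"
fi
```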
My WPF installer project build generates setup.exe, and it is signed using Signtool in a PostBuildEvent. It still shows Publisher as unknown on the UAC popup at the very last step of setup.exe.
Can someone help me to fix this?
MSI vs Setup.exe: You should sign the MSI file as well as the Setup.exe file.
Certificate Type: What kind of certificate are you using? I believe you need a digital code-signing certificate from a recognized issuing authority (DigiCert, Thawte, etc...).
EV-code signing certificate (please visit this link).
Why do I still see publisher unknown with the UAC prompt?
Get a code signing certificate
Signtool.exe: If you have a valid certificate, are you using the /d option to the command line of signtool.exe when signing your MSI?:
signtool.exe /d "Your Software Name"
How to add publisher in Installshield 2018
Trust Yet Verify: When you have signed the file, right click it and select "Properties" to make sure the file is actually successfully signed. Look for the tab "Digital Signatures" (or equivalent in your own language):
Administrative Installation: Sometimes people forget that they have run an MSI through an administrative installation. This is essentially a file extract from the MSI resulting in a new MSI without the embedded CABs in the output location (more). This extracted MSI will not be signed - even if the original MSI was signed. This extracted source is used in many companies to keep the installation files on a networks share available for repair and inspection (and during application packaging to inspect the package content - and other purposes).
Post-Processing MSI: This is actually a very common issue: you must never touch a file that has been digitally signed. If you edit it after the signature has been applied this invalidates the signature. The whole point of digital signatures is to verify that the file you look at is the one that was signed by the vendor. In other words that the file has not been changed in transit to you (tampering, malware infection, etc...). More on this important issue here (attempted humor in there). Note that the tampering might happen via automation scripts and not by manual editing, hence one must always check for this cause.
Other Issues: There are also some other possibilities. The signed file could be corrupted during download or from malware attack and such things. Far beyond the question, but just mentioned for whoever might find this.
Links:
Is it possible to define a Windows Installer-uninstaller filename?
Installshield Custom Dialogue Installer
How can i generate windows certificate so my msi doesn't shows warning to users
Further Links:
Windows printscreen not working on Software Installation
WIX-Installer MSI Publisher Unknown
Everything you need to know about Authenticode Code Signing
Most of my company is currently working from home and is having to tunnel into our office network through a VPN. As such, all our network drives are, technically, disconnected until we log in to the VPN. Once connected, we could simply open a file explorer window and open each network drive to reestablish/refresh the connection in Windows' eyes, but more than 2 or 3 drives is a hassle, and some of our members don't even think to do this every day even for our main project drive (the only universal drive letter we use in our office) before opening some of our programs that need a network drive mapped, and thus have the potential to mess up our files or links therein.
Desired Solution:
I'm looking for a batch or cmd file that can run to refresh or reconnect the drives, without explicitly using NET USE if possible (more on why further down) or opening a file explorer by using a batch file to open a shortcut to a network folder. If this just isn't possible, I'll stick with the solution I have that uses NET USE, but would appreciate help smoothing out the issues outlined below.
I have a couple solutions that are more than a little intrusive in that they require some form of interaction to dismiss them once launched, rather than running, reaching eof, then closing using TIMEOUT /T 5. I was hoping there might be something a little more streamlined, or at least less intrusive, that I could use to avoid these unnecessary interactions that I'm currently dealing with:
Shortcut to a folder on each drive to "ping" said drive for refresh, but this opens a file explorer window, potentially interrupting workflow. I would like to suppress this window opening if possible, or at least immediately close it (not exactly how file explorer works, I know).
Batch file that tests all mapped drives for disconnected ones, then attempts to reconnect, sometimes causing a user input in the cmd window to interrupt workflow (We have two security levels each with their own login credentials, and several of us have mapped network drives using each of the two creds, so some disconnected drives will require manual entry of username and password when the /USER:%username% %password% parameters don't work, which I just can't seem to avoid. Neither server nor network location for NET USE are viable tests for which security level, as they're labeled after the project itself rather than the security level needed, and so my only remedy here would be to suppress the asking for user input).
Multiple batch files, one for each drive, requiring users to manually copy and alter batch files for their own needs (only one drive is universally used for each project we're on, and even then some people are on different projects), then updating the task scheduler to run each of their created files (not at all desirable, and as far as I'm concerned, unacceptable). If nothing else can be modified or work without interference, I can just use this to run on our company's default project drive letter, and let people worry about reconnecting the others as needed.
I have a task scheduled for any time our VPN client reports a connection, which due to our home networks and/or the connection between us and the VPN servers, could occur multiple times a day (I've had up to 4 or 5 "connection" events trigger my task after the initial login, though I only have to explicitly login the one time), which can cause further interruptions in workflow beyond just the initial VPN login run. I'm willing to accept any solution that uses NET USE as long as I can suppress the request for user input if the Windows login password doesn't work, or a shortcut if I can prevent the opening of a file explorer window. Alternative solutions are preferred, but I understand that may not be possible.
I have tested using DIR //server/foo, but it timed out for the same reasons that file explorer doesn't display the network drive as "connected" after VPN login is successful.
I've also had mixed results with setting the task scheduler to run my program off of a network connection as opposed to the "connect" event from our VPN client, mostly in that it didn't run reliably, if at all, as I needed to wait until I was connected through the VPN, not just standard internet connection through an ethernet cable. For this, I tried using both methods here, but none of the networks that are available after VPN login seemed to trigger the task properly, even though manually triggering the event through Task Scheduler showed the action would run fine. As such, I'm considering this as a failure, but can revisit if no more streamlined solutions are available or I can get a guarantee this method won't trigger as often (preferably only once per login) as watching the VPN client for its connection event.
At this point, I'm stuck with two solutions that have a high potential to interrupt workflow and annoy the user too greatly for me to want to send out as a final solution (a for loop on NET USE where drive is disconnected and a batch file to open a shortcut that opens a window front and center), and another solution that I consider too limited in scope and as a last resort. I'll make do if there's not a better way to handle either of the first two, but in the meantime, I would greatly appreciate any help/advice!
Edit:
On a side note, I do expect to have the cmd window pop up briefly, then close automatically once the operations are done (like it would with the shortcut solution), so some amount of workflow interruption will likely be unavoidable. What I'm considering unacceptable is that I can't minimize it and prevent the user from having to interact with it directly or indirectly to get the cmd or resulting window to close after it takes the active window status from whatever program the user was previously in.
Edit 2:
I've posted this query elsewhere with this additional recap to help narrow my request:
As a recap, I'm looking for a solution for refreshing network drive connections that does not rely on Credential Manager, will not require user input if network drive credentials differ from Windows login credentials, and will not pop up a window that requires the user to close it manually. Brief workflow interruptions resulting from cmd or child-process windows popping up before closing automatically are acceptable, with a preference towards one of the two solution avenues I already have running. Thanks again for any input you may have!
I had the same problem. I have 4 mapped drives to reconnect to when I open the VPN and it was a real pain. I have looked for batch file solutions in vain.
My solution is to use a free program called FBackup. I use it anyway for the intended purpose of backing things up, but I noticed that when it opens, it reconnects all of my drives (including the mapped drives using the VPN to the office).
So after I connect, I open FBACKUP. It makes all of the connections for me, then I just shut it down. Job done.
This probably belongs on the site that this site was made to head up against, which I am unsure if I am allowed to reference by name on this site.
That said, if it was at this site you probably want to post on Superuser.
That said...
For users with more than one drive mapping you want to store their credentials used in Windows Credential Manager so that the drives can automatically be mapped without specifying a username and password each time.
That will allow your batch script to run in the background and re-map the drives.
For lack of a better answer that is viable for our setup (will definitely remember Ben's answer for later, in case I'm able to use it for the lower security profiles), I've decided to go with a more limited scope for my batch file, since I have yet to find any info that will allow me to suppress a file explorer window or request for user input from the cmd window (for password) when attempting to refresh connection to all saved network drives.
Since the one drive that absolutely must be reconnected is, by our guidelines, universally assigned to the same letter (mapping changes depending on the primary project we're on), I've opted for just refreshing this drive as the credentials for this drive will always match the Windows login credentials, and thus won't request user for input if a password is wrong.
I will keep tabs on this question, so that if someone else comes along and has a better solution, I will definitely swap the selected answer to them.
I need help on sending certificate information from one program to another, and logging into Windows with that information through the use of CredMarshalCredential and LogonUser. My program currently passes credentials and logs in successfully with a regular username/password combination. I'm just adding the ability to do it with Smart Card credentials.
I've used this example successfully to login with a Smart Card Certificate.
This works when you run the program as the user, but not when trying to run the program as SYSTEM. This is because SYSTEM cannot access the user's "MY" store. I'm trying to work around this, either by passing the cert or the entire cert store to the program running as SYSTEM from an application running as the user.
I've tried numerous approaches to get something that would log in successfully after serialization, but haven't gotten anything to successfully work. The approach that seems to work the best has been to call CertSaveStore and open the BLOB. I've used the last example at the bottom of this Microsoft Example Page. This restores the cert store from the BLOB correctly, finds certs, and even generates a username. But the generated username is different than the original generated username and fails to log in with an error of ERROR_LOGON_FAILURE (The user name or password is incorrect).
My current test application saves the cert and loads it again in the same program. I've taken the SYSTEM aspect out of the equation for now. I'm guessing the restored cert store is missing some information, but I'm not sure what I'm missing. Any insight would be appreciated.
One last note, I originally tried to just pass the generated username and PIN to SYSTEM and have it step down, but it failed with the same ERROR_LOGON_FAILURE error. I'm assuming the username has to be regenerated since being called by a different user/program, but that assumption could be wrong.
I have gotten my example program working with CertSerializeCertificatesStoreElement and CertAddCertificateContextToStore. I am able to serialize the certificate, and add it to a new store in memory at a later time. I had tried this earlier, but accidentally did not save the size of the serialized item, I just tried to use sizeof() the item which returned an incorrect size.
If anyone is looking to send certificate credentials between programs in the same userspace this approach will work well.
I took this a step further and implemented it in my userspace/SYSTEM paradigm. The logic worked correctly, and I was able to generate a username but still failed to LogonUser. After another week of trial and error, I found a solution that works between the userspace and SYSTEM. I ended up having to use LsaLogonUser instead of LogonUser.
If anyone is looking to have a userspace program send credentials to a daemon running in SYSTEM and have that program step down to the user use this example. I initially tried this very similar example, but it continues to fail. In the working example, you do not need to pass in a domain or username, just the PIN. The system will read the Smart Card from the reader and verify with the passed in PIN. This solution will work across computers, ONLY IF the smart card is located at the remote computer. I am looking into a way to accomplish having it work with the smart card in the host computer, but it is outside of this post.
I hope this saves someone the weeks of work I put into getting to this point.
I have 2 file signing cards with the same "sponsor" (obviously, the actual "signer" is different between the 2). Until quite recently, I've only been using the one but today I tried using the other. I built my application and signed it using the same process I always use and I downloaded both the .out and the .p7s files the same way I always do, but when the download finishes, I get an error message about the signature not matching.
I was pretty sure that you could use 2 different signing cards as long as the sponsor was the same between them. Am I wrong? What am I missing?
For the record:
This is for a Vx520
My terminal is on the latest OS
I have verified that the sponsor certificate name on the terminal's boot up screen matches the sponsor cert name in the signing tool's diagnostics menu
My terminal also has VMAC and CommServer, but no other programs on it (besides the one I built and am trying to download and run)
When the file signing tool runs, it generates the .p7s file, which is always required, but it also generates a file Certif.crt. This file is not necessary to download to the terminal if you are only using a single signing card, but if you use a second card, you MUST download it along with the .p7s. From what I can tell, this .crt file is what the terminal uses to determine that the sponsors are the same. Once I downloaded the .crt file along with everything else, it worked.
Side note: The tool also generates a SponsorCertif.crt file. I'm not using that nor do I know what scenarios would require it... If you know, please comment below.
I bought two VeriShield file signing cards. Unfortunately neither of the cards work--they each give a "wrong pin" error.
PIN Entry Try is 3. Do we see any message if the cards are locked? Can we sign the file as default and download the app to terminal? Also will there be any ownership issues if I sign the files as default for development?
Let's start with why you are getting the wrong PIN. There could be a few different reasons:
VERIFY YOU HAVE THE RIGHT PIN
When you first got your cards, each one should have come with a welcome letter telling you what the PIN is for that card. Note that each card will have a unique PIN and that you can't mix the two up (that is--if you try to enter the PIN for card 1 on card 2, it won't work and vice versa).
NOTE: VeriFone is not infallible--when I was in my VF training class, one student got a pair of cards that didn't work and the teacher decided he must have had the wrong PINs sent to him. The only remedy is to contact the VF rep from whom you purchased the cards.
CHECK FOR PROPER INSTALLATION
Are you using the latest version of the File Signing Tool (FST)? I believe the latest version is 04.01.04. If you have an older version, go to the DevNet page and get the latest.
I have a note saying that the FST installer needs to be run using administrator privileges, though if I remember correctly, it will elevate itself to administrator, so this shouldn't be of too much concern. My note also says that during the setup, you may get a message about not being able to change folder permissions, but not to worry about it.
Once you have the FST installed, set it to always run as administrator. This IS important and it won't work if you don't.
The first time you run FST, you'll need to set up 2 officers and give them temporary passwords (you will be required to change the passwords on the next log-in). Note that for some reason, VF decided to make the USER NAMES case sensitive (not just the passwords).
Once those users are set up, log in as those users and change the password to the "permanent" password ("permanent" as in you don't have to change it again if you don't want to). If I'm not mistaken, you can't use one of the last (3?) passwords, so you can't use the same as the temporary password you set them up with.
Now log in with BOTH users that you set up and choose Change PIN.
If you are still having trouble, contact your VF rep.
PIN Entry Try is 3. Do we see any message if the cards are locked?
I know that you do have a very limited number of retries before the card locks itself, but seeing as mine worked on my first try, I really couldn't tell you what happens as you approach and/or cross that limit.
Can we sign the file as default and download the app to terminal? Also will there be any ownership issues if I sign the files as default for development?
That depends on what type of terminal you are using. If it is a Verix or VerixV (so like 3740, 3750, 3730, 510, 570) then, yes you can use a default signature (that's what I regularly do on these terminals) and no, it won't cause any problems, assuming everything else that is running on that terminal is also default-signed. If you are using some things that ARE secure-signed, then I believe that all items must have the same sponsor to run on that terminal (I know that's true with the eVo platform, but I'm just assuming on the Verix/VerixV platforms).
HOWEVER, if you are running an eVo terminal (like 520) then you MUST use a secure signature--eVo will not accept a default certificate. What's more, once a secure-signed program is loaded into the terminal, then ALL future applications MUST be signed using a certificate with the same sponsor, or that program will not run. (One exception--if you run the certificate removal program, then AFTER it runs, you can load a new sponsor on. However, note that the removal tool will not run unless it has been signed by the same sponsor).
Trying to use a default certificate should not cause any ownership problems, it just won't run. I know that if I try and use the default certificate on my terminal that already has a sponsor, it will compare the file signatures after download and say they don't match. I haven't tried it on a blank (no sponsor cert yet) eVo, but I suspect you would get roughly the same result.
Those file signing cards have gotten expensive recently, so if yours aren't working, then I'd get with the VF rep quickly and try to get it fixed--the longer you wait, the less likely they'll help you.