November 21, 2014

Code Signing Certificate (from CA): Steps and Troubleshooting

Steps:
  1. Apply for a certificate from Comodo.
  2. In the Firefox certificate manager, select the certificate and choose "export all".
  3. Save the exported certificate as comodo.p12.
  4. The .p12 and .pfx formats are the same, so just change the extension to .pfx (comodo.pfx).
  5. Import comodo.pfx with chaining info; this will be the certificate for signing the ClickOnce manifest.
  6. Timestamp server, e.g. http://timestamp.verisign.com/scripts/timstamp.dll
  7. Clean up related certificates in certmgr.
  8. Import the certificate with "Mark this key as exportable".
  9. In certmgr, under personal certificates, select "All Tasks" > "Export..".
  10. Select "Yes, export the private key".
  11. In Personal Information Exchange, un-check "Include all certificates in the certification path if possible".
  12. Export this key as forAssemblies.pfx.
  13. This key may contain KeySpec=1, which is incorrect for code signing.
  14. Open a Visual Studio command prompt (VS2012 ARM Cross Tools Command Prompt in VS2013), because we need to use certutil.
  15. In the command prompt, navigate to the forAssemblies.pfx location.
  16. certutil -importPFX -user forAssemblies.pfx AT_SIGNATURE
  17. This command imports the pfx with KeySpec=2.
  18. This key is now ready for signing assemblies.

Troubleshooting: "An attempt was made to reference a token that does not exist."
This means the key used for signing the assembly is incorrect.
This is a general error message; there are many possible causes.
Possible solutions:
  1. The key contains chaining information. Import it with the private key and export it again without chaining info.
  2. Change the KeySpec of the key to 2:
    1. Read http://blogs.msdn.com/b/andrekl/archive/2008/01/08/strong-name-signing-in-visual-studio-2005-requires-keyspec-2-at-signature.aspx
    2. Using the "Certificates" MMC, export the existing keyset (KeySpec=1) to a PFX file.
      Note: please back up this file to a safe location and test that it imports correctly on another machine if you really want to play it safe!
    3. Delete the existing certificate from the crypto store (still using the MMC).
    4. Open a CMD prompt.
    5. Import the PFX file using the following command (the PFX file name goes before AT_SIGNATURE, as in step 16 above):
    6. certutil -importPFX -user AT_SIGNATURE
    7. Enter the passphrase for the pfx when prompted.
    8. You should now have a keyset/certificate with KeySpec=2. If needed, you can now export this into another PFX file using the MMC again.
Troubleshooting: "Cannot import the following key file: my.pfx. The key file may be password protected. To correct this, try to import the certificate again or manually install the certificate to the Strong Name CSP with the following key container name: VS_KEY_605BB970F096DC5F"

Possible solutions:
  1. Install this key into the container with sn.exe:
    1. In the command prompt, navigate to the AssemblyNoChaining.pfx location.
    2. "C:\Program Files (x86)\Microsoft SDKs\Windows\v8.0A\bin\NETFX 4.0 Tools\x64\sn.exe" -d VS_KEY_605BB970F096DC5F
    3. "C:\Program Files (x86)\Microsoft SDKs\Windows\v8.0A\bin\NETFX 4.0 Tools\x64\sn.exe" -i forAssemblyNoChaining.pfx VS_KEY_605BB970F096DC5F
  2. Change the KeySpec of the key to 2 as above.
reference: https://stackoverflow.com/questions/2815366/cannot-import-the-keyfile-blah-pfx-error-the-keyfile-may-be-password-protec/14644793#14644793
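The two things the steps and both troubleshooting sections keep coming back to (chaining info in the exported PFX, and KeySpec=1 instead of 2) can be checked before handing the file to Visual Studio. The script below is an added example, not code from the original post; it assumes Windows PowerShell 5.1 (so the private key is a .NET Framework CSP container), the file name forAssemblies.pfx from the steps, and a placeholder password.

```powershell
# Added check (not from the original post): inspect an exported PFX before
# pointing Visual Studio at it. Reports whether chain certificates are bundled
# and whether the private key's KeySpec is AT_SIGNATURE (2) or AT_KEYEXCHANGE (1).
# Assumes Windows PowerShell 5.1 / .NET Framework (CSP-backed private keys).
param(
    [string]$PfxPath  = ".\forAssemblies.pfx",   # assumed file name from the steps above
    [string]$Password = "<pfx-password>"         # placeholder, not a real value
)

# Import every certificate in the PFX without persisting the key to a store.
$coll = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$coll.Import((Resolve-Path $PfxPath).Path, $Password,
    [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable)

$leaf = @($coll | Where-Object { $_.HasPrivateKey })[0]
if (-not $leaf) { throw "No certificate with a private key found in $PfxPath" }

# 1. Chaining info: more than one certificate means the export included the chain.
$chainCount = $coll.Count - 1
if ($chainCount -gt 0) {
    Write-Warning "$PfxPath bundles $chainCount chain certificate(s); re-export with 'Include all certificates in the certification path' un-checked."
}

# 2. Code Signing EKU (1.3.6.1.5.5.7.3.3) must be present on the leaf certificate.
$eku = $leaf.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.37" }
$hasCodeSigning = [bool]($eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq "1.3.6.1.5.5.7.3.3" }))

# 3. KeySpec of the key container: KeyNumber.Exchange = 1, KeyNumber.Signature = 2.
$keySpec = $null
$rsa = $leaf.PrivateKey
if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
    $keySpec = [int]$rsa.CspKeyContainerInfo.KeyNumber
    if ($keySpec -ne 2) {
        Write-Warning "KeySpec=$keySpec; re-import with: certutil -importPFX -user $PfxPath AT_SIGNATURE"
    }
} else {
    Write-Warning "Private key is not a CSP (legacy) key; KeySpec does not apply to CNG keys."
}

# Summary object for scripting or eyeballing.
[pscustomobject]@{
    Subject        = $leaf.Subject
    Thumbprint     = $leaf.Thumbprint
    ChainCerts     = $chainCount
    CodeSigningEku = $hasCodeSigning
    KeySpec        = $keySpec
}
```

A clean result for the strong-name key is ChainCerts = 0 and KeySpec = 2; the ClickOnce manifest certificate from step 5 is expected to show ChainCerts > 0.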