adt signing using etoken issue

New Here ,
Jan 25, 2019

Using macOS and signing with eToken. Was working before I upgraded to OS X 10.14, as this broke the PKCS11 signing.

Installed an updated driver for SafeNet and the keytool is working again.

However when I try to sign using adt I get the following:

adt -sign -storetype PKCS11 -providerName SunPKCS11-eToken -storepass XXXXX -tsa http://sha256timestamp.ws.symantec.com/sha256/timestamp -target air APP.airi APP.air

unexpected failure: Unable to create signature.
java.io.IOException: Unable to create signature.
    at com.adobe.ucf.UCFOutputStream.finalizeSig(UCFOutputStream.java:334)
    at com.adobe.air.AIROutputStream.finalizeSig(AIROutputStream.java:157)
    at com.adobe.air.ApplicationPackager.createPackage(ApplicationPackager.java:256)
    at com.adobe.air.ADT.parseArgsAndGo(ADT.java:716)
    at com.adobe.air.ADT.run(ADT.java:485)
    at com.adobe.air.ADT.main(ADT.java:535)

Using keytool I get:

keytool -list -keystore NONE -storetype PKCS11 -providerclass sun.security.pkcs11.SunPKCS11 -providerArg eToken.cfg

Enter keystore password:
Keystore type: PKCS11
Keystore provider: SunPKCS11-eToken
Your keystore contains 1 entry
xxxxxxxxxx, PrivateKeyEntry,
Certificate fingerprint (SHA-256): xxxxxxxx

Any ideas on how to proceed?

Community Beginner ,
Apr 03, 2020

Hey mate.

I wonder if you've been able to resolve your issue with eToken signing?

If yes, perhaps you could help me out?

Here's my story.

I have a client with a desktop AIR app. In 2017, I got the eToken signing working for it. The client had a dedicated Windows 10 (x64) PC set up in their office, with the eToken plugged into that computer. I was accessing it with remote access to build/package/sign the application. So, the last time that was done successfully was around 2017 or 2018.

That PC got wiped for some reason, and now they need a new version of the app. I got all of the things set up there again, but am now getting this error (the same you were getting). I can't seem to figure out what is causing it, or how to fix this. I've set up the Java eToken configuration per instructions from DigiCert (our EV code signing certificate comes from DigiCert). Checking with keytool, everything looks good. I've successfully signed a test .jar file with jarsigner (and also an .exe file using Microsoft signtool). The only problem seems to be with adt. This is the command-line I'm using:

adt -package -tsa http://timestamp.digicert.com -storetype PKCS11 -storepass "" -providerName SunPKCS11-eToken -target bundle "dist/UFeelPlayer3-store" ufeel.application.xml -C bin-ufeel .

It's asking me for a password, then gives me the unexpected failure: Unable to create signature.

I'm using a combined Flex 4.6.0 + AIR 28.0.0 SDK. In 2017 we were using AIR 25; I've tried this also, with the same results. I also tried AIR 32 (which breaks MP4 playback in the application, somehow), and AIR 33.1.1 from Harman. All of them gave the same error. I've also tried both 32-bit and 64-bit Java JDK (latest from 1.8.0_xxx series). Nothing seems to fix it.

Thanks

--Gene

heilong
Community Beginner ,
Apr 20, 2020

I've tried a suggestion I got from ozster123 in a private message, and it works (on Windows). Here is my description of the solution.

Apparently, once you have the SafeNet Authentication Client installed and the USB token plugged in, the key is also visible via some Windows-specific API.

Using keytool -list -storetype Windows-MY, I saw the desired certificate's private key listed.

For signing, here's the command that worked (details edited out for client's privacy):

adt -package -tsa http://timestamp.digicert.com -storetype Windows-MY -storepass "" -alias "Example Company LLC" -target bundle "dist/ExampleApp" application.xml -C bin .

Note: if -storepass "" is omitted, adt asks for a password on the command line, and then SafeNet's GUI password prompt shows up. With -storepass "", only SafeNet's GUI prompt shows up, and signing finished without error. And, I've confirmed this works fine with the very recent Java JDK 1.8.0_241.

I think I'll continue to use this solution, since it is easy to use and doesn't require editing Java's security config file and configuring an eToken.cfg.

I don't see the point of trying this on macOS, as Apple wants everything signed by a Developer certificate that they issue themselves; it can be just imported to the Keychain or kept as a PFX file. The more complicated thing is notarization; I've had to spend some hours to make it work. Here's a great resource and some scripts to help with this process: https://github.com/tuarua/WebViewANE/tree/master/mac_installer

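An added check, not part of the original posts or of the AIR SDK: a small Java program that, like the keytool and jarsigner tests mentioned in this thread, confirms outside adt that a store type (Windows-MY or PKCS11) exposes a private key and can actually sign with it, reporting the provider's exception if signing fails. The class name TokenSignCheck and the test payload are made up for this example; it assumes JDK 8 and, for PKCS11, that the SunPKCS11-eToken provider is already registered in Java's security config.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.cert.Certificate;
import java.util.Collections;

// Added diagnostic; the class name TokenSignCheck is hypothetical.
//   java TokenSignCheck Windows-MY
//   java TokenSignCheck PKCS11 SunPKCS11-eToken   (asks for the token PIN)
public class TokenSignCheck {
    public static void main(String[] args) throws Exception {
        String type = args.length > 0 ? args[0] : "Windows-MY";
        KeyStore ks = args.length > 1
                ? KeyStore.getInstance(type, args[1])
                : KeyStore.getInstance(type);

        // Windows-MY ignores the password; a PKCS11 store needs the token PIN.
        char[] pin = null;
        if (type.equalsIgnoreCase("PKCS11") && System.console() != null) {
            pin = System.console().readPassword("Token PIN: ");
        }
        ks.load(null, pin);
        System.out.println("Keystore provider: " + ks.getProvider().getName());

        byte[] sample = "constructed test payload".getBytes(StandardCharsets.UTF_8);
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) continue;   // skip certificate-only entries
            try {
                boolean ok = signAndVerify(ks, alias, sample);
                System.out.println(alias + ": " + (ok ? "signature OK" : "signature did NOT verify"));
            } catch (Exception e) {
                // The provider's own error, e.g. a driver or PIN problem.
                System.out.println(alias + ": signing failed: " + e);
            }
        }
    }

    // Signs with the token-held private key, then verifies with the public key of its certificate.
    static boolean signAndVerify(KeyStore ks, String alias, byte[] data) throws Exception {
        PrivateKey key = (PrivateKey) ks.getKey(alias, null);
        Certificate cert = ks.getCertificate(alias);
        String alg = "EC".equals(key.getAlgorithm()) ? "SHA256withECDSA" : "SHA256withRSA";
        Signature signer = Signature.getInstance(alg);   // provider is chosen from the key at initSign
        signer.initSign(key);
        signer.update(data);
        byte[] sig = signer.sign();
        Signature verifier = Signature.getInstance(alg);
        verifier.initVerify(cert.getPublicKey());
        verifier.update(data);
        return verifier.verify(sig);
    }
}
```

If an alias signs here but adt still fails with the same store type, the key and driver are working and the difference lies in how adt is invoked or which JVM it runs under.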