I open again a thread about a problem at our extension installation on several computers.
Few persons can't install our extensions. They get this message: " The extension xxx does not contain valid signature. The extension will not be installed"
Our plugins worked always since the beginning ( about December 2010 )
Our certificate is valid and has been created by TrustCenter.
I use ucf.jar with correct parameters...
I thought that's a manifest problem. So, I tried to generate plugins from Extension Builder trial version which generates manifest "automatically" but the result is the same. I also tried to get a release from a non-signed certificate ( 1024-RSA and 2048-RSA )....but unsuccessfull...
How to get a extension with valid signature for all computers ?
Has your certificate expired? This sounds like the same problem as reported on this thread: http://forums.adobe.com/message/3801447
If so, scroll down to post 5 (one of my replies) on that thread and you'll see an explanation for the behaviour. Sadly it is a bug in Extension Builder and ucf.jar documentation.
Assuming this is the problem you're having, I think your solution would be to obtain a valid certificate, and resign your extension using the Packaging and Signing Toolkit, specifying the tsa argument. I'm sorry for the trouble this has caused. We have a bug open against Extension Builder (#2923679), it will be fixed in the next release.
David, we are having the same problem: an extension signed with a valid certificate and with timestamp, using ucf.jar, valid manifest, installs without problems on some machines, but gives "The extension does not contain valid signature." error on some customers' machines (the reported one is Mac OS 10.7.1, with CS5.5).
I checked the "signatures.xml", it does contain a "TimeStamps" section.
You can download the extension here: http://bit.ly/nzChAJ
Can you please take a look? I suspect there is some problem with the signature checker in CS5.5 as Pierre reports similar problems.
Anatoly, I will try to reproduce this behaviour but it will take me some time to get set up. In the meantime can you help to isolate the issue by bypassing Extension Manager and installing the ZXP directly.
- Quit Photoshop if it is running
- Unzip the zxp's contents
- Copy the unzipped contents to /Library/Application Support/Adobe/CS5.5ServiceManager/extensions/com.pixelnovel.timeline
- Ensure the CSXS PlayerDebugMode flag is *not* set to 1 (the default should be 0 or non-existent) in /Users/<username>/Library/Preferences/com.adobe.CSXS.2.5.plist. This means that only signed extensions should get loaded.
- Launch Photoshop and load your extension.
Does the extension load correctly?
I have tried to reproduce the installation issue with your extension on OSX 10.6.8, 10.7 and 10.7.1 but in each case I can install the extension okay. When I run it, I get a missing/broken swf icon (see below), but I don't think that is symptomatic of a signature problem.
I have asked the Extension Manager team if there are any known issues in this area which might explain the behaviour you are seeing.
If you can provide answers to the above or any other information which might help isolate the issue please do.
Thank you David,
Sorry for the delay with response - I was swamped with other activities.
You are correct, the extension doesn't work even if it succeeds to install, however the problem is that on some Mac machines it fails to install.
I'm glad that the Extension Manager team have managed to reproduce it. All I can say that the problem does not happen on all Macs - I couldn't reproduce it on my Mac OS 10.7.1, but a customer with the same version of Mac OS said that they got the "incorrect signature" error.
Do you think that the fix will be in the extension, or the users will need to update Extension Manager?
Please keep me updated on this issue if it's possible.
We're currently having the same problem. I'm adding what I know to this thread with hope that it will help you troubleshoot the problem.
An extension with a valid timestamped signature is rejected by the Adobe Extension Manager on installation (root CA is VeriSign; the certificate has not expired; extension packaged and signed with ucf.jar with a tsa URL). This is happening on computers running Mac OS X Lion 10.7.2 with CS5 and CS5.5. The same extensions that we have a problem installing now used to work on OS X Lion with both CS 5 and CS 5.5 a while ago, but since upgrading to the latest software from Adobe and Apple we get the an error message saying "The extension XXX does not contain valid signature. The extension will not be installed". However, the same extension that's rejected on the Mac can be installed and works without any issue on computer running Windows 7.
David, do you know if there is a temporary workaround for this problem? Would unchecking the "Show warnings when installing unsigned ZXP extension" in the Extension Manager settings help?
Could you upload ucf.jar you used? You can use ucf.zip attached with this post (please rename ucf.zip to ucf.jar) to re-sign your extension and tell me whether the new extension can pass the signature validation. Also please pay attention to the "Canonicalization limitations" section in http://help.adobe.com/en_US/FlashPlatform/reference/actionscript/3/fla sh/security/XMLSignatureValidator.html. Thanks.
Thank you for your response.
I've signed our extension with the new ucf tool and sent it to a customer for testing - I will let you know once we get some feedback.
I cannot attach files to posts here (looks like it's a privelege of Adobe's employees), but the file I used was download from here: http://download.macromedia.com/pub/developer/creativesuite/extension-b uilder/signingtoolkit.zip
I am not quite sure what exactly I need to pay attention to regarding canonicalization limitations - I have no idea how the ucf tool works, and even if I did, I have no control over the verification process, so I am not sure why you are referring me to that document. Can you please elaborate?
I don't know how ucf.jar works either. Sorry for the confusion caused by me. It should be taken care by ucf.jar or any signing tools. Could you please send the new signed extension to me so that I can test it? I can reproduce this problem with the old extension you gave in previous post. You can get my mail address from the private message.
We are facing the same issues and urgently need to provide an update to our customers but its hard when we know they won't be able to install the update.
We tried to revert to the previous MAC version but this didn't help. Their also doesn't seem to be a difference between CS5 and CS5.5.
Can you confirm this? As the cause been located? Is their a workarround available?
Any help is aprreciated! Thanks!
this issue should also exist in CS5 although I didn't check it with CS5. If your extension is a CSXS extension (no *.mxi file in package), you can use the workaround provided by David in third reply to install the extension manually. Note that you have to change the folder name "com.pixelnovel.timeline" in that post to the ExtensionBundleId of your extension (in manifest.mxl).
All my customers on Lion started experiencing the same problem! The new ucf.jar does NOT help. I tried it myself installing with Extension Manager CS5.5 and Lion 10.7.2 - I got the same error!
Please fix it, as noone can now install extensions on Mac OS X Lion.
P.S. Extensions now do not run at all on Lion 10.7.2, even if I copy it to CS5.5ServiceManager/.... folder. I got the blank panels.
Maybe it's time to get rid of the whole silly signing business?
We've been able to install plugins and scripts for forever without signing them and noone worried until now.
Why did we need to make this complicated with CS Extensions?
I agree with Harbs.
And please, to avoid confusion, disregard my note about blank panels. If I copy files manually - the extension works.
BUT the error with the installtion through Extension Manager CS5.5 is still there. The new ucf.jar does NOT help.
Please fix it, I got more and more customers who face this bug as they update to latest Mac OS X.
First let me provide a quick update on the signature bug. As pointed out, the ucf.jar solution does not seem to work. We have identified a couple of other solutions to this problem, but we need to test them internally before posting them on the forums or release them as a patch to Extension Manager and/or Extension Builder (if needed). I do not have a date yet on when this fix will be available but I can guarantee you that it is a top priority internally. I am sorry that this issue has surfaced and the entire team recognizes that it is an important issue for the developer community and has significant impact on you and your customers. I (or another member from my team) will provide an update to this thread with an ETA and or the fix.
Regarding the signature issue: I suggest we discuss this on a separate thread (and possibly in the dev con in Munich for those of you who will attend). I do not see us moving away from signatures. Granted there are problems in the workflow. Hence, we should work on addressing those and simplifying the signing and deployment process. There are benefits to having extensions signed and deleting a feature is not usually the best way to solve a problem.
(@harbs: already budgeted for it )
Yesterday we finalized our investigation and we now have a plan regarding the fix. Our #1 priority has been to get a working solution to customers ASAP. Here are the details:
The current implementation of Extension Manager cannot access the system root keychain on Mac 10.7.1. That is due to a particular component used by Extension Manager.
We will make a manual fix available by Friday 10/28 morning Pacific time. The fix will be a .swf that end-users should download and manually replace the Extension Manager .swf on their machines. After they replace the .swf, they can go ahead and install extensions using Extension Manager. This will only apply to users who are on Mac 10.7+. In addition, your users should be running Extension Manager CS5 or CS5.5 and should download the latest update through Adobe Update Manager if they haven't done so already.
I understand that this is not optimal user experience but it is the fastest solution that we can make available.
We will post the .swf and detailed instructions on this forum thread.
We are already working on an update to Extension Manager that will be available through Adobe Update Manager in mid November. The update will work even if some of your users have replaced the Extension Manager .swf on Stage 1 above (ie it will overwrite the fix from Stage 1). Only users that face this problem will be notified to download the update.
Note 1: Doing the manual fix is not necessary. You could still wait until the AUM update is available.
Note 2: The fix we do in Stage 1 is different than the one we'll do for Stage 2.
Note 3: No update is necessary for CS Extension Builder or the CS SDK.
Please let me know if you have any questions or concerns.
Thank you again for helping us in discovering and solving this issue and your understanding as we drive to a solution. I will keep you all posted as news develops.
Message was edited by: PECourtejoie (corrected date)
Thanks also for the quick reply @Gabriel. Although I was able to track this down on the forum fairly quickly, but it would be good to have something on the blog for end users (I'm sure you are already planning). I feel for TypeDNA extension, they just did a big marketing push, and it was installing their extension that gave me the heads up.
As promised the fix for solving the signature bug in Lion is available. Below I am including two zip (one for eachg version of Extension Manager) files that contain the fix and instruction on how to apply it:
exman50.zip - applies for Extension Manager 5.0 users
exman55.zip - applies for Extension Manager 5.5 users
Let me know if you have any questions. As noted above, we will also make an update available via AUM around November 15th.
PS: I have also added a blogpost on the CS SDK forum
THANKS Gabriel! Very fast response and shows again how great the work of your group is. I wish all of Adobe were as responsive.
Our CS Extension for Fotolia (free at http://www.fotolia.com/adobeplugin ) had just been released, and we were about to promote it, yet are holding off until "around November 15th." Please let us know when the AUM update comes out, or if that date solidifies or changes.
We did validate that the fix works, which is quite awesome, so someone who really wants to use our extension can, yet some end users want things to be extremely easy, so I think waiting is prudent.
Please test future dot releases of Apple OS (these come out in beta, yes?) if possible - I don't believe Apple tests these against Adobe products, and I realize you don't have infinite testing budget, but this was quite a scare as we really count on CS Extension technology, which I believe will really take off in the next few years.
We have another bug with Lion and CS extensions that forced us to avoid the native file browser. Not sure if Ole sent you details yet, but we will.
It should be available in the next couple of days. Apologies for the delay but we have run into some issues and wanted to make sure that all possible use cases are covered.
patch has been posted (but not on AUM yet ). Check out the details and download the installer here: http://adobe.ly/rZQzQV
Also feel free to point users to this post to download the file.
Hope that helps and apologies for the delay in making this available.
Will the updated AEM also be available for download? – for users who have deactivated the AUM and prefer to install manually. I downloaded files from http://www.adobe.com/exchange/em_download/ (for CS5.5) and http://www.adobe.com/exchange/em_download/em50_download.html (for CS5) and their contents looked old.