5 Replies Latest reply: Oct 8, 2014 1:51 AM by fgregor RSS

    Trying to make ZXP, selfsigned certificate not valid

    ZetiSam Community Member
    ZetiSam Oct 8, 2014 12:52 AM

      Hi,

       

      I'm trying to make my ZXP with a selfsigned certificate, using the ZXPSignCmd found here Download Extension Builder 3 - Adobe Labs

      First I make a selfsigned certificate, according to the instruction:

      C:\Users\Sam\Downloads\win64>ZXPSignCmd.exe -selfSignedCert US NY MyCompany MyCommonName password FileName.p12

      Self-signed certificate generated successfully

       

      Then I try to use this certificate to sing my app.

      C:\Users\Sam\Downloads\win64>ZXPSignCmd.exe -sign MyApp MyApp.zxp FileName.p12 password

      Signed successfully

       

      Then I try to verify if everything was OK:

      C:\Users\Sam\Downloads\win64>ZXPSignCmd.exe -verify MyApp.zxp

      Error - Failed to verify signature. Signature might have been tampered with.

       

      I'm running a Windows 7 64bit windows, and tried with both the 32bit and the 64bit version of the tool.
      "MyApp" in this case is just a name I use instead of "com.domain.myapp.extension".
      I've tried using it with the full com.domain... path but that didn't work either.


      I've seen people adding  -tsa https://timestamp.geotrust.com/tsa to the sign command, but that gives the following error:

      Error - the timestamp returned from the chosen TSA could not be verified, so the ZXP created is likely to be rejected by other tools. Please recreate your ZXP with a different trusted TSA.

       

      Tried this with http://tsa.safecreative.org but that didn't work either.

      I don't really know any other TSA. My firewall is turned off btw.

       

      Can anybody help me out creating this ZXP file?

       

      Thanks!

      Sam

        • 1. Re: Trying to make ZXP, selfsigned certificate not valid
          fgregor Adobe Employee
          fgregor Oct 8, 2014 12:53 AM (in response to ZetiSam)

          Hi Sam,

           

          Thanks for getting in touch, and sorry you're having trouble with this. In order to get to the bottom of your problem quickly, could you please email me your signed ZXP (fgregor@adobe.com)?

           

          This will allow me to see why ZXPSignCmd is rejecting the signature.

           

          Best,

          Fraser

          • 2. Re: Trying to make ZXP, selfsigned certificate not valid
            ZetiSam Community Member
            ZetiSam Oct 8, 2014 1:06 AM (in response to fgregor)

            Thanks for the quick reply.

            I've sent you the ZXP in an email.

             

            I've written the code using [Brackets]. So I don't have the Extension Builder 3 installed. Don't know if that is a requirement/dependency for the ZXPSignCmd tool.

             

            Sam

            • 3. Re: Trying to make ZXP, selfsigned certificate not valid
              fgregor Adobe Employee
              fgregor Oct 8, 2014 1:39 AM (in response to ZetiSam)

              Hi Sam,

               

              Thanks, I've taken a look inside your ZXP and I think I can see what the problem is. Inside your META-INF/signatures.xml, there are several references to hidden files created by SVN, e.g.:

               

              .svn/pristine/.......svn-base

               

              These files aren't included in the ZXP package (which you can check by renaming your .zxp to .zip, or simply opening it with 7-zip or similar).

               

              In a future version of ZXPSignCmd, we'll look to improve the error messaging around this.

               

              In order to resolve this, you should try to copy your ZXP's source files to a location which is not managed by SVN, and re-sign. Before signing, also make sure that the (possibly hidden) .svn folder does not exist in the root of your ZXP source. You may need to untick "Hide protected operating system files" and select "Show hidden files, folders and drives" in Windows' Folder Options.

               

              folder opts.JPG

              Alternatively, you could unzip your existing ZXP, and then re-sign the extracted folder using ZXPSignCmd.

               

              In answer to your question about Extension Manager - no, there is no dependency on any other software to use ZXPSignCmd. You should be able to use Brackets, Extension Manager, or anything you like.

               

              Let me know if your problems persist.

               

              Best,

              Fraser

              • 4. Re: Trying to make ZXP, selfsigned certificate not valid
                ZetiSam Community Member
                ZetiSam Oct 8, 2014 1:49 AM (in response to fgregor)

                Hi Fraser,

                 

                That's exactly it!

                 

                The first time I tried I ran the ZXPSignCmd tool directly against my repo. When this didn't work I copied over the tool and all the files to a seperate 'staging' folder. I wasn't aware the 'svn-links' were still active.

                 

                I've discovered TuroiseSVN has the option 'export' from a repo, which does exactly what is necessary here: copy to other directory and remove all the .svn data.

                 

                Thank you very much!

                Sam

                • 5. Re: Trying to make ZXP, selfsigned certificate not valid
                  fgregor Adobe Employee
                  fgregor Oct 8, 2014 1:51 AM (in response to ZetiSam)

                  Great, glad to hear it!

                   

                  Thanks for letting me know.

                   

                  Best,

                  Fraser