5 Replies Latest reply on Oct 2, 2017 5:59 AM by ogrampowell

    air Code signing with Usb token

    mo_ah

      Hello.

       

      It seems since february 2017, Certificate Authorities deliver certificates as usb token.

       

      I got a GlobalSign code signing certificate, which is stored on such device, using safeNet.

      The problem is that the only thing i can get from it is a .cer

      The private key is unaccessible and the usb token is not visible under windows explorer.

       

      Since FlashBuilder seems to require a .pfx or .p12 for build, i don't know what to do.

      I try looking into adt, but it seems it require the same files.

       

      Any help is welcome.

       

      Thanks.

       

      p.s. I'm working with FlashBuilder 4.6, mainly developping flex/air desktop and mobile apps

        • 1. Re: air Code signing with Usb token
          spadged Level 1

          Hi,

          It can be done via command line / terminal. In the case of windows (I don't have this setup on a mac):

           

          • Install / Import the cert via Internet options in the control panel: Content > Certificates > Import (You may get lucky and already have the certificate installed)
          • Make a note of the "Issued to:" field this will be your alias
          • Make sure you have the key inserted and drivers installed
          • In Flash Builder: Export Build Release selecting the "Intermediate AIRI package that must be manually signed later" option
          • Open up the command prompt
          • Enter the following replacing YOURALIAS, YOURPASSWORD and file paths with the appropriate items:
            adt -sign -tsa http://timestamp.digicert.com/ -storetype Windows-MY -alias "YOURALIAS" -storepass YOURPASSWORD  -keypass YOURPASSWORD "path/to/file.airi" "path/to/file.air"
            I have no idea which one is needed out of -storepass & -keypass (if any)
          • This should then open a window titled "Token Logon"
          • Enter your "Token Password" and click "OK"
          • adt should then get busy signing your app

           

          Notes

          • You'll need to make sure that you have adt and java in your environment variables
          • This may not make any difference, but I'm also using the 32bit version of the JDK
          • The store type Windows-MY has only been supported since JDK v1.6 so make sure thats updated
          • My installed flex SDK is: apache flex 4.16.0 sdk with air v23

           

          Hope this helps you out!

          1 person found this helpful
          • 2. Re: air Code signing with Usb token
            mo_ah Level 1

            Thanks. this works.

            • 3. Re: air Code signing with Usb token
              ogrampowell

              I am having trouble getting this to work. I have the same scenario as above. Unfortunately the alias instructions do not work for me since I have legacy certificates that have the same "Issued to:" field. The command is using last years certificate and telling me my certificate is expired. It is not using the new e-token on the usb.

               

              The certificate is from the same provider so using -providerName does not appear to work..

               

              Any help is welcome - I am spinning my wheels on this one.

               

              Update:

              Figured it out. I deleted all the old certificates that were in the Internet Explorer browser and it defaulted to the latest certificate.

               

              Sorry for the noise

              • 4. Re: air Code signing with Usb token
                Yuhar Level 1

                Been fighting with this all day. GlobalSign is trying to help, but they can't even figure it out. Any help Adobe? Also, there's mention of using the 32 bit version of Java, but as far as I can tell, that's not available for Mac?

                 

                This is essentially what GlobalSign has told us, but I just get an error "requested provider is not available"

                 

                adt -migrate -tsa http://timestamp.globalsign.com/scripts/timestamp.dll <http://timestamp.globalsign.com/scripts/timestamp.dll> -storetype PKCS11 -alias "le-4859d290-7d91-4f3d-8987-b7224058c5c7" -providerName SunPKCS11-eToken signed.air resigned.air
                • 5. Re: air Code signing with Usb token
                  ogrampowell Level 1

                  I am having the same issue. It would be great if this could be resolved.