Token Based CodeSigning - AIR - OS X – KB
Jul 21, 2022
Introduction
This page outlines the process of configuring a Windows environment for signing AIR files (.air and .airi), and the actual signing process itself.
There are several things that need to be done to successfully sign an AIR file in Windows, so please read through this carefully.
These instructions were made and tested using:
- OS X 10.12
- JDK 1.8.0_131 (64-bit)
- JRE 8u131 (64-bit)
- AIR SDK (version 25.0.0.134)
Key Points
Here are a few key points that should be kept in mind when troubleshooting. These will be further discussed later on in this page.
- AIR files are already signed, so do not use the "adt -sign" command on them. Use the "adt -migrate" command to update the signature on an AIR file.
- AIRI (.airi) files, aka AIR Intermediate files, are unsigned AIR files and are signed with the "adt -sign" command.
- The -alias "ContainerName" argument should be used when signing, as in the JAR signing method.
- Adobe GUI applications ONLY support .pfx files, but they allow exporting an AIRI file (unsigned AIR file) that can then be signed with ADT on the command line.
Configuring the Environment
Before signing, you will need the correct tools installed on your computer as listed below:
- Java JDK 1.6 or newer (older versions have not been tested)
- Java JRE 1.6 or newer (older versions have not been tested; the JRE is included in the JDK installation)
- AIRSDK version 25 or newer (including ADT)
- As always, check that the token is present in SAC and that the certificate is shown under the token.
Note: These guidelines are compatible with various macOS environments.
However, they may not be compatible with macOS Catalina. Please consider other options.
Configuring ADT
- Download AIRSDK here.
- Once you've downloaded the AIR SDK, open it and copy its contents. Create a folder called AIRSDK and paste the contents inside. Cut the new AIRSDK folder, go to Computer (CMD + Shift + C), open the Mac OSX HDD, and paste the folder there.
- Now open Sublime or another text editor that can save in different file formats, and create a file called eToken.cfg with the following contents:
name=eToken
library=/usr/local/lib/libeTPkcs11.dylib
slot=0
- Save the file to AIRSDK\bin.
- Now open the adt file in Sublime. Make sure "java" points to the version of Java you intend to use; that is the version you will configure in the JDK and JRE sections.
Here's the original adt file, before editing:
Here's the edited adt file to specify the directory of the Java version:
- Save the file.
Configuring JDK
- After the JDK has been installed, locate the JDK bin folder. By default it will be "\Library\Java\JavaVirtualMachines\jdk1.8.0_131.jdk\bin" (replace jdk1.8.0_131.jdk to match your version).
- Copy the eToken.cfg file you made during the Configuring ADT section, and paste it into the JDK bin folder.
Configuring JRE
- Locate the java.security file. The default directory will be "\Library\Java\JavaVirtualMachines\jdk1.8.0_131.jdk\jre\lib\security" (replace jdk1.8.0_131.jdk to match your version).
NOTE: JDK 1.6.0 does not have an explicit JRE folder. You will skip the \jre in the directory and go directly to \lib.
- Open java.security in Sublime or another text editor that supports the format. Then use CMD+F to search for the following text:
"security.provider.10=sun.security.mscapi.SunMSCAPI".
- If it doesn't already exist, add "security.provider.11=sun.security.pkcs11.SunPKCS11 eToken.cfg" directly below the line you just found.
- Now, save the changes you have made.
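The following script is an added example (not part of this KB) that sanity-checks the configuration from the Configuring ADT, JDK and JRE sections before you attempt a signature: it confirms eToken.cfg has the three expected keys and points at a library that exists, and that java.security registers the SunPKCS11 eToken provider exactly once under a provider number no other line reuses. It assumes the KB's file names and provider line format.

```shell
#!/bin/sh
# Added example (not from this KB): sanity-check the SunPKCS11 setup from the
# Configuring ADT/JDK/JRE sections before attempting a signature.
# Assumes the KB's file names (eToken.cfg, java.security) and the provider line
# format "security.provider.N=sun.security.pkcs11.SunPKCS11 eToken.cfg".

# Return 0 if CFG contains name=, library= and slot= lines and the PKCS#11
# library it names actually exists on disk.
check_etoken_cfg() {
    cfg="$1"
    [ -r "$cfg" ] || { echo "missing config: $cfg" >&2; return 1; }
    for key in name library slot; do
        grep -q "^$key=" "$cfg" || { echo "missing '$key=' in $cfg" >&2; return 1; }
    done
    lib=$(sed -n 's/^library=//p' "$cfg")
    [ -f "$lib" ] || { echo "PKCS#11 library not found: $lib" >&2; return 1; }
}

# Return 0 if SEC (java.security) registers SunPKCS11 with eToken.cfg exactly
# once, under a provider number that no other security.provider line reuses.
check_provider_line() {
    sec="$1"
    pat='^security\.provider\.[0-9]*=sun\.security\.pkcs11\.SunPKCS11 eToken\.cfg'
    n=$(grep -c "$pat" "$sec" || true)
    [ "$n" -eq 1 ] || { echo "expected one SunPKCS11 eToken.cfg line, found $n" >&2; return 1; }
    num=$(grep "$pat" "$sec" | sed 's/^security\.provider\.\([0-9]*\)=.*/\1/')
    dup=$(grep -c "^security\.provider\.$num=" "$sec" || true)
    [ "$dup" -eq 1 ] || { echo "provider number $num is used $dup times" >&2; return 1; }
}
```

Run it as `check_etoken_cfg /path/to/eToken.cfg && check_provider_line /path/to/java.security` from the JDK bin folder; a non-zero exit and the message on stderr tell you which configuration step to revisit.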
Signing Files in ADT
Note: If you're signing an AIR file that hasn't been signed previously, you'll actually be signing an AIRI file, which uses slightly different commands. Check with the customer what the file's extension really is: they may say AIR when it is actually an AIRI.
Signing AIR Files
WARNING: If you haven't gone through the Configurations yet, do not begin the signing process!
- The first thing you need to do is get the Container Name of the certificate you are using. There are two ways to do this.
Option 1: Using Command Line
1. Open a terminal and navigate to the JDK bin folder containing keytool. In this case the command is:
cd \Library\Java\JavaVirtualMachines\jdk1.8.0_131.jdk\bin
2. Enter the following command:
keytool -list -storetype PKCS11 -providername SunPKCS11-eToken
The output should look like this:
3. The Container Names are the long alphanumeric strings at the beginning of each entry (le-4859........). If you have multiple certificates on your SafeNet token, you will need to use the second option to identify the right Container Name. Otherwise, copy that Container Name; you are going to need it.
Option 2: Using the SafeNet Authentication Client Tools
1. Open the SAC Tools and click Advanced Options, then expand your token on the left side, followed by User Certificates. On the right side you'll see the certificate details and the private key details. The Container Name is listed under the private key details:
2. Copy that Container Name; you are going to need it.
- Navigate to the directory containing your adt.bat file using the Terminal. In this example, it is in \AIRSDK\bin.
TIP: Place the file you are signing in the same directory as adt.bat, so you don't have to type out its path in the signing command.
- Now you can finally run the signing command. ADT prints no confirmation that the file has been signed; as long as the command doesn't throw an error, the signature succeeded. The signing command for AIR files is:
adt -migrate -tsa http://timestamp.globalsign.com/tsa/r6advanced1 -storetype PKCS11 -alias "le-4859d290-7d91-4f3d-8987-b7224058c5c7" -providerName SunPKCS11-eToken signed.air resigned.air
NOTE: The "resigned.air" file at the end is the re-signed file that will be created. The original signed.air file is kept, and a new file with the name you provide at the end of the command is created in the same directory.
- There should now be a signed AIR file in the directory you signed in. Navigate to it in Windows and double-click it. If you signed it correctly, you should see a message like the one below, with the Common Name of your certificate in the Publisher field, a green check mark, and "Publisher Identity: VERIFIED".
Signing AIRI Files
What is an AIRI file?
AIRI files are slightly different from AIR files. An AIRI file is an AIR Intermediate file, which is simply an unsigned AIR file. A new AIR application that has no previously signed version is exported as an AIRI. For the most part, the process is the same, with some minor differences.
How To Sign
WARNING: If you haven't gone through the Configurations yet, do not begin the signing process!
- The first thing you need to do is get the Container Name of the certificate you are using. There are two ways to do this.
Option 1: Using Command Line
1. Open a terminal and navigate to the JDK bin folder containing keytool. In this case the command is:
cd \Library\Java\JavaVirtualMachines\jdk1.8.0_131.jdk\bin
2. Enter the following command:
keytool -list -storetype PKCS11 -providername SunPKCS11-eToken
The output should look like this:
3. The Container Names are the long alphanumeric strings at the beginning of each entry (le-........). If you have multiple certificates on your SafeNet token, you will need to use the second option to identify the right Container Name. Otherwise, copy that Container Name; you are going to need it.
Option 2: Using the SafeNet Authentication Client Tools
1. Open the SAC Tools and click Advanced Options, then expand your token on the left side, followed by User Certificates. On the right side you'll see the certificate details and the private key details. The Container Name is listed under the private key details:
2. Copy that Container Name; you are going to need it.
- Navigate to the directory containing your adt.bat file using the Command Prompt. In this example, it's in \AIRSDK\bin.
TIP: Place the file you are signing in the same directory as adt.bat, so you don't have to type out its path in the signing command.
- Now you can finally run the signing command. ADT prints no confirmation that the file has been signed; as long as the command doesn't throw an error, the signature succeeded. The signing command for AIRI files is:
adt -sign -tsa http://timestamp.globalsign.com/tsa/r6advanced1 -storetype PKCS11 -alias "le-4859d290-7d91-4f3d-8987-b7224058c5c7" -providerName SunPKCS11-eToken -target air test.airi signed.air
NOTE: The "signed.air" file at the end is the signed file that will be created. The test.airi file remains unsigned, and a new file with the name you provide at the end of the command is created in the same directory.
- There should now be a signed AIR file in the directory you signed in. Navigate to it in Windows and double-click it. If you signed it correctly, you should see a message like the one below, with the Common Name of your certificate in the Publisher field, a green check mark, and "Publisher Identity: VERIFIED".
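The script below is an added example (not part of this KB) that covers both the AIR and the AIRI signing sections: it derives the correct ADT command from the input file's extension (.air gets -migrate, .airi gets -sign -target air, anything else is refused), and it pulls the container names out of keytool -list output, refusing to pick one when the token holds several certificates, which is the case where the KB sends you to SAC Tools. It assumes adt is on PATH, the SunPKCS11-eToken provider from this KB is configured, and keytool's non-verbose "alias, ..., PrivateKeyEntry," line shape; the sample keytool output is constructed.

```shell
#!/bin/sh
# Added example (not from this KB): build the ADT command from the input file's
# extension, encoding the Key Points rule (.air -> -migrate, .airi -> -sign
# -target air), and pull the container names out of `keytool -list` output.
# Assumes adt is on PATH and the SunPKCS11-eToken provider from this KB is set up.

TSA_URL="http://timestamp.globalsign.com/tsa/r6advanced1"
PROVIDER="SunPKCS11-eToken"

# Print the adt command for INPUT -> OUTPUT using container name CONTAINER.
# Anything other than .air/.airi is rejected rather than guessed at.
air_sign_cmd() {
    input="$1"; output="$2"; container="$3"
    common="-tsa $TSA_URL -storetype PKCS11 -alias \"$container\" -providerName $PROVIDER"
    case "$input" in
        *.airi) printf 'adt -sign %s -target air %s %s\n' "$common" "$input" "$output" ;;
        *.air)  printf 'adt -migrate %s %s %s\n' "$common" "$input" "$output" ;;
        *)      echo "error: $input is neither .air nor .airi" >&2; return 1 ;;
    esac
}

# Print the alias (container name) of each PrivateKeyEntry read from stdin.
# Assumes keytool's non-verbose line shape: "<alias>, <date>, PrivateKeyEntry,".
container_names() {
    sed -n 's/^\([^,]*\),.*PrivateKeyEntry,.*/\1/p'
}

# Print the single container name found on stdin, or fail when there are
# several (the case where the KB says to use SAC Tools, Option 2).
pick_single_container() {
    names=$(container_names)
    count=$(printf '%s\n' "$names" | grep -c . || true)
    [ "$count" -eq 1 ] || { echo "found $count containers; pick one in SAC Tools" >&2; return 1; }
    printf '%s\n' "$names"
}

# Constructed sample of keytool -list output with two entries (not real token data).
SAMPLE_KEYTOOL_OUTPUT='Keystore type: PKCS11
Keystore provider: SunPKCS11-eToken

Your keystore contains 2 entries

le-4859d290-7d91-4f3d-8987-b7224058c5c7, PrivateKeyEntry,
Certificate fingerprint (SHA-256): <omitted>
le-0000example-second-container, PrivateKeyEntry,
Certificate fingerprint (SHA-256): <omitted>'
```

In practice you would pipe the real listing: `keytool -list -storetype PKCS11 -providername SunPKCS11-eToken | pick_single_container`, then pass the result as the third argument of air_sign_cmd and run the printed command from the AIRSDK bin directory.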
Errors You May Encounter
Here are a few of the errors you may encounter and how to resolve them. Some screenshots may be from OS X and others from Windows; the errors mean the same thing regardless of your OS, because they come from the Java environment.
- Error: Could not generate timestamp: "Timestamp.URL"
Error Message:
Solution: Check the timestamp URL as you may have mistyped it.
- Error: Timestamp response not valid
Error Message:
Solution: You used the wrong timestamp URL. Use this: http://timestamp.globalsign.com/tsa/r6advanced1 instead.
- Error: Could not load keystore file (password may be incorrect)
Error Message:
Solution: Don't use -keystore when signing in ADT. Instead, make sure to include the -alias "ContainerName" argument.
- Error: Not enough arguments
Error Message:
Solution: Remove the "-target air" as well as the newly signed file name at the end.
- Error: Unknown package target "fileName"
Error Message:
Solution: You forgot to place the "air" argument after "-target". This is somewhat confusing, since you might expect the file to be the target; -target actually expects a package format.