Token Based CodeSigning - AIR - OS X – KB

Introduction

This page outlines the process of configuring a Windows environment for signing AIR files (.air and .airi), and the actual signing process itself.

There are several things that need to be done to successfully sign an AIR file in Windows, so please read through this carefully.

These instructions were made and tested using:

  • OS X 10.12
  • JDK 1.8.0_131 (64-bit)
  • JRE 8u131 (64-bit)
  • AIR SDK (version 25.0.0.134)

Key Points

Here are a few key points that should be kept in mind when troubleshooting. These will be further discussed later on in this page.

  • AIR files are already signed files and should not use the "adt -sign" command. Use the "adt -migrate" command to update the signature on an AIR file.
  • AIRI (.airi) files, aka AIR Intermediate files, are unsigned AIR files and will use the "adt -sign" command.
  • When signing, use the -alias "ContainerName" argument, as in the JAR signing method.
  • Adobe GUI applications ONLY support .pfx files, but they allow exporting an AIRI file (unsigned AIR file) to sign using ADT in the command line.

Configuring the Environment

Before signing, you will need the correct tools installed on your computer as listed below:

  • Java JDK 1.6 or newer (Haven't tested older versions)
  • Java JRE 1.6 or newer (Haven't tested older versions, JRE should be included in the JDK installation)
  • AIRSDK version 25 or newer (including ADT)
  • As always, check to make sure the token is present in SAC, and the Certificate is shown under the token.

Configuring ADT

  1. Download AIRSDK here.
  2. Once you've downloaded the AIR SDK, open it and copy its contents. Create a folder called AIRSDK and paste the contents inside. Cut the new AIRSDK folder, go to Computer (CMD + Shift + C), open the Mac OSX HDD, and paste the folder there.
  3. Now open Sublime or another text editor that allows for saving in different file formats, and create a file called eToken.cfg. The contents of the file should be as follows:

    name=eToken
    library=/usr/local/lib/libeTPkcs11.dylib
    slot=0

    [Screenshot: ADT Step 3.png]
  4. Save the file to AIRSDK\bin.
  5. Now, open the adt file using Sublime. You will need to make sure "java" is pointed to the correct version of java (whichever version you choose, that is what you will be configuring in the JRE and JDK sections).

    Here's the original adt file, before editing:

    [Screenshot: ADT Step 5.png]

    Here's the edited adt file to specify the directory of the Java version:

    [Screenshot: ADT Before Step 6.png]
  6. Save the file.

Configuring JDK

  1. After the JDK has been installed, locate the JDK bin folder. By default it will be "\Library\Java\JavaVirtualMachines\jdk1.8.0_131.jdk\bin" (replace jdk1.8.0_131.jdk to match your version).

    [Screenshot: JDK Step 1.png]
  2. Copy the eToken.cfg file you made during the Configuring ADT section, and paste it into the JDK bin folder.

Configuring JRE

  1. Locate the java.security file. The default directory will be "\Library\Java\JavaVirtualMachines\jdk1.8.0_131.jdk\jre\lib\security" (replace jdk1.8.0_131.jdk to match your version).

    [Screenshot: JRE 1.png]

    NOTE: JDK 1.6.0 does not have an explicit JRE folder. You will skip the \jre in the directory and go directly to \lib.
  2. Open java.security in Sublime or another text editor that supports the format. Then use CMD+F to search for the following text:

    security.provider.10=sun.security.mscapi.SunMSCAPI

    [Screenshot: JRE 2.png]
  3. If the SunPKCS11 line doesn't already exist, add "security.provider.11=sun.security.pkcs11.SunPKCS11 eToken.cfg" directly below the line you just found.

    [Screenshot: JRE 3.png]
  4. Now, save the changes you have made.
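The two edits above (the eToken.cfg file and the java.security provider line) are easy to get subtly wrong: the provider index must not collide with one that is already registered, and the provider name you later type into keytool and adt is derived from the name= value in the config file. The following Python script is an added example, not part of the original article or of the Adobe or SafeNet tooling; it parses a constructed copy of the config and a constructed excerpt of java.security, derives the provider name, and picks the next free provider index. The sample provider list and the file names are assumptions.

```python
import re

# Constructed copy of the eToken.cfg described in the Configuring ADT section.
ETOKEN_CFG = """\
name=eToken
library=/usr/local/lib/libeTPkcs11.dylib
slot=0
"""

# Constructed excerpt of a java.security file; a real file lists more providers.
JAVA_SECURITY_SAMPLE = """\
security.provider.1=sun.security.provider.Sun
security.provider.2=sun.security.rsa.SunRsaSign
# comments and blank lines are allowed in the file
security.provider.10=sun.security.mscapi.SunMSCAPI
"""

PROVIDER_RE = re.compile(r"^\s*security\.provider\.(\d+)\s*=\s*(\S.*?)\s*$")


def parse_pkcs11_cfg(text):
    """Parse the key=value lines of a SunPKCS11 config; blank lines and # comments are skipped."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed config line: {line!r}")
        cfg[key.strip()] = value.strip()
    for required in ("name", "library"):
        if required not in cfg:
            raise ValueError(f"missing required key: {required}")
    return cfg


def provider_name(cfg):
    """SunPKCS11 registers itself as 'SunPKCS11-<name>'; that string is what
    keytool -providername and adt -providerName expect."""
    return "SunPKCS11-" + cfg["name"]


def installed_providers(java_security_text):
    """Return {index: class-and-arguments} for every security.provider.N line."""
    providers = {}
    for line in java_security_text.splitlines():
        m = PROVIDER_RE.match(line)
        if m:
            providers[int(m.group(1))] = m.group(2)
    return providers


def next_provider_line(java_security_text, cfg_path="eToken.cfg"):
    """Build the line to add: one past the highest index already present.
    Returns None when a SunPKCS11 provider using cfg_path is already registered."""
    providers = installed_providers(java_security_text)
    for entry in providers.values():
        if entry.startswith("sun.security.pkcs11.SunPKCS11") and cfg_path in entry:
            return None
    index = max(providers, default=0) + 1
    return f"security.provider.{index}=sun.security.pkcs11.SunPKCS11 {cfg_path}"


if __name__ == "__main__":
    cfg = parse_pkcs11_cfg(ETOKEN_CFG)
    print("provider name for keytool/adt:", provider_name(cfg))
    print("line to add to java.security:", next_provider_line(JAVA_SECURITY_SAMPLE))
```

Run against your real files by reading them into the two strings; the relative eToken.cfg path in the provider line is resolved from the working directory, which is why the article has you copy the file into the JDK bin folder.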

Signing Files in ADT

Note: If you're signing an AIR file that hasn't been signed previously, you'll actually be signing an AIRI file, which uses slightly different commands. Check with the customer to be sure what extension the file is, as they may be saying AIR when it is actually an AIRI.

Signing AIR Files

WARNING: If you haven't gone through the Configurations yet, do not begin the signing process!

  1. The first thing you need to do is get the Container Name of the Certificate you are using. There are two ways of going about this.

    Option 1: Using Command Line

    1. Start the Command Console, and navigate to the location of your JDK bin folder containing keytool. In this case the command is:

    cd \Library\Java\JavaVirtualMachines\jdk1.8.0_131.jdk\bin

    [Screenshot: S Air files 1.png]

    2. Enter the following command:

    keytool -list -storetype PKCS11 -providername SunPKCS11-eToken

    The output should look like this:

    [Screenshot: Air Files 2.PNG]

    3. The Container Names are the long alphanumeric strings at the beginning of each entry (le-4859........). If you have multiple Certificates on your SafeNet token, you will need to use the second option to find the right Container Name. For now, copy that Container Name; you are going to need it.

    Option 2: Using the SafeNet Authentication Client Tools

    1. Open the SAC Tools, and click Advanced Options, then expand your Token on the left side, and the User Certificates. On the right side, you'll see the Certificate details, and the private key details. Look at the Private key details, and you'll find the Container name there:

    [Screenshot: Air Files - SAC 1.png]

    2. Copy that Container Name, you are going to need it.
  2. Navigate to the directory where your adt.bat file is located using the Terminal. In this example, it is in \AIRSDK\bin.

    TIP: Place the file you are signing in the same directory as adt.bat, so you don't have to type out the directory when declaring it in the signing command.
  3. Now, you can finally run the signing command. After you run the command, there won't be any verification that it's been signed. So long as it doesn't throw an error, you should be okay. The signing command for AIR files is:

    adt -migrate -tsa http://timestamp.globalsign.com/scripts/timestamp.dll -storetype PKCS11 -alias "le-4859d290-7d91-4f3d-8987-b7224058c5c7" -providerName SunPKCS11-eToken signed.air resigned.air

    NOTE: The "resigned.air" file at the end is the newly signed file that you are going to create. You'll still have the original signed.air file, and a new file by the name you provide at the end of this command will be created in the same directory.
  4. Now, there should be a signed AIR file in the directory you signed in. Navigate to it in Windows, and double-click it. If you signed it correctly, you should see a message like this, with the Common Name of your Certificate in the Publisher field, a green check mark, and should say "Publisher Identity: VERIFIED" as shown below.

    [Screenshot: Air Files - SAC 4.PNG]

Signing AIRI Files

What is an AIRI file?

AIRI files are slightly different from AIR files. An AIRI file is an AIR Intermediate file, which is simply an unsigned AIR file. A new AIR application that has no previously signed version is exported as an AIRI file. For the most part, the signing process is the same, with some minor differences.

How To Sign

WARNING: If you haven't gone through the Configurations yet, do not begin the signing process!

  1. The first thing you need to do is get the Container Name of the Certificate you are using. There are two ways of going about this.

    Option 1: Using Command Line

    1. Start the Command Console, and navigate to the location of your JDK bin folder containing keytool. In this case the command is:

    cd \Library\Java\JavaVirtualMachines\jdk1.8.0_131.jdk\bin

    2. Enter the following command:

    keytool -list -storetype PKCS11 -providername SunPKCS11-eToken

    The output should look like this:

    [Screenshot: AIRI File 2.png]

    3. The Container Names are the long alphanumeric strings at the beginning of each entry (le-........). If you have multiple Certificates on your SafeNet token, you will need to use the second option to find the right Container Name. For now, copy that Container Name; you are going to need it.

    Option 2: Using the SafeNet Authentication Client Tools

    1. Open the SAC Tools, and click Advanced Options, then expand your Token on the left side, and the User Certificates. On the right side, you'll see the Certificate details, and the private key details. Look at the Private key details, and you'll find the Container name there:

    [Screenshot: AIRI File - SAC 1.png]

    2. Copy that Container Name, you are going to need it.
  2. Navigate to the directory where your adt.bat file is located using the Command Prompt. In this example, it's in \AIRSDK\bin.

    TIP: Place the file you are signing in the same directory as adt.bat, so you don't have to type out the directory when declaring it in the signing command.
  3. Now, you can finally run the signing command. After you run the command, there won't be any verification that it's been signed. So long as it doesn't throw an error, you should be okay. The signing command for AIRI files is:

    adt -sign -tsa http://timestamp.globalsign.com/scripts/timestamp.dll -storetype PKCS11 -alias "le-4859d290-7d91-4f3d-8987-b7224058c5c7" -providerName SunPKCS11-eToken -target air test.airi signed.air

    [Screenshot: AIRI Step 3.png]

    NOTE: The "signed.air" file at the end is the signed file that you are going to create. You'll still have the test.airi file unsigned, and a new file by the name you provide at the end of this command will be created in the same directory.
  4. Now, there should be a signed AIR file in the directory you signed in. Navigate to it in Windows, and double-click it. If you signed it correctly, you should see a message like this, with the Common Name of your Certificate in the Publisher field, a green check mark, and should say "Publisher Identity: VERIFIED" as shown below.

    [Screenshot: AIRI Step 4.PNG]
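The signing steps for AIR files and AIRI files above differ only in -sign versus -migrate and in the "-target air" argument, and the article notes that adt gives no confirmation that the output was signed. The script below is an added example, not part of the original article or of Adobe's ADT; it builds two constructed sample packages with Python's zipfile module (a signed .air that carries META-INF/signatures.xml and an unsigned .airi that does not; that package layout is an assumption made for the example), chooses the right adt command from the signature state, and checks the output package for a signature entry afterwards. The container name le-PLACEHOLDER stands in for the value you read from keytool or SAC; the command is assembled, not executed.

```python
import os
import tempfile
import zipfile

# Assumed layout for these constructed samples: an AIR package is a zip archive
# whose signature is stored in META-INF/signatures.xml; an AIRI package is the
# same archive without that entry.
SIGNATURE_ENTRY = "META-INF/signatures.xml"
APP_DESCRIPTOR = "META-INF/AIR/application.xml"
TSA_URL = "http://timestamp.globalsign.com/scripts/timestamp.dll"


def make_sample_package(path, signed):
    """Write a constructed sample package; signed=True adds a placeholder signature entry."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("mimetype", "application/vnd.adobe.air-application-installer-package+zip")
        zf.writestr(APP_DESCRIPTOR, "<application><id>com.example.sample</id></application>")
        if signed:
            zf.writestr(SIGNATURE_ENTRY, "<Signature>placeholder, not a real XML signature</Signature>")
    return path


def make_sample_pair(directory=None):
    """Create an unsigned test.airi and a signed signed.air; returns (airi_path, air_path)."""
    directory = directory or tempfile.mkdtemp()
    airi = make_sample_package(os.path.join(directory, "test.airi"), signed=False)
    air = make_sample_package(os.path.join(directory, "signed.air"), signed=True)
    return airi, air


def is_signed_air(path):
    """True if the package already carries a signature entry, so -migrate applies."""
    with zipfile.ZipFile(path) as zf:
        return SIGNATURE_ENTRY in zf.namelist()


def build_adt_command(src, dst, container_name, provider_name="SunPKCS11-eToken", tsa=TSA_URL):
    """Assemble the adt argv for a token-backed signature (returned, not executed).

    Signed .air input    -> adt -migrate            (re-sign an already signed package)
    Unsigned .airi input -> adt -sign -target air   (first signature)
    -alias carries the token's container name and no -keystore is passed: the
    private key stays on the token and is reached through the SunPKCS11 provider.
    """
    if not container_name.strip():
        raise ValueError("container name (the -alias value) is required")
    already_signed = is_signed_air(src)
    ext = os.path.splitext(src)[1].lower()
    if ext == ".air" and not already_signed:
        raise ValueError(f"{src} carries no signature; export it as .airi and use -sign")
    if ext == ".airi" and already_signed:
        raise ValueError(f"{src} is already signed; rename it .air and use -migrate")
    cmd = ["adt", "-migrate" if already_signed else "-sign",
           "-tsa", tsa,
           "-storetype", "PKCS11",
           "-alias", container_name,
           "-providerName", provider_name]
    if not already_signed:
        # "air" after -target names the package format, not the file; leaving it
        # out is what produces the "Unknown package target" error in this article.
        cmd += ["-target", "air"]
    return cmd + [src, dst]


def check_signed_output(dst):
    """Post-signing check that adt itself does not give: output exists and has a signature entry."""
    return os.path.isfile(dst) and is_signed_air(dst)


if __name__ == "__main__":
    airi, air = make_sample_pair()
    print(" ".join(build_adt_command(airi, "signed.air", "le-PLACEHOLDER")))
    print(" ".join(build_adt_command(air, "resigned.air", "le-PLACEHOLDER")))
    print("signed.air carries a signature entry:", check_signed_output(air))
```

Point build_adt_command at a real package and pass the Container Name you copied earlier to print the exact command for the Terminal; run check_signed_output on the output file afterwards instead of relying on the absence of an error message.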

Errors You May Encounter

Here are a few of the errors you may encounter, and how to resolve them. Some screenshots may be from OS X, others from Windows, however the errors mean the same thing regardless of your OS, as these are within a Java environment.

  1. Error: Could not generate timestamp: "Timestamp.URL"

    Error Message:

    [Screenshot: Error 1.PNG]

    Solution: Check the timestamp URL as you may have mistyped it.
  2. Error: Timestamp response not valid

    Error Message:

    [Screenshot: Error 2.PNG]

    Solution: You used the wrong timestamp URL. Use this instead: http://timestamp.globalsign.com/scripts/timestamp.dll
  3. Error: Could not load keystore file (password may be incorrect)

    Error Message:

    [Screenshot: Error 3.PNG]

    Solution: Don't use -keystore when signing in ADT. Instead, make sure to include the -alias "ContainerName" argument.
  4. Error: Not enough arguments

    Error Message:

    [Screenshot: Error 4.PNG]

    Solution: Remove the "-target air" as well as the newly signed file name at the end.
  5. Error: Unknown package target "fileName"

    Error Message:

    [Screenshot: Error 5.PNG]

    Solution: You forgot to place the "air" argument after "-target".
    Kind of confusing, since you would think the file would be the target. It's actually looking for a file format, though.
