Token Based CodeSigning - AIR - OS X – KB

Introduction

This page outlines the process of configuring a Windows environment for signing AIR files (.air and .airi), and the actual signing process itself. There are several things that need to be done to successfully sign an AIR file in Windows, so please read through this carefully.

These instructions were made and tested using:

  • OS X 10.12
  • JDK 1.8.0_131 (64-bit)
  • JRE 8u131 (64-bit)
  • AIR SDK (version 25.0.0.134)

If you find that the method differs on a different version of any of these (in a Windows environment), please leave a comment so we may incorporate the information.

Key Points

Here are a few key points that should be kept in mind when troubleshooting. These will be further discussed later on in this page.

  • AIR files are already signed files and should not use the "adt -sign" command. Use the "adt -migrate" command to update the signature on an AIR file.
  • AIRI (.airi) files, aka AIR Intermediate files, are unsigned AIR files and use the "adt -sign" command.
  • The -alias "ContainerName" argument should be used when signing, as in the JAR signing method.
  • Adobe GUI applications ONLY support .pfx files, but they allow exporting an AIRI file (unsigned AIR file) to sign using ADT on the command line.
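The first two points decide which ADT sub-command applies, and the signing steps later on the page note that ADT gives no confirmation after it runs. The script below is an added example, not part of this KB article: it opens an AIR or AIRI package (a ZIP) and reports whether it carries a package signature, then picks -migrate or -sign accordingly. The entry path META-INF/signatures.xml is an assumption about the AIR package layout, and the two sample packages are constructed in memory.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

DSIG = "{http://www.w3.org/2000/09/xmldsig#}"
SIG_ENTRY = "META-INF/signatures.xml"  # assumed location of the package XML-DSig inside the zip


def inspect_air_package(data: bytes) -> dict:
    """Look inside an AIR/AIRI package (a ZIP) and report whether it carries a
    package signature, which signature algorithm it names, and how many
    certificates sit in its KeyInfo block."""
    info = {"signed": False, "signature_method": None, "certificates": 0}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        if SIG_ENTRY not in zf.namelist():
            return info  # an AIRI: no signature entry has been written yet
        root = ET.fromstring(zf.read(SIG_ENTRY))
    sig_method = root.find(f".//{DSIG}SignatureMethod")
    info["signed"] = sig_method is not None
    if sig_method is not None:
        info["signature_method"] = sig_method.get("Algorithm")
    info["certificates"] = len(root.findall(f".//{DSIG}X509Certificate"))
    return info


def adt_verb(data: bytes) -> str:
    """Pick the ADT sub-command the KB prescribes: an already signed package is
    re-signed with -migrate, an unsigned AIRI is signed with -sign -target air."""
    return "-migrate" if inspect_air_package(data)["signed"] else "-sign -target air"


def build_package(signed: bool) -> bytes:
    """Constructed sample: a minimal AIR-shaped zip, with or without a signature entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mimetype", "application/vnd.adobe.air-application-installer-package+zip")
        zf.writestr("META-INF/AIR/application.xml", "<application/>")
        if signed:  # placeholder certificate text; a real package holds base64 DER here
            zf.writestr(SIG_ENTRY, (
                '<signatures><Signature xmlns="http://www.w3.org/2000/09/xmldsig#">'
                '<SignedInfo><SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>'
                '</SignedInfo><KeyInfo><X509Data><X509Certificate>CONSTRUCTED-PLACEHOLDER'
                '</X509Certificate></X509Data></KeyInfo></Signature></signatures>'))
    return buf.getvalue()


if __name__ == "__main__":
    for label, pkg in (("signed .air", build_package(True)), ("unsigned .airi", build_package(False))):
        print(label, inspect_air_package(pkg), "->", adt_verb(pkg))
```

Run it against the output file after the ADT command to confirm a signature entry was actually written, instead of relying on the absence of an error.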

Configuring the Environment

Before signing, you will need the correct tools installed. Make sure the customer has each of these.

  • Java JDK 1.6 or newer (Haven't tested older versions)
  • Java JRE 1.6 or newer (Haven't tested older versions, JRE should be included in the JDK installation)
  • AIRSDK version 25 or newer (includes ADT)
  • As always, check to make sure the token is present in SAC, and the certificate is showing under the token.

Configuring ADT

  1. Download AIRSDK here.
  2. Once you've downloaded the AIR SDK, run it and copy its contents. Create a folder called AIRSDK and paste the contents inside. Cut the new AIRSDK folder, go to Computer (CMD + Shift + C), open the Mac OSX HDD, and paste the folder there.
  3. Now open Sublime or another text editor that allows saving in different file formats, and create a file called eToken.cfg. The contents of the file should be as follows:

    name=eToken
    library=/usr/local/lib/libeTPkcs11.dylib
    slot=0

    [Screenshot: ADT Step 3.png]
  4. Save the file to AIRSDK\bin.
  5. Now, open the adt file using Sublime. You will need to make sure "java" points to the correct version of Java (whichever version you choose is the one you will configure in the JRE and JDK sections).
    Here's the original adt file, before editing:

    [Screenshot: ADT Step 5.png]

    Here's what I changed it to, to specify the directory of the Java version I am using:

    [Screenshot: ADT Before Step 6.png]
  6. Save the file.

Configuring JDK

  1. After the JDK has been installed, locate the JDK bin folder. By default it will be "\Library\Java\JavaVirtualMachines\jdk1.8.0_131.jdk\bin" (replace jdk1.8.0_131.jdk to match your version).

    [Screenshot: JDK Step 1.png]
  2. Copy the eToken.cfg file you made during the Configuring ADT section, and paste it into the JDK bin folder.

Configuring JRE

  1. Locate the java.security file. The default directory will be "\Library\Java\JavaVirtualMachines\jdk1.8.0_131.jdk\jre\lib\security" (replace jdk1.8.0_131.jdk to match your version).

    [Screenshot: JRE 1.png]

    NOTE: JDK 1.6.0 does not have an explicit JRE folder. Skip the \jre in the directory and go directly to \lib.
  2. Open java.security in Sublime or another text editor that supports the format. Then use CMD+F to search for the following text: "security.provider.10=sun.security.mscapi.SunMSCAPI".

    [Screenshot: JRE 2.png]
  3. If it doesn't already exist, add "security.provider.11=sun.security.pkcs11.SunPKCS11 eToken.cfg" below the line you just found.

    [Screenshot: JRE 3.png]
  4. Now save the changes you've made.

Signing AIR Files

WARNING: If you haven't gone through the Configurations yet, do not begin the signing process!

  1. The first thing we need to do is get the Container Name of the certificate we're using. There are two ways of going about this.

    Option 1: Using Command Line

    1. Start the Command Console, and navigate to the location of your JDK bin folder containing keytool. In this case the command is:
    cd \Library\Java\JavaVirtualMachines\jdk1.8.0_131.jdk\bin
    [Screenshot: S Air files 1.png]

    2. Enter the following command:
    keytool -list -storetype PKCS11 -providername SunPKCS11-eToken

    The output should look like this:
    [Screenshot: Air Files 2.PNG]

    3. The Container Names are the long alphanumeric strings at the beginning of each entry (le-4859........). The issue is, if you have multiple certificates on your SafeNet token, you will need to use the second option for finding the Container Name. For now though, copy that Container Name; we're going to need it.

    Option 2: Using the SafeNet Authentication Client Tools

    1. Open the SAC Tools, and click Advanced Options, then expand your Token on the left side, and the User Certificates. On the right side, you'll see the certificate details and the private key details. Look in the Private key details, and you'll find the Container name there:
    [Screenshot: Air Files - SAC 1.png]

    2. Copy that Container Name; we're going to need it.
  2. Navigate to the directory where your adt.bat file is located using the Terminal. In this example, it's in \AIRSDK\bin.

    TIP: Place the file you are signing in the same directory as adt.bat, so you don't have to type out the directory when declaring it in the signing command.
  3. Now, we can finally run the signing command. After you run the command, there won't be any verification that it's been signed. So long as it doesn't throw an error, you should be OK. The signing command for AIR files is:

    adt -migrate -tsa http://timestamp.globalsign.com/scripts/timestamp.dll -storetype PKCS11 -alias "le-4859d290-7d91-4f3d-8987-b7224058c5c7" -providerName SunPKCS11-eToken signed.air resigned.air

    NOTE: The "resigned.air" file at the end is the re-signed file that we are going to create. You'll still have the original signed.air file, and a new file by the name you provide at the end of this command will be created in the same directory.
  4. Now, there should be a signed AIR file in the directory we signed in. Navigate to it in Windows, and double-click it. If you signed it correctly, you should see a message like this, with the Common Name of your certificate in the Publisher field, a green check mark, and Publisher Identity: VERIFIED:

    [Screenshot: Air Files - SAC 4.PNG]

Signing AIRI Files

What's an AIRI file?

AIRI files are slightly different from AIR files. An AIRI is an AIR Intermediate file, which is just an unsigned AIR file. A new AIR application that doesn't have a previously signed version will be exported as AIRI. For the most part, the process is the same as for AIR files, with some minor differences.

How To Sign

WARNING: If you haven't gone through the Configurations yet, do not begin the signing process!

  1. The first thing we need to do is get the Container Name of the certificate we're using. There are two ways of going about this.

    Option 1: Using Command Line

    1. Start the Command Console, and navigate to the location of your JDK bin folder containing keytool. In this case the command is:
    cd \Library\Java\JavaVirtualMachines\jdk1.8.0_131.jdk\bin

    2. Enter the following command:
    keytool -list -storetype PKCS11 -providername SunPKCS11-eToken

    The output should look like this:
    [Screenshot: AIRI File 2.png]

    3. The Container Names are the long alphanumeric strings at the beginning of each entry (le-........). The issue is, if you have multiple certificates on your SafeNet token, you will need to use the second option for finding the Container Name. For now though, copy that Container Name; we're going to need it.

    Option 2: Using the SafeNet Authentication Client Tools

    1. Open the SAC Tools, and click Advanced Options, then expand your Token on the left side, and the User Certificates. On the right side, you'll see the certificate details and the private key details. Look in the Private key details, and you'll find the Container name there:
    [Screenshot: AIRI File - SAC 1.png]

    2. Copy that Container Name; we're going to need it.
  2. Navigate to the directory where your adt.bat file is located using the Command Prompt. In this example, it's in \AIRSDK\bin.

    TIP: Place the file you are signing in the same directory as adt.bat, so you don't have to type out the directory when declaring it in the signing command.
  3. Now, we can finally run the signing command. After you run the command, there won't be any verification that it's been signed. So long as it doesn't throw an error, you should be OK. The signing command for AIRI files is:

    adt -sign -tsa http://timestamp.globalsign.com/scripts/timestamp.dll -storetype PKCS11 -alias "le-4859d290-7d91-4f3d-8987-b7224058c5c7" -providerName SunPKCS11-eToken -target air test.airi signed.air

    [Screenshot: AIRI Step 3.png]

    NOTE: The "signed.air" file at the end is the signed file that we are going to create. You'll still have the test.airi file, unsigned, and a new file by the name you provide at the end of this command will be created in the same directory.
  4. Now, there should be a signed AIR file in the directory we signed in. Navigate to it in Windows, and double-click it. If you signed it correctly, you should see a message like this, with the Common Name of your certificate in the Publisher field, a green check mark, and Publisher Identity: VERIFIED:

    [Screenshot: AIRI Step 4.PNG]

Errors You May Encounter

Throughout testing, I encountered tons of errors before getting the process down. Here are a few of them, and how to resolve each. Some screenshots may be from OS X, others from Windows; however, the errors mean the same thing regardless of your OS, as these are within a Java environment. If you encounter one of these errors and it turns out to be for another reason, please share the other cause/solution. If you encounter a different error and you've found a solution, please add it here for the rest of us to refer to. Or, if you haven't found the solution, you can also put your issue into our CodeSign Issue Tracking page here.

Error: Could not generate timestamp: "Timestamp.URL"

If you encounter this error below...

[Screenshot: Error 1.PNG]

... don't worry. You just mistyped the timestamp URL.

Error: Timestamp response not valid

If you encounter this error below...

[Screenshot: Error 2.PNG]

... you've used the wrong timestamp URL. I found that AIR didn't like the new timestamp URLs, so I reverted to: http://timestamp.globalsign.com/scripts/timestamp.dll

Error: Could not load keystore file (password may be incorrect)

If you encounter this error below...

[Screenshot: Error 3.PNG]

... the issue here is that I included the -keystore NONE argument in the signing command. Don't use -keystore when signing in ADT; it will only confuse it. Instead, make sure to include the -alias "ContainerName" argument.

Error: Not enough arguments

If you encounter this error below...

[Screenshot: Error 4.PNG]

... you forgot something. In this case, I removed the "-target air" as well as the newly signed file name at the end.

Error: Unknown package target "fileName"

If you encounter this error below...

[Screenshot: Error 5.PNG]

... you forgot to place the "air" argument after "-target". Kind of confusing, since you would think the file would be the target. It's actually looking for a file format, though.
