How can I obtain .p12 cert from .cer file for authorize.net (WooCommerce authorize.net plugin) - woocommerce

I am trying to enable Apple Pay in authorize.net for my WooCommerce store.
I am following this instruction.
I got the CertificateRequest_csr from authorize.net, created a certificate in my Apple Developer account and downloaded it. But I can't generate a .p12 file, because it needs a private key. I don't have a private key from authorize.net; I just have the CertificateRequest file.
I tried to create a key with my Apple Developer account data and generate a .p12 file, but it doesn't work. Every time I get the error:
Could not validate merchant. cURL error 58: Private key does not match the certificate public key
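
Added example (not part of the original question): a certificate issued from a CSR carries that CSR's public key, so it can only be packed into a .p12 together with the private key that produced the CSR, and cURL error 58 is what a mismatch looks like. The shell sketch below replays this with throwaway OpenSSL keys; every file name, subject and the stand-in CA are constructed.

```shell
#!/bin/sh
# Added example: every file name and subject below is constructed.

# Print the SHA-256 of the public key held in a private key, CSR or certificate.
pub_fp() {  # $1 = key|csr|cert, $2 = PEM file
  case "$1" in
    key)  pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1 ;;
    csr)  pem=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) || return 1 ;;
    cert) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1 ;;
    *)    return 2 ;;
  esac
  printf '%s\n' "$pem" | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Succeeds only when both objects carry the same public key.
same_key() {  # $1 $2 = kind and file, $3 $4 = kind and file
  a=$(pub_fp "$1" "$2") && b=$(pub_fp "$3" "$4") && [ "$a" = "$b" ]
}

# Replays the situation in the question with throwaway keys.
demo() {
  d=$(mktemp -d) || return 1
  # Gateway: generates the key pair and hands out only the CSR.
  openssl req -new -newkey rsa:2048 -nodes -keyout "$d/gateway.key" \
    -out "$d/request.csr" -subj "/CN=constructed-merchant" 2>/dev/null
  # Issuer: a constructed CA turns the CSR into the downloadable certificate.
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/ca.key" \
    -out "$d/ca.pem" -subj "/CN=Constructed CA" -days 1 2>/dev/null
  openssl x509 -req -in "$d/request.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -set_serial 1 -days 1 -out "$d/issued.pem" 2>/dev/null
  # Merchant: creates a fresh key of their own, as the asker did.
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$d/own.key" 2>/dev/null
  for k in gateway own; do
    if same_key cert "$d/issued.pem" key "$d/$k.key"
    then echo "$k.key: matches the certificate"
    else echo "$k.key: does not match the certificate"
    fi
  done
  same_key csr "$d/request.csr" cert "$d/issued.pem" \
    && echo "csr: same key as the certificate"
  rm -rf "$d"
}

demo
```

Running `same_key cert downloaded.pem key candidate.key` on real files (after converting the .cer to PEM) shows before any .p12 export whether the pair can work.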

install4j stuck at password input during javafx application code-signing for Mac

Despite all our attempts, we could not get past the password entry popup. Usually, this is an issue with an incorrect password or a "head-space and timing issue", but we've confirmed the password to the KeyStore App is correct.
We are attempting to sign our javafx 17 application in order to submit it to the mac app store. We've followed the instructions from Apple to create the certificate, and from the docs on Install4j to upload the certificate. After attempting several times and checking the KeyChain password we still continue to fail - see image below. I've also allowed full access to the certificate in the keyChain app by double clicking the certificate -> Access Control and checking "Allow all applications to access the item". Despite the certificate being unrestricted, we could not get past the password entry.
Install4j Docs on code-signing: https://www.ej-technologies.com/resources/install4j/v/8.0/help/doc/concepts/codeSigning.html
Preparing your app for distribution:
https://developer.apple.com/macos/distribution/
Signing your apps for GateKeeper -- Apple ID for apps distributed outside the Mac Store: https://developer.apple.com/developer-id/
Has anyone had a similar issue with Install4j 9.0.7? What was the solution?
--update:
Upon further inspection, the EJ Technologies Install4j docs describe that the certificate "Subject Name" must be "Developer ID Application". I am not sure if this is an accurate description. The certificate's Subject Name, Common Name is "Developer ID Application:MyDeveloperName(123.....)". There is no option from apple to give the Certificate a Subject Name. I'm also not sure if this is related to the password problem.
If you have created the certificate signing request with a private key that uses elliptic curve cryptography, it will not work in 9.0.7. Contact support@ej-technologies.com for a build that will work in this case. Also, please make sure to select both the public and the private key before exporting from the KeyChain app.
> I've also allowed full access to the certificate in the keyChain app by double clicking the certificate -> Access Control and checking "Allow all applications to access the item"
Don't do that, install4j does not access the KeyChain, it works with the PKCS#11 keystore that you export from it and you set a password during export for full access.
> The certificate's Subject Name, Common Name is "Developer ID Application:MyDeveloperName(123.....)". There is no option from apple to give the Certificate a Subject Name. I'm also not sure if this is related to the password problem.
No, that is fine, "Developer ID Application" is the type of the certificate.
However, regarding:
> We are attempting to sign our javafx 17 application in order to submit it to the mac app store.
This will not work with a "Developer ID Application" certificate which is only suitable for standalone distribution. Submitting to the App Store will be supported in the upcoming install4j 10 (very soon). You need different certificates for that and it is not possible to create a signed artifact with install4j 9 that will be accepted by the App Store.
-- Solution:
Based on the answer provided by Ingo Kegel we were successful in 1) bundling our application into a DMG, 2) signing it, and 3) getting it notarized by Apple using Install4j.
Here is a description of what worked.
There are multiple passwords needed. We further had problems with other passwords. After Ingo's comments we were able to get through these. Note that the first password is NOT the apple "Keychain Access" app password. It is the password that you set when you create the .pkcs12 file.
This post is a supplement to the instructions provided by EJ-Technologies and by Apple in order to show how we solved a few areas that were slightly troubling.
Creating a Developer Password with Apple for our application was slightly confusing. After creating the certificateSigningRequest in the "Keychain Access" app, we then needed to create the Application Certificate in the Apple Developer Account (online).
Below: The developer account page, click on the "certificates and id's".
Below: Next page, click on the plus to add a new certificate.
Below: Next page, select the "Developer ID Application", then click continue.
Once Apple had created the certificate we followed the directions to 1) download the cert from Apple. It ends with ".cer". 2) Install the ".cer" file to your KeyStore app by double clicking on it. This was also problematic and would not install if there was a similar file in the KeyStore App. 3) Export the cert and its related secret to a directory on the hard drive. The certificate and the secret were slightly ambiguous. The certificate appears to be a subdirectory of the secret in the KeyStore application. We selected both, and exported them by right clicking on the two.
The instructions were clear from this point forward. However after successfully passing the password entry, we were then faced with a second password entry popup for Apple's notarization. We are creating a .dmg for MacOS 12. Our JavaFX app had to be signed AND notarized in order for our users to avoid "most" of the warnings by Apple.
As mentioned above, install4J asks for the "app specific password". This password had nothing to do with our application, it is an application password between us and install4j.
I created the password in My Apple user account. Note that this is not from the developer account.
In the next screen after clicking here, I simply provided the name "install4j" in the text-entry to describe the password. Also, a Cut and Paste of the password from Apple did not work and caused an error so I pasted the selection from the browser into a text editor and noticed it was wrapped with brackets and several other characters that would make it invalid. Typing the password directly into the install4J text field worked. You will need to save this password for future uploads as well.
After correctly entering these passwords, install4j took about a minute to bundle and sign our application, then sent the dmg to Apple for notarization. Notarization took several minutes. When the operation completed, our dmg was created.
We tested the .dmg by uploading it to our server and downloading it to another device. Everything worked as expected. Apple still warns the user that "the app is not built by Apple", and "it is downloaded from the internet". For the "inexperienced user", this is much easier than without code-signing and notarization.

Signing an x509 certificate without direct access to private key (stored in aws kms/hsm)

I want to sign an X509 certificate whose keys I cannot access directly (stored in KMS/HSM).
I thought of a way to sign the certificate with any random private key so that the certificate can be generated successfully, after that, I can pass the payload of the certificate to the KMS/HSM for signing, and the signature that will be given will be set in the previously created certificate. But I am not able to do so. Can someone help me how to achieve this with the java code?

Firebase & Postman | Generate JWT for Google Identity OAuth 2.0 token

I am trying to execute some administrative tasks on my Cloud Firestore (upload some data, ... etc.). I read through the documentation here
Use a Google Identity OAuth 2.0 token and a service account to authenticate requests from your application, such as requests for database administration.
This referred to the documentation here on how to make Authorized API Call after generating JWT. I am struggling with generating the JWT.
This is what I tried:
I formed the header and the claim set
{"alg":"RS256","typ":"JWT"}.
{
  "iss":"761326798069-r5mljlln1rd4lrbhg75efgigp36m78j5@developer.gserviceaccount.com",
  "scope":"https://www.googleapis.com/auth/prediction",
  "aud":"https://oauth2.googleapis.com/token",
  "exp":1328554385,
  "iat":1328550785
}
Went to https://jwt.io/ to generate JWT with RSA256. It asks for public key and private key. I understand the private key can be generated in JSON format from the service account I created under https://console.cloud.google.com/iam-admin/serviceaccounts. However, I am not sure where to obtain the public key. jwt.io does not generate jwt. I only get 'invalid signature'.
There are many examples in the web using SDK or libraries. However, I could not see any example on how to generate JWT manually (if that is possible at all) to use it with Postman. Any idea?
Thanks to @JohnHanley. I managed to generate the token. This is not entirely within Postman (I am still relying on jwt.io to generate the JWT).
After creating the service account here, add a key and download the p12 file (not JSON). The default secret is notasecret.
Convert the p12 to PEM and extract the public key:
$ openssl pkcs12 -in postman-admin-private.p12 -out postman-admin-private.pem -nodes
$ openssl rsa -in postman-admin-private.pem -outform PEM -pubout -out postman-admin-public.pem
Open both PEM files and copy the private and public keys into jwt.io (using the RSA256 option).
Make sure you use the email address of the service account in the iss field.
Here is the request in Postman:
curl --location --request POST 'https://oauth2.googleapis.com/token?grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer&assertion={generated jwt}'
Next would be to make it entirely within Postman. I have not tried that, but this post seems to be an option.
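
Added example (not from the original answer): the same header and claim set can be signed locally with OpenSSL, so the service-account private key never has to be pasted into a web page. The key pair and service-account address are constructed, and `make_jwt` / `verify_jwt` are names chosen here.

```shell
#!/bin/sh
# Added example: the key pair and service-account address are constructed.

# base64url without padding, as JWS requires.
b64url() { openssl base64 -A | tr '/+' '_-' | tr -d '='; }

# make_jwt <private-key.pem> <iss> <scope> <iat>  -> header.claims.signature
make_jwt() {
  header='{"alg":"RS256","typ":"JWT"}'
  claims=$(printf '{"iss":"%s","scope":"%s","aud":"%s","exp":%s,"iat":%s}' \
    "$2" "$3" "https://oauth2.googleapis.com/token" "$(($4 + 3600))" "$4")
  signing_input="$(printf '%s' "$header" | b64url).$(printf '%s' "$claims" | b64url)"
  # RS256 = RSASSA-PKCS1-v1_5 over SHA-256 of the ASCII signing input.
  signature=$(printf '%s' "$signing_input" | openssl dgst -sha256 -sign "$1" | b64url)
  printf '%s.%s\n' "$signing_input" "$signature"
}

# verify_jwt <public-key.pem> <jwt>: succeeds only if the signature is valid.
verify_jwt() {
  input=${2%.*}; sig=${2##*.}
  # Restore the base64 padding that b64url stripped.
  case $((${#sig} % 4)) in 2) sig="$sig==" ;; 3) sig="$sig=" ;; esac
  sigfile=$(mktemp) || return 1
  printf '%s' "$sig" | tr '_-' '/+' | openssl base64 -d -A > "$sigfile"
  if printf '%s' "$input" | openssl dgst -sha256 -verify "$1" \
       -signature "$sigfile" >/dev/null 2>&1
  then rc=0; else rc=1; fi
  rm -f "$sigfile"; return "$rc"
}

demo() {
  d=$(mktemp -d) || return 1
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$d/sa-private.pem" 2>/dev/null
  openssl rsa -in "$d/sa-private.pem" -pubout -out "$d/sa-public.pem" 2>/dev/null
  jwt=$(make_jwt "$d/sa-private.pem" \
    "constructed-sa@example-project.iam.gserviceaccount.com" \
    "https://www.googleapis.com/auth/prediction" "$(date +%s)")
  verify_jwt "$d/sa-public.pem" "$jwt" && echo "signature verifies"
  echo "$jwt"
  rm -rf "$d"
}

demo
```

With a real key, the printed token is the value for the `assertion` parameter in the request above; `exp` is set one hour after `iat`.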

can not find fortumo "API KEYS" section

As the Fortumo documentation says:
JWT based authentication Before using the JWT based authentication,
you will need to add a public key under "API keys" section in your
Fortumo Dashboard. Refer to Preparing SSH keys guide on how to
generate the public and private key pair.
https://merchants.fortumo.com/integration-and-testing/hosted-dcb/hdcb-security/
But I can't find it on the dashboard. In the General section we have "Secret" further down. Is that it? Where can I set the Fortumo public key?
As noted in Fortumo's documentation:
Hosted DCB is an on demand payment product. In order to gain access to the product, please contact your account manager.
If you don't have an account manager, you can get in touch with them here.

mailgun Error":"exposed account credentials

I am attempting to validate an email, but when I follow the Mailgun docs and have code such as the following
https://documentation.mailgun.com/en/latest/user_manual.html#email-validation
import requests

EMAILPUBLICVALIDATIONKEY = 'my sexy key'

def validateemail(emailaddress):
    # HTTP basic auth: the user name is the literal "api", the password is the key.
    return requests.get(
        "https://api.mailgun.net/v3/address/validate",
        auth=("api", EMAILPUBLICVALIDATIONKEY),
        params={'address': emailaddress}
    )
I get the response
["{"Error":"exposed account credentials"}"]
0: "{"Error":"exposed account credentials"}"
length: 1
__proto__: Array(0)
I haven't actually gotten this error in MailGun before. But I'm assuming exposed account credentials means that your API key got exposed and they deactivated it in order to try to protect you.
Kinda unrelated, but GitHub recently released a feature where they will scan commits for API keys and tokens and notify the company that it was exposed. Doesn't look like as of posting this MailGun is on that list, but there is also a slim chance since it's in beta that list hasn't been updated. https://help.github.com/articles/about-token-scanning/
This is most likely due to exposing a Mailgun API key on Github. I had the API key in a file and commented it out but still got flagged. If you file a ticket on Mailgun, a reply will be sent with these instructions:
Due to the compromise, you will need to take a few steps to secure your Mailgun account:
- Remove the repository from Github or make the repository private. A new commit will not overwrite the previous commit history which contains the password.
- Please log in to the Mailgun Control Panel and reset your Mailgun account password. Click your email address in the top right, "Edit Account Info" -> "Password Change" section.
- Enable 2 Factor Authentication. Click your email address in the top right > Security > Two-Factor Authentication section.
- Reset your Mailgun API key. Under "Account Settings" -> "Security" click the refresh symbol to generate a new API key.
- Reset your SMTP credentials. Go to the "Domains" tab and repeat the following process for each domain listed in this view.
I don't THINK Mailgun was on that list. But they could have been added.
It is official now (May 23rd, 2019): "Token scanning"
Token scanning is now generally available in all public repositories.
Additionally, token scanning now supports detection of new token types from Alibaba Cloud, Mailgun, and Twilio.
The full list is on "About token scanning".
See more at "Token scanning".
You need to go to your Mailgun account; a banner will say that your account has been suspended. Then you have to contact support to unlock it.
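
Added example (not part of the original thread): the support instructions above note that a new commit does not remove the key from earlier history, and one answer reports being flagged for a commented-out key. The sketch builds a throwaway repository with a constructed key value and lists the commits that still expose it; the file name and function names are chosen here.

```shell
#!/bin/sh
# Added example: the repository, file name and key value are constructed.
FAKE_KEY='key-CONSTRUCTED-0000000000000000'

# Print every commit (all refs) whose snapshot contains the fixed string.
commits_containing() {  # $1 = repository, $2 = string to look for
  for c in $(git -C "$1" rev-list --all); do
    if git -C "$1" grep -q -F -e "$2" "$c" -- 2>/dev/null; then echo "$c"; fi
  done
}

# Build a throwaway repository that repeats the history described above:
# key committed, key commented out, key moved to the environment.
build_demo_repo() {
  repo=$(mktemp -d) || return 1
  g() { git -C "$repo" -c user.name=demo -c user.email=demo@example.invalid "$@"; }
  g init -q 2>/dev/null
  printf 'KEY = "%s"\n' "$FAKE_KEY" > "$repo/settings.py"
  g add settings.py && g commit -q -m "add e-mail validation"
  printf '# KEY = "%s"\n' "$FAKE_KEY" > "$repo/settings.py"
  g commit -q -a -m "comment the key out"
  printf 'KEY = os.environ["VALIDATION_KEY"]\n' > "$repo/settings.py"
  g commit -q -a -m "read the key from the environment"
  echo "$repo"
}

# Compare what the latest commit shows with what the full history shows.
report() {
  repo=$(build_demo_repo) || return 1
  if git -C "$repo" grep -q -F -e "$FAKE_KEY" HEAD --
  then echo "HEAD: key present"
  else echo "HEAD: clean"
  fi
  n=$(commits_containing "$repo" "$FAKE_KEY" | wc -l | tr -d ' ')
  echo "commits still exposing the key: $n"
  rm -rf "$repo"
}

report
```

A clean HEAD with a non-zero count is the case the support text describes: the key has to be treated as exposed and reset, whatever the current files contain.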
