Can I code sign a Windows Store App with a trusted code signing certificate? - windows-store-apps

We have a Windows UWP app that is currently in the Microsoft store. The project includes a store association file which contains publisher attributes one of which is the Common Name. Our store account shows the CN as a string value resembling a GUID. It shows the Display Name as our company name. In Visual Studio we can build the app for sideloading and code sign with a self-signed certificate in which the certificate’s CN is the same as the Store CN (GUID like string). This allows us to sideload new versions of the app over the store version for testing and getting new features to specific customers quickly. Then the sideloaded version can eventually be updated with newer published store versions.
My question is this: We would like to sign the app with a Code Signing Certificate we purchase from a trusted certificate authority. The problem is trusted code signing certificates must have the Common Name as the company name. We seem to only be able to sign the app with a certificate that has the Common Name equal to the CN in the store association file (GUID like string). Is this a known limitation to store associated apps or are we missing something?

TLDR; Any app published in the MS Store will be signed only with Microsoft's certificates. You cannot use your own certificate to publish an app in the store.
If you use your own certificate to sign the package you need to provide an external link for users to get your app. You can use the AppInstaller protocol for that.
The GUID that you see in the CN (for the certificate generated automatically by VS) is actually a "private key"-like mechanism that MSFT uses to ensure that the app published in the store is actually submitted by its real owner (i.e. I assume to avoid some kind of man in the middle attack where an attacker could somehow upload a corrupted version of your app).
Once your app gets in the store and passes all the validations MSFT will sign it with their own certificate. I suppose this is how the AppInstaller service (or the Store app from Windows 10) will know it is ok to trust any app signed with their certificate.

Related

SAML certificate authentication vs login

I have a working implementation of SAML (OneLogin) within an enterprise architecture.
When a guest user arrives at my application they are redirected to the company login where they enter their username / password. After that the user identity is passed back to my application and we log them in.
However, I notice that in other applications within the company I do not have to login at all. Somehow the website "knows who I am" and seems to authenticate me automatically. I presume there is some form of certificate on my pc / browser which the other applications are passing to the SAML??
Can somebody tell me the technical term or process? Is there a process whereby I simply pull the certificate from the browser or PC and pass it to the SAML? I would like my users to be able to auto-login without entering their credentials.
Thanks
There's a number of mechanisms that support an "automatic" authentication like what you describe. In the Identity and Access Management (IAM) realm, we have all sorts of names for it, but many of us call that "seamless single sign-on (SSO)".
Within a corporate environment, I would suspect that you are dealing with a one of two mechanisms: Kerberos authentication (especially if you're a Microsoft shop and log in to a domain-joined machine on a daily basis), or your machine is in an MDM-type of system, which uses a machine- and/or user-based certificate (aka PKI) to authenticate the user or user/machine combination.
Within your enterprise, if there are other applications whose users are immediately authenticated to the application without entering their username and password, then you should talk to your IAM team or your Single Sign On (SSO) administrators to understand why that doesn't work for yours.
I will also say that it's possible that your security team evaluated what information your application offers (insider financials? source code? your secret recipe? credit card data?) and decided that they would still require the user enter their username and password to get access to the data. So when you go to your SSO admins to ask, if they say that it's intentional, you should feel free to ask why and who you should talk to about it.
After a LOT of research and testing I finally have the answer to this question, and it is incredibly simple!
In summary:
I have a working solution with OneLogin that sends me to a page like this:
https://sts.companyname.com/adfs/ls
The url is specified in the config: saml->config->idp->singleSignOnService->url
However, this page requires the user to enter their username and password and, instead, I would like the system to be fully seamless.
The solution, it turns out, is simply to hyperlink to the following url:
https://sts.companyname.com/adfs/ls/IdpInitiatedSignon.aspx?LoginToRp=https://mypage.com/saml/metadata
where "loginToRp" url is the url provided in saml->config->sp->entityID
The ADFS IDP Initiated Signon will connect to your metadata schema and automatically log the user in (without the user needing to provide any credentials)
NOTE: this only applies to intranet sites in a corporate environment

How to login once across multiple subdomains on a custom domain using Auth0?

We are developing a suite of separate SPA applications where each one lives on a separate subdomain with a common parent domain.
app1.domain.com
app2.domain.com
We want to avoid customers having to sign in to each app separately. So we want to be able to sign in once to one app and remaining signed in when visiting the other apps. Similarly, signing out of one would sign out in the others.
Based on my research of the Auth0 docs, this seemed to be possible with a custom domain. So changed our plan, added the custom domain auth.domain.com and created a test SPA app that could log in. I then created two subdomains and pointed them both at the app.
Logging in to app1.domain.com worked. The auth0.{clientid}.is.authenticated cookie was created. However, the cookie’s domain was app1.domain.com, not .domain.com as I’d hoped.
I then tried visiting the app2.domain.com and confirmed that the cookie definitely wasn’t there and I wasn’t logged in.
Is there any way to configure Auth0 to keep a user logged in across all the subdomains?
(I posted this on the Auth0 Forums here but got no replies)
I opened a pull request on auth0-spa-js package to add an option to specify the cookie domain. It was accepted and merged in version 1.21.0 and later.
In your client configuration, add a cookieDomain option.
const auth0 = await createAuth0Client({
domain: '<AUTH0_DOMAIN>',
client_id: '<AUTH0_CLIENT_ID>',
redirect_uri: '<MY_CALLBACK_URL>',
audience: '<MY_AUDIENCE>',
cookieDomain: '.example.com',
})
NOTE: Top level cookie domains always start with a period ..
Use this configuration on each app/subdomain under the same top level domain and you'll notice the auth0.{clientid}.is.authenticated cookie will exist on both. Signing in on one will result in you being signed in when you visit any others.
The auth0-spa-js package is used by most of the other auth0 plugins for Vue, React, etc. so client configuration should be virtually identical.

Detect Toast Notification from the particular application

I have two application both of them send toast notifications, I want to detect the Toast Notification from the particular application.On search I findpublic ToastNotificationHistoryChangedTrigger(string applicationId),what would be the application ID during development?
What would be the application ID during development?
Here is the MSDN documentation for the parameter:
The identifier of the app for which you want to create an instance of
the ToastNotificationHistoryChangedTrigger class.
More searching on MSDN, here is more info about application identity, which will appear in the package manifest:
<Application Id = An ASCII string between 1 and 64 characters in length.
The unique identifier of the application within the package. This
value is sometimes referred to as the package-relative app identifier
(PRAID). The ID is unique within the package but not globally. There
may be another package on the system that uses the same ID. The same
ID cannot be used more than once in the same package.
So it means both applications need to exist in the same package. I don't know how is that possible right now and I doubt that it is your case. Most likely, you have multiple packages, one for each app. In this case, you can use AppServices to communicate between the two apps.
Edit
Here explains about multiple app packages, it is supported for side loading and not the store.
You can create a multi-app package for side-loading, just not to
deploy through the store. When the user installs the package they'll
get all of the apps, and the apps will all share the same security
context, local data, etc.

App is not testable

I receive the information from Microsoft:
App Policies: 10.3 App Is Not Testable
The app must be testable. If it is not possible to test your app for any reason, including, but not limited to, the items below, your app may fail this requirement.
If your app requires login credentials, provide us with a working demo account using the Notes to Tester field.
If your app requires access to a server, the server must be functional to verify that it's working correctly.
If your app allows a user to add a gift card balance, give us a gift card number that can be used in the testing
How to pass certificate?
It seems that the tester cannot test your app properly, which violates the Windows Store Policy and will make your app get unpublished or fail to pass the certification.
Please follow and check the notes provided by Microsoft:
If your app requires login credentials, provide us with a working demo account using the Notes to Tester field.
If your app requires access to a server, the server must be functional to verify that it's working correctly.
If your app allows a user to add a gift card balance, give us a gift card number that can be used in the testing.
And I would like to suggest you to provide a hosted video of your app’s functionality working properly in the notes for certification when you resubmit your app so that tester can see your app perform normally and know how to test it in an appropriate way.
Please refer to Notes for certification. This can really benefit your app to pass the certification.

How does WhatsApp syn up contacts with ejabberd

I am creating ejabberd xmpp client for charting similar to WhatsApp. Want to understand, how does WhatsApp sync contacts with server? How does WhatsApp find out all registered users with server and synchronise it with your address book?
This feature is not related to XMPP or ejabberd. If you want to detect contact of your user you need to implement that feature in a custom way.
You need to upload an anonymised version of the user address book with hash of phone number and email and store that on your server.
When another user with a phone number or email address matching that hashes join the service you can find who knows it and do operations to notify each parties that they are both using the service (and/or add them in roster for example).
So, this is a purely custom extension to ejabberd you will have to implement.