Permissions for signing through Google KMS API - google-cloud-kms

I have a number of applications running in GCP and using KMS to sign certificates. I give each application the sign permission (projects.locations.keyRings.cryptoKeys.cryptoKeyVersions.asymmetricSign) for a specific key. In order to sign I need to provide a specific key version (actually I want to use the latest version of the key), so I have to get the list of versions for the key, and this requires the projects.locations.keyRings.cryptoKeys.get or projects.locations.keyRings.cryptoKeys.cryptoKeyVersions.list permission.
The question is why I need to give this permission to sign a certificate, and whether there is a way to sign without getting the list of versions.
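Added example, not part of the question or of any answer on this page: how an application that is allowed to list versions can resolve the newest usable CryptoKeyVersion from a list response and build the asymmetricSign body. The project, key ring, key name and the sample version list are constructed; the IAM permission names mentioned in the comments (cloudkms.cryptoKeyVersions.list, cloudkms.cryptoKeyVersions.useToSign) are the Cloud KMS names as I know them from the KMS documentation, not something the post states.

```python
import base64
import hashlib
import re
from typing import Optional

# Constructed sample of a cryptoKeyVersions.list response (REST shape, fields
# trimmed to the ones used here). Project, key ring and key names are made up.
KEY = "projects/my-project/locations/global/keyRings/my-ring/cryptoKeys/cert-signer"
SAMPLE_VERSIONS = [
    {"name": f"{KEY}/cryptoKeyVersions/1", "state": "DESTROYED"},
    {"name": f"{KEY}/cryptoKeyVersions/9", "state": "ENABLED"},
    {"name": f"{KEY}/cryptoKeyVersions/10", "state": "ENABLED"},
    {"name": f"{KEY}/cryptoKeyVersions/11", "state": "DISABLED"},
    {"name": f"{KEY}/cryptoKeyVersions/12", "state": "PENDING_GENERATION"},
]

_VERSION_RE = re.compile(r"/cryptoKeyVersions/(\d+)$")


def version_number(version_name: str) -> int:
    """Numeric suffix of a CryptoKeyVersion resource name.

    Versions must be compared numerically: as strings, "10" sorts before "9",
    so a naive max() over the names would pick the wrong version.
    """
    m = _VERSION_RE.search(version_name)
    if not m:
        raise ValueError(f"not a CryptoKeyVersion name: {version_name}")
    return int(m.group(1))


def select_latest_enabled(versions: list) -> Optional[str]:
    """Name of the highest-numbered version whose state is ENABLED.

    Only ENABLED versions can sign; DISABLED, DESTROYED and PENDING_GENERATION
    versions are skipped even when they are newer than the chosen one.
    """
    enabled = [v["name"] for v in versions if v.get("state") == "ENABLED"]
    if not enabled:
        return None
    return max(enabled, key=version_number)


def build_sign_request(data: bytes) -> dict:
    """Body of an asymmetricSign call for a *_SHA256 signing version.

    KMS signs a caller-supplied digest, so the application hashes the
    to-be-signed certificate locally and sends only the SHA-256 digest.
    """
    digest = hashlib.sha256(data).digest()
    return {"digest": {"sha256": base64.b64encode(digest).decode("ascii")}}


def prepare_signing(versions: list, tbs_certificate: bytes) -> Optional[tuple]:
    """Resolve the version to use plus the request body; None if nothing can sign."""
    name = select_latest_enabled(versions)
    if name is None:
        return None
    # The real call is POST https://cloudkms.googleapis.com/v1/{name}:asymmetricSign
    # with this body. That call needs only cloudkms.cryptoKeyVersions.useToSign on
    # the key; it is the listing step above that needs cloudkms.cryptoKeyVersions.list.
    return name, build_sign_request(tbs_certificate)


if __name__ == "__main__":
    print(prepare_signing(SAMPLE_VERSIONS, b"constructed TBS certificate bytes"))
```

If granting the list permission is the objection, the other option this code makes visible is to pin the full version name in the application's configuration and update it when the key is rotated: asymmetricSign takes a version name, so with the name known in advance the application needs only the sign permission, at the cost of a configuration change per rotation.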

Related

Can I code sign a Windows Store App with a trusted code signing certificate?

We have a Windows UWP app that is currently in the Microsoft store. The project includes a store association file which contains publisher attributes one of which is the Common Name. Our store account shows the CN as a string value resembling a GUID. It shows the Display Name as our company name. In Visual Studio we can build the app for sideloading and code sign with a self-signed certificate in which the certificate’s CN is the same as the Store CN (GUID like string). This allows us to sideload new versions of the app over the store version for testing and getting new features to specific customers quickly. Then the sideloaded version can eventually be updated with newer published store versions.
My question is this: We would like to sign the app with a Code Signing Certificate we purchase from a trusted certificate authority. The problem is trusted code signing certificates must have the Common Name as the company name. We seem to only be able to sign the app with a certificate that has the Common Name equal to the CN in the store association file (GUID like string). Is this a known limitation to store associated apps or are we missing something?
TLDR; Any app published in the MS Store will be signed only with Microsoft's certificates. You cannot use your own certificate to publish an app in the store.
If you use your own certificate to sign the package you need to provide an external link for users to get your app. You can use the AppInstaller protocol for that.
The GUID that you see in the CN (for the certificate generated automatically by VS) is actually a "private key"-like mechanism that MSFT uses to ensure that the app published in the store is actually submitted by its real owner (i.e. I assume to avoid some kind of man in the middle attack where an attacker could somehow upload a corrupted version of your app).
Once your app gets in the store and passes all the validations MSFT will sign it with their own certificate. I suppose this is how the AppInstaller service (or the Store app from Windows 10) will know it is ok to trust any app signed with their certificate.

How to use Google Apps Script setAuthentication?

So, I created a script on Google Sheets that, basically, selects a set of addresses on a sheet and uses Maps.newGeocoder.geocode() to get geocodes and calculate distances. It works wonderfully, no problems there. However, when I try to authenticate using Maps.setAuthentication(clientId, signingKey);, I just get an error.
I got my credentials by logging into https://console.cloud.google.com/, creating a random project and going to "Create credentials". When I go into the credentials tab, I can select OAuth 2.0 and see the clientId and client secret key. I am using these to authenticate. Is it correct? What am I doing wrong? How the hell can I get the credentials? Thanks a lot!
The setAuthentication(clientId, signingKey) method enables the use of an externally established Google Maps APIs Premium Plan account, to leverage additional quota allowances. Your client ID and signing key can be obtained from the Google Enterprise Support Portal.
They are not the same as client ID and client secret key as explained here.
Note that this type of account is no longer available for new customers.
Here are some helpful links:
Premium Plan Support
Premium Plan FAQ

Our API keys no longer appear in Google Cloud Platform console

My company has 2 Google Maps API keys that we have been using for several years. They started charging us for their use in June 2018. At that point and for several month afterwards, I could go to the Google Cloud Platform console and see the API keys listed, along with usage etc. Now when I go to the GCP console, it does not show those API keys. However, Google is still charging our credit card every month for their use.
I'm wondering what happened, and if it has happened to anyone else. If I could see the API keys, I could edit them, change their restrictions, etc.
If you're confident that you're checking the correct project, you may wish to review your audit logs to see whether the API Key was deleted by one of the project's authenticated accounts:
For ${PROJECT}, the following should list API key-related actions:
PROJECT=[[YOUR-PROJECT]]
# Admin Activity audit log of the project; the "/" in the log id is URL-encoded as %2F
LOGNAME="projects/${PROJECT}/logs/cloudaudit.googleapis.com%2Factivity"
# ":" in a logging filter is a substring match, so this catches Create/Patch/Delete methods
METHOD="google.api.apikeys.v1.ApiKeys"
gcloud logging read "logName=\"${LOGNAME}\" protoPayload.methodName:\"${METHOD}\"" \
--project=${PROJECT} \
--format="value(protoPayload.authenticationInfo.principalEmail,protoPayload.methodName,timestamp)"
I created then deleted an API key to confirm the behavior.
My logs show (abbreviated):
[me] google.api.apikeys.v1.ApiKeys.DeleteApiKeys 2020-04-07T19:21:40.301Z
[me] google.api.apikeys.v1.ApiKeys.PatchApiKey 2020-04-07T19:18:38.395Z
[me] google.api.apikeys.v1.ApiKeys.CreateApiKey 2020-04-07T19:18:20.721Z
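Added example, not part of the answer above: the same check run offline over audit log entries, in the JSON shape that `gcloud logging read --format=json` prints, so the key lifecycle (who created, changed and deleted which key, in order) can be reconstructed and the deletions pulled out. The entries, project number, key id, principals and timestamps are constructed; the method names are the ones the answer's own log output shows, and an unrelated entry is included to show the prefix filter dropping it.

```python
import json
from collections import defaultdict

KEY_METHOD_PREFIX = "google.api.apikeys.v1.ApiKeys"

# Constructed sample, trimmed to the fields used here. Nothing in it is real.
SAMPLE_LOG_JSON = json.dumps([
    {
        "timestamp": "2020-04-07T19:18:20.721Z",
        "protoPayload": {
            "methodName": "google.api.apikeys.v1.ApiKeys.CreateApiKey",
            "authenticationInfo": {"principalEmail": "dev@example.com"},
            "resourceName": "projects/123456789012/keys/key-a",
        },
    },
    {
        "timestamp": "2020-04-07T19:18:38.395Z",
        "protoPayload": {
            "methodName": "google.api.apikeys.v1.ApiKeys.PatchApiKey",
            "authenticationInfo": {"principalEmail": "dev@example.com"},
            "resourceName": "projects/123456789012/keys/key-a",
        },
    },
    {   # unrelated admin activity that the methodName prefix filter must drop
        "timestamp": "2020-04-07T19:20:00.000Z",
        "protoPayload": {
            "methodName": "SetIamPolicy",
            "authenticationInfo": {"principalEmail": "dev@example.com"},
            "resourceName": "projects/123456789012",
        },
    },
    {
        "timestamp": "2020-04-07T19:21:40.301Z",
        "protoPayload": {
            "methodName": "google.api.apikeys.v1.ApiKeys.DeleteApiKeys",
            "authenticationInfo": {"principalEmail": "contractor@example.com"},
            "resourceName": "projects/123456789012/keys/key-a",
        },
    },
])


def key_events(raw_json: str) -> list:
    """(timestamp, principal, short method, resource) for API-key operations,
    oldest first, using the same methodName prefix match as the gcloud filter."""
    events = []
    for entry in json.loads(raw_json):
        payload = entry.get("protoPayload", {})
        method = payload.get("methodName", "")
        if not method.startswith(KEY_METHOD_PREFIX):
            continue
        events.append((
            entry["timestamp"],
            payload.get("authenticationInfo", {}).get("principalEmail", "<unknown>"),
            method.rsplit(".", 1)[-1],   # CreateApiKey, PatchApiKey, DeleteApiKeys
            payload.get("resourceName", "<unknown>"),
        ))
    # RFC 3339 timestamps in the same form sort correctly as strings.
    return sorted(events)


def deleted_keys(raw_json: str) -> dict:
    """Map each deleted key's resource name to (principal, timestamp) of the deletion."""
    return {
        resource: (principal, ts)
        for ts, principal, method, resource in key_events(raw_json)
        if method.startswith("DeleteApiKey")
    }


def lifecycle(raw_json: str) -> dict:
    """Per key, the ordered list of (method, principal) it went through."""
    history = defaultdict(list)
    for _ts, principal, method, resource in key_events(raw_json):
        history[resource].append((method, principal))
    return dict(history)


if __name__ == "__main__":
    for ts, who, what, key in key_events(SAMPLE_LOG_JSON):
        print(ts, who, what, key)
    for key, (who, ts) in deleted_keys(SAMPLE_LOG_JSON).items():
        print(f"{key} deleted by {who} at {ts}")
```

To use it on real data, feed the output of the answer's command with `--format=json` instead of `--format=value(...)` into `key_events`; the principal on the delete entry is the account to ask, and a principal that appears only on deletions is the one to look at first.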

Setting the client name for an Authorized API client in Google

I have developed a few small apps that connect to our Google domain. However, each time I have to authorize one of these apps I need to add a different Authorized API client by using its "Client Name". Is there a way to set this client name to something of my choosing? It would make it much easier to quickly understand what apps are OK to remove from the list later on.
Thanks!
...edit...
I may not have been specific enough, here is an image of where I want to change the value. This is from the google admin console for google apps under Security -> Show More -> Advanced Settings -> Manage API Client Access
[image: Client Name field]
For all the apps I've developed so far my Client Name (which I pull from the Google developers console) is either a seemingly random string of only numbers or a random string of numbers and letters followed by "apps.googleusercontent.com". Yet I've seen other apps that somehow have their company name listed there. How can I choose my own Client Name as I've seen in other apps?
You can set the client name and the scope by going to the Manage client API access page. Register your client in the Authorize a new API client settings.
Enter the client name provided by the third-party vendor and specify the scope. Add a new client by entering the client name (OAuth consumer key) and API scope and clicking "Authorize". You should verify that the client is known to you and that they have an appropriately small scope of access.
For each client, you can specify multiple APIs, separated by commas. For example, to allow access to both the Contacts and Documents List APIs: "http://www.google.com/m8/feeds/, http://www.google.com/feeds/". The list of clients is unique, and cannot have two entries in the list for one OAuth client. You can use any of the Google APIs that currently support two-legged OAuth for Google Apps domains.
Authorized API Clients
Add your APIs from the list of approved clients and their scope.
After the client has been added, you can remove a client that has a specified API scope by clicking the "Remove" link. If the client is the OAuth consumer key for your Google Apps domain, you'll see the link, "Manage". Clicking this link takes you to the Manage OAuth key and secret for this domain page where you can edit the client (for example, turn off global API scope access).
For more information about OAuth, please follow this link: https://developers.google.com/identity/protocols/OAuth2ServiceAccount#delegatingauthority
In case you meant how to set the application name when you connect with the php api client, you can use:
$client->setApplicationName('App Name Here');

Google Maps API must now use a Server Key?

My website makes use of the Google Maps API. I recently received an email from Google that says that I should switch from a Browser Key to a Server Key in order to continue using the API past 2 Dec 2015.
So if I am not mistaken, all I have to do is request a Server Key in the Google Console and put it in place of my Browser Key? Is it that simple?
Here is part of the email:
Yesterday, we announced a pay-as-you-go option for seven of the Google
Maps API Web Services for free, external, publicly available websites
and mobile implementations. As part of this launch, we are tightening
security around how developers identify their usage of the APIs. You
are receiving this email because you may be affected by this change.
Starting today we have deprecated usage of 'Keys for browser
applications' or 'Browser keys’ with the Google Maps API Web Services.
Developers should instead use ‘Server keys’ with these services. Any
newly created browser keys will not work, but existing browser keys
will continue to work for 90 days starting today. On 2nd December
2015, we will be completely disabling usage of browser keys to access
Google Maps API Web Services, at which point any requests to Google
Maps Web Services APIs using such keys will begin to fail.
Currently, in my HTML I have the following that loads the Google Maps API:
<script src="https://maps.googleapis.com/maps/api/js?v=3&signed_in=false&key=MY_BROWSER_API_KEY&sensor=false"></script>
In another page in the same website, I use the YouTube Data API in the server side to which I feed the SERVER_KEY I obtained from Google Console.
The code looks like:
require_once 'google-api-php-client/src/Google/autoload.php';
$client = new Google_Client();
$client->setDeveloperKey(GOOGLE_API_SERVER_KEY);
$youtube = new Google_Service_YouTube($client);
Yes, all you have to do is change out the key. There are complications with whitelists that may or may not affect people. The whitelists between server and web keys need to be merged. This is a problem if the server does not send outgoing communications from the same IP address every time. For example, for my company, our setup is a group of instances that get dynamically assigned IPs from a public pool. In our case we are going to add an extra network interface.
So a better answer to your question depends on whether you only use the key in a public web page, or if you use it on a server. If you use the key on a server, and the key is connected to a paid Google account for a specific Maps API service, then you will have to figure out the outgoing IP address(es) and add each one to the list.
A lot of people, particularly on shared hosting accounts, have not whitelisted the server IP until now, as it could be hidden and the risk of people pirating the key was minimal. But now, in the next 90 days, a lot of private server keys are going to be publicly exposed when people also have to put the key in their HTML. This will probably mean that there will be a mini migration from shared hosting to more controlled environments, in my opinion.