All posts by admin

How to Automate Code Signing using EV Code Signing Certificate

Motivation

Your software installer (e.g. an EXE or MSI file) is warned by Microsoft Defender. You want to remove the warning so that your users can trust your software.

Solution

You need to sign your software installer using an EV code signing certificate.

Terminologies

SSL certificate is a cryptographic certificate (technically named X.509) issued by a Certificate Authority as a file for encrypting and decrypting data between a client and server.
SSL certificate is usually valid for one domain in 1 year.

Code singing certificate is a cryptographic certificate (technically named X.509) issued by a Certificate Authority as a file for placing a digital signature on a file, program, or software.
Code signing certificate is usually valid for signing file, program or software from 1 year to 3 years.
Code signing certificate does not relate to domain.

EV code signing certificate is a code singing certificate (technically named X.509) that is issued on USB or HSM or Cloud Signing Service (not a file) by a Certificate Authority for placing a digital signature on a file, program, or software to bypass MS Defender warning.
EV code signing certificate is usually valid for signing file, program or software from 1 year to 3 years.
EV code signing certificate does not relate to domain.
When signing file, program or software using an EV code signing beside presence of USB or HSM or Cloud Signing Service an additional one-time password (OTP) is usually required for security.

EV Code Signing Certificate, USB, HSM, and Cloud Code Signing Service

The core part of a certificate is a secret string called private key.
All the certificates have this same core part. The difference is just where this string will be stored.

– This secret string can be stored in a machine/server (standard certificate) and can be exported and imported to other machines/servers, e.g. via PFX files with private keys.

– This secret string can be stored in a USB (this is a requirement for EV certificate). In this case, it can be imported to the USB but then could NOT be exported from the USB and imported to other locations.

– This secret string can be stored in a HSM (hardware security module, usually a physical card with cryptoprocessor chip or a certified virtual machine, USB can be considered a HSM too) (this is a requirement for EV certificate). In this case, it can be imported to the HSM but then could NOT be exported from the HSM and imported to other locations.

– This secret string can be stored in a Cloud Code Signing Service (this is actually a specific certified HSM virtual machine) (this is a requirement for EV certificate). In this case, it can be imported to the Cloud Code Signing Service but then could NOT be exported from the Cloud Code Signing Service and imported to other locations.

If we have 3 physical servers and we use the USB storage approach for EV Code Signing certificate then we need 3 USB sticks (duplicates) that contain the same certificate.

If we use HSM or Cloud Code Signing Service then we just need one HSM or one Cloud Code Signing Service account.

Typical steps to sign code using EV code signing certificate

– Purchase an EV code signing certificate.

– Retrieve the USB containing private key and temporary token password.

– Install software to connect to the USB, e.g. SafeNet Authentication Client, and change the temporary token password.

– Find and copy the SignTool.exe utility from Visual Studio Tools to a location.

– Enable Single Logon feature of SafeNet Authentication Client on Client Settings > Advanced so that we can pass the EV certificate password to SignTool.

– On SafeNet Authentication Client, right click the EV certificate and export the public certificate (.CER file).

– On SafeNet Authentication Client, click the EV certificate and retrieve the key container name of the EV certificate.

– Sign the software installer using the command below.

SignTool sign /f myCert.cer /csp "eToken Base Cryptographic Provider" /k "[{{TokenPasswordHere}}]=KeyContainerNameHere" myFile.msi /tr http://timestamp.digicert.com /td sha256 /fd sha256

– Verify the signing using the command below.

SignTool verify /pa myFile.msi

 

 

How to Fix IIS Express HTTPS Error

Problem:

You have created an ASP.NET web application with HTTPS.

You ran the application on https://localhost:5001 and got the “ERR_CONNECTION_RESET” error.

Solution:

1. Open Command Prompt with admin rights.

2. Type and press Enter

cd "C:\Program Files (x86)\IIS Express"

3. Type and press Enter

IISExpressAdminCmd.exe setupsslUrl -url:https://localhost:5001/ -UseSelfSigned

Change 5001 in the command above to the port you’re trying to use.

 

How to Pronounce Specific Technology Terminologies?

 

 

 

     

    Microservice-Based System

    Motivation:

    You want to use microservice architecture for your system but you are not sure whether your design does follow microservice style.

    You need to explain your microservice-based design to your client or manager.

    You need to evaluate a system against microservice architecture style.

    Information:

    A microservice-based system contains 2 main parts: a user interface and a collection of APIs (or web services or just services).

    [A diagram shall be added here.]

    The user interface can be multiple web pages or single web page or mobile native application or Windows native application.

    The user interface can be implemented using ASP.NET MVC or React or Angular or Android SDK or iOS SDK or even ASP.NET Web Forms or WordPress.

    Each API must have its own database , must be deployed independently of other APIs, can be implemented using preferred technology stack, and should focus on a single business domain.

    Each API database can be a relational database (MS SQL, Oracle, mySQL) or noSQL database (MongoDB, Cassandra).

    These APIs can be implemented using .NET Framework 4.8 or .NET 6 or Spring Boot (Java) or Node.js or Golang or even WordPress.

    These APIs often share an identity provider that in turn is often a specific API too.

    These APIs often share several utilities (e.g. notification service, file service, payment service) that in turn are often specific APIs too.

    These APIs can be grouped into API Gateways for easier authentication and authorization control. The API Gateways can be implemented using using .NET Framework 4.8 or .NET 6 or Spring Boot (Java) or Node.js or Golang or even WordPress.

    These APIs can also share data with one another using a message broker (i.e. message queues). These message queues can be implemented using a relational database (MS SQL, Oracle, mySQL) or noSQL database (MongoDB) or a distributed event streaming platform (Kafka, RabbitMQ).

     

     

    Why Select Microservice Architecture for Your System?

    Motivation:

    You need to decide whether to use microservice architecture for a new system or for modernizing a legacy system.

    Suggestions:

    A. Why select microservice architecture for your new system?

    Reason 1: You want to have several independent development teams.

    Reason 2: You want or your client wants to have a faster and modern UI (i.e. SPA) that is totally decoupled from the other parts of the system.

    Reason 3: You want or your client wants that a part of your system (e.g. user store and authentication) can be shared among or reused by multiple different systems.

    Reason 4: You want or your client wants your system to be able to scale out easily later.

    Reason 5: You want or your client wants that some parts of your system can be revised or extended or replaced easily later.


    B. Why migrate your legacy system to microservice architecture?

    Reason 1: You want to have several independent development teams.

    Reason 2: You want or your client wants to have a faster and modern UI (i.e. SPA) that is totally decoupled from the other parts of the system while the old technologies (like ASP.NET Web Forms or WordPress) cannot provide it.

    Reason 3: You do or your client does have performance or scalability issue with the legacy system.

    Reason 4: You find that is too difficult to add a new feature to the legacy system because it is too complicated.

    Reason 5: You want or your client wants that some parts of your system (e.g. user store and authentication) can be shared among or reused by multiple different systems.

    Reason 6: You want or your client wants your system to be able to scale out easily later.

    Reason 7: You want or your client wants that a part of your system can be revised or extended or replaced easily later.


    C. Here are my suggestions based on estimated development effort and a number of system users.

    For a new small project (3-month effort, less than 1,000 users) I always recommend that we use any simple solution that works (e.g. WordPress, Magento, Salesforce LWC, ABP).

    For a new medium or large project (2-year effort, more than 20,000 users) I recommend that we use a microservice-based and SPA solution.

    For a legacy project I think that we do need a really “good” reason to migrate it to microservice architecture first.

    Maybe your client wants to provide a modern SPA for their users.

    Maybe the number of users grows to 1,000,000 and you do have a performance or scalability issue.

     

    How to Make Windows Use Dedicated Graphics Card

    Problem:

    You have a laptop with 2 graphic cards: one is built-in graphics card (e.g. Intel(R) UHD Graphics), and the other is a dedicated graphics card (e.g. NVIDIA Quadro P520).

    However it seems that Windows does NOT use the dedicated graphics card.

    Verification:

    You can verify this issue by

    1. Opening a video file, then
    2. Opening Task Manager,
    3. Going to Performance tab, and
    4. Checking the percent usage of GPU 0 (i.e. Intel(R) UHD Graphics) and GPU 1 (i.e. NVIDIA Quadro P520).
    Solution:
    1. Open Device Manager and uninstall the dedicated graphics card driver.
    2. Go to https://www.nvidia.com/Download/index.aspx?lang=en-us.
    3. Set Product Series to Quadro Series (Notebooks).
    4. Set Product to Quadro P520.
    5. Set Operating System to Windows 10 64-bit.
    6. Click the SEARCH button.
    7. Download and install the latest driver.
    8. That’s all. Please do let Windows automatically select a graphic processor for a task to avoid potential performance issues.
      Typically Windows only uses a dedicated graphics card for heavy graphics tasks.

     

    How to Remove Automatic Block from Downloaded Files

    Problem:

    After you download a file, you open its Properties and find that it is automatically marked with “This file came from another computer and might be blocked to help protect this computer.” warning and you have to unblock the file manually by selecting the “Unblock” check box.

    Solution:

    1. Open Group Policy Editor (gpedit.msc) as Administrator.

    2. Go to User Configuration > Administrative Templates > Windows Components > Attachments Manager.

    3. Enable Do not preserve zone information in file attachments option.

    What is zone information?

    Zone information is the information about the zone of origin (such as restricted, Internet, intranet, local) of downloaded files.

    By default Windows marks downloaded files with information about their zone of origin (such as restricted, Internet, intranet, local) to make risk assessments in order to warn users when they open or execute files which are marked as being from the Internet or Restricted Sites zone, unless the file’s zone information has been removed.

     

    How to Pose a Software Engineering Research Question?

    Motivation:

    You begin to do software engineering research.
    You want to have a research question.
    You have several ideas but you wonder whether they are good enough for conducting a research.

    Suggestions:

    1. Your question should contain well-defined terms.
    Are you talking about something that everyone mostly agree about its definition and core characteristics.
    For example, are you talking about Microservices, Event Sourcing, Relational Database, NoSQL, Unit Tests, Go Language, Speech Recognition, Speech Synthesis?

    2. Your question should have a purpose and specific audience.
    Why should the audience be interested in your question?
    For example, are they going to upgrade a an event sourcing system? Are they going to apply test automation in our project?
    Do they have specific security issues with their system?
    Have they gotten specific performance issues with their system?
    Are they going to build a new identity management platform for their legacy system?
    Do they need to accelerate the development of a portal for their legacy system?
    Are they going to integrate voice search into their existing system?

    3. Your question should have verifiable answer.
    What are the possible answers to your question? How can we compare these answers.
    What is your concrete answer?
    How can we replicate your answer?
    How can we test your answer against the existing “standards“.

     

     

     

    WordPress Lessons Learned

    Lessons learned 1: Maintenance creep.

    Problem:

    The cost of updating the core, updating plug-ins, and updating integration code for a system built with WordPress is much higher than expected.

    Context:

    WordPress core, its themes and plug-ins can provide a very fast solution by integrating their features. It works best for used for achieving a general solution (for example corporate websites with predefined business processes).

    However their very frequent updates are painful too.

    If we do not apply the updates to the system then we may have risk of potential security issues.

    Therefore the maintenance of a WordPress based system usually takes more effort than systems built using other web frameworks that do not require very frequent updates.

    The problem become worse when we apply the updates to the system and the integration may be broken because of incompatibility among the plug-ins owned by different software providers and WordPress.

    Solution:

    If you have have opportunity of building a system for a client using WordPress and its plug-ins then you should plan a considerable maintenance budget for updating WordPress, specific plug-ins and integration code.

    This lesson learned applies to any system built with a plug-in based architecture (i.e. microkernel architecture) in which the core and plug-ins owned by different software providers.

    Lessons learned 2: Customization creep.

    Problem:

    The cost of integrating a theme with various COTS plugins and integration code for building a system using WordPress is much higher than you expected.

    Context:

    Customizing a WordPress solution for specific business processes takes more effort than using other general web frameworks because we do not have full control of the themes and plug-ins.

    Even we can modify the themes and plug-ins or build new specific plug-ins using PHP and mySQL the solution still depends on WordPress core the architecture of which is not good for domain-specific enterprise systems which often rely much on domain-specific rules that should be isolated from specific infrastructure.

    Solution:

    If you have have opportunity of building a domain-specific system using WordPress and its plug-ins then you should

    • refine business requirements into appropriate user stories or use cases.
    • create an architecture first and evaluate it carefully using various scenarios, and
    • create a poof of concept.

    Lessons learned 3: WordPress and Salesforce integration decision.

    Motivation:

    You need to evaluate options for integrating WordPress with Salesforce so that development and maintenance cost is acceptable.

    Solution:

    IMO an enterprise solution based on Salesforce and WordPress integration may be proposed based on a client’s needs and budget.

    I define a long term project as a project many big enhancements of which will be required after the solution is deployed.

    I define a short term project as a project only some small enhancements of which will be required after the solution is deployed.

    I define an important project as a project the requirements of which must be satisfied exactly as the Client requires.

    I define a flexible project is a project the requirements of which may be implemented not exactly as the Client requires due to constraints of tools.

    If the client needs Salesforce CRM (a must requirement) and they have a big budget then I would recommend that they use Salesforce for file storage and all Salesforce tools (i.e. LWC, community portals) for implementing their own business processes for a long term and important project.

    If the client needs Salesforce CRM (a must requirement) and they have medium budget then I would recommend that they use BOX or DropBox or Sharepoint for file storage and all Salesforce tools (i.e. LWC, community portals) for implementing their own business processes for a long term and important project.

    If the client needs Salesforce CRM (a must requirement) and they have low budget then I would recommend that they use WordPress for file storage and Commercial off-the-shelf (COTS) plug-ins for implementing their own business processes for a short term or “flexible” project.
    In this case, the development effort may be reduced much but the maintenance/enhancement effort may be increased much.

    If the client does NOT really need Salesforce CRM and they have medium budget then I would recommend that they use general frameworks and tools (including WordPress and custom plug-ins) for implementing their own business processes for a long term and important project.
    File storage can be local server or any service.

    If the client  does NOT really need Salesforce CRM and they have low budget then I would recommend that they use WordPress for file storage and WordPress COTS plug-ins for implementing their own business processes for a short term or flexible project.

     

     

     

        When to Use the Definite Article (“The”)

        Specific identity:

        • I’ll have the spinach salad and the mushroom burger.
        • I want to adopt the cat we saw yesterday.
        • I’ll get the kids ready to go outside.

        Grouping:

        • The English and the Italians played in the World Cup.
        • The elderly (older people) have different needs than the young.

        Some countries:

        • the Philippines
        • the Netherlands
        • the United Kingdom
        • the United States

        Instruments:

        • Can you play the guitar?
        • The piano is my favorite instrument.

        Superlative:

        • The first time we met, I knew you were the only one for me.
        • And I knew this would be the last time I’d fall in love.
        • The worst days of my life are behind me now.
        • I want to spend the best part of my life with you.