Add automatic certificate generation for OneUI8

[Epgenix]

@Georift Maybe i'm looking forward to simplify the process described here from @SayantanRC

As after the change to the new OneUI 8 the guidilines how apps are being installed also changed. There is now a "forced" account link between installing wgt packges on Samsung TV's. Although developer mode is active and there should be a flag to ignore certificates.

Ill create a pull request on that to resolve this.

Originally posted by @Epgenix in #51

So i've been working in this for a few hours now (mostly figuring some things out)
This pull request is not tested yet, as i'm facing some issues with the building process of the Docker Image.
Docker is complaining that the version requested for fastapi is not existing. (It is)

I guess there is some work to do to get it up running.
But the idea is here, and maybe someone is picking up on this. I will definitely update this PR with some changes in the coming days.

[RuslanMelnychenko]

I was trying to build the image and take a some issue

[RuslanMelnychenko]

For some reason, the image has python 3.6 and the library uses at least python

[Epgenix]

I encountered the same errors. I don't know how to fix that. Maybe someone else has a answer to that

[Epgenix]

I finally managed to get all things up and running. The last thing to do is to modify the Readme.md file accordingly to my changes. Maybe @Georift could help here.

The new instrucitons to install the package autmatically to any Samsung TV is:

docker run -p 4794:4794 <CONTAINER TAG NAME> --ip <DEVICE IP> --oneui8 --device-id <DEVICE ID> --email <SAME EMAIL AS LOGGED IN ON TV>

Example:

docker run -p 4794:4794 'test' --ip 192.168.1.137 --oneui8 --device-id GU43CU7179UXZG --email [email protected]

Wait until the server starts. The script will check every 5 seconds if the certificates are generated yet. Even if the script is not launched yet. So be patient, until there is a printed feedback from the script.

Open: localhost:4797/auth/start and follow the instructions

[Epgenix]

@Georift Nvm. I refactored the readme file. This pull request is ready for merging.

[Epgenix]

@Georift Are you still maintaining this project? - Cause it looks like that you are very inactive. ^^

[sirlark]

Hi. I pulled this down and built the docker image from the Dockerfile. I'm running the docker image on a headless server, which presents some problems. I can point my laptop browser at headless:7494/auth/start and I get to the first problem. It returns a JSON blob, instead of showing instructions. If I then visit the redirect_url, and log in with my Samsung account, I'm redirected to localhost (which is my laptop, not my headless server). I hacked a bit in the code to change the redirect url to point to my headless server, but then my Samsung login failed. Next I tried doing this via links ssh'd into my headless server, but because the first response is JSON, I had to manually go to the redirect_url again, but again, the Samsung login fails.

[Epgenix]

Actually this is the only thing where i can't actually help. As the generation script that i am using is from tizencertificates

I experienced the same issue with the JSON blob. This occures because docker is not able to open a browser on the host machiene. Therefore you have to manually visit the side. A possible solution to this would be to directly return the redirect_url to the output of the thermal. That would solve the JSON blob thing.

Unfortunately i have to say that i am not responsible for you problem with your headless server, as the original script is not build to be run with a headless server. But we can come together and try to fix it together.

[sirlark]

Ah, no worries. I'd hoped you had a quick answer. I'm going to try and hack at it a bit and see if I can figure it out.

[Epgenix]

If you find a solution i would be happy if you concider implmenting it into my PR

[sirlark]

Hey 👋 I just wanted to let you know that it worked fine directly from my laptop. I'll keep at it from the headless server, but I'm not optimistic. The Samsung page itself doesn't like non-full-browsers, so I don't think I'll get a curl solution (or similar) to work

[Hippaduck]

Running into an issue that I don't see documented in the Readme.

Everything seems to work fine installing with the oneui8 steps but errors at the end with:

install failed[118, -12], reason: Check certificate error : :Invalid format of certificate in signature.:<-2>

[Epgenix]

@Hippaduck
Check if:

• The account that you using to create the certificates and the account that you are logged in with your TV are matching
• All preveous installations of Jellyfin are uninstalled

Are there any other log entrys that could be useful for debugging this issue?

[Hippaduck]

Jellyfin removed when the update happened and I can't find anywhere it may be installed still. The account is the same.
Here is the tail end of the logs

2025-02-15 11:33:30 Certificates not yet generated. Checking again in 5 seconds...
2025-02-15 11:33:34 INFO:     172.17.0.1:53248 - "POST /signin/callback HTTP/1.1" 200 OK
2025-02-15 11:33:35 Certificates generated and linked. CERTIFICATE_PASSWORD set.
2025-02-15 11:33:35 Attempting to sign package using provided certificate
2025-02-15 11:33:36 Author certficate: /certificates/author.p12
2025-02-15 11:33:36 Distributor1 certificate : /certificates/distributor.p12
2025-02-15 11:33:38 Package( /home/developer/Jellyfin.wgt ) is created successfully.
2025-02-15 11:33:39 Attempting to install jellyfin-tizen-builds Jellyfin.wgt from release: 2025-02-09-0632
2025-02-15 11:33:39 Transferring the package...
2025-02-15 11:33:41 Transferred the package: /home/developer/Jellyfin.wgt -> /home/owner/share/tmp/sdk_tools/tmp
2025-02-15 11:33:41 Installing the package...
2025-02-15 11:33:48 --------------------
2025-02-15 11:33:48 Platform log view
2025-02-15 11:33:48 --------------------
2025-02-15 11:33:48 install AprZAARz4r.Jellyfin
2025-02-15 11:33:48 package_path /home/owner/share/tmp/sdk_tools/tmp/Jellyfin.wgt
2025-02-15 11:33:48 app_id[AprZAARz4r.Jellyfin] install start
2025-02-15 11:33:48 app_id[AprZAARz4r.Jellyfin] installing[9]
2025-02-15 11:33:48 app_id[AprZAARz4r.Jellyfin] installing[19]
2025-02-15 11:33:48 app_id[AprZAARz4r.Jellyfin] install failed[118, -12], reason: Check certificate error : :Invalid format of certificate in signature.:<-2>
2025-02-15 11:33:48 spend time for wascmd is [6680]ms
2025-02-15 11:33:48 Failed to install Tizen application.
2025-02-15 11:33:48 Total time: 00:00:09.209

and the command I ran to kick it off

 docker run -p 4794:4794 tizen --ip _tvip_ --oneui8 --device-id _ID_ --email _email_

[Epgenix]

Hmm that is strange. I cannot identify any issues with the nstallation process here. Can you enter the container and check if the p12 certificates are in the right format?

Get into the Containers Shell
Use the bash command to open a functional shell, instead of using the docker one.

Check certs for expery date
The certificates are located under /certificates

[sirlark]

@Hippaduck @Epgenix When I got it to work, I used the email of my Samsung developer Account, not the email of the account signed into to the TV (which is my wife's).

[Epgenix]

Interesting, i never had an Samsung Developer Account, i straightup used my normal Samsung Account.

[Epgenix]

To get the TV id: docker run '<TAG NAME>' --ip <TV IP> --get-device-id docker run 'samsung' --ip 192.168.0.10 --get-device-id

In my case --get-device-id returns the TV model and not the "Unique Device ID". Maybe that's the error.

Interesting, for me it returns the Unique Device ID

[pazz]

Some feedback on this.

• above is a typo in the port #. it should of course be 4794, not 4747.
• some browsers simply won't connect via http any more and have to be configured to do so (modern chrome).
• given that you try to provide a "simple" installer, consider integrating the --get-device-id into the main run: it is unnecessarily convoluted having to find the id via ip, and then type it again. I know the ip, just do it!
• I ran the commands as you suggest above exactly, and ultimately i see (on stdout) that the webser started. However, with no browser I can connect to the suggested url (with ports adjusted).

Certificates not yet generated. Checking again in 5 seconds...
INFO:     Started server process [29]
INFO:     Waiting for application startup.
INFO:     Application startup complete.
INFO:     Uvicorn running on http://0.0.0.0:4794 (Press CTRL+C to quit)
INFO:     127.0.0.1:37488 - "GET /auth/start HTTP/1.1" 200 OK

It is the only container running of this image and there were no complaints on stdedd over port bindings.
I am running docker on debian testing,

Docker version 27.4.1, build b9d17ea

When I run a shell inside the image and run the script directly, I can access the httpserver ultimately from my browser outside the image.
This is clearly a bug.
Saying that "the script works" (on your machine) is besides the point and suggests that you have not considered the possibility of other setups from you own.
No biggie, I appreciate your efforts and am grateful for your support, but suggesting that users are too thick to use your contributions is... not the way to convince people to use your code or demonstrate maturity in software development skills.
Again, thank you for your contribution, I do appreciate it.

The furthest I got was to the point where the script ends with the error

The error 'Check certificate error : :Invalid format of certificate in signature.:<-2>' suggests an issue with the certificate.

that was discussed above. As ther users suggest, there appears to be a workaround with setting certificate passwords somehow. I would very much know how to do this exactly.

Yo say above

The path is not wrong, as the script autmatically creates a symlink on the root directory to the /home/developer/certificates/ folder.

This has not been the case for me, even when I got as far as the certificate format error above. I see that ther is a mkdir in the script, but it appears not to have run as far, and without stopping and printing on stderr. Clearly not as intended. I am happy to help debug but I do not know where to start looking.

Again, thanks everyone!

[manueldev]

To get the TV id: docker run '<TAG NAME>' --ip <TV IP> --get-device-id docker run 'samsung' --ip 192.168.0.10 --get-device-id

In my case --get-device-id returns the TV model and not the "Unique Device ID". Maybe that's the error.

Interesting, for me it returns the Unique Device ID

Maybe other TVs display different data?

root@7ef0e3986a18:~# sdb devices
List of devices attached
192.168.1.84:26101      device          QN55QN90CAGXZS
root@7ef0e3986a18:~# sdb devices | grep -E 'device\s+\w+[-]?\w+' -o | sed 's/device//' - | xargs
QN55QN90CAGXZS

[Epgenix]

@pazz

Where the fuck do you get the 4747 from. There is clearly no typo in any readme file or other comment i gave here. I never mentioned 4747 port. This has to be a issue on your side.

When you have browser issues, just use a different one.

Also your arguement:

Saying that "the script works" (on your machine) is besides the point and suggests that you have not considered the possibility of other setups from you own.

Is clearly invalid, as i tested this script in a CLEAN install inside a Hypervisor Virtual Machiene. So this should work for everyone. And besides that, there were also people who successfuly ran the script.

The the only conclusion is that there must be issues in the environment setup for everyone who is getting some errors.

And also related to the symlink. These paths only get created when the certificate generation is completed successfuly.

And last but not least. Yeah i can implement the --get-device-id into the default execution flow.

[Epgenix]

To get the TV id: docker run '<TAG NAME>' --ip <TV IP> --get-device-id docker run 'samsung' --ip 192.168.0.10 --get-device-id

In my case --get-device-id returns the TV model and not the "Unique Device ID". Maybe that's the error.

Interesting, for me it returns the Unique Device ID

Maybe other TVs display different data?

root@7ef0e3986a18:~# sdb devices
List of devices attached
192.168.1.84:26101      device          QN55QN90CAGXZS
root@7ef0e3986a18:~# sdb devices | grep -E 'device\s+\w+[-]?\w+' -o | sed 's/device//' - | xargs
QN55QN90CAGXZS

Yep that is probably the issue

[pazz]

Where the fuck do you get the 4747 from. There is clearly no typo in any readme file or other comment i gave here. I never mentioned 4747 port. This has to be a issue on your side.

I meant to say "4797". This was clearly a typo on your part: "Then open localhost:4797/auth/start on your browser where docker is running. " and I corrected it in case others stumble upon it.

When you have browser issues, just use a different one.

You misunderstand: I do not have "browser issues", I merely wanted to make you, and others who potentially have related issues, aware that some browsers have this behaviour and it may be a source of issues.

Also your arguement:

Saying that "the script works" (on your machine) is besides the point and suggests that you have not considered the possibility of other setups from you own.

Is clearly invalid, as i tested this script in a CLEAN install inside a Hypervisor Virtual Machiene. So this should work for everyone. And besides that, there were also people who successfuly ran the script.

Again, you've misunderstood: by "other setups" I meant hardware (yes, the TV), the type of developer account or authentification mechanism, and docker versions.

You write "Hypervisor Virtual Machiene". These are words and I know some of them and know that others are probably misspelled. No bother, nobody is perfect.

"there were also people who successfuly ran the script."
Again, the same apparent fallacy I meant to point out above. Just because things "work for me" or "work for some" does not mean they work in all relevant scenarios or for everyone. Consider that there are people who have different parameters than you have.

That said, I do not doubt that there is something "wrong" on my end in the sense that clearly, I did not manage to successfully generate certificates and use them to sign and install stuff. Perhaps this is on me, but again, nobody's perfect. Have a great day.

[Epgenix]

Probably you can try to invoke the tizencertificates script manually and generate a certificate out of it.
Then you could copy these certificates into the docker vm with the appropriate --cert-password argument

The following command could be appended to the docker run command
-v "$(pwd)/author.p12":/certificates/author.p12 -v "$(pwd)/distributor.p12":/certificates/distributor.p12

[pazz]

Great idea! I did something similar by running everything manually inside the image.
In any case, it appears that there is something wrong with the certificate generated, or rather, the current version of my TV's firmware does not accept the such-signed file.

Ultimately, the installation call to tizen fails with

app_id[AprZAARz4r.Jellyfin] install failed[118, -12], reason: Check certificate error : :Invalid certificate chain with certificate in signature.:<-3>

On the webs I could only find solutions via some samsung device manager GUI, which I cannot run on my systems.
I will try this again later and report back in case I am successful with a solution that could be incorporated here or useful to others.
Thanks so far.

[Waseh]

@Epgenix Just want to add that i got your docker image working as well, but did also run across the problem where --get-device-id returns the TV model.
I instead found the device ID on the TV under Menu > Support > About (or something like that) and used that instead which resulted in a successful install. Thank you so much for putting in the work to get this working again.

[Epgenix]

@Epgenix Just want to add that i got your docker image working as well, but did also run across the problem where --get-device-id returns the TV model. I instead found the device ID on the TV under Menu > Support > About (or something like that) and used that instead which resulted in a successful install. Thank you so much for putting in the work to get this working again.

Wow that is really interesting. The --get-device-id works for me without any problems. But i am happy to heat that the script works.

[andrepue]

@Epgenix Just want to add that i got your docker image working as well, but did also run across the problem where --get-device-id returns the TV model. I instead found the device ID on the TV under Menu > Support > About (or something like that) and used that instead which resulted in a successful install. Thank you so much for putting in the work to get this working again.

Hi,

I almost got crazy with this. I had the same issue. After getting the image running, finding the correct Address for the certificate server localhost:4794/auth/start I always received the certificate error during installation. The Solution was indeed that I got shown only the Device model, not the Unique Device ID. Finally I got it running using the correct device ID.

I really want to thank everybody here who provided the solution. Now Jellyfin is working again, after two month of waiting.

[Epgenix]

I updated the readme accordingly

[drifter75]

@pazz , I was getting the same invalid certificate error. check if you are using "Unique ID" or "Unique Device ID". It's the Unique Device ID you need to use. finally it worked for me.

@andrepue , thank you.

[pazz]

@drifter75 thanks for the tip.
I did get this to work ultimately, and yes, one hickup for me has been finding the "Unique ID" through the device settings as the sdb-based script suggested here simply does not list that id.
The other issue was that I had to use a samsung account that was not connected to a gmail address authenticated via OAuth. I ended up creating a new email and samsung account, then made them into a developer account, which then worked for me. Bit of a rollercoaster this.

[helenclarko]

Maybe I'm just dumb but I get this error:

Attempting to install jellyfin-tizen-builds Jellyfin.wgt from release: 2025-04-03-1529
There is no package with named Jellyfin.wgt.
[Fail] Fail install. There is the problem about package.
Total time: 00:00:00.299

Edit: When the TV is free again I'm going to try adding the "jellyfin-master https://github.com/jeppevinkel/jellyfin-tizen-builds/releases/tag/2025-03-25-2029" flag

EDIT2:

Running this worked:

docker run -p 4794:4794 "samsung" --ip 192.168.0.6 --build jellyfin --tag https://github.com/jeppevinkel/jellyfin-tizen-builds/releases/tag/2025-03-25-2029 --oneui8 --device-id 43CFVOONZWD7K --email [email protected] 

[Epgenix]

Maybe I'm just dumb but I get this error:

Attempting to install jellyfin-tizen-builds Jellyfin.wgt from release: 2025-04-03-1529
There is no package with named Jellyfin.wgt.
[Fail] Fail install. There is the problem about package.
Total time: 00:00:00.299

Edit: When the TV is free again I'm going to try adding the "jellyfin-master https://github.com/jeppevinkel/jellyfin-tizen-builds/releases/tag/2025-03-25-2029" flag

EDIT2:

Running this worked:

docker run -p 4794:4794 "samsung" --ip 192.168.0.6 --build jellyfin --tag https://github.com/jeppevinkel/jellyfin-tizen-builds/releases/tag/2025-03-25-2029 --oneui8 --device-id 43CFVOONZWD7K --email [email protected] 

Great, love to see that it woked. Are there any other problems that are related to this script. Any improvement requests to the readme file, or is everything fine?

[tsoulard]

Just thought i'd chime in as there was some strange behaviour when i attempted this on my PC with some out of memory exceptions adding --ulimit nofile=122880:122880 -m 3G to just after the run command resolved the issue and allowed the process to complete without issue

[ketsapiwiq]

Hi, I just wanna say thank you so much for your work, I updated and thought I'd never see Jellyfin Tizen again, it worked after figuring out the unique device ID number (edit: different from unique ID! see below)

If you're in a hurry (and you trust me ;) ), I prebuilt and uploaded the docker image here:
ghcr.io/ketsapiwiq/install-jellyfin-tizen-oneui8

3 little notes:

• maybe it should be clearer how to get the "unique device id", here's a link to the official doc (which is quite complete for once): https://www.samsung.com/au/support/tv-audio-video/find-serial-number-in-tv-menu/
  In this screen, it's the last id (P7...):
  
• really minor: the script in my case shows an error even though it succeeded (and in my frustration I even overlooked it at first):

app_id[AprZAARz4r.Jellyfin] install completed
spend time for wascmd is [11503]ms
Installed the package: Id(AprZAARz4r.Jellyfin)
Tizen application is successfully installed.
Total time: 00:00:18.844

Possible fix for certificate error:
The error 'Check certificate error : :Invalid format of certificate in signature.:<-2>' suggests an issue with the certificate.
[...]

• in instructions, that whole 1. Open: http://localhost:4794/auth/start" and then 2. "click on login_url URL", and 3. login with Samsung account part could be a bit clearer (tiny detail once again).

[jesusvallez]

I have the same problem:
install failed[118, -12], reason: Check certificate error : :Invalid format of certificate in signature.:<-2>

Steps:

• git clone https://github.com/Epgenix/install-jellyfin-tizen epgenix
• cd epgenix
• git clone https://github.com/sreyemnayr/tizencertificates.git
• cd ..
• docker build -t samsung:latest .

...
 => exporting to image                                                                                                                                                                                                                       0.0s
 => => exporting layers                                                                                                                                                                                                                      0.0s
 => => writing image sha256:2abc987781ae56a5b790b4101ed44487b1afd0588b7e9c4345394b0e8b231d7a                                                                                                                                                 0.0s
 => => naming to docker.io/library/samsung:latest                                                                                                                                                                                       0.0s

View build details: docker-desktop://dashboard/build/desktop-linux/desktop-linux/wiohxjybt216cmbq1rbelmze3

2 warnings found (use docker --debug to expand):
 - InvalidBaseImagePlatform: Base image vitalets/tizen-webos-sdk was pulled with platform "linux/amd64", expected "linux/arm64" for current build (line 1)
 - SecretsUsedInArgOrEnv: Do not use ARG or ENV instructions for sensitive data (ENV "CERT_PASSWORD") (line 27)

Run the command:

• docker run -p 4794:4794 --platform linux/amd64 samsung:latest --ip 192.168.1.136 --oneui8 --device-id HKL57YIXXXXXX --email [email protected]

Python WARNING
...
WARNING: Running pip as the 'root' user can result in broken permissions and conflicting behaviour with the system package manager, possibly rendering your system unusable. It is recommended to use a virtual environment instead: https://pip.pypa.io/warnings/venv. Use the --root-user-action option if you know what you are doing and want to suppress this warning.
Certificate generation server started.  Waiting for certificates to be generated...
Certificates not yet generated. Checking again in 5 seconds...
Certificates not yet generated. Checking again in 5 seconds...
Certificates not yet generated. Checking again in 5 seconds...
INFO:     Started server process [23]
INFO:     Waiting for application startup.
INFO:     Application startup complete.
INFO:     Uvicorn running on http://0.0.0.0:4794 (Press CTRL+C to quit)
INFO:     127.0.0.1:41098 - "GET /auth/start HTTP/1.1" 200 OK

Open: http://localhost:4794/auth/start
returns json like:

{
  "login_url": "https://account.samsung.com/mobile/account/check.do?serviceID=v285.....&actionID=StartOAuth2&accessToken=Y&redirect_uri=http://localhost:4794/signin/callback",
  "service_id": "v285.....",
  "redirect_uri": "http://localhost:4794/signin/callback",
  "state": "w3VMS_Q-2M...."
}

I navigate to: https://account.samsung.com/mobile/account/check.do?serviceID=v285.....&actionID=StartOAuth2&accessToken=Y&redirect_uri=http://localhost:4794/signin/callback

Login and:

ertificates not yet generated. Checking again in 5 seconds...
INFO:     172.17.0.1:59728 - "POST /signin/callback HTTP/1.1" 200 OK
Certificates generated and linked. CERTIFICATE_PASSWORD set.
Attempting to sign package using provided certificate
INFO:     Shutting down
INFO:     Waiting for application shutdown.
INFO:     Application shutdown complete.
INFO:     Finished server process [29]
Author certficate: /certificates/author.p12
Distributor1 certificate : /certificates/distributor.p12
Package( /home/developer/Jellyfin.wgt ) is created successfully.
/home/developer/entrypoint.sh: line 160:    29 Terminated              python cert_server.py --tv --device-id="$DEVICE_ID" --email="$EMAIL"
Attempting to install jellyfin-tizen-builds Jellyfin.wgt from release: 2025-05-02-1034
Transferring the package...
Transferred the package: /home/developer/Jellyfin.wgt -> /home/owner/share/tmp/sdk_tools/tmp
Installing the package...
--------------------
Platform log view
--------------------
install AprZAARz4r.Jellyfin
package_path /home/owner/share/tmp/sdk_tools/tmp/Jellyfin.wgt
app_id[AprZAARz4r.Jellyfin] install start
app_id[AprZAARz4r.Jellyfin] installing[9]
app_id[AprZAARz4r.Jellyfin] installing[19]
app_id[AprZAARz4r.Jellyfin] install failed[118, -12], reason: Check certificate error : :Invalid format of certificate in signature.:<-2>
spend time for wascmd is [5208]ms
Failed to install Tizen application.
Total time: 00:00:08.221

Possible fix for certificate error:
The error 'Check certificate error : :Invalid format of certificate in signature.:<-2>' suggests an issue with the certificate.
1. Verify your CERTIFICATE_PASSWORD is correct, if used.
2. Ensure the certificates in /certificates/author.p12 and /certificates/distributor.p12 are valid.
3. If using OneUI8 mode, make sure the certificate generation process completed successfully.
4. Try regenerating the certificates. If you are using the cert_server.py script, double check the device-id and email are correct

[sreyemnayr]

See if running the latest version of the cert generator directly works? There are some adjustments to accommodate a different OpenSSL version in this repo that might cause the certs to fail. Really the vitalets image needs some updates, maybe when I get some extra time I can knock that out.

…

On Fri, May 2, 2025 at 11:34 AM jesusvallez ***@***.***> wrote: *jesusvallez* left a comment (Georift/install-jellyfin-tizen#65) <#65 (comment)> I have the same problem: install failed[118, -12], reason: Check certificate error : :Invalid format of certificate in signature.:<-2> Steps: - git clone https://github.com/Epgenix/install-jellyfin-tizen epgenix - cd epgenix - git clone https://github.com/sreyemnayr/tizencertificates.git - cd .. - docker build -t samsung:latest . ... => exporting to image 0.0s => => exporting layers 0.0s => => writing image sha256:2abc987781ae56a5b790b4101ed44487b1afd0588b7e9c4345394b0e8b231d7a 0.0s => => naming to docker.io/library/samsung:latest 0.0s View build details: docker-desktop://dashboard/build/desktop-linux/desktop-linux/wiohxjybt216cmbq1rbelmze3 2 warnings found (use docker --debug to expand): - InvalidBaseImagePlatform: Base image vitalets/tizen-webos-sdk was pulled with platform "linux/amd64", expected "linux/arm64" for current build (line 1) - SecretsUsedInArgOrEnv: Do not use ARG or ENV instructions for sensitive data (ENV "CERT_PASSWORD") (line 27) Run the command: - docker run -p 4794:4794 --platform linux/amd64 samsung:latest --ip 192.168.1.136 --oneui8 --device-id HKL57YIXXXXXX --email ***@***.*** Python WARNING ... WARNING: Running pip as the 'root' user can result in broken permissions and conflicting behaviour with the system package manager, possibly rendering your system unusable. It is recommended to use a virtual environment instead: https://pip.pypa.io/warnings/venv. Use the --root-user-action option if you know what you are doing and want to suppress this warning. Certificate generation server started. Waiting for certificates to be generated... Certificates not yet generated. Checking again in 5 seconds... Certificates not yet generated. Checking again in 5 seconds... Certificates not yet generated. Checking again in 5 seconds... INFO: Started server process [23] INFO: Waiting for application startup. INFO: Application startup complete. INFO: Uvicorn running on http://0.0.0.0:4794 (Press CTRL+C to quit) INFO: 127.0.0.1:41098 - "GET /auth/start HTTP/1.1" 200 OK Open: http://localhost:4794/auth/start returns json like: { "login_url": "https://account.samsung.com/mobile/account/check.do?serviceID=v285.....&actionID=StartOAuth2&accessToken=Y&redirect_uri=http://localhost:4794/signin/callback", "service_id": "v285.....", "redirect_uri": "http://localhost:4794/signin/callback", "state": "w3VMS_Q-2M...." } I navigate to: https://account.samsung.com/mobile/account/check.do?serviceID=v285.....&actionID=StartOAuth2&accessToken=Y&redirect_uri=http://localhost:4794/signin/callback Login and: ertificates not yet generated. Checking again in 5 seconds... INFO: 172.17.0.1:59728 - "POST /signin/callback HTTP/1.1" 200 OK Certificates generated and linked. CERTIFICATE_PASSWORD set. Attempting to sign package using provided certificate INFO: Shutting down INFO: Waiting for application shutdown. INFO: Application shutdown complete. INFO: Finished server process [29] Author certficate: /certificates/author.p12 Distributor1 certificate : /certificates/distributor.p12 Package( /home/developer/Jellyfin.wgt ) is created successfully. /home/developer/entrypoint.sh: line 160: 29 Terminated python cert_server.py --tv --device-id="$DEVICE_ID" --email="$EMAIL" Attempting to install jellyfin-tizen-builds Jellyfin.wgt from release: 2025-05-02-1034 Transferring the package... Transferred the package: /home/developer/Jellyfin.wgt -> /home/owner/share/tmp/sdk_tools/tmp Installing the package... -------------------- Platform log view -------------------- install AprZAARz4r.Jellyfin package_path /home/owner/share/tmp/sdk_tools/tmp/Jellyfin.wgt app_id[AprZAARz4r.Jellyfin] install start app_id[AprZAARz4r.Jellyfin] installing[9] app_id[AprZAARz4r.Jellyfin] installing[19] app_id[AprZAARz4r.Jellyfin] install failed[118, -12], reason: Check certificate error : :Invalid format of certificate in signature.:<-2> spend time for wascmd is [5208]ms Failed to install Tizen application. Total time: 00:00:08.221 Possible fix for certificate error: The error 'Check certificate error : :Invalid format of certificate in signature.:<-2>' suggests an issue with the certificate. 1. Verify your CERTIFICATE_PASSWORD is correct, if used. 2. Ensure the certificates in /certificates/author.p12 and /certificates/distributor.p12 are valid. 3. If using OneUI8 mode, make sure the certificate generation process completed successfully. 4. Try regenerating the certificates. If you are using the cert_server.py script, double check the device-id and email are correct — Reply to this email directly, view it on GitHub <#65 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ACBJQTVDEIDZV7AUX5246R324ONBDAVCNFSM6AAAAABWKPKARSVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDQNBXGY2DIMZTHA> . You are receiving this because you commented.Message ID: ***@***.***>

[jesusvallez]

See if running the latest version of the cert generator directly works? There are some adjustments to accommodate a different OpenSSL version in this repo that might cause the certs to fail. Really the vitalets image needs some updates, maybe when I get some extra time I can knock that out.

It seems to work perfectly. The only difference I see is that when I run the project it doesn't return a JSON but it does redirect me without having to copy and paste the login_url

[sreyemnayr]

Yeah it’s meant to automate the whole process. There’s a legacy flag that Georift’s solution here removes from the certificate creation command (due to the version of OpenSSL that is default in the existing docker base image) which seems to be required to generate the certs for some use cases.

…

On Fri, May 2, 2025 at 12:41 PM jesusvallez ***@***.***> wrote: *jesusvallez* left a comment (Georift/install-jellyfin-tizen#65) <#65 (comment)> See if running the latest version of the cert generator directly works? There are some adjustments to accommodate a different OpenSSL version in this repo that might cause the certs to fail. Really the vitalets image needs some updates, maybe when I get some extra time I can knock that out. It seems to work perfectly. The only difference I see is that when I run the project it doesn't return a JSON but it does redirect me without having to copy and paste the login_url — Reply to this email directly, view it on GitHub <#65 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ACBJQTVYMFL77NIUFUDAKJL24OU6HAVCNFSM6AAAAABWKPKARSVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDQNBXG43DCOBTGA> . You are receiving this because you commented.Message ID: ***@***.***>

[jesusvallez]

I have the same problem: install failed[118, -12], reason: Check certificate error : :Invalid format of certificate in signature.:<-2>

Steps:

• git clone https://github.com/Epgenix/install-jellyfin-tizen epgenix
• cd epgenix
• git clone https://github.com/sreyemnayr/tizencertificates.git
• cd ..
• docker build -t samsung:latest .

...
 => exporting to image                                                                                                                                                                                                                       0.0s
 => => exporting layers                                                                                                                                                                                                                      0.0s
 => => writing image sha256:2abc987781ae56a5b790b4101ed44487b1afd0588b7e9c4345394b0e8b231d7a                                                                                                                                                 0.0s
 => => naming to docker.io/library/samsung:latest                                                                                                                                                                                       0.0s

View build details: docker-desktop://dashboard/build/desktop-linux/desktop-linux/wiohxjybt216cmbq1rbelmze3

2 warnings found (use docker --debug to expand):
 - InvalidBaseImagePlatform: Base image vitalets/tizen-webos-sdk was pulled with platform "linux/amd64", expected "linux/arm64" for current build (line 1)
 - SecretsUsedInArgOrEnv: Do not use ARG or ENV instructions for sensitive data (ENV "CERT_PASSWORD") (line 27)

Run the command:

• docker run -p 4794:4794 --platform linux/amd64 samsung:latest --ip 192.168.1.136 --oneui8 --device-id HKL57YIXXXXXX --email [email protected]

Python WARNING
...
WARNING: Running pip as the 'root' user can result in broken permissions and conflicting behaviour with the system package manager, possibly rendering your system unusable. It is recommended to use a virtual environment instead: https://pip.pypa.io/warnings/venv. Use the --root-user-action option if you know what you are doing and want to suppress this warning.
Certificate generation server started.  Waiting for certificates to be generated...
Certificates not yet generated. Checking again in 5 seconds...
Certificates not yet generated. Checking again in 5 seconds...
Certificates not yet generated. Checking again in 5 seconds...
INFO:     Started server process [23]
INFO:     Waiting for application startup.
INFO:     Application startup complete.
INFO:     Uvicorn running on http://0.0.0.0:4794 (Press CTRL+C to quit)
INFO:     127.0.0.1:41098 - "GET /auth/start HTTP/1.1" 200 OK

Open: http://localhost:4794/auth/start returns json like:

{
  "login_url": "https://account.samsung.com/mobile/account/check.do?serviceID=v285.....&actionID=StartOAuth2&accessToken=Y&redirect_uri=http://localhost:4794/signin/callback",
  "service_id": "v285.....",
  "redirect_uri": "http://localhost:4794/signin/callback",
  "state": "w3VMS_Q-2M...."
}

I navigate to: https://account.samsung.com/mobile/account/check.do?serviceID=v285.....&actionID=StartOAuth2&accessToken=Y&redirect_uri=http://localhost:4794/signin/callback

Login and:

ertificates not yet generated. Checking again in 5 seconds...
INFO:     172.17.0.1:59728 - "POST /signin/callback HTTP/1.1" 200 OK
Certificates generated and linked. CERTIFICATE_PASSWORD set.
Attempting to sign package using provided certificate
INFO:     Shutting down
INFO:     Waiting for application shutdown.
INFO:     Application shutdown complete.
INFO:     Finished server process [29]
Author certficate: /certificates/author.p12
Distributor1 certificate : /certificates/distributor.p12
Package( /home/developer/Jellyfin.wgt ) is created successfully.
/home/developer/entrypoint.sh: line 160:    29 Terminated              python cert_server.py --tv --device-id="$DEVICE_ID" --email="$EMAIL"
Attempting to install jellyfin-tizen-builds Jellyfin.wgt from release: 2025-05-02-1034
Transferring the package...
Transferred the package: /home/developer/Jellyfin.wgt -> /home/owner/share/tmp/sdk_tools/tmp
Installing the package...
--------------------
Platform log view
--------------------
install AprZAARz4r.Jellyfin
package_path /home/owner/share/tmp/sdk_tools/tmp/Jellyfin.wgt
app_id[AprZAARz4r.Jellyfin] install start
app_id[AprZAARz4r.Jellyfin] installing[9]
app_id[AprZAARz4r.Jellyfin] installing[19]
app_id[AprZAARz4r.Jellyfin] install failed[118, -12], reason: Check certificate error : :Invalid format of certificate in signature.:<-2>
spend time for wascmd is [5208]ms
Failed to install Tizen application.
Total time: 00:00:08.221

Possible fix for certificate error:
The error 'Check certificate error : :Invalid format of certificate in signature.:<-2>' suggests an issue with the certificate.
1. Verify your CERTIFICATE_PASSWORD is correct, if used.
2. Ensure the certificates in /certificates/author.p12 and /certificates/distributor.p12 are valid.
3. If using OneUI8 mode, make sure the certificate generation process completed successfully.
4. Try regenerating the certificates. If you are using the cert_server.py script, double check the device-id and email are correct

okey... My bad... Thanks to ketsapiwiq
Thanks to your image I realized that I was copying the wrong ID.
Unique ID is not the same as Unique devide ID

Works perfectly... Thanks you all!

[andreasntr]

@Epgenix i get a 500 error when hitting the login link, is this approach still working?

detail 500: Command failed: curl -v -X POST [https://dev.tizen.samsung.com:443/apis/v2/authors](https://dev.tizen.samsung.com/apis/v2/authors) -H "Authorization: Bearer ..." -F access_token=... -F user_id=... -F platform=VD -F [email protected] --output author.crt\nError: Note: Unnecessary use of -X or --request, POST is already inferred.\n % Total % Received % Xferd Average Speed Time Time Time Current\n Dload Upload Total Spent Left Speed\n\n 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* Trying 112.106.187.16...\n* TCP_NODELAY set\n* connect to 112.106.187.16 port 443 failed: Connection refused\n* Failed to connect to dev.tizen.samsung.com port 443: Connection refused\n* Closing connection 0\ncurl: (7) Failed to connect to dev.tizen.samsung.com port 443: Connection refused\n

[sreyemnayr]

FYI, I published an update to the tizencertificates repo this morning that sorts out the issues caused by samsung replacing the endpoints for the distributor/authors apis.

[andreasntr]

FYI, I published an update to the tizencertificates repo this morning that sorts out the issues caused by samsung replacing the endpoints for the distributor/authors apis.

This works, i pushed some changes to @Epgenix 's repo so that your new code structure can be used smoothly

Thank you very much

[Georift]

Just cropping back up to say I appreciate all the work put in on this PR @Epgenix, I'm not across the certificate generation requirements as my TV didn't require it. But I'll look to test this and @andreasntr's PR and I hope we can get something merged soon.