Add automatic certificate generation for OneUI8

[Epgenix]

@Georift Maybe i'm looking forward to simplify the process described here from @SayantanRC

As after the change to the new OneUI 8 the guidilines how apps are being installed also changed. There is now a "forced" account link between installing wgt packges on Samsung TV's. Although developer mode is active and there should be a flag to ignore certificates.

Ill create a pull request on that to resolve this.

Originally posted by @Epgenix in #51

So i've been working in this for a few hours now (mostly figuring some things out)
This pull request is not tested yet, as i'm facing some issues with the building process of the Docker Image.
Docker is complaining that the version requested for fastapi is not existing. (It is)

I guess there is some work to do to get it up running.
But the idea is here, and maybe someone is picking up on this. I will definitely update this PR with some changes in the coming days.

[RuslanMelnychenko]

I was trying to build the image and take a some issue

[RuslanMelnychenko]

For some reason, the image has python 3.6 and the library uses at least python

[Epgenix]

I encountered the same errors. I don't know how to fix that. Maybe someone else has a answer to that

[Epgenix]

I finally managed to get all things up and running. The last thing to do is to modify the Readme.md file accordingly to my changes. Maybe @Georift could help here.

The new instrucitons to install the package autmatically to any Samsung TV is:

docker run -p 4794:4794 <CONTAINER TAG NAME> --ip <DEVICE IP> --oneui8 --device-id <DEVICE ID> --email <SAME EMAIL AS LOGGED IN ON TV>

Example:

docker run -p 4794:4794 'test' --ip 192.168.1.137 --oneui8 --device-id GU43CU7179UXZG --email [email protected]

Wait until the server starts. The script will check every 5 seconds if the certificates are generated yet. Even if the script is not launched yet. So be patient, until there is a printed feedback from the script.

Open: localhost:4797/auth/start and follow the instructions

[Epgenix]

@Georift Nvm. I refactored the readme file. This pull request is ready for merging.

[Epgenix]

@Georift Are you still maintaining this project? - Cause it looks like that you are very inactive. ^^

[sirlark]

Hi. I pulled this down and built the docker image from the Dockerfile. I'm running the docker image on a headless server, which presents some problems. I can point my laptop browser at headless:7494/auth/start and I get to the first problem. It returns a JSON blob, instead of showing instructions. If I then visit the redirect_url, and log in with my Samsung account, I'm redirected to localhost (which is my laptop, not my headless server). I hacked a bit in the code to change the redirect url to point to my headless server, but then my Samsung login failed. Next I tried doing this via links ssh'd into my headless server, but because the first response is JSON, I had to manually go to the redirect_url again, but again, the Samsung login fails.

[Epgenix]

Actually this is the only thing where i can't actually help. As the generation script that i am using is from tizencertificates

I experienced the same issue with the JSON blob. This occures because docker is not able to open a browser on the host machiene. Therefore you have to manually visit the side. A possible solution to this would be to directly return the redirect_url to the output of the thermal. That would solve the JSON blob thing.

Unfortunately i have to say that i am not responsible for you problem with your headless server, as the original script is not build to be run with a headless server. But we can come together and try to fix it together.

[sirlark]

Ah, no worries. I'd hoped you had a quick answer. I'm going to try and hack at it a bit and see if I can figure it out.

[Epgenix]

If you find a solution i would be happy if you concider implmenting it into my PR

[sirlark]

Hey 👋 I just wanted to let you know that it worked fine directly from my laptop. I'll keep at it from the headless server, but I'm not optimistic. The Samsung page itself doesn't like non-full-browsers, so I don't think I'll get a curl solution (or similar) to work

[Hippaduck]

Running into an issue that I don't see documented in the Readme.

Everything seems to work fine installing with the oneui8 steps but errors at the end with:

install failed[118, -12], reason: Check certificate error : :Invalid format of certificate in signature.:<-2>

[Epgenix]

@Hippaduck
Check if:

• The account that you using to create the certificates and the account that you are logged in with your TV are matching
• All preveous installations of Jellyfin are uninstalled

Are there any other log entrys that could be useful for debugging this issue?

[Hippaduck]

Jellyfin removed when the update happened and I can't find anywhere it may be installed still. The account is the same.
Here is the tail end of the logs

2025-02-15 11:33:30 Certificates not yet generated. Checking again in 5 seconds...
2025-02-15 11:33:34 INFO:     172.17.0.1:53248 - "POST /signin/callback HTTP/1.1" 200 OK
2025-02-15 11:33:35 Certificates generated and linked. CERTIFICATE_PASSWORD set.
2025-02-15 11:33:35 Attempting to sign package using provided certificate
2025-02-15 11:33:36 Author certficate: /certificates/author.p12
2025-02-15 11:33:36 Distributor1 certificate : /certificates/distributor.p12
2025-02-15 11:33:38 Package( /home/developer/Jellyfin.wgt ) is created successfully.
2025-02-15 11:33:39 Attempting to install jellyfin-tizen-builds Jellyfin.wgt from release: 2025-02-09-0632
2025-02-15 11:33:39 Transferring the package...
2025-02-15 11:33:41 Transferred the package: /home/developer/Jellyfin.wgt -> /home/owner/share/tmp/sdk_tools/tmp
2025-02-15 11:33:41 Installing the package...
2025-02-15 11:33:48 --------------------
2025-02-15 11:33:48 Platform log view
2025-02-15 11:33:48 --------------------
2025-02-15 11:33:48 install AprZAARz4r.Jellyfin
2025-02-15 11:33:48 package_path /home/owner/share/tmp/sdk_tools/tmp/Jellyfin.wgt
2025-02-15 11:33:48 app_id[AprZAARz4r.Jellyfin] install start
2025-02-15 11:33:48 app_id[AprZAARz4r.Jellyfin] installing[9]
2025-02-15 11:33:48 app_id[AprZAARz4r.Jellyfin] installing[19]
2025-02-15 11:33:48 app_id[AprZAARz4r.Jellyfin] install failed[118, -12], reason: Check certificate error : :Invalid format of certificate in signature.:<-2>
2025-02-15 11:33:48 spend time for wascmd is [6680]ms
2025-02-15 11:33:48 Failed to install Tizen application.
2025-02-15 11:33:48 Total time: 00:00:09.209

and the command I ran to kick it off

 docker run -p 4794:4794 tizen --ip _tvip_ --oneui8 --device-id _ID_ --email _email_

[Epgenix]

Hmm that is strange. I cannot identify any issues with the nstallation process here. Can you enter the container and check if the p12 certificates are in the right format?

Get into the Containers Shell
Use the bash command to open a functional shell, instead of using the docker one.

Check certs for expery date
The certificates are located under /certificates

[sirlark]

@Hippaduck @Epgenix When I got it to work, I used the email of my Samsung developer Account, not the email of the account signed into to the TV (which is my wife's).

[Epgenix]

Interesting, i never had an Samsung Developer Account, i straightup used my normal Samsung Account.

[fightingsleep]

@Epgenix Dumb question, where do I get the device-id from? Is that the hostname of the TV? Might be worth putting in the readme

[Epgenix]

The problem was my Git configuration on Windows. The first option was set. This changed the files to CRLF. The second option is ideal to keep everything in LF.

Now the problem is different. I get the invalid format error. I use the same email as Samsung developer and the one registered on the TV.

git clone https://github.com/Epgenix/install-jellyfin-tizen.git
cd install-jellyfin-tizen
git submodule update --init
docker build -t samsung .
docker run --rm -p 4794:4794 "samsung" --ip 192.168.1.84 --oneui8 --device-id [TV_ID] --email [mail]@gmail.com

app_id[AprZAARz4r.Jellyfin] install failed[118, -12], reason: Check certificate error : :Invalid format of certificate in signature.:<-2>
spend time for wascmd is [7005]ms
Failed to install Tizen application.
Total time: 00:00:11.223

Hmm seems to be the same issue as @Hippaduck had. Could you please check this Error and this one out.

[Epgenix]

@Epgenix Dumb question, where do I get the device-id from? Is that the hostname of the TV? Might be worth putting in the readme

Ill rewrite th script oo that with --get-device-id the id is returned

[Epgenix]

The script improvements are ready. Let me know what you all think of this. Please feel free fo reach out if any errors occur.

[manueldev]

--get-device-id It gives me the model code of the TV. Is this correct?

Attempting to connect to Samsung TV at IP address 192.168.1.84
* Server is not running. Start it now on port 26099 *
* Server has started successfully *
connecting to 192.168.1.84:26101 ...
connected to 192.168.1.84:26101
Device ID: QN55QN90CAGXZS

I was able to complete the installation without any problems using the "Unique Device ID" value.

Installing the package...
--------------------
Platform log view
--------------------
install AprZAARz4r.Jellyfin
package_path /home/owner/share/tmp/sdk_tools/tmp/Jellyfin.wgt
app_id[AprZAARz4r.Jellyfin] install start
app_id[AprZAARz4r.Jellyfin] installing[9]
app_id[AprZAARz4r.Jellyfin] installing[19]
app_id[AprZAARz4r.Jellyfin] installing[29]
app_id[AprZAARz4r.Jellyfin] installing[39]
app_id[AprZAARz4r.Jellyfin] installing[48]
app_id[AprZAARz4r.Jellyfin] installing[58]
app_id[AprZAARz4r.Jellyfin] installing[68]
app_id[AprZAARz4r.Jellyfin] installing[78]
app_id[AprZAARz4r.Jellyfin] installing[87]
app_id[AprZAARz4r.Jellyfin] installing[97]
app_id[AprZAARz4r.Jellyfin] installing[100]
app_id[AprZAARz4r.Jellyfin] install completed
spend time for wascmd is [8190]ms
Installed the package: Id(AprZAARz4r.Jellyfin)
Tizen application is successfully installed.
Total time: 00:00:12.455

Possible fix for certificate error:
The error 'Check certificate error : :Invalid format of certificate in signature.:<-2>' suggests an issue with the certificate.
1. Verify your CERTIFICATE_PASSWORD is correct, if used.
2. Ensure the certificates in /certificates/author.p12 and /certificates/distributor.p12 are valid.
3. If using OneUI8 mode, make sure the certificate generation process completed successfully.
4. Try regenerating the certificates. If you are using the cert_server.py script, double check the device-id and email are correct

To avoid problems the correct value is: "Unique Device ID".
It is not "Model code", "Unique ID", or "Serial Number".

[Epgenix]

Also if any issues occur check this out

[Hippaduck]

Not sure if anyone is still stuck with the :Invalid format of certificate in signature.:<-2> error but I was able to get around it setting a password on the generated certificates.

[Epgenix]

Yeah that's probably also a thing that you want to do. As the default password is just a default password that i entered.

[Georift]

Hi @Epgenix thanks for the PR. I'll try get some time to get this merged this weekend.

[pazz]

I have an issue with the script hanging at

Certificates not yet generated. Checking again in 5 seconds...

I doubt that this should take more than 20mins right?

as instructed above, I entered the shell on the image and checked out /certificates.
This directory does not exist on the running image.

The stdout/stderr produced by your scipt does not appear to complain about missing certificates so far.
Any ideas?
Thanks

[Epgenix]

Please notice that the -p 4794:4794 argument on the docker run command is the most important. As this opens the port for the certificate generation server. After that it can take up to a minute for the cert gen server to start.

[Epgenix]

It's quiet intesresting that so many people experience different problems with the script. For me it just works out of the box.
Sure there were a few problems related to the LF/CRLF escape characters, but all of them have been fixed.

Probably you guys should really take a good look at the .md file and follow the instructions. If there are still some errors you can always message me on this. But most of these issues were just related to that you're were not following the instrucitons properly i guess.

[pazz]

To follow up on the above: I did start the docker command with the -p option.

docker run -p 4794:4794 --rm jellyfin-installer --ip TV-IP --oneui8 --device-id DEVICE-ID-AS-REPORTED-By-YOUR-SCRIPT --email [email protected]

calling top in the shell on the image reports that there are only two processes running: top and bash. So I take it it makes no sense to wait for certificate generation then?

[Epgenix]

Hmmm. Could you probably add me on discord so i could take a close look at the hanging script. My discord handle is: epgenix

[pazz]

Hmmm. Could you probably add me on discord so i could take a close look at the hanging script. My discord handle is: epgenix

thanks for offering support with this. I am not on discord and for now gave up on this.
I did get a step further though, by running your script from within the docker image, /home/developer/...
After extracting the redirect-url from the json blob, logging into samsungs dev account twice, i finally got to the callback url. However, the links to the certificates were dead, for two reasons:
the path appears to be wrong: there was no directory /certificates nor /home/developer/certificates.
However the latter did contain a certificate file author.p12, but not the other one.

[pazz]

@Hippaduck

Not sure if anyone is still stuck with the :Invalid format of certificate in signature.:<-2> error but I was able to get around it setting a password on the generated certificates.

May I ask what exactly you mean by "setting a password"? Did you end up with certificates in your developer homedir eventually, and manually manipulated those to set a passwd? Or was is just a matter of using the --cert-password option to the entry point script with a non-empty argument?

The latter immediately spits out this and halts for me:

Error: Certificate files not found.

NB: I did create the docker image manually, as suggested by @Epgenix , and cloned his repo recursively, so I do have the tizen submodule ckecked out.

[Epgenix]

Hmmm. Could you probably add me on discord so i could take a close look at the hanging script. My discord handle is: epgenix

thanks for offering support with this. I am not on discord and for now gave up on this. I did get a step further though, by running your script from within the docker image, /home/developer/... After extracting the redirect-url from the json blob, logging into samsungs dev account twice, i finally got to the callback url. However, the links to the certificates were dead, for two reasons: the path appears to be wrong: there was no directory /certificates nor /home/developer/certificates. However the latter did contain a certificate file author.p12, but not the other one.

The path is not wrong, as the script autmatically creates a symlink on the root directory to the /home/developer/certificates/ folder.

And also the --cert-password argument is currently only there if you have your own certificates provided and it should only be used for this usecase. Otherwise the script automatically generates the certificates and set's to the password defined in the dockerfile.

Again, here is a command chain that should work (at least for me it works):

To build the container:
cd into the path where the dockerfile is contained.
docker build -t <TAG NAME> .
docker build -t 'samsung' .
Wait for the build process to finish

To get the TV id:
docker run '<TAG NAME>' --ip <TV IP> --get-device-id
docker run 'samsung' --ip 192.168.0.10 --get-device-id

To install jellyfin on the TV:
docker run -p 4794:4794 '<TAG NAME>' --ip <TV IP> --oneui8 --device-id <THE DEVICE ID FROM PREVIOUS STEP> --email <YOUR SAMSUNG TV EMAIL>
docker run -p 4794:4794 'samsung' --ip 192.168.0.10 --oneui8 --device-id GU43CU7179UXZG --email [email protected]

After that wait for the script to spit out that the script started. Then open localhost:4797/auth/start on your browser where docker is running. Authenticate and wait for the installation to complete.

That should be everything. I don't know why people struggle with this. The script works perfectly fine.

[manueldev]

To get the TV id: docker run '<TAG NAME>' --ip <TV IP> --get-device-id docker run 'samsung' --ip 192.168.0.10 --get-device-id

In my case --get-device-id returns the TV model and not the "Unique Device ID". Maybe that's the error.

[Epgenix]

To get the TV id: docker run '<TAG NAME>' --ip <TV IP> --get-device-id docker run 'samsung' --ip 192.168.0.10 --get-device-id

In my case --get-device-id returns the TV model and not the "Unique Device ID". Maybe that's the error.

Interesting, for me it returns the Unique Device ID

[pazz]

Some feedback on this.

• above is a typo in the port #. it should of course be 4794, not 4747.
• some browsers simply won't connect via http any more and have to be configured to do so (modern chrome).
• given that you try to provide a "simple" installer, consider integrating the --get-device-id into the main run: it is unnecessarily convoluted having to find the id via ip, and then type it again. I know the ip, just do it!
• I ran the commands as you suggest above exactly, and ultimately i see (on stdout) that the webser started. However, with no browser I can connect to the suggested url (with ports adjusted).

Certificates not yet generated. Checking again in 5 seconds...
INFO:     Started server process [29]
INFO:     Waiting for application startup.
INFO:     Application startup complete.
INFO:     Uvicorn running on http://0.0.0.0:4794 (Press CTRL+C to quit)
INFO:     127.0.0.1:37488 - "GET /auth/start HTTP/1.1" 200 OK

It is the only container running of this image and there were no complaints on stdedd over port bindings.
I am running docker on debian testing,

Docker version 27.4.1, build b9d17ea

When I run a shell inside the image and run the script directly, I can access the httpserver ultimately from my browser outside the image.
This is clearly a bug.
Saying that "the script works" (on your machine) is besides the point and suggests that you have not considered the possibility of other setups from you own.
No biggie, I appreciate your efforts and am grateful for your support, but suggesting that users are too thick to use your contributions is... not the way to convince people to use your code or demonstrate maturity in software development skills.
Again, thank you for your contribution, I do appreciate it.

The furthest I got was to the point where the script ends with the error

The error 'Check certificate error : :Invalid format of certificate in signature.:<-2>' suggests an issue with the certificate.

that was discussed above. As ther users suggest, there appears to be a workaround with setting certificate passwords somehow. I would very much know how to do this exactly.

Yo say above

The path is not wrong, as the script autmatically creates a symlink on the root directory to the /home/developer/certificates/ folder.

This has not been the case for me, even when I got as far as the certificate format error above. I see that ther is a mkdir in the script, but it appears not to have run as far, and without stopping and printing on stderr. Clearly not as intended. I am happy to help debug but I do not know where to start looking.

Again, thanks everyone!

[manueldev]

To get the TV id: docker run '<TAG NAME>' --ip <TV IP> --get-device-id docker run 'samsung' --ip 192.168.0.10 --get-device-id

In my case --get-device-id returns the TV model and not the "Unique Device ID". Maybe that's the error.

Interesting, for me it returns the Unique Device ID

Maybe other TVs display different data?

root@7ef0e3986a18:~# sdb devices
List of devices attached
192.168.1.84:26101      device          QN55QN90CAGXZS
root@7ef0e3986a18:~# sdb devices | grep -E 'device\s+\w+[-]?\w+' -o | sed 's/device//' - | xargs
QN55QN90CAGXZS

[Epgenix]

@pazz

Where the fuck do you get the 4747 from. There is clearly no typo in any readme file or other comment i gave here. I never mentioned 4747 port. This has to be a issue on your side.

When you have browser issues, just use a different one.

Also your arguement:

Saying that "the script works" (on your machine) is besides the point and suggests that you have not considered the possibility of other setups from you own.

Is clearly invalid, as i tested this script in a CLEAN install inside a Hypervisor Virtual Machiene. So this should work for everyone. And besides that, there were also people who successfuly ran the script.

The the only conclusion is that there must be issues in the environment setup for everyone who is getting some errors.

And also related to the symlink. These paths only get created when the certificate generation is completed successfuly.

And last but not least. Yeah i can implement the --get-device-id into the default execution flow.

[Epgenix]

To get the TV id: docker run '<TAG NAME>' --ip <TV IP> --get-device-id docker run 'samsung' --ip 192.168.0.10 --get-device-id

In my case --get-device-id returns the TV model and not the "Unique Device ID". Maybe that's the error.

Interesting, for me it returns the Unique Device ID

Maybe other TVs display different data?

root@7ef0e3986a18:~# sdb devices
List of devices attached
192.168.1.84:26101      device          QN55QN90CAGXZS
root@7ef0e3986a18:~# sdb devices | grep -E 'device\s+\w+[-]?\w+' -o | sed 's/device//' - | xargs
QN55QN90CAGXZS

Yep that is probably the issue

[pazz]

Where the fuck do you get the 4747 from. There is clearly no typo in any readme file or other comment i gave here. I never mentioned 4747 port. This has to be a issue on your side.

I meant to say "4797". This was clearly a typo on your part: "Then open localhost:4797/auth/start on your browser where docker is running. " and I corrected it in case others stumble upon it.

When you have browser issues, just use a different one.

You misunderstand: I do not have "browser issues", I merely wanted to make you, and others who potentially have related issues, aware that some browsers have this behaviour and it may be a source of issues.

Also your arguement:

Saying that "the script works" (on your machine) is besides the point and suggests that you have not considered the possibility of other setups from you own.

Is clearly invalid, as i tested this script in a CLEAN install inside a Hypervisor Virtual Machiene. So this should work for everyone. And besides that, there were also people who successfuly ran the script.

Again, you've misunderstood: by "other setups" I meant hardware (yes, the TV), the type of developer account or authentification mechanism, and docker versions.

You write "Hypervisor Virtual Machiene". These are words and I know some of them and know that others are probably misspelled. No bother, nobody is perfect.

"there were also people who successfuly ran the script."
Again, the same apparent fallacy I meant to point out above. Just because things "work for me" or "work for some" does not mean they work in all relevant scenarios or for everyone. Consider that there are people who have different parameters than you have.

That said, I do not doubt that there is something "wrong" on my end in the sense that clearly, I did not manage to successfully generate certificates and use them to sign and install stuff. Perhaps this is on me, but again, nobody's perfect. Have a great day.

[Epgenix]

Probably you can try to invoke the tizencertificates script manually and generate a certificate out of it.
Then you could copy these certificates into the docker vm with the appropriate --cert-password argument

The following command could be appended to the docker run command
-v "$(pwd)/author.p12":/certificates/author.p12 -v "$(pwd)/distributor.p12":/certificates/distributor.p12

[pazz]

Great idea! I did something similar by running everything manually inside the image.
In any case, it appears that there is something wrong with the certificate generated, or rather, the current version of my TV's firmware does not accept the such-signed file.

Ultimately, the installation call to tizen fails with

app_id[AprZAARz4r.Jellyfin] install failed[118, -12], reason: Check certificate error : :Invalid certificate chain with certificate in signature.:<-3>

On the webs I could only find solutions via some samsung device manager GUI, which I cannot run on my systems.
I will try this again later and report back in case I am successful with a solution that could be incorporated here or useful to others.
Thanks so far.

[Waseh]

@Epgenix Just want to add that i got your docker image working as well, but did also run across the problem where --get-device-id returns the TV model.
I instead found the device ID on the TV under Menu > Support > About (or something like that) and used that instead which resulted in a successful install. Thank you so much for putting in the work to get this working again.

[Epgenix]

@Epgenix Just want to add that i got your docker image working as well, but did also run across the problem where --get-device-id returns the TV model. I instead found the device ID on the TV under Menu > Support > About (or something like that) and used that instead which resulted in a successful install. Thank you so much for putting in the work to get this working again.

Wow that is really interesting. The --get-device-id works for me without any problems. But i am happy to heat that the script works.

[andrepue]

@Epgenix Just want to add that i got your docker image working as well, but did also run across the problem where --get-device-id returns the TV model. I instead found the device ID on the TV under Menu > Support > About (or something like that) and used that instead which resulted in a successful install. Thank you so much for putting in the work to get this working again.

Hi,

I almost got crazy with this. I had the same issue. After getting the image running, finding the correct Address for the certificate server localhost:4794/auth/start I always received the certificate error during installation. The Solution was indeed that I got shown only the Device model, not the Unique Device ID. Finally I got it running using the correct device ID.

I really want to thank everybody here who provided the solution. Now Jellyfin is working again, after two month of waiting.