I had created a build definition to build a desktop application online on visualstudio.com which fail at task Build Solution (Visual Studio build) with following error,
[error]C:\Program Files (x86)\Microsoft Visual
Studio\2017\Enterprise\MSBuild\15.0\Bin\Microsoft.Common.CurrentVersion.targets(3156,5):
Error MSB3325: Cannot import the following key file:
Sixmod5Certificate.pfx. The key file may be password protected. To
correct this, try to import the certificate again or manually install
the certificate to the Strong Name CSP with the following key
container name: VS_KEY_3B2BCC84AE4E26F1
I followed solution specified at, https://developercommunity.visualstudio.com/content/problem/156086/vsts-build-msb3325-cannot-import-the-following-key.html
then as specified at, https://stackoverflow.com/a/48698229/3531672
I had added a powershell script task before build task, as follows,
[CmdletBinding()]
param(
[Parameter(Mandatory)][string] $pfxpath,
[Parameter(Mandatory)][string] $password
)
Add-Type -AssemblyName System.Security
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
$cert.Import($pfxpath, $password, [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]"PersistKeySet")
$store = new-object system.security.cryptography.X509Certificates.X509Store -argumentlist "MY", CurrentUser
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]"ReadWrite")
$store.Add($cert)
$store.Close()
but no luck yet,
There are different SO post similar to this specifying solution to build from Admin user, or installing pfx certificate manually, but as they are related to personal computer and I am trying to configure Continuous integration on visualstudio.com, they don't seem useful to me.
Please note I am able to successfully build on my local machine.
If you wish to regenerate this problem at your end, follow these steps,
STEP 1: Create a new VSTO Addin Project (Any Excel/Word/Powerpoint).
STEP 2: Attach this to VSTS.
STEP 3: In signing tab of Application properties, instead of using temperory certificate, create a new password protected certificate (PFX - Personal Information Exchange in my case) and use this to sign ClickOnce Manifest
STEP 4: Try to build on local machine, it will succeed.
STEP 5: Push it over and try to build on VSTS, you will get the same error as above.
I unchecked the "Sign the assembly" checkbox from the "project properties -> Signing" page and everything worked like a charm. The build was signed successfully through VSTS. Somehow I missed this solution provided in many SO threads related to the problem.
Related
I am trying to create a signed appx package as a test using a purchased code signing certificate. I cannot get it to build without installing the cert locally first (which I don't want to do given this will be done in a CI/CD environment).
I am executing the following on a solution containing an empty WPF project and WAP project.
msbuild $Solution_Path /p:Platform=x64 /p:Configuration=Release
/p:UapAppxPackageBuildMode=SideLoadOnly /p:AppxBundlePlatforms="x64"
/p:AppxPackageDir=$App_Packages_Directory /p:AppxBundle=Never
/p:AppxPackageSigningEnabled=true /p:PackageCertificateThumbprint=$myThumbprint
/p:PackageCertificateKeyFile=$myCert /p:PackageCertificatePassword=$myPassword
error: Certificate could not be opened
error: The specified network password is not correct
I have confirmed the password of $myPassword and thumbprint is $myThumprint by importing the cert and verifying it. I have also tried assigning "" to $myThumprint. I have confirmed the location of $myCert
It will build if I assign AppxPackageSigningEnable=false, but it will be unusable as it is not signed.
In appxmanifest, I have assigned Identity/Publisher to the publisher id of the cert (e.g., Publisher="CN=John Doe, O=Acme, L=TheMoon, S=OuterSpace, C=Universe") and Properties/PublisherDisplayName = the cert's CN (=John Doe)
I have tried exporting the pfx into a cer and using that, but that fails on the cert is not usable as it doesn't include a private key.
I have tried exporting the pfx into a base64 string and then creating a pfx from that - still fails (desperate measures).
Any tips greatly appreciated!
I read that a password protected cert needs to be stored in a cert store for msbuild to use it. Therefore, I ignored the cert on build and added it later by doing the following:
Remove all signing parameters from msbuild as follows
msbuild $Solution_Path /p:Platform=x64 /p:Configuration=Release
/p:UapAppxPackageBuildMode=SideLoadOnly /p:AppxBundlePlatforms="x64"
/p:AppxPackageDir=$App_Packages_Directory /p:AppxBundle=Never
/p:AppxPackageSigningEnabled=false
Given the name of the appx will change based on version and I couldn't find a way to pass wildcards to the SignTool, I used this to grab the built appx:
$Packages_2Sign = (Get-ChildItem -Recurse -Path $currentDirectory -Include *.appx).fullname
Finally, use the SignTool to sign the appx built from the prior step
SignTool sign /fd sha256 /a
/f $certificatePath /p $certificatePwd $Packages_2Sign
I have a project hosted in Azure DevOps and there the build is failing with the error message:
Error MSB3325: Cannot import the following key file: xxxx.pfx. The key
file may be password protected. To correct this, try to import the
certificate again or manually install the certificate to the Strong
Name CSP with the following key container name: VS_KEY_xxxx
This happens after a project has been changed to sign the assembly with a newly generated password protected pfx signing certificate.
I have tried various fixes given in other SO posts and nothing seems to work.
Can anyone with azure-devops expertise help me with this situation.
You can use the SnInstallPfx.exe and add this in your pipeline as a powershell task
- task: PowerShell#2
env:
SN_INSTALL_PFX: $(snInstallPfx.secureFilePath)
MYCERTIFICATE_PFX: $(myCertificatePfx.secureFilePath)
MYCERTIFICATE_PFX_PASSWORD: $(myCertificatePfxPassword)
inputs:
targetType: 'inline'
script: '&"$($ENV:SN_INSTALL_PFX)" "$($ENV:MYCERTIFICATE_PFX)" "$($ENV:MYCERTIFICATE_PFX_PASSWORD)"'
The pfx, exe and password are stored in the Pipeline library as secure files and variables.
For more information, see the following blog article.
Error MSB3325: Cannot import the following key file
You can create a PowerShell script and add a PowerShell Script step in your build definition to import the new certificate file before the VSBuild step:
The PowerShell script I used to use:
$pfxpath = 'pathtoees.pfx'
$password = 'password'
Add-Type -AssemblyName System.Security
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
$cert.Import($pfxpath, $password, [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]"PersistKeySet")
$store = new-object system.security.cryptography.X509Certificates.X509Store -argumentlist "MY", CurrentUser
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]"ReadWrite")
$store.Add($cert)
$store.Close()
And it works fine on my side.
You can check the similar thread for some more details.
Hope this helps.
We are using a nuget package that requires authentication and are having issues when we try to build our project via VSTS builds. We can pull up the external nuget package feed from our authenticated browser and also via Visual Studio. The project builds locally and has no issues. However, when running through VSTS builds, we receive a 401 unauthorized messed even though we believe we have set things up properly.
Setup
Image of nuget task
Image of authentication for nuget feed
Image of personal access token that is used
Build log
Part of the log that shows that the authentication is picked up and being applied:
2018-03-30T19:38:43.2917713Z Saving NuGet.config to a temporary config file.
2018-03-30T19:38:43.3113980Z Using authentication information for the following URI: https://microsoft.pkgs.visualstudio.com/_packaging/MEE.Privacy/nuget/v3/index.json
2018-03-30T19:38:43.3123672Z [command]D:\a\_tool\NuGet\4.1.0\x64\nuget.exe sources Remove -NonInteractive -Name Privacy -ConfigFile D:\a\4\Nuget\tempNuGet_5609.config
2018-03-30T19:38:45.5301476Z Package source with Name: Privacy removed successfully.
2018-03-30T19:38:45.5348241Z [command]D:\a\_tool\NuGet\4.1.0\x64\nuget.exe sources Add -NonInteractive -Name Privacy -Source https://microsoft.pkgs.visualstudio.com/_packaging/MEE.Privacy/nuget/v3/index.json -ConfigFile D:\a\4\Nuget\tempNuGet_5609.config -Username ******** -Password ********
2018-03-30T19:38:46.0254022Z Package Source with Name: Privacy added successfully.
2018-03-30T19:38:46.0295574Z [command]D:\a\_tool\NuGet\4.1.0\x64\nuget.exe restore D:\a\4\s\msc\dev\Msc.Privacy\Msc.Privacy.sln -Verbosity Detailed -NonInteractive -ConfigFile D:\a\4\Nuget\tempNuGet_5609.config
Error that we receive when trying to find nuget package:
The nuget command failed with exit code(1) and error(Errors in packages.config projects
Unable to find version '1.1.18087.3' of package 'Microsoft.PrivacyServices.CommandFeed.Client'.
C:\Users\VssAdministrator\.nuget\packages\: Package 'Microsoft.PrivacyServices.CommandFeed.Client.1.1.18087.3' is not found on source 'C:\Users\VssAdministrator\.nuget\packages\'.
D:\a\4\Nuget\..\..\_Packages: Package 'Microsoft.PrivacyServices.CommandFeed.Client.1.1.18087.3' is not found on source 'D:\a\4\Nuget\..\..\_Packages'.
https://api.nuget.org/v3/index.json: Package 'Microsoft.PrivacyServices.CommandFeed.Client.1.1.18087.3' is not found on source 'https://api.nuget.org/v3/index.json'.
https://microsoft.pkgs.visualstudio.com/_packaging/MEE.Privacy/nuget/v3/index.json: Unable to load the service index for source https://microsoft.pkgs.visualstudio.com/_packaging/MEE.Privacy/nuget/v3/index.json.
Response status code does not indicate success: 401 (Unauthorized).
Questions
Any ideas on what we could be missing?
It turns out our personal access token was not setup properly. When creating the token, we weren't choosing the correct account. To fix our issues, we created a new token using 'All accessible [Microsoft] accounts' instead of 'myuser1'.
Image of personal access token creation
I am using signtool.exe to sing my msi output through a proj file in Jenkins. My command to sign the msi is, "C:\Program Files\Microsoft SDKs\Windows\v6.1\Bin\signtool.exe" sign /f "C:\Build\SignCertificate.cer" /csp "Microsoft Enhanced Cryptographic Provider v1.0" /k privatekeycontainer /t "http://timestamp.verisign.com/scripts/timstamp.dll" "..\Release\output.msi" . The pfx file is added in certificate store.
Whenever i execute it through command prompt it get pass and the msi get signed. But if i try through Jenkins then it fails. Please help me what is wrong.
My problem was solved. The pfx is not imported with the private key properly. Now the leaf tells that it has a private key. So the problem is with the pfx file.
Import sertificate to Machine Store instead of User store. Steps described here
http://www.dartmouth.edu/~deploypki/materials/web_authn/pages/IISonXP_AddingTrustedCACertToComputer.htm
Try these steps:
Create a user 'Jenkins' as and Administrators group member
Run the Jenkins service as the user 'Jenkins'
log in as Jenkins user and install the certificate in the user store.
Run it through Jenkins
Also, take a look at this link which is very similar to your question:
SignTool Error: ISignedCode::Sign returned error: 0x80092006
I get this error when trying to build a project using Team Build (MSBuild) on TFS 2010:
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Common.targets (1970):
Cannot import the following key file: CCC.pfx.
The key file may be password protected.
To correct this, try to import the certificate again or manually install the certificate to the Strong Name CSP with the following key container name: VS_KEY_C00C673BBB353901
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Common.targets (1970):
Importing key file "CCC.pfx" was canceled.
It all builds OK in Visual Studio 2010. The assembly is signed with a PFX file. Usually in Visual Studio we are prompted for the password the first time we build, but then never again...
I've tried running:
sn -i companyname.pfx VS_KEY_3E185446540E7F7A
as other replies as suggested in Stack Overflow question Cannot import the keyfile 'blah.pfx' - error 'The keyfile may be password protected'. I've tried importing into the personal certificate store as suggested in Stack Overflow question Using MSBuild to sign ClickOnce or assembly results in error MSB3321. But all to no avail, still the same error.
How do I do it? Do I have to somehow add the certificate to the Windows account the build service runs under or something like that?
Alternatively, how do I make the build done in Team Build not use signing? I just want to check it compiles and run the unit tests. I don't need signing for that.
You need to adapt this answer to your specific. Something like:
sn -i companyname.pfx VS_KEY_C00C673BBB353901
What I did is not that elegant, but works: log in as the user that runs msbuild on the build machine, manually invoke msbuild, and then type in the password when prompted. It'll now be saved in that user's certificate store, and now the builds can run unattended.
What finally fixed it for me was making the account under which TFS Build service runs an administrator on the local machine.
Don't know though if any of the other stuff I was trying before also needs to be done to get it working. But before it was admin it didn't work after it became admin it worked.
I was getting the same error, and after reading your "administrator" comment - I just ran VS Command Prompt as Admin and it now works fine.
I have faced similar issue
Scenario 1: While building project in local system
In my case i was getting the manifest signing error once i download the project from TFS and build it.
To avoid this issue I right clicked on the project ==> Properties ==> Signing
then unchecked "Sign the ClickOnce Manifests"
OR
You can click Select from store button and select your login id from the dialog box open.
OR
You can install the PFX file manually and later click on More Options button to install those certificate.
Scenario 2:- Manifest error during Build
Here to resolve this error i first clicked Select from store button and select my login id from the dialog box .Then I committed that project in TFS first and then run the build.
I had following settings:
<PropertyGroup>
<SignAssembly>false</SignAssembly>
<AssemblyOriginatorKeyFile>MyKey.pfx</AssemblyOriginatorKeyFile>
</PropertyGroup>
Assembly signing was turned off, but AssemblyOriginatorKeyFile caused error during manifest sign. Removed AssemblyOriginatorKeyFile to fix it.