Jenkins fails in signtool.exe - msbuild

I am using signtool.exe to sing my msi output through a proj file in Jenkins. My command to sign the msi is, "C:\Program Files\Microsoft SDKs\Windows\v6.1\Bin\signtool.exe" sign /f "C:\Build\SignCertificate.cer" /csp "Microsoft Enhanced Cryptographic Provider v1.0" /k privatekeycontainer /t "http://timestamp.verisign.com/scripts/timstamp.dll" "..\Release\output.msi" . The pfx file is added in certificate store.
Whenever i execute it through command prompt it get pass and the msi get signed. But if i try through Jenkins then it fails. Please help me what is wrong.

My problem was solved. The pfx is not imported with the private key properly. Now the leaf tells that it has a private key. So the problem is with the pfx file.

Import sertificate to Machine Store instead of User store. Steps described here
http://www.dartmouth.edu/~deploypki/materials/web_authn/pages/IISonXP_AddingTrustedCACertToComputer.htm

Try these steps:
Create a user 'Jenkins' as and Administrators group member
Run the Jenkins service as the user 'Jenkins'
log in as Jenkins user and install the certificate in the user store.
Run it through Jenkins
Also, take a look at this link which is very similar to your question:
SignTool Error: ISignedCode::Sign returned error: 0x80092006

Related

msbuild fails on Certificate could not be opened, network password not correct

I am trying to create a signed appx package as a test using a purchased code signing certificate. I cannot get it to build without installing the cert locally first (which I don't want to do given this will be done in a CI/CD environment).
I am executing the following on a solution containing an empty WPF project and WAP project.
msbuild $Solution_Path /p:Platform=x64 /p:Configuration=Release
/p:UapAppxPackageBuildMode=SideLoadOnly /p:AppxBundlePlatforms="x64"
/p:AppxPackageDir=$App_Packages_Directory /p:AppxBundle=Never
/p:AppxPackageSigningEnabled=true /p:PackageCertificateThumbprint=$myThumbprint
/p:PackageCertificateKeyFile=$myCert /p:PackageCertificatePassword=$myPassword
error: Certificate could not be opened
error: The specified network password is not correct
I have confirmed the password of $myPassword and thumbprint is $myThumprint by importing the cert and verifying it. I have also tried assigning "" to $myThumprint. I have confirmed the location of $myCert
It will build if I assign AppxPackageSigningEnable=false, but it will be unusable as it is not signed.
In appxmanifest, I have assigned Identity/Publisher to the publisher id of the cert (e.g., Publisher="CN=John Doe, O=Acme, L=TheMoon, S=OuterSpace, C=Universe") and Properties/PublisherDisplayName = the cert's CN (=John Doe)
I have tried exporting the pfx into a cer and using that, but that fails on the cert is not usable as it doesn't include a private key.
I have tried exporting the pfx into a base64 string and then creating a pfx from that - still fails (desperate measures).
Any tips greatly appreciated!
I read that a password protected cert needs to be stored in a cert store for msbuild to use it. Therefore, I ignored the cert on build and added it later by doing the following:
Remove all signing parameters from msbuild as follows
msbuild $Solution_Path /p:Platform=x64 /p:Configuration=Release
/p:UapAppxPackageBuildMode=SideLoadOnly /p:AppxBundlePlatforms="x64"
/p:AppxPackageDir=$App_Packages_Directory /p:AppxBundle=Never
/p:AppxPackageSigningEnabled=false
Given the name of the appx will change based on version and I couldn't find a way to pass wildcards to the SignTool, I used this to grab the built appx:
$Packages_2Sign = (Get-ChildItem -Recurse -Path $currentDirectory -Include *.appx).fullname
Finally, use the SignTool to sign the appx built from the prior step
SignTool sign /fd sha256 /a
/f $certificatePath /p $certificatePwd $Packages_2Sign

The term 'Get-AzureSubscription' is not recognized as a name of a cmdlet, function, script file, or executable program

I installed Az Module with the following command, but I still get the following error.
Install-Module -Name Az -AllowClobber -Scope AllUsers
Get-AzureSubscription: The term 'Get-AzureSubscription' is not recognized as a name of a cmdlet, function, script file, or executable program.
Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
Any ideas?
The command to get the subscription is Get-AzSubscription.
Most Azure commands include Az, not Azure.
You might need to login first with Connect-AzAccount, and logging in through the browser popup.
Sign in with Azure Powershell - Microsoft
Get-AzSubscription no longer works. Use Get-AzureRmSubscription to retrieve your Azure Subscription details.

VSTS build fails with MSB3325, Cannot import PFX key file

I had created a build definition to build a desktop application online on visualstudio.com which fail at task Build Solution (Visual Studio build) with following error,
[error]C:\Program Files (x86)\Microsoft Visual
Studio\2017\Enterprise\MSBuild\15.0\Bin\Microsoft.Common.CurrentVersion.targets(3156,5):
Error MSB3325: Cannot import the following key file:
Sixmod5Certificate.pfx. The key file may be password protected. To
correct this, try to import the certificate again or manually install
the certificate to the Strong Name CSP with the following key
container name: VS_KEY_3B2BCC84AE4E26F1
I followed solution specified at, https://developercommunity.visualstudio.com/content/problem/156086/vsts-build-msb3325-cannot-import-the-following-key.html
then as specified at, https://stackoverflow.com/a/48698229/3531672
I had added a powershell script task before build task, as follows,
[CmdletBinding()]
param(
[Parameter(Mandatory)][string] $pfxpath,
[Parameter(Mandatory)][string] $password
)
Add-Type -AssemblyName System.Security
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
$cert.Import($pfxpath, $password, [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]"PersistKeySet")
$store = new-object system.security.cryptography.X509Certificates.X509Store -argumentlist "MY", CurrentUser
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]"ReadWrite")
$store.Add($cert)
$store.Close()
but no luck yet,
There are different SO post similar to this specifying solution to build from Admin user, or installing pfx certificate manually, but as they are related to personal computer and I am trying to configure Continuous integration on visualstudio.com, they don't seem useful to me.
Please note I am able to successfully build on my local machine.
If you wish to regenerate this problem at your end, follow these steps,
STEP 1: Create a new VSTO Addin Project (Any Excel/Word/Powerpoint).
STEP 2: Attach this to VSTS.
STEP 3: In signing tab of Application properties, instead of using temperory certificate, create a new password protected certificate (PFX - Personal Information Exchange in my case) and use this to sign ClickOnce Manifest
STEP 4: Try to build on local machine, it will succeed.
STEP 5: Push it over and try to build on VSTS, you will get the same error as above.
I unchecked the "Sign the assembly" checkbox from the "project properties -> Signing" page and everything worked like a charm. The build was signed successfully through VSTS. Somehow I missed this solution provided in many SO threads related to the problem.

SignTool internal error when trying to repackage an APPX package?

I'm analyzing existing Windows Store applications and modifying them to make sure my company's obfuscator works with them.
I've ran into a bit of a problem doing that though. I can grab an APPX package from the store easily enough(requires Fiddler to get the URL). I can then just use any unzip program to extract the appx to a folder. I can then take the assemblies in the APPX and modify the IL a bit. I then remake and sign the package:
makeappx pack /d "mypackage" /p "mypackage.appx"
signtool sign /fd sha256 /f temporarykey.pfx mypackage.appx
I then get an error with signtool though:
SignTool Error: An unexpected internal error has occured
Error information: "Error: SignerSign() failed." (-2147024885/0x800700b)
And then of course get an error when trying to install it with the standard powerscript file created by Visual Studio for installing/sideloading any APPX package.
Found package: C:\....mypackage.appx
Error: The package is not digitally signed or its signature is corrupted
I've used this exact process for packages generated from Visual Studio. Are temporary keys tied to a particular package or something? What am I missing? Is this a bug in signtool?
Apparently, you can't just take any temporary key and sign the APPX with it. In particular the certificate subject lines must match(the "publisher name"). I do not know of a better way of determining what the subject line much actually be. First, try to use signtool and sign the APPX file with any temporary key. Now go to Event Viewer. Then to Applications and Services and then Microsoft and then Windows and then AppxPackaging and finally Microsoft-Windows-AppxPackages/Operational. There should be an error event that just happened from that build. Check it. It should say something like
Error 0x800700B: The app manifest publisher name (CN=random-hex-number) must match the subject name of the signing certificate (CN=MyWrongName)
So, now make sure to hang on to that random-hex-number. That needs to be the subject line of the certificate and is the cause of the error. To generate a working certificate:
makecert.exe mycert.cer -r -n "CN=random-hex-number" -$ individual -sv private.pkv -pe -cy end
pvk2pfx -pvk private.pkv -spc mycert.cer -pfx mytemporarykey.pfx
Now finally, you should have a temporary key that will work with signtool!
Hopefully this answers serves other people well.

Signing assemblies with PFX files in MSBuild, Team Build, and TFS

I get this error when trying to build a project using Team Build (MSBuild) on TFS 2010:
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Common.targets (1970):
Cannot import the following key file: CCC.pfx.
The key file may be password protected.
To correct this, try to import the certificate again or manually install the certificate to the Strong Name CSP with the following key container name: VS_KEY_C00C673BBB353901
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Common.targets (1970):
Importing key file "CCC.pfx" was canceled.
It all builds OK in Visual Studio 2010. The assembly is signed with a PFX file. Usually in Visual Studio we are prompted for the password the first time we build, but then never again...
I've tried running:
sn -i companyname.pfx VS_KEY_3E185446540E7F7A
as other replies as suggested in Stack Overflow question Cannot import the keyfile 'blah.pfx' - error 'The keyfile may be password protected'. I've tried importing into the personal certificate store as suggested in Stack Overflow question Using MSBuild to sign ClickOnce or assembly results in error MSB3321. But all to no avail, still the same error.
How do I do it? Do I have to somehow add the certificate to the Windows account the build service runs under or something like that?
Alternatively, how do I make the build done in Team Build not use signing? I just want to check it compiles and run the unit tests. I don't need signing for that.
You need to adapt this answer to your specific. Something like:
sn -i companyname.pfx VS_KEY_C00C673BBB353901
What I did is not that elegant, but works: log in as the user that runs msbuild on the build machine, manually invoke msbuild, and then type in the password when prompted. It'll now be saved in that user's certificate store, and now the builds can run unattended.
What finally fixed it for me was making the account under which TFS Build service runs an administrator on the local machine.
Don't know though if any of the other stuff I was trying before also needs to be done to get it working. But before it was admin it didn't work after it became admin it worked.
I was getting the same error, and after reading your "administrator" comment - I just ran VS Command Prompt as Admin and it now works fine.
I have faced similar issue
Scenario 1: While building project in local system
In my case i was getting the manifest signing error once i download the project from TFS and build it.
To avoid this issue I right clicked on the project ==> Properties ==> Signing
then unchecked "Sign the ClickOnce Manifests"
OR
You can click Select from store button and select your login id from the dialog box open.
OR
You can install the PFX file manually and later click on More Options button to install those certificate.
Scenario 2:- Manifest error during Build
Here to resolve this error i first clicked Select from store button and select my login id from the dialog box .Then I committed that project in TFS first and then run the build.
I had following settings:
<PropertyGroup>
<SignAssembly>false</SignAssembly>
<AssemblyOriginatorKeyFile>MyKey.pfx</AssemblyOriginatorKeyFile>
</PropertyGroup>
Assembly signing was turned off, but AssemblyOriginatorKeyFile caused error during manifest sign. Removed AssemblyOriginatorKeyFile to fix it.