Unable to find certificate -- not sure where I'm going wrong
Hi! Firstly, thank you for this tool. Secondly, this is a low priority issue, and I’m 98% sure it’s my fault, so if you happen to be able to point me in the right direction, I’d appreciate it.
Background / Goal
I recently bit the bullet and got an Authenticode cert to sign an Office add-in I want to publish.
Goals:
- Use AzureSignTool within an Azure DevOps pipeline to sign the `setup.exe` file produced by my build process.
- Double-check that this is “enough” in this case.
What I’ve Done
- Obtained the cert
- Uploaded the cert into an Azure KeyVault I created
- Registered an app in my Azure AD
- Granted the app access to the Azure KeyVault
- Used the app ID as my client ID and a generated client secret as my secret.
- Installed AzureSignTool as a global tool within my pipeline steps:

```yaml
- task: DotNetCoreCLI@2
  inputs:
    command: 'custom'
    custom: 'tool'
    arguments: 'install --global azuresigntool'
  displayName: Install AzureSignTool
```

- Called AzureSignTool from the command line (info redacted):

```yaml
- task: CmdLine@2
  displayName: 'Sign outputted .exe with AzureSignTool'
  inputs:
    script: "AzureSignTool.exe sign -du 'https://killeencode.com' -kvu 'https://[REDACTED].vault.azure.net' -kvi '[REDACTED]' -kvs '[REDACTED]' -kvc '[REDACTED]' -v setup.exe"
    workingDirectory: '$(Build.ArtifactStagingDirectory)'
```
The Problem
No matter what, AzureSignTool appears unable to find the cert:

```
trce: AzureSignTool.Program[0]
      Retrieving certificate '[REDACTED]'.
fail: AzureSignTool.Program[0]
      Failed to retrieve certificate '[REDACTED]' from Azure Key Vault. Please verify the name of the certificate and the permissions to the certificate.
info: AzureSignTool.Program[0]
      Failed to get configuration from Azure Key Vault.
##[error]Cmd.exe exited with code '-2147024809'.
```
What I’ve confirmed (or so I think)
- The KeyVault URL is correct – copied it directly from the portal
- The application ID from my Azure AD app registration is being used as the input to `-kvi`
- The client secret for my application in AD is being used as the input to `-kvs`
- The cert name is correct (copied from the KeyVault in the portal)
- The application’s service principal has permissions on the key vault (Owner for now)
- In the KeyVault’s access policy, the application’s service principal has every single permission (for now, to remove this as a variable)
Things I think it could be
The DevOps pipeline is under a different account than the azure subscription, and thus a different directory. I am wondering if the DevOps pipeline isn’t able to access the keyvault across subscriptions? Although with the client ID and secret, I thought that’d be mitigated.
Any insight into what it could be would be greatly appreciated; I’m somewhat new to this and I’ve exhausted the other resources I’m aware of. Hoping someone with more experience here can spot it quickly.
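Added example, not the issue author's pipeline or anything from the AzureSignTool project: the same two steps, with the client secret kept in a pipeline secret variable instead of the inline script, and a preflight step that logs in as the same app registration and checks that the vault sits in that app's tenant and actually exposes the certificate, so a cross-tenant or permission problem fails loudly before the signer runs. Assumed: pipeline variables `KvClientId`, `KvClientSecret` (secret), `KvTenantId`, `KvName`, `KvCertName`, and an agent with the Azure CLI and bash available.

```yaml
variables:
  KvUrl: 'https://$(KvName).vault.azure.net'

steps:
  - task: DotNetCoreCLI@2
    displayName: Install AzureSignTool
    inputs:
      command: 'custom'
      custom: 'tool'
      arguments: 'install --global azuresigntool'

  # Preflight (added check): authenticate with the signer's own app registration
  # and verify the vault's tenant and the certificate before trying to sign.
  - task: Bash@3
    displayName: Verify Key Vault certificate access
    env:
      CLIENT_SECRET: $(KvClientSecret)   # secret variables must be mapped into env explicitly
    inputs:
      targetType: inline
      script: |
        set -euo pipefail
        az login --service-principal -u "$(KvClientId)" -p "$CLIENT_SECRET" --tenant "$(KvTenantId)" -o none
        vault_tenant=$(az keyvault show --name "$(KvName)" --query properties.tenantId -o tsv)
        if [ "$vault_tenant" != "$(KvTenantId)" ]; then
          echo "Vault tenant $vault_tenant differs from the app's tenant $(KvTenantId)"
          exit 1
        fi
        # Fails here (not in the signer) if the access policy does not grant Get on certificates
        az keyvault certificate show --vault-name "$(KvName)" --name "$(KvCertName)" --query id -o tsv

  - task: CmdLine@2
    displayName: 'Sign setup.exe with AzureSignTool'
    env:
      KV_SECRET: $(KvClientSecret)       # read from the environment, never echoed into the log
    inputs:
      workingDirectory: '$(Build.ArtifactStagingDirectory)'
      script: >-
        AzureSignTool.exe sign -du "https://killeencode.com"
        -kvu "$(KvUrl)" -kvi "$(KvClientId)" -kvs "%KV_SECRET%" -kvc "$(KvCertName)"
        -tr http://timestamp.digicert.com -td sha256
        -v setup.exe
```

The `-tr`/`-td` options add an RFC 3161 timestamp so the signature stays valid after the certificate expires; the timestamp server URL is an assumption and can be swapped for your CA's.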
Issue Analytics
- Created 3 years ago
- Comments: 9 (9 by maintainers)
Top GitHub Comments
Surely enough, as you suggested, I ran the same exact call locally on a DLL file rather than a `setup.exe` and it retrieved the cert and signed it correctly. I think this actually might be something I dig into on the Azure DevOps side as a possible bug. I’ll try recreating this pipeline under the account that has access to this subscription to see if that confirms the workaround.
Regardless, your quick walkthrough was helpful! I’ll turn it into a doc PR before closing this issue.
Now that I’ve added the brief text-based walkthrough with example calls in Azure DevOps, I’m going to go ahead and close this.
@vcsjones thanks for your quick help again! Really got me un-stuck quickly.