Azure / trusted-signing-action

MIT License

TrustedSigning Fails with 2147024885/0x8007000b #29

Closed JeffBrownTech closed 4 months ago

JeffBrownTech commented 4 months ago

I'm attempting to sign an MSIXBundle file using a self-hosted Windows agent in an Azure DevOps pipeline. Task details:

  - task: TrustedSigning@0
    inputs:
      ExcludeSharedTokenCacheCredential: true
      ExcludeVisualStudioCredential: true
      ExcludeVisualStudioCodeCredential: true
      ExcludeAzurePowerShellCredential: true
      Endpoint: 'https://eus.codesigning.azure.net/'
      CodeSigningAccountName: 'account'
      CertificateProfileName: 'profile'
      FilesFolder: '$(System.DefaultWorkingDirectory)/MyApp/UWPPackages'
      FilesFolderFilter: 'msixbundle'
      FilesFolderRecurse: true
      FilesFolderDepth: '5'
      FileDigest: 'SHA256'

The task fails with the message below:

Starting: TrustedSigning
==============================================================================
Task         : Trusted Signing
Description  : This task enables users to sign their files with the Trusted Signing service.
Version      : 0.3.16
Author       : Microsoft
Help         : 
==============================================================================

Azure Code Signing

Version: 1.0.52

"Metadata": {
  "Endpoint": "https://eus.codesigning.azure.net/",
  "CodeSigningAccountName": "account",
  "CertificateProfileName": "profile",
  "ExcludeCredentials": [
    "SharedTokenCacheCredential",
    "VisualStudioCredential",
    "VisualStudioCodeCredential",
    "AzurePowerShellCredential",
    "InteractiveBrowserCredential"
  ]
}

Submitting digest for signing...

OperationId <guid>: InProgress

Signing completed with status 'Succeeded' in 13.8591381s

SignTool Error: An unexpected internal error has occurred.
Error information: "Error: SignerSign() failed." (-2147024885/0x8007000b)
##[error]SignTool failed with exit code 1
Finishing: TrustedSigning

I enabled debug output, got some more information but nothing that stood out as to why:

Error information: "Error: SignerSign() failed." (-2147024885/0x8007000b)
SignTool Error: An unexpected internal error has occurred.
##[debug]Leaving C:\agent\_work\_tasks\TrustedSigning_347b65f8-289b-4164-8663-6dea65cb0cc3\0.3.16\TrustedSigning.ps1.
##[debug]Caught exception from task script.
##[debug]Error record:
##[debug]SignTool failed with exit code 1
##[debug]At C:\Program Files\WindowsPowerShell\Modules\TrustedSigning\0.3.15\TrustedSigning.psm1:210 char:13
##[debug]+             throw "SignTool failed with exit code $($result)"
##[debug]+             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
##[debug]    + CategoryInfo          : OperationStopped: (SignTool failed with exit code 1:String) [], RuntimeException
##[debug]    + FullyQualifiedErrorId : SignTool failed with exit code 1
##[debug] 
##[debug]Script stack trace:
##[debug]at Invoke-TrustedSigning, C:\Program Files\WindowsPowerShell\Modules\TrustedSigning\0.3.15\TrustedSigning.psm1: line 210
##[debug]at <ScriptBlock>, C:\agent\_work\_tasks\TrustedSigning_347b65f8-289b-4164-8663-6dea65cb0cc3\0.3.16\TrustedSigning.ps1: line 226
##[debug]at <ScriptBlock>, <No file>: line 1
##[debug]at <ScriptBlock>, <No file>: line 22
##[debug]at <ScriptBlock>, <No file>: line 18
##[debug]at <ScriptBlock>, <No file>: line 1
##[debug]Exception:
##[debug]System.Management.Automation.RuntimeException: SignTool failed with exit code 1
##[error]SignTool failed with exit code 1
##[debug]Processed: ##vso[task.logissue type=error]SignTool failed with exit code 1
##[debug]Processed: ##vso[task.complete result=Failed]

I attempted to also sign using SignTool on my Windows 11 workstation and get this message:

SignTool Error: This file format cannot be signed because it is not recognized.
SignTool Error: An error occurred while attempting to sign: app.msixbundle

Number of files successfully Signed: 0
Number of warnings: 0
Number of errors: 1

I have diagnostic logging enabled on the trusted signing account to a storage account, but it does not yield any further details. Any assistance or guidance would be helpful as I have not found anything yet.

JeffBrownTech commented 4 months ago

It does seem to be something specific to the msixbundle file. I can sign another file in the same directory, so I'm not sure what I'm missing for it. Signing another file was successful using the TrustedSigning PowerShell module.

JeffBrownTech commented 4 months ago

I believe I have this resolved. In the .csproj file, there are several condition blocks that set different PropertyGroup sections with the current certificate signing process information, such as the Publisher, PackageCertificateKeyFile, thumbprint, etc.

Once I removed these and hard-coded the Publisher name to match the certificate profile in the trusted signing resource, it was able to sign the msixbundle file.

I thought I could avoid this as I included -property:AppxPackageSigningEnabled=false in the msbuild task in the pipeline, but it seems it was still causing issues.

However, if anyone can provide more clarity on the signing process in that it took 23 signing operations to successfully sign one file, does that sound about right?

japarson commented 4 months ago

Hi @JeffBrownTech, could you provide the logs which show 23 signing operations? Is the MSIXBundle the only file that you are signing?

JeffBrownTech commented 4 months ago

@japarson Thank you for following up; I believe I found why. I'm not a dev and am unfamiliar with msixbundle files. Talking with a developer today, he showed how the msixbundle is basically a zip file with multiple files in it. In this case, the one I was test signing had 23-24 files in it, all individually signed. I believe this mystery is solved.
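
The two findings in this thread (the Publisher in the package has to match the certificate profile, and an msixbundle is a zip holding several packages) can be checked before the signing step runs. The following is an added example, not code from the thread or from the Trusted Signing project. It assumes the standard bundle layout (AppxMetadata/AppxBundleManifest.xml in the bundle, AppxManifest.xml in each inner package), treats a match as exact string equality, and uses constructed file names and a constructed subject string.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Assumed standard MSIX layout: bundle manifest path and per-package manifest name.
BUNDLE_MANIFEST = "AppxMetadata/AppxBundleManifest.xml"
PACKAGE_MANIFEST = "AppxManifest.xml"

def read_publisher(xml_bytes):
    """Return the Publisher attribute of the manifest's <Identity> element."""
    for el in ET.fromstring(xml_bytes).iter():
        if el.tag.rsplit("}", 1)[-1] == "Identity":  # ignore the XML namespace
            return el.get("Publisher")
    return None

def bundle_publishers(bundle):
    """Map every manifest in an .msixbundle (path or file object) to its Publisher."""
    found = {}
    with zipfile.ZipFile(bundle) as outer:
        found[BUNDLE_MANIFEST] = read_publisher(outer.read(BUNDLE_MANIFEST))
        for name in outer.namelist():
            if name.lower().endswith((".msix", ".appx")):  # inner packages are zips too
                with zipfile.ZipFile(io.BytesIO(outer.read(name))) as inner:
                    found[name] = read_publisher(inner.read(PACKAGE_MANIFEST))
    return found

def mismatches(bundle, expected_subject):
    """Return the manifests whose Publisher is not exactly the expected subject."""
    return {n: p for n, p in bundle_publishers(bundle).items() if p != expected_subject}

def make_sample_bundle(bundle_pub, package_pubs):
    """Build a constructed in-memory bundle (sample data, not a real package)."""
    def manifest(root, ns, pub):
        return f'<{root} xmlns="{ns}"><Identity Name="MyApp" Publisher="{pub}"/></{root}>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as outer:
        outer.writestr(BUNDLE_MANIFEST, manifest("Bundle", "http://schemas.microsoft.com/appx/2013/bundle", bundle_pub))
        for fname, pub in package_pubs.items():
            pkg = io.BytesIO()
            with zipfile.ZipFile(pkg, "w") as inner:
                inner.writestr(PACKAGE_MANIFEST, manifest("Package", "http://schemas.microsoft.com/appx/manifest/foundation/windows10", pub))
            outer.writestr(fname, pkg.getvalue())
    return buf

if __name__ == "__main__":
    subject = "CN=Contoso Ltd, O=Contoso Ltd, C=US"  # constructed subject string
    sample = make_sample_bundle(subject, {"MyApp_x64.msix": subject, "MyApp_arm64.msix": "CN=OldDevCert"})
    for name, publisher in mismatches(sample, subject).items():
        print(f"Publisher mismatch in {name}: {publisher!r}")
```

Run against a real bundle by passing its path to mismatches() together with the subject of the certificate profile; an empty result means every manifest in the bundle carries the expected Publisher.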