HodorNV / ALOps

ALOpsAppSign error #605

Open GhOnBc opened 1 year ago

GhOnBc commented 1 year ago

Describe the bug: Since today we receive the following error in our build pipeline:

```
##[error]Signature status: UnknownError. ASN1 bad tag value met.
*** Transfer App Artifact from Docker container.
[error]Cannot perform operation because the session Availability is set to None.
```

The used yaml: please provide the yaml that you used. It helps you put the yaml like this:

```yaml
- task: ALOpsAppSign@1
  inputs:
    usedocker: true
    pfx_path: '$(PFXPath)'
    pfx_password: '$(PFXPass)'
```

Expected behavior: To have the app successfully signed.

Additional context: The build pipeline worked as expected yesterday; without changing anything, today it doesn't work anymore. When signing the same app with the same certificate through bccontainerhelper, it works.

lassej5 commented 1 year ago

We have the same issue with code signing

kasperdj commented 1 year ago

We have the same issue - all pipelines are failing

CarloAxians commented 1 year ago

We have the same problem. This happened before, see ticket #479

fvet commented 1 year ago

@waldo1001 We have a similar issue with code signing

```
SignerCertificate      : 
TimeStamperCertificate : 
Status                 : UnknownError
StatusMessage          : ASN1 bad tag value met
Path                   : ***.app
SignatureType          : None
IsOSBinary             : False

##[error]Signature status: UnknownError. ASN1 bad tag value met.
```

MortenRa commented 1 year ago

Just for info, we do not experience any problems with signing, so this seems to be related to using docker

```yaml
- task: ALOpsAppSign@1
  displayName: 'ALOps App Sign'
  env:
    pfx_password: $(CodeSignPfxPassword)
  inputs:
    pfx_path: $(CodeSignPfxFile)
    timestamp_uri: $(TimeStampUri) #'http://timestamp.comodoca.com/authenticode'
    usedocker: false
```

CarloAxians commented 1 year ago

We don't use docker, but are still having this problem:

```yaml
  displayName: 'Sign Extension'
  inputs:
    usedocker: false
    artifact_path: $(ALOPS_COMPILE_ARTIFACT)
    pfx_path: $(pfx-path)
    pfx_password: $(pfx-password)
    timestamp_uri: $(timestamp_uri)
    publish_artifact: true
```

waldo1001 commented 1 year ago

Hi - I'm trying to figure out what happened.

First of all: we didn't push any new version: so everything works like it worked yesterday. That's a good thing, because that means we need to look at the only thing that could have been changed:

For signing the app, we're dependent on external services.

A few that we could use:

Could you please use the timestamp_uri parameter in the step, and change it to the one you're not using atm?

I was personally able to replicate the problem with the http://timestamp.comodoca.com/authenticode parameter.

And solve it with http://timestamp.digicert.com.

Sorry, guys - but it's an external service we're suffering from...

@GhOnBc , you said it worked with BCCH. Can you check the url that BCCH is using?

GhOnBc commented 1 year ago

@waldo1001 I did not use any timestamp server in my BCCH test. But if I use 'http://timestamp.sectigo.com', I receive an error. Error information: "Error: SignerSign() failed." (-2146869243/0x80096005)

This was the one we are using in our ALOps step, but then we tried with removing the timestamp and the error remains. Does ALOps default to one when we omit the parameter?

I am now running the pipeline with http://timestamp.digicert.com

CarloAxians commented 1 year ago

I have changed the uri to http://timestamp.digicert.com/ in our pipelines and now everything is working fine again. Thanks @waldo1001 for your quick response.

GhOnBc commented 1 year ago

To confirm: using http://timestamp.digicert.com/ works; not using any timestamp_uri gives the mentioned error.

dsaveyn commented 1 year ago

@waldo1001 We have a similar issue with code signing

```
SignerCertificate      : 
TimeStamperCertificate : 
Status                 : UnknownError
StatusMessage          : ASN1 bad tag value met
Path                   : ***.app
SignatureType          : None
IsOSBinary             : False

##[error]Signature status: UnknownError. ASN1 bad tag value met.
```

I can confirm that adding http://timestamp.digicert.com/ as timestamp_uri also solves the issue at our end.

waldo1001 commented 1 year ago

I will keep this issue open, and see with the development department on how we could get this more stable ... 🤔

waldo1001 commented 1 year ago

Not much we can do. It happened before and it will probably happen again :(.
The one that works now, didn't work before, which made us switch to the current default, which is now failing.

pri-kise commented 1 year ago

We receive the following error on AppSigning. Is this related?

```
Starting: ALOps App Sign
==============================================================================
Task         : ALOps App Sign
Description  : CodeSign an AL Extension for Business Central
Version      : 1.454.3402
Author       : Hodor
Help         : Codesign Business Central extension with .pfx.
==============================================================================
*** Validate configuration
*** Task Inputs:

name                                                                                                              value
----                                                                                                              -----
usedocker                                                                                                         False
fixed_tag                                                                                                              
batchsigncompiledapps                                                                                             False
artifact_path           ...t\_work\298\a\publisher_AppName_19.0.25513.0_sandbox_19.0_de.app
nav_artifact_app_filter                                                                                           *.app
pfx_path                                                              \\files\DevOps\Common\CodeSigning\CodeSigning.pfx
timestamp_uri                                                                                                          
publish_artifact                                                                                                   True
pfx_password                                                                                       ***

*** For documentation, please visit   : https://www.alops.be/documentation

*** ALOps License:
  * Licensed To: publisher (Organisation License)

*** Importing required PS-Functions
*** Resolved App File: [C:\agent\_work\298\a\publisher_AppName_19.0.25513.0_sandbox_19.0_de.app].
*** Starting App Sign for: 
  * C:\agent\_work\298\a\publisher_AppName_19.0.25513.0_sandbox_19.0_de.app
*** App Sign: C:\agent\_work\298\a\publisher_AppName_19.0.25513.0_sandbox_19.0_de.app
*** Registering NavSip
*** NavSip registration OK
*** App File: C:\agent\_work\298\a\publisher_AppName_19.0.25513.0_sandbox_19.0_de.app
*** Setup Pfx File
*** PFX File: \\files\DevOps\Common\CodeSigning\CodeSigning.pfx
*** Check for Powershell Authenticode CmdLets
*** Authenticode CmdLets exist, using Powershell
*** Sign App file with Pfx
*** Signing App with Powershell: C:\agent\_work\298\a\publisher_AppName_19.0.25513.0_sandbox_19.0_de.app

SignerCertificate      : 
TimeStamperCertificate : 
Status                 : UnknownError
StatusMessage          : Das für den Antragsteller angegebene Formular wird vom angegebenen Vertrauensanbieter nicht 
                         unterstützt oder ist ihm nicht bekannt
Path                   : C:\agent\_work\298\a\publisher_BC Suite Data 
                         Provider_19.0.25513.0_sandbox_19.0_de.app
SignatureType          : None
IsOSBinary             : False

##[error]Signature status: UnknownError. Das für den Antragsteller angegebene Formular wird vom angegebenen Vertrauensanbieter nicht unterstützt oder ist ihm nicht bekannt.
*** Uploading Signed APP as Build-Artifact
*** Sign App Completed.
*** Cleanup VSTS Environment: True
Async Command Start: Upload Artifact
Uploading 1 files
Fail to upload 'C:\agent\_work\298\a\publisher_AppName_19.0.25513.0_sandbox_19.0_de.app' due to 'The process cannot access the file 'C:\agent\_work\298\a\publisher_AppName_19.0.25513.0_sandbox_19.0_de.app' because it is being used by another process.'.
System.IO.IOException: The process cannot access the file 'C:\agent\_work\298\a\publisher_AppName_19.0.25513.0_sandbox_19.0_de.app' because it is being used by another process.
   at System.IO.FileStream.ValidateFileHandle(SafeFileHandle fileHandle)
   at System.IO.FileStream.CreateFileOpenHandle(FileMode mode, FileShare share, FileOptions options)
   at System.IO.FileStream..ctor(String path, FileMode mode, FileAccess access, FileShare share, Int32 bufferSize, FileOptions options)
   at Microsoft.VisualStudio.Services.Agent.Worker.Build.FileContainerServer.UploadAsync(IAsyncCommandContext context, Int32 uploaderId, CancellationToken token)
1 files failed to upload, retry these files after a minute.
Retry file upload after 60 seconds.
Retry file upload after 55 seconds.
Retry file upload after 50 seconds.
Retry file upload after 45 seconds.
Retry file upload after 40 seconds.
Retry file upload after 35 seconds.
Retry file upload after 30 seconds.
Retry file upload after 25 seconds.
Retry file upload after 20 seconds.
Retry file upload after 15 seconds.
Retry file upload after 10 seconds.
Retry file upload after 5 seconds.
Start retry 1 failed files upload.
File upload succeed after retry.
Upload 'C:\agent\_work\298\a\publisher_AppName_19.0.25513.0_sandbox_19.0_de.app' to file container: '#/21271816/AppName'
Associated artifact 12989 with build 25513
Async Command End: Upload Artifact
Finishing: ALOps App Sign
```

waldo1001 commented 1 year ago

Seems different, but try it with the url?

If not - create new issue, and make sure to provide yaml.

Are you sure you use a decent certificate? Has anything "worked before"?

pri-kise commented 1 year ago

It only happens randomly. Now it's working again.

waldo1001 commented 1 year ago

Well - that's a typical behaviour of these online services, I'm afraid.
Did you try to set up "http://timestamp.digicert.com/" as your timestamp_uri? Seems to be quite stable lately.

DanielGoehler commented 1 year ago

@waldo1001 It occurs sporadically rarely for a few minutes and then it is gone again. We try http://timestamp.digicert.com/
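
The workaround this thread converges on, switching `timestamp_uri` when one timestamp service starts failing, can be automated where signing is scripted directly with the Authenticode cmdlets. The following is an added example, not ALOps code and not part of any comment above: the function name, retry count and delay are hypothetical, and it assumes the NavSip provider is already registered and the certificate chains to a root the build agent trusts.

```powershell
# Added example; Invoke-AppSignWithFallback is a hypothetical helper, not an ALOps function.
# Assumes NavSip is registered and the certificate chains to a root trusted on the agent.
function Invoke-AppSignWithFallback {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $AppPath,
        [Parameter(Mandatory)] [string] $PfxPath,
        [Parameter(Mandatory)] [securestring] $PfxPassword,
        # Both URLs appear in this thread; put the currently reliable one first.
        [string[]] $TimestampUris = @(
            'http://timestamp.digicert.com',
            'http://timestamp.comodoca.com/authenticode'
        ),
        [int] $RetriesPerServer = 2,   # constructed defaults
        [int] $DelaySeconds = 10
    )

    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($PfxPath, $PfxPassword)
    try {
        foreach ($uri in $TimestampUris) {
            for ($attempt = 1; $attempt -le $RetriesPerServer; $attempt++) {
                $sig = Set-AuthenticodeSignature -FilePath $AppPath -Certificate $cert `
                           -TimestampServer $uri -HashAlgorithm SHA256 -ErrorAction SilentlyContinue

                # Require a timestamp as well as a valid signature: without one the
                # signature stops validating once the signing certificate expires.
                if ($sig -and $sig.Status -eq 'Valid' -and $sig.TimeStamperCertificate) {
                    Write-Host "Signed and timestamped via $uri (attempt $attempt)"
                    return $sig
                }
                Write-Warning "Signing via $uri failed (attempt $attempt): $($sig.Status). $($sig.StatusMessage)"
                Start-Sleep -Seconds $DelaySeconds
            }
        }
        # Fail the step instead of shipping an unsigned or untimestamped app.
        throw "No timestamp server produced a valid, timestamped signature for $AppPath"
    }
    finally {
        $cert.Dispose()   # release the private key handle loaded from the PFX
    }
}
```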