HodorNV / ALOps


BC23 App Signing ALOpsAppSign - Error: The form specified for the subject is not one supported or known by the specified trust provider #698

Open pri-kise opened 10 months ago

pri-kise commented 10 months ago

Describe the bug: I currently always receive the error "The form specified for the subject is not one supported or known by the specified trust provider" when trying to sign an app for BC 23.0.

the used yaml please provide the yaml that you used. It helps you put the yaml like this:

The File:

name: $(Build.BuildId)

variables:
  - group: 'ALOps Settings'
  - name: 'appversionno'
    value: '?.?.*.0'
  - name: 'artifactversion'
    value: '23.0'
  - name: 'artifactcountry'
    value: 'de'
  - name: 'artifacttype'
    value: 'OnPrem'

pool:
  name: BusinessCentralBuildAgents

trigger:
  - main

stages:
  - template: templates/CreateRuntimeArtifact.yml
    parameters:
      appversiontemplate: '$(appversionno)'
      alcodeanalyzer: 'AppSourceCop,CodeCop,UICop'
      artifacttype: '$(artifacttype)'
      artifactcountry: '$(artifactcountry)'
      artifactversion: '$(artifactversion)'
      codeSigningPasscode: '$(CodeSigningPasscode)' # Part of the 'ALOps Settings' variable group

The template:

parameters:
  artifacttype: 'OnPrem'
  artifactcountry: 'de'
  artifactversion: '21.0'
  alcodeanalyzer: 'AppSourceCop,CodeCop,PerTenantExtensionCop,UICop'
  appversiontemplate: ''
  codeSigningPasscode: ''
  sasToken: ''
  releasePipelineId: 0

stages:
  - stage: CreateRuntimeAppFiles
    displayName: 'Create Runtime App'
    dependsOn: [] # Run independently
    jobs:
      - job: 'CreateRuntimeApp'
        displayName: 'Job to create Runtime App'
        workspace:
          clean: all # What to clean up before the job runs - outputs | resources | all
        steps:
          - task: ALOpsDockerCreate@1
            displayName: 'Create Docker Container'
            inputs:
              artifactversion: '${{parameters.artifactversion}}'
              artifacttype: '${{parameters.artifacttype}}'
              artifactcountry: '${{parameters.artifactcountry}}'
              licensefile: '\\files\DevOps\Common\prisma_BC.bclicense'

          - task: ALOpsDockerStart@1
            displayName: 'Start Docker Container'
            inputs:
              memory_gb: '8'

          - task: ALOpsDockerWait@1
            displayName: 'Wait for Docker Container'
            inputs:
              search_string: 'Ready for connections!'

          - template: DownloadDependencies.yml # Template reference

          - task: ALOpsAppPublish@1
            displayName: 'Publish Dependencies'
            inputs:
              usedocker: true
              nav_artifact_app_filter: '*.app'
              batch_publish_folder: '$(System.ArtifactsDirectory)'

          - task: ALOpsAppCompiler@1
            displayName: 'App Compiler'
            inputs:
              usedocker: true
              targetproject: 'MainApp/app.json'
              al_analyzer: '${{parameters.alcodeanalyzer}}'
              nav_app_version: '${{parameters.appversiontemplate}}'
              publish_artifact: false
              app_file_suffix: '_BC${{parameters.artifactversion}}'

          - task: ALOpsAppSign@1
            displayName: 'App Sign'
            inputs:
              usedocker: true
              artifact_path: '$(ALOPS_COMPILE_ARTIFACT)'
              pfx_path: '\\files\DevOps\Common\CodeSigning\CodeSigning.pfx'
              pfx_password: '${{parameters.codeSigningPasscode}}'
              timestamp_uri: 'http://timestamp.digicert.com/'
              publish_artifact: false

          - task: ALOpsAppPublish@1
            displayName: 'App Publish'
            inputs:
              usedocker: true
              nav_artifact_app_filter: '*.app'

          - task: ALOpsAppRuntimePackage@1
            displayName: 'Create Runtime Package' 
            inputs:
              usedocker: true
              targetproject: 'MainApp/app.json'
              publish_artifact: true         

          - task: ALOpsDockerRemove@1
            displayName: 'Remove Docker Container'
            condition: always()

the output Also the complete output is necessary for us to see what is going on. Also use backticks:


name                                                                                                       value
----                                                                                                       -----
usedocker                                                                                                   True
fixed_tag                                                                                                       
batchsigncompiledapps                                                                                      False
artifact_path           C:\agent\_work\740\a\publisher_MyAppName_1.1.40186.0_BC23.0.app
nav_artifact_app_filter                                                                                    *.app
pfx_path                                                       \\files\DevOps\Common\CodeSigning\CodeSigning.pfx
timestamp_uri                                                                     http://timestamp.digicert.com/
publish_artifact                                                                                           False
pfx_password                                                                                ***

*** For documentation, please visit   : https://www.alops.be/documentation

*** ALOps License:
  * Licensed To: publisher (Organisation License)

*** Importing required PS-Functions
*** Resolved App File: [C:\agent\_work\740\a\publisher_MyAppName_1.1.40186.0_BC23.0.app].
*** Starting App Sign for: 
  * C:\agent\_work\740\a\publisher_MyAppName_1.1.40186.0_BC23.0.app
*** App Sign: C:\agent\_work\740\a\publisher_MyAppName_1.1.40186.0_BC23.0.app
*** Connect Docker Session
*** Initiate Docker Session
*** Set Docker Container ErrorActionPreference = Stop
*** Setup Docker Session
*** Copy PFX [CodeSigning.pfx] => [c:\Run\DevOps\CodeSigning.pfx]
*** Copy Artifact: [C:\agent\_work\740\a\publisher_MyAppName_1.1.40186.0_BC23.0.app] => [c:\Run\DevOps\Artifacts\publisher_MyAppName_1.1.40186.0_BC23.0.app]
*** Fetching App to Sign in [c:\Run\DevOps\] with filter [*.app]
*** App File: C:\Run\DevOps\Artifacts\publisher_MyAppName_1.1.40186.0_BC23.0.app
*** Setup Pfx File
*** PFX File: c:\Run\DevOps\CodeSigning.pfx
*** Timestamp Service: http://timestamp.digicert.com/
*** Check for Powershell Authenticode CmdLets
*** Authenticode CmdLets exist, using Powershell
*** Sign App file with Pfx
*** Signing App with Powershell: C:\Run\DevOps\Artifacts\publisher_MyAppName_1.1.40186.0_BC23.0.app

SignerCertificate      : 
TimeStamperCertificate : 
Status                 : UnknownError
StatusMessage          : The form specified for the subject is not one supported or known by the specified trust 
                         provider
Path                   : C:\Run\DevOps\Artifacts\publisher_MyAppName_1.1.40186.0_BC23.0.app
SignatureType          : None
IsOSBinary             : False

##[error]Signature status: UnknownError. The form specified for the subject is not one supported or known by the specified trust provider.
*** Transfer App Artifact from Docker container.
##[error]Der Vorgang kann nicht ausgeführt werden, weil die Sitzung "Availability" auf "None" festgelegt ist.
Finishing: App Sign

Expected behavior: The problem seems to be isolated to BC 23; any other pipeline for BC21 or BC22 is working fine.

Additional Context: I searched the repository for similar issues and found only the following one: https://github.com/HodorNV/ALOps/issues/681. But I don't know if this is a different issue, since we only have this problem for BC23.

I'd be happy for an updated yaml file, if there is anything I can change.

PeterConijn commented 10 months ago

We are encountering the same issue on our BC23 builds.

PeterConijn commented 10 months ago

@pri-kise Have you been able to make any headway with this?

pri-kise commented 10 months ago

No. I haven't found any solution yet.

waldo1001 commented 10 months ago

Can you maybe try to sign outside a docker container?

- task: ALOpsAppCompiler@2
  inputs:
    artifacttype: 'Sandbox'
    versionselect: Current
    ...

- task: ALOpsAppSign@1
  inputs:
    usedocker: false
    batchsigncompiledapps: true
    publish_artifact: true
    pfx_path: $(pfxurl)
    pfx_password: $(pfxpwd)

PeterConijn commented 10 months ago

Tried signing outside docker. Same error:

[error]Signature status: UnknownError. The form specified for the subject is not one supported or known by the specified trust provider.

waldo1001 commented 9 months ago

We assume this has something to do with not having the right version of navsip. We'll see what we can do about that from the sign-step.

PeterConijn commented 9 months ago

I could not get any meaningful information out of this, but here is the signing section of the log for a succeeding build alongside that of a failing build for the same app. The only change in the yml between the two is that we at some point changed the file filter from '.app' to '._APP.app' to see if excluding the runtime app would help (undoing this did not fix anything).

Failing_Signage_Log.txt Succeeding_Signage_Log.txt

waldo1001 commented 8 months ago

We are going to try to include NavSip.dll in our steps, so there is no confusion.
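
A way to check the NavSip assumption raised in the thread, as an added example that is not part of the issue or of ALOps: Windows typically returns this status when no registered Subject Interface Package (SIP) recognizes the file format, so the script lists SIP registrations whose DLL name matches `*navsip*` (an assumed pattern) together with the DLL's file version. The function name and the `.app` path are placeholders.

```powershell
# Added diagnostic (not ALOps code): list Authenticode SIP registrations that point at NavSip.
# Assumption: the SIP DLL file name contains "navsip", as named in the thread.
function Get-NavSipRegistration {
    param([string]$DllPattern = '*navsip*')

    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0',             # 64-bit processes
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0'  # 32-bit processes
    )
    # Entry points a SIP registers so that Set-AuthenticodeSignature can use it.
    $functions = 'CryptSIPDllCreateIndirectData', 'CryptSIPDllPutSignedDataMsg',
                 'CryptSIPDllGetSignedDataMsg', 'CryptSIPDllVerifyIndirectData'

    foreach ($root in $roots) {
        foreach ($function in $functions) {
            $key = Join-Path $root $function
            if (-not (Test-Path -LiteralPath $key)) { continue }
            foreach ($sip in Get-ChildItem -LiteralPath $key) {
                $dll = $sip.GetValue('Dll')
                if ($dll -notlike $DllPattern) { continue }
                # A missing file here means the registration is stale.
                $file = Get-Item -LiteralPath $dll -ErrorAction SilentlyContinue
                [pscustomobject]@{
                    Hive        = if ($root -like '*WOW6432Node*') { '32-bit' } else { '64-bit' }
                    Function    = $function
                    SipGuid     = $sip.PSChildName
                    Dll         = $dll
                    DllExists   = [bool]$file
                    FileVersion = if ($file) { $file.VersionInfo.FileVersion } else { $null }
                }
            }
        }
    }
}

$found = @(Get-NavSipRegistration)
if ($found.Count -eq 0) {
    Write-Warning 'No SIP DLL matching the pattern is registered on this host.'
} else {
    $found | Sort-Object Hive, Function | Format-Table -AutoSize
}

# Inspect a package after a signing attempt; the path is a placeholder.
$appFile = 'C:\path\to\your.app'
if (Test-Path -LiteralPath $appFile) {
    Get-AuthenticodeSignature -FilePath $appFile | Format-List Status, StatusMessage, SignatureType
}
```

Run it in the same place the signing step runs (inside the container when `usedocker` is true, on the agent otherwise) and compare the output of a working BC22 environment with a failing BC23 one.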