dotnet / arcade

Tools that provide common build infrastructure for multiple .NET Foundation projects.
MIT License

Signing fails for PowerShell scripts #825

Closed tmat closed 6 years ago

tmat commented 6 years ago
27> 20.14.20.11 Failed to sign 'E:\A\_work\344\s\artifacts\tmp\Release\ContainerSigning\F7C7744E9FEFDF7697817C1C71F36C8C703A6437FF3436962693BE5753EE6FA2\install.ps1' (OpId: eb588ad9-bfd2-49a6-b04a-349ee24ce6f5) because of  An exception occurred in the NEO Static Signer service.
exception: Sign operation failed for: sign    /NPH /as /fd "SHA256" /f "C:\Signing\P7B\230012_437965_MOPR_20180627.p7b" /kc "230012_437965_MOPR_20180627" /sha1 "C3A3D43788E7ABCD287CB4F5B6583043774F99D2" /csp "nCipher Security World Key Storage Provider" /du "http://www.microsoft.com" /d "Microsoft" /tr "http://rfc3161.gtm.corp.microsoft.com/TSS/HttpTspServer" /td sha256 "D:\Sign\eb588ad9-bfd2-49a6-b04a-349ee24ce6f5\322087dd-5203-42a4-b1d1-7828b110e9d1\install.ps1" For RequestId: eb588ad9-bfd2-49a6-b04a-349ee24ce6f5. Command execution result from the tool: Done Adding Additional Store
Number of errors: 1
SignTool Error: Multiple signature support is not implemented for this filetype.
SignTool Error: An error occurred while attempting to sign: D:\Sign\eb588ad9-bfd2-49a6-b04a-349ee24ce6f5\322087dd-5203-42a4-b1d1-7828b110e9d1\install.ps1
.

The scripts:
https://github.com/dotnet/roslyn-analyzers/blob/master/assets/install.ps1
https://github.com/dotnet/roslyn-analyzers/blob/master/assets/uninstall.ps1

jcagme commented 6 years ago

FYI @JohnTortugo

JohnTortugo commented 6 years ago

Thanks @jcagme .

Seems like we were trying to sign a file that was already signed. How should this be handled? Do we want to skip those files or remove the existing signature and sign again?

tmat commented 6 years ago

These files are not signed.

tmat commented 6 years ago

I'm actually not sure what a signed PowerShell file looks like, but I guess it likely has the signature in it in some kind of comment form.

JohnTortugo commented 6 years ago

Talked with Trevor Short (not sure about his GitHub alias) and he clarified the issue. The certificate that we are using to sign the file is trying to sign the file twice and that is the reason for the error. This kind of file should actually be signed with a different certificate: Microsoft400.

I'll create a PR in a few minutes.
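The thread's question of whether a `.ps1` file is already signed can be checked before a file is submitted for signing. The following is an added example, not part of the issue thread or of Arcade's code: it looks for the `# SIG # Begin signature block` / `# SIG # End signature block` comment block that PowerShell appends to signed scripts and checks that the payload decodes to a DER structure. The function name `inspect_ps1` and the sample script are constructed for illustration.

```python
import base64
import binascii
import re

BEGIN = "# SIG # Begin signature block"
END = "# SIG # End signature block"

def inspect_ps1(text):
    """Classify script text as 'unsigned', 'signed' or 'malformed'.

    Returns (status, body, der). body is the script without the signature
    block; der is the decoded PKCS#7 blob (None unless status == 'signed').
    Presence check only: the signature itself is NOT cryptographically verified.
    """
    lines = text.splitlines()
    begins = [i for i, l in enumerate(lines) if l.strip() == BEGIN]
    ends = [i for i, l in enumerate(lines) if l.strip() == END]
    if not begins and not ends:
        return "unsigned", text, None
    # Exactly one block, with the begin marker before the end marker.
    if len(begins) != 1 or len(ends) != 1 or begins[0] >= ends[0]:
        return "malformed", text, None
    b, e = begins[0], ends[0]
    payload = []
    for l in lines[b + 1:e]:
        # Each payload line is a comment carrying one chunk of base64.
        m = re.fullmatch(r"#\s?([A-Za-z0-9+/=]+)\s*", l)
        if not m:
            return "malformed", text, None
        payload.append(m.group(1))
    try:
        der = base64.b64decode("".join(payload), validate=True)
    except (binascii.Error, ValueError):
        return "malformed", text, None
    # A PKCS#7 SignedData blob is a DER SEQUENCE, so it starts with 0x30.
    if not der or der[0] != 0x30:
        return "malformed", text, None
    return "signed", "".join(l + "\n" for l in lines[:b]), der

if __name__ == "__main__":
    # Constructed sample: a one-line script with a dummy (non-verifying) blob.
    blob = base64.b64encode(b"\x30\x82\x00\x04abcd").decode()
    sample = "Write-Host 'hi'\r\n" + BEGIN + "\r\n# " + blob + "\r\n" + END + "\r\n"
    print(inspect_ps1("Write-Host 'hi'\r\n")[0], inspect_ps1(sample)[0])
```

A `signed` result only means a well-formed block is present; validating the signature and its certificate chain is a job for `Get-AuthenticodeSignature` on Windows.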