jabbera / vsts-authenticode

A task to authenticode sign dlls
MIT License

The specified PFX password is not correct. #23

Closed roel4ez closed 4 years ago

roel4ez commented 5 years ago

I'm having an issue with the signing, in that it always fails with the following error.

2019-05-24T12:17:41.8180915Z [command]C:\BUILD\agent_work_tasks\authenticode-sign_752fe535-ed47-4c2c-afcf-0778adb0bb12\4.0.0\x64\signtool.exe sign /tr http://timestamp.verisign.com/scripts/timstamp.dll /td sha256 /f **** /p **** /fd sha256 "C:\BUILD\agent_work*****.exe"
2019-05-24T12:17:41.8850389Z SignTool Error: The specified PFX password is not correct.

It correctly retries 5 times, but the error is always the same. This happens on a build agent version 2.117.2 running on Windows Server 2016.

1) I am sure the password is correct. The password is fetched from a secure variable.
2) When running the command on my local machine (Windows 10) it works as expected. Version of signtool in authenticode-sign is 10.0.14393.795. My local version is 10.0.17763.1.

I have tried to overwrite the location of the signtool with the latest version in the C:\Program Files (x86)\Windows Kits\10\bin***\folder, but the same error happens.

I've been struggling with this for a while. Any ideas?

roel4ez commented 5 years ago

After migrating the build to a new build server, which is Windows 2019, it works as expected.

This is not so much a fix, but a workaround.

biilmann-orifarm commented 4 years ago

@roel4ez: I've just struggled with a similar problem: I could use signtool to sign on my dev machine (running Windows 10, build 1909) - but issuing the exact same command on my build server (Azure DevOps self-hosted Agent, Windows Server 2016 Standard) gave "Error: The specified PFX password is not correct". With a little assist from one of our Ops-guys, we imported the cert to the cert store on my dev machine, exported it with a new password - and then used that newly exported cert + updated password on the build server. This worked for us. Hope this can save some time for others!

ChristophBachmann commented 4 years ago

Having same issue on self-hosted agent (Windows 10, version of signtool is 10.0.18362.1). When setting the password as cleartext to the Pipeline task, it works. But when using a secure variable and mapping as env variable (as documented here: https://docs.microsoft.com/en-us/azure/devops/pipelines/process/variables?view=azure-devops&tabs=yaml%2Cbatch#secret-variables), it does not work, it fails with error "SignTool Error: The specified PFX password is not correct.".

I have found my error. In a Command Line Task the variable needs to be surrounded with %MY_VAR%, not $env:MY_VAR as documented here: https://docs.microsoft.com/en-us/azure/devops/pipelines/tasks/utility/command-line?view=azure-devops&tabs=yaml#arguments Wasn't that clear for me. So if someone else is struggling, maybe that helps :-)
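
A pre-flight check for the two failure modes reported in this thread (a password that reaches signtool as an unexpanded variable reference, and a PFX that opens on one machine but not on the build agent), as an added example that is not code from this repository or from any commenter. The environment variable names `PFX_PATH` and `PFX_PASSWORD` and the function names are assumptions chosen for illustration.

```powershell
# Added example: run on the build agent before the signing step.
# PFX_PATH and PFX_PASSWORD are hypothetical variables mapped from pipeline secrets.
param(
    [string]$PfxPath  = $env:PFX_PATH,
    [string]$Password = $env:PFX_PASSWORD
)

function Test-UnexpandedSecret {
    param([string]$Value)
    # Literal text left behind when the expansion syntax does not match the
    # shell in use: $env:NAME (PowerShell), %NAME% (cmd), $(NAME) (pipeline macro).
    foreach ($pattern in '^\$env:\w+$', '^%\w+%$', '^\$\(.+\)$') {
        if ($Value -match $pattern) { return $true }
    }
    return $false
}

function Test-PfxPassword {
    param([string]$Path, [string]$Value)
    # Opens the PFX with this machine's crypto stack, as signtool has to.
    try {
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($Path, $Value)
        $cert.Dispose()
        return $true
    } catch {
        return $false
    }
}

if (-not $PfxPath -or -not (Test-Path -LiteralPath $PfxPath)) {
    Write-Error "PFX file not found: $PfxPath"; exit 2
}
if ([string]::IsNullOrEmpty($Password)) {
    Write-Error 'Password is empty: the secret variable was not mapped into this step.'; exit 3
}
if (Test-UnexpandedSecret $Password) {
    Write-Error 'Password looks like an unexpanded variable reference, not a secret value.'; exit 4
}
# Report the length only; never write the secret itself to the build log.
Write-Host "Password length: $($Password.Length)"
if (-not (Test-PfxPassword $PfxPath $Password)) {
    Write-Error 'This machine cannot open the PFX with the supplied password.'; exit 5
}
Write-Host 'PFX opens with the supplied password on this agent.'
```

Exit code 5 on the agent combined with success on a workstation, using the same file and password, points at the machine rather than the secret, which matches the re-export workaround described above.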