microsoft / AL-Go

The plug-and-play DevOps solution for Business Central app development on GitHub
MIT License
Does AL-Go Support HSM Secured Certificates? #675

Closed janlehmkuhl closed 11 months ago

janlehmkuhl commented 1 year ago

Does AL-Go Support HSM Secured Certificates? We are currently in the situation that our certificate has expired and we now have a new certificate secured with HSM.

https://github.com/microsoft/AL-Go/issues/564#issuecomment-1677202513

freddydk commented 1 year ago

Yes, set up a connection to an Azure KeyVault and specify keyVaultCodesignCertificateName in settings. See https://aka.ms/ALGoSettings#keyVaultCodesignCertificateName

janlehmkuhl commented 11 months ago

Does anyone have an idea of how to integrate an HSM-secured certificate (DigiCert) with Azure Key Vault? To be honest, we're somewhat desperate and neither DigiCert nor Microsoft can assist us.

janlehmkuhl commented 11 months ago

After going back and forth with DigiCert, we found out that there was a system error when uploading the CSR file. Once that was corrected, it now works.

freddydk commented 11 months ago

Thanks for the update

janlehmkuhl commented 11 months ago

It now appears that I have successfully linked the certificate. Unfortunately, something is still not working properly with the AzureSignTool. It says that the .app file might be corrupt. What could be the cause of this? Are there any clues or indicators I should look for?

info: AzureSignTool.SignCommand[0] => File: C:\CTMBuildAgent01-1_work\Rent\Rent.buildartifacts\Apps\CTM Computer Technik Marketing GmbH_Rent for Dynamics 365 Business Central_22.2.962.1.app Signing file.
fail: AzureSignTool.SignCommand[0] => File: C:\CTMBuildAgent01-1_work\Rent\Rent.buildartifacts\Apps\CTM Computer Technik Marketing GmbH_Rent for Dynamics 365 Business Central_22.2.962.1.app The file cannot be signed because it is not a recognized file type for signing or it is corrupt.
fail: AzureSignTool.SignCommand[0] => File: C:\CTMBuildAgent01-1_work\Rent\Rent.buildartifacts\Apps\CTM Computer Technik Marketing GmbH_Rent for Dynamics 365 Business Central_22.2.962.1.app Signing failed with error 800B0003.
info: AzureSignTool.SignCommand[0] => File: C:\CTMBuildAgent01-1_work\Rent\Rent.buildartifacts\Apps\CTM Computer Technik Marketing GmbH_Rent for Dynamics 365 Business Central_22.2.962.1.app Stopping file signing.
info: AzureSignTool.SignCommand[0] Successful operations: 0
info: AzureSignTool.SignCommand[0] Failed operations: 1
AL-Go action ran: Sign
Telemetry Correlation Id: b25dcf47-77a8-4cd6-87cf-8bdfa21d9c43
Removing BcContainerHelper
Error: Unexpected error when running action. Error Message: Command failed with exit code -1610612734, StackTrace: at Retry-Command, C:\CTMBuildAgent01-1_work_actions\microsoft\AL-Go-Actions\v3.2\AL-Go-Helper.ps1: line 2107 <- at , C:\CTMBuildAgent01-1_work_actions\microsoft\AL-Go-Actions\v3.2\Sign\Sign.ps1: line 44 <- at , C:\CTMBuildAgent01-1_work_temp\7fabd1c9-cb34-4161-8724-0551c6ab4bdc.ps1: line 4 <- at , : line 1
Error: Process completed with exit code 1.

logs_3434.zip

janlehmkuhl commented 11 months ago

Seems to be related to our Build Agents; everything runs smoothly under the GitHub Runner.

aholstrup1 commented 11 months ago

The error message "The file cannot be signed because it is not a recognized file type for signing or it is corrupt." sounds a bit like the NavSip.dll isn't registered successfully on your self-hosted runner. Not sure why that is though. Have you been able to sign .app files on these machines before?

janlehmkuhl commented 11 months ago

It is the first time ever signing an app with AzureSignTool because we switched from a password-protected PFX file to an HSM KeyVault. I will try to set up a new agent.

janlehmkuhl commented 11 months ago

Unfortunately, it still fails with a new build agent. Exactly in the same place. I have installed the GitHub CLI, PowerShell 7 and the DotNET SDK 6.0 in addition to Docker. Something still seems to be wrong with this NAVSIP.dll. What could be missing?

freddydk commented 11 months ago

What user is the self-hosted agent running as?

janlehmkuhl commented 11 months ago

(screenshot attached)

freddydk commented 11 months ago

Could you try to change that to Local System Account? (which should be the same - but I am confused that there is a password)

janlehmkuhl commented 11 months ago

Unfortunately, this did not help.

(screenshot attached)

freddydk commented 11 months ago

OK - could you try to run the agents as an admin user maybe? (or network_Service) (just to rule out that)

janlehmkuhl commented 11 months ago

No problem, let's find out. But the problem is still there, unfortunately. Thanks for the tips

freddydk commented 11 months ago

@aholstrup1 - can you find out whether the NAVSip.dll has any dependencies (maybe on some C++ runtime or like, which might not be installed on this runner)?

janlehmkuhl commented 11 months ago

✅ The Visual C++ Redistributable Packages for Visual Studio 2013 in the 64bit version was the missing link. 🎉

https://www.microsoft.com/de-DE/download/details.aspx?id=40784

Thank you all
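A pre-flight check for a self-hosted Windows runner, added here as an example and not part of AL-Go or of anyone's post in this thread. It tests the two things this issue turned on (the VC++ 2013 x64 runtime and the NavSip.dll SIP registration) and can optionally verify an already signed .app. The runtime DLL names and the SIP registry layout are assumed from the standard Windows conventions, not taken from the thread.

```powershell
# Added example, not AL-Go code. Run on the self-hosted runner before the Sign step.
# Assumptions: the Business Central SIP provider is NavSip.dll registered under the standard
# CryptSIPDll* OID keys; the VC++ 2013 x64 runtime is detected via msvcr120.dll/msvcp120.dll.
param(
    [string]$AppFile   # optional: a signed .app to verify with Get-AuthenticodeSignature
)

$problems = @()

# 1. VC++ 2013 (v12.0) x64 runtime, the dependency that was missing in this thread.
foreach ($dll in 'msvcr120.dll', 'msvcp120.dll') {
    $path = Join-Path $env:SystemRoot "System32\$dll"
    if (-not (Test-Path $path)) {
        $problems += "Missing $path (install the VC++ 2013 x64 redistributable)"
    }
}

# 2. Is a SIP provider for .app files registered? Signing tools resolve it through these keys,
#    and an unregistered or unloadable SIP surfaces as "not a recognized file type" (0x800B0003).
$sipRoot = 'HKLM:\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0'
foreach ($k in 'CryptSIPDllVerifyIndirectData', 'CryptSIPDllPutSignedDataMsg') {
    $hits = @(Get-ChildItem -Path (Join-Path $sipRoot $k) -ErrorAction SilentlyContinue |
        Where-Object { (Get-ItemProperty $_.PSPath).Dll -like '*NavSip.dll' })
    if ($hits.Count -eq 0) {
        $problems += "No NavSip.dll registration under $k"
    } else {
        # The registered path must exist on disk; a dangling registration fails the same way.
        $dllPath = (Get-ItemProperty $hits[0].PSPath).Dll
        if (-not (Test-Path $dllPath)) { $problems += "Registered SIP DLL not found: $dllPath" }
    }
}

# 3. Optional: confirm a signed .app carries a valid Authenticode signature via the SIP.
if ($AppFile) {
    $sig = Get-AuthenticodeSignature -FilePath $AppFile
    if ($sig.Status -ne 'Valid') {
        $problems += "$AppFile signature status: $($sig.Status)"
    } else {
        Write-Host "Signed by: $($sig.SignerCertificate.Subject)"
    }
}

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Host 'Runner looks ready to sign .app files.'
```

Run it under the same account the runner service uses, since SIP registration is machine-wide but file and registry permissions are not.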

freddydk commented 11 months ago

Thanks Jan