microsoft / github-actions-for-desktop-apps

This repo contains a sample WPF application to demonstrate how to create CI/CD pipelines using GitHub Actions.
MIT License

Continuous integration Deployment - Code sign Failed #47

Closed JeanMarcFlamand closed 2 years ago

JeanMarcFlamand commented 2 years ago

Recommended by Microsoft Q&A HuiLiu-MSFT

I'm trying to code sign my application using GitHub Actions cd-net6-temp.yml from Lance's branch and the latest updated notes from Readme.md for code signing.

From the workflow run, the errors are:

error : Certificate could not be opened: ….. error : The specified network password is not correct…. error : [D:\a\MPC-MassPropertiesCalculator\MPC-MassPropertiesCalculator\MPC-MassPropertiesCalculator.Installer\MPC-MassPropertiesCalculator.Installer.wapproj]

Can you confirm whether that's an issue, or an error created by me in my CD-dotnet6.0-desktop.yml?

Here is my latest workflow run link

LanceMcCarthy commented 2 years ago

Hi Jean-Marc,

That error is specifically related to the network location the pfx file is pointing to. In your wapproj, there must still be a path to a PFX file that is on an internal network share (which of course isn't available to the PC that is building the project).

I looked at your wapproj file and there is indeed a PFX file at https://github.com/JeanMarcFlamand/MPC-MassPropertiesCalculator/blob/20beb35c7b1265c3f6b5a76f82d8589736d23cc0/MPC-MassPropertiesCalculator.Installer/MPC-MassPropertiesCalculator.Installer.wapproj#L160

It's a good thing you didn't check that in with your code... it should only be encoded as base64 and stored as a GitHub Actions secret.

In your workflow, I see that you attempt to load up the secret, decode the base64 and save it as a PFX file https://github.com/JeanMarcFlamand/MPC-MassPropertiesCalculator/blob/20beb35c7b1265c3f6b5a76f82d8589736d23cc0/.github/workflows/CI-dotnet6.0-desktop.yml#L97

So, my recommendation would be to just completely remove the PFX reference in the wapproj file because it is unused in your build anyways.

JeanMarcFlamand commented 2 years ago

Hi Lance

Thanks for the quick response.

I did remove it from the wapproj: https://github.com/JeanMarcFlamand/MPC-MassPropertiesCalculator/commit/088f73cecdd7cdaaae7ade75b76978432d223eb5

This line of code

The errors are the same; see the workflow run

https://github.com/JeanMarcFlamand/MPC-MassPropertiesCalculator/runs/6799603980?check_suite_focus=true#step:10:578

Question

When I look at the first error

Certificate could not be opened: JeanMarcFlamand.pfx. [D:\a\MPC-MassPropertiesCalculator\MPC-MassPropertiesCalculator\MPC-MassPropertiesCalculator.Installer\MPC-MassPropertiesCalculator.Installer.wapproj]

The string "MPC-MassPropertiesCalculator" appears twice. Is that normal?

I thought it might be due to the duplication of this string.

Jean-Marc Flamand

[Lance: Edit 1] removed email response's signature that contained Jean-Marc's phone number

LanceMcCarthy commented 2 years ago

The file path looks correct. The first part of the path of the name is the name of the repository itself:


You just coincidentally have the name of the repository as the same name as the code's root folder:

so D:\a\MPC-MassPropertiesCalculator\MPC-MassPropertiesCalculator\MPC-MassPropertiesCalculator.Installer\ is correct

Note: This is why I tend to put my source code in a src root folder.

Further Research

I'm not sure what is going on with the signing using that certificate. It doesn't look like the file paths are incorrect. The decoding of the base64 is saving it to the WAP project's folder, and that is where it is expected to be found.

I looked around the build output a little more closely, and the error seems to be happening when MSBuild tried to use the password for that PFX file. I researched the error and there are a few different fixes available depending on what is actually wrong with yours.

At this point I can pretty confidently say that it's not a workflow issue, but rather a PFX use issue.

If you'd like to see a different workflow in which I use a PFX to sign my package, see this line: https://github.com/LanceMcCarthy/MediaFileManager/blob/843bfc6102d9a642431efe6d2fafd0469df73178/.github/workflows/cd_release_sideload.yml#L136

JeanMarcFlamand commented 2 years ago

FYI, I did raise an issue with COMODOSTORE Support. Here are the details of the ticket.

I can't use my certificate to sign my app using a GitHub Actions workflow; here is my latest workflow run. Here is the issue raised from my starting workflow points. Ref: Continuous integration Deployment - Code sign Failed

Can you confirm that the following steps were correct for generating the pfx file?

From my saved crt and private key backed up on my local machine, I used OpenSSL to generate the pfx. Here is the command: pkcs12 -export -out I:\7JTFCode\CodeSigningCert\JeanMarcFlamand.pfx -inkey I:\7JTFCode\CodeSigningCert\JeanMarcFlamand.key -in I:\7JTFCode\CodeSigningCert\JeanMarcFlamand.crt (note: the password length I used is 16 characters).

Per the Code Signing instructions, I encoded the pfx into a text file that was saved in the GitHub secret. Here is the command used: [convert]::ToBase64String((Get-Content -path 'I:\7JTFCode\CodeSigningCert\JeanMarcFlamand.pfx' -Encoding byte)) | Out-File 'I:\7JTFCode\CodeSigningCert\BASE64_ENCODED_PFX.txt'

Notes: Signing the app with the same pfx used in the GitHub workflow works on my local machine with the MSIX tool used in Visual Studio 2022.

The .github workflow used Windows Server 2022. ValidCertificateUsingMSIXonLocalMachine
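Lance's earlier point (the PFX travels only as a base64 secret and is decoded back to a file in the workflow) and the "network password is not correct" error both come down to whether the secret round-trips and whether the password opens the resulting PFX. The following local pre-flight check is an added example, not code from this thread or from the sample repo: it re-encodes the PFX, decodes it the way the workflow step does, opens it with the password, and verifies the certificate carries the Code Signing EKU. It assumes the password is in $env:PFX_PASSWORD and uses the file paths quoted above.

```powershell
# Added pre-flight check, not code from the sample repo or from the thread.
# Assumes the PFX password is in $env:PFX_PASSWORD; the paths are the ones
# Jean-Marc quoted above. Run it locally before pasting the .txt into a secret.
$PfxPath     = 'I:\7JTFCode\CodeSigningCert\JeanMarcFlamand.pfx'
$EncodedPath = 'I:\7JTFCode\CodeSigningCert\BASE64_ENCODED_PFX.txt'
$pfxBytes    = [System.IO.File]::ReadAllBytes($PfxPath)

# 1. Encode as the README step does, but write plain ASCII with no BOM.
#    Windows PowerShell's Out-File defaults to UTF-16 with a BOM, which is harmless
#    when the text is copy-pasted but breaks anything that reads the file as raw bytes.
$b64 = [Convert]::ToBase64String($pfxBytes)
[System.IO.File]::WriteAllText($EncodedPath, $b64, [System.Text.Encoding]::ASCII)

# 2. Decode exactly as the workflow step does and confirm a byte-for-byte round trip.
#    FromBase64String ignores the line breaks that `openssl base64` inserts every 64 chars.
$decoded = [Convert]::FromBase64String((Get-Content $EncodedPath -Raw))
if ([BitConverter]::ToString($decoded) -ne [BitConverter]::ToString($pfxBytes)) {
    throw "Base64 round trip failed: decoded $($decoded.Length) bytes, original $($pfxBytes.Length)"
}

# 3. Open the decoded PFX with the password. A wrong password throws the same
#    "The specified network password is not correct" error that MSBuild reported.
#    EphemeralKeySet (needs .NET Framework 4.7.2+) avoids persisting the key in a store.
$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::EphemeralKeySet
try {
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
        $decoded, $env:PFX_PASSWORD, $flags)
} catch {
    throw "PFX could not be opened with the supplied password: $($_.Exception.Message)"
}
if (-not $cert.HasPrivateKey) { throw 'PFX contains no private key; signing will fail.' }

# 4. Confirm it is a code-signing certificate (EKU 1.3.6.1.5.5.7.3.3), not an SSL one.
$ekuExt = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$codeSigning = $ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.3' }
if (-not $codeSigning) { throw 'Certificate has no Code Signing EKU; an SSL certificate will not work.' }

Write-Host "OK: $($cert.Subject) (thumbprint $($cert.Thumbprint)) opens with the password and can sign code."
```

If step 3 fails locally with the same password that works in Visual Studio, the password you typed into the secret (not the PFX) is the thing to re-check.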

LanceMcCarthy commented 2 years ago

I purchased a code signing certificate from DigiCert, so I'm honestly not the right person to ask about generating and using a self-signed certificate for code signing and distribution. I've never generated one from scratch (well, except SSL certs) for use in code signing (my code sign and kernel mode code sign certs were both provided by an authority).

You could also look into using Azure KeyVault to sign your packages. I do this for some of my production apps: https://docs.microsoft.com/en-us/windows/msix/desktop/sign-with-akv-cert

Here's a full tutorial: https://www.ssl.com/how-to/code-signing-with-azure-devops/

JeanMarcFlamand commented 2 years ago

Thanks for all the provided information. Best regards.

JeanMarcFlamand commented 2 years ago

This morning I'm happy. I was able to codesign my app and perform my first GitHub release. I'm not sure where the problem came from as I made several changes before the workflow worked. I still must correct the release because the package cannot be downloaded even if it is displayed in the release.


Here are two major changes I made with the new certificate I uploaded recently.

  1. For the PFX creation, I have a password of 30 characters including only letters and numbers. I didn't use a symbol this time.

  2. I encoded the PFX file with the OpenSSL software in lieu of the PowerShell command:

    openssl base64 -in -out

Ref PowerShell command: $pfx_cert = Get-Content '.\GitHubActionsDemo.pfx' -Encoding Byte [System.Convert]::ToBase64String($pfx_cert) | Out-File 'SigningCertificate_Encoded.txt'

I still must correct the release because now the package cannot be downloaded even if it is displayed in the release.

LanceMcCarthy commented 2 years ago

I'm not sure about the self-sign with OpenSSL (SSL certs are not code signing certs); as I mentioned earlier, this demo uses an already configured PFX file.

Take a look at Gerald's video where he creates a self-signed certificate and uses it in GitHub Actions. It's very straightforward: https://www.youtube.com/watch?v=8lvdLa0v8zY

JeanMarcFlamand commented 2 years ago

OK, I will look at the provided links.

Regards
