vcsjones / AzureSignTool

SignTool Library and Azure Key Vault Support
MIT License
285 stars 89 forks

Signing failed with error 80072EFE #266

Closed romanp-nexusgroup closed 2 months ago

romanp-nexusgroup commented 3 months ago

Signing stopped working for us on a pipeline build. We had our last successful build about one week ago. Today signing fails with this error:

```text
AzureSignTool.exe sign --verbose -d "Nexus Personal" -ac .\package\wix\cross-certs\digicert-intermediate.cer -ac .\package\wix\cross-certs\digicert-root.cer -fd sha256 -tr http://sha256timestamp.ws.symantec.com/sha256/timestamp -kva SECRETSECRET -kvc nexus-ev-code-sign-2026-05-12 -kvu https://kv-codesigning-dev-32447.vault.azure.net/ ..\pd5-build-64\Debug\crdsiem64.dll --verbose
trce: AzureSignTool.SignCommand[0]
      Including additional certificate 92C1588E85AF2201CE7915E8538B492F605B80C6.
trce: AzureSignTool.SignCommand[0]
      Including additional certificate 0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43.
trce: AzureSignTool.SignCommand[0]
      Retrieving certificate nexus-ev-code-sign-2026-05-12.
trce: AzureSignTool.SignCommand[0]
      Retrieved certificate nexus-ev-code-sign-2026-05-12.
trce: AzureSignTool.SignCommand[0]
      Creating context
info: AzureSignTool.SignCommand[0]
      => File: ..\pd5-build-64\Debug\crdsiem64.dll
      Signing file.
trce: AzureSignTool.SignCommand[0]
      => File: ..\pd5-build-64\Debug\crdsiem64.dll
      Getting SIP Data
trce: AzureSignTool.SignCommand[0]
      => File: ..\pd5-build-64\Debug\crdsiem64.dll
      Calling SignerSignEx3 with flags: SIGN_CALLBACK_UNDOCUMENTED
fail: AzureSignTool.SignCommand[0]
      => File: ..\pd5-build-64\Debug\crdsiem64.dll
      Signing failed with error 80072EFE.
info: AzureSignTool.SignCommand[0]
      => File: ..\pd5-build-64\Debug\crdsiem64.dll
      Stopping file signing.
info: AzureSignTool.SignCommand[0]
      Successful operations: 0
info: AzureSignTool.SignCommand[0]
      Failed operations: 1
```

romanp-nexusgroup commented 3 months ago

I experimented with the arguments, and it turns out that after removing this one

`-tr http://sha256timestamp.ws.symantec.com/sha256/timestamp`

the signing succeeds. I then replaced the timestamp server with the DigiCert one and it still works.

`-tr http://timestamp.digicert.com`

Looks like some issue with the Symantec server? Would be nice to indicate timestamp server issues with some error message if possible.

cbirchy87 commented 2 months ago

We had this issue also. Changing to http://timestamp.digicert.com fixed this issue for us.

vcsjones commented 2 months ago

DigiCert shut down the sha256timestamp.ws.symantec.com timestamp endpoint. The correct replacement is `timestamp.digicert.com`.

See DigiCert's announcement and guidance for the shutdown.

https://docs.digicert.com/en/whats-new/change-log/certcentral.html#august-19--2024
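The thread pins the cause on a retired timestamp authority (TSA) endpoint, but the only symptom the tool showed was the HRESULT from SignerSignEx3. 0x80072EFE is the HRESULT form of WinINet error 12030 (ERROR_INTERNET_CONNECTION_ABORTED), so nothing in it names the `-tr` URL. What follows is an added example, written for this page and not part of the issue or of AzureSignTool, of the kind of pre-flight check the reporter asked for: it hand-encodes a minimal RFC 3161 TimeStampReq, POSTs it to the TSA with the `application/timestamp-query` content type, and reports transport failures, non-DER replies (a retired endpoint that now serves HTML) and TSA-level rejections as distinct messages. The function names (`build_tsq`, `parse_tsr`, `probe_tsa`), the dummy digest and the example responses are the example's own.

```python
"""Pre-flight probe for an RFC 3161 timestamp server.
Added example, not AzureSignTool code. build_tsq() and parse_tsr() are pure
and run offline; only probe_tsa() touches the network."""
import hashlib
import sys
import urllib.error
import urllib.request

OID_SHA256 = bytes.fromhex("608648016503040201")  # id-sha256, DER OID contents
PKI_STATUS = {0: "granted", 1: "grantedWithMods", 2: "rejection",    # RFC 3161 2.4.2
              3: "waiting", 4: "revocationWarning", 5: "revocationNotification"}


def _der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body


def _tlv(buf: bytes, pos: int):
    """Read one DER TLV at pos; return (tag, contents, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, start = first, pos + 2
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        start = pos + 2 + n
    return tag, buf[start:start + length], start + length


def build_tsq(message_hash: bytes) -> bytes:
    """TimeStampReq (RFC 3161 2.4.1): version 1, SHA-256 imprint, certReq TRUE."""
    if len(message_hash) != 32:
        raise ValueError("message_hash must be a SHA-256 digest")
    version = _der(0x02, b"\x01")
    algorithm = _der(0x30, _der(0x06, OID_SHA256) + _der(0x05, b""))  # AlgorithmIdentifier
    imprint = _der(0x30, algorithm + _der(0x04, message_hash))        # MessageImprint
    cert_req = _der(0x01, b"\xff")
    return _der(0x30, version + imprint + cert_req)


def parse_tsr(resp: bytes) -> dict:
    """Decode the PKIStatusInfo of a TimeStampResp and note whether a token follows."""
    tag, body, _ = _tlv(resp, 0)
    if tag != 0x30:
        raise ValueError("TimeStampResp is not a DER SEQUENCE")
    tag, info, after_info = _tlv(body, 0)
    if tag != 0x30:
        raise ValueError("PKIStatusInfo is not a DER SEQUENCE")
    tag, status_bytes, pos = _tlv(info, 0)
    if tag != 0x02:
        raise ValueError("PKIStatus is not an INTEGER")
    status = int.from_bytes(status_bytes, "big")
    texts = []
    if pos < len(info):
        tag, free_text, _ = _tlv(info, pos)
        if tag == 0x30:  # PKIFreeText ::= SEQUENCE OF UTF8String
            q = 0
            while q < len(free_text):
                t, s, q = _tlv(free_text, q)
                if t == 0x0C:
                    texts.append(s.decode("utf-8"))
    has_token = after_info < len(body)  # timeStampToken is OPTIONAL, absent on rejection
    return {"status": status, "status_name": PKI_STATUS.get(status, "unknown"),
            "status_text": texts, "has_token": has_token,
            "ok": status in (0, 1) and has_token}


def probe_tsa(url: str, timeout: float = 10.0) -> tuple:
    """POST a request for a dummy digest (constructed input) and classify the outcome."""
    tsq = build_tsq(hashlib.sha256(b"tsa-probe").digest())
    req = urllib.request.Request(url, data=tsq, method="POST",
                                 headers={"Content-Type": "application/timestamp-query"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as r:
            ctype = r.headers.get("Content-Type", "")
            body = r.read()
    except urllib.error.HTTPError as e:
        return False, f"HTTP {e.code} from {url}: endpoint retired or wrong path"
    except OSError as e:  # DNS failure, refused/aborted connection, timeout
        return False, f"cannot reach {url}: {e}"
    if not body or body[0] != 0x30:
        return False, f"non-DER reply ({ctype or 'no content type'}) from {url}: not a TSA"
    info = parse_tsr(body)
    detail = f"{info['status_name']} {' '.join(info['status_text'])}".strip()
    return info["ok"], f"{url}: {detail}"


if __name__ == "__main__":
    failures = 0
    for tsa_url in sys.argv[1:] or ["http://timestamp.digicert.com"]:
        ok, message = probe_tsa(tsa_url)
        print(("OK   " if ok else "FAIL ") + message)
        failures += 0 if ok else 1
    sys.exit(1 if failures else 0)
```

Run it with the same `-tr` URL the signing step will use and gate the pipeline on its exit code; a reply that is not DER, or a PKIStatus of `rejection`, is caught before SignerSignEx3 is ever called. The probe asks for a real token (`certReq TRUE`), so a granted answer also proves the TSA is issuing, not merely answering HTTP.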