BaseHead
Posts: 12
Joined: Tue May 28, 2013 10:10 am

Comodo EV Certificate and Jenkins Build Server issue

Hey!
So....AI works great standalone with a Comodo EV Cert but I get this error when batching it on a Jenkins Build Server

The digital signing of the APPDIR\BaseHead.exe file failed. Error message: 'SignTool Error: No certificates were found that met all the given criteria.
Certificate "3cab782003a8c3f69e8a13d48234369c0718779f" is missing from store!

I "think" it's cuz Comodo put the EV cert in a Private store instead of a Public one.
Any ideas how to fix this so I can have full build server bliss? ;-)

Also.... My cert is on a hardware Smart Card AND it's up for renewal in a few weeks so if there is a better option to ditch the hardware I'm all ears 8-)

Thx so much!
Steve
Catalin
Posts: 6592
Joined: Wed Jun 13, 2018 7:49 am

Re: Comodo EV Certificate and Jenkins Build Server issue

Hello Steve,

Could you please give me some more details about how you have configured your project in "Digital Signature" page (for instance, a screenshot would really help)?

Judging by the details you have provided, I am assuming you are using the "Use from certificate store:" option.

If that is the case, could you please tell me where you have your certificate installed so I can run few tests on my machine?

Best regards,
Catalin
Catalin Gheorghe - Advanced Installer Team
BaseHead
Posts: 12
Joined: Tue May 28, 2013 10:10 am

Re: Comodo EV Certificate and Jenkins Build Server issue

thx for the help
Yup...here are my settings
AI Sign.PNG
and here is where the SmartCard based EV cert shows up on my PC automatically
AI Sign2.PNG
It never came with a soft cert to install and I don't think one is even available for EV certs, but I could be wrong. :D

lmk what else you need!
s.
Catalin
Posts: 6592
Joined: Wed Jun 13, 2018 7:49 am

Re: Comodo EV Certificate and Jenkins Build Server issue

Hello Steve,

Most likely, this is more of an issue regarding Jenkins and your machine rather than Advanced Installer.

Unfortunately, I am not an expert in Jenkins, therefore I can not really help that much.

Nonetheless, I will try my best to assist you, hopefully we will get to the end of this.

Thank you for the provided screenshots. Based on them, I would like to clarify some things:

I am noticing the use of certlm.msc (the Certificate Manager for the local machine). As you may already know, accessing the local machine's Certificate Manager requires administrator privileges (e.g. the user being an administrator or the user having the rights to read from it).

I am not quite sure how you have configured your Jenkins server. For instance, on my test machine, Jenkins is configured to run as a service and the user under which it's run is the LocalSystem account. This user has extensive privileges on the local computer, therefore it can access the local Certificate Stores.

Most likely, since you are using a production environment, I am assuming your Jenkins service runs under a different account which has the "Log on as a service" policy set for it.

My question here would be, is the account under which the Jenkins service runs an administrator account? If not, then this might be a privilege issue, since the account that runs the service can not access the local Certificate Stores.

Another thing that I've noticed is this:
Certificate "3cab782003a8c3f69e8a13d48234369c0718779f" is missing from store!
Obviously, as seen from the screenshot, your certificate has a totally different name.

I am not sure what "3cab782003a8c3f69e8a13d48234369c0718779f" represents here. To have a better look at this, could you please:

- open certlm.msc

- Personal --> Certificates --> double click on your certificate --> Details tab --> let me know if the above string matches any field from there?

Hope this helps somehow!

Best regards,
Catalin
Catalin Gheorghe - Advanced Installer Team
BaseHead
Posts: 12
Joined: Tue May 28, 2013 10:10 am

Re: Comodo EV Certificate and Jenkins Build Server issue

Thx for the reply once again!

Yep it looks like that is the Thumbprint of my Smart Card Cert that is set in AI
AI3.PNG
I only have a single admin account but I think you are right this is a Jenkins problem more than anything cuz I just noticed I'm getting errors with basic signing commands like the below saying it can't find the cert also inside Jenkins
ScSignTool -pin A2XXXr sign /a License Request.exe

thx for your help but I think I need to get that to work first before I can expect the AI plugin to work with code signing also ;-)
cya!
Catalin
Posts: 6592
Joined: Wed Jun 13, 2018 7:49 am

Re: Comodo EV Certificate and Jenkins Build Server issue

You are always welcome, Steve!

I hope everything will work out in the end.

Best regards,
Catalin
Catalin Gheorghe - Advanced Installer Team
BaseHead
Posts: 12
Joined: Tue May 28, 2013 10:10 am

Re: Comodo EV Certificate and Jenkins Build Server issue

Ok for anyone that stumbles onto this with the same problem....
I figured it out and the answer is to create an agent Node in Jenkins to do the work for you.
It can be on the same machine no problem

here are some helpful links on how to create this.
https://wiki.jenkins.io/display/JENKINS ... on+Windows

http://jenkins-ci.361315.n4.nabble.com/ ... 67273.html

Then once completed I still didn't have much luck until I opened the new agent service that was just created in Windows Services and changed it from Local System Account and forced it to log on to 'This Account', even though I only have one on this system that is already an Admin
This is a really important step also I have found ;-)
AI Service.PNG
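
A diagnostic for the situation resolved in the post above, as an added example that is not part of the original thread or of Advanced Installer: run it once as a Jenkins build step and once from an interactive console, then compare which account each run reports and whether the thumbprint from the SignTool error is visible with a private key. The `jenkins%` service-name filter is an assumption; adjust it to the names shown in Windows Services.

```powershell
# Added diagnostic, not from the original thread.
param(
    # Thumbprint taken from the SignTool error quoted in the thread.
    [string]$Thumbprint = '3cab782003a8c3f69e8a13d48234369c0718779f',
    # Assumption: the Jenkins controller/agent service names start with "jenkins".
    [string]$ServiceFilter = "Name LIKE 'jenkins%'"
)

# 1. Identity this step actually runs under (LocalSystem vs. a named account).
$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
"Running as: $($identity.Name)  (IsSystem = $($identity.IsSystem))"

# 2. Logon account configured for each matching Windows service
#    (the 'Log On' tab setting changed in the post above).
Get-CimInstance -ClassName Win32_Service -Filter $ServiceFilter |
    Select-Object Name, State, StartName |
    Format-Table -AutoSize | Out-String

# 3. Look for the certificate in the stores visible to THIS identity.
#    CurrentUser\My is per-account, so the result can differ between accounts.
$needle = ($Thumbprint -replace '[^0-9a-fA-F]', '').ToUpperInvariant()
$results = foreach ($store in 'Cert:\CurrentUser\My', 'Cert:\LocalMachine\My') {
    $cert = Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
        Where-Object { $_.Thumbprint -eq $needle } |
        Select-Object -First 1
    [pscustomobject]@{
        Store         = $store
        Found         = [bool]$cert
        HasPrivateKey = if ($cert) { $cert.HasPrivateKey } else { $null }
        NotAfter      = if ($cert) { $cert.NotAfter } else { $null }
    }
}
$results | Format-Table -AutoSize | Out-String

# 4. Fail the build step early when signing cannot possibly succeed.
if (-not ($results | Where-Object { $_.Found -and $_.HasPrivateKey })) {
    Write-Warning "Certificate $needle with a private key is not visible to $($identity.Name)."
    exit 1
}
```

If the interactive run finds the certificate and the Jenkins run does not, the difference is the account or session the build runs in, not the signing configuration in the installer project.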
Catalin
Posts: 6592
Joined: Wed Jun 13, 2018 7:49 am

Re: Comodo EV Certificate and Jenkins Build Server issue

Hello Steve,

Thank you very much for your follow-up on this and for sharing your solution with us.

I am sure this will be of help for further users facing a similar scenario.

I remember reading about the same suggestion, but the post was quite old and therefore I decided against suggesting it.

Anyway, I am really glad everything works as expected now.

Best regards,
Catalin
Catalin Gheorghe - Advanced Installer Team
