rafw86
Posts: 13
Joined: Tue May 19, 2020 9:43 am

Signing installation package via AzureDevops build task with issues

Thu Jul 15, 2021 5:46 pm

Hello,

I have successfully configured the AzureDevOps build task to create an installation package and sign it with a certificate stored in Azure Key Vault.
The application consists of 3 executable files which are all signed. Also, the installer exe, msi and cab files are signed as stated in the "Files Configured for Signing".

The results of the installer build are as follows:
- Building locally on my own machine with providing the AzureKeyVault secret - everything looks good and is signed. After installing the application it works properly
- Building via Azure DevOps build task - one of the 3 executable files is being signed with an issue which I can see after installation when I check the file signature:
signing issue.png
Also, when I queue several builds containing signing one after another, I get from time to time a build task error saying: "Could not extract digital certificate from ... *.cab1"

I am using Advanced Installer version: 18.4.0
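
A post-build gate for the symptom described in this post (a file whose signature turns out to be bad only when it is inspected after installation), as an added example that is not part of the original thread or of Advanced Installer. It uses the built-in `Get-AuthenticodeSignature` cmdlet; the parameter names `Path`, `Extensions` and `ExpectedThumbprint` are hypothetical, and `Path` is assumed to point at a folder holding the built installer files or the installed application files.

```powershell
# Added example: fail the pipeline step when a signable file lacks a valid signature.
# Parameter names and the extension list are assumptions, not Advanced Installer settings.
param(
    [Parameter(Mandatory)] [string] $Path,
    [string[]] $Extensions = @('.exe', '.dll', '.msi', '.cab'),
    [string] $ExpectedThumbprint   # optional: pin the signer certificate
)

# Collect every file type the build is expected to sign.
$files = Get-ChildItem -LiteralPath $Path -Recurse -File |
    Where-Object { $Extensions -contains $_.Extension.ToLowerInvariant() }

if (-not $files) {
    # An empty folder must not pass the gate silently.
    Write-Error "No signable files found under $Path"
    exit 2
}

$failures = foreach ($file in $files) {
    $sig = Get-AuthenticodeSignature -LiteralPath $file.FullName
    $reason = $null
    if ($sig.Status -ne 'Valid') {
        # Covers NotSigned, HashMismatch, NotTrusted and the other non-valid states.
        $reason = "status $($sig.Status): $($sig.StatusMessage)"
    }
    elseif ($ExpectedThumbprint -and
            $sig.SignerCertificate.Thumbprint -ne $ExpectedThumbprint) {
        # Signed and valid, but by a different certificate than the expected one.
        $reason = "unexpected signer $($sig.SignerCertificate.Thumbprint)"
    }
    if ($reason) {
        [pscustomobject]@{ File = $file.FullName; Reason = $reason }
    }
}

if ($failures) {
    $failures | Format-Table -AutoSize | Out-String | Write-Host
    Write-Error "$(@($failures).Count) file(s) failed signature verification"
    exit 1
}

Write-Host "All $(@($files).Count) file(s) carry a valid signature"
```

Run as a step after the installer build, this turns an intermittent signing failure into a failed build rather than a defect found on an end user's machine.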

Daniel
Posts: 8237
Joined: Mon Apr 02, 2012 1:11 pm

Re: Signing installation package via AzureDevops build task with issues

Fri Jul 16, 2021 9:01 am

Hi,

Can you confirm that the machine your builds run on is a Windows Server 2016?

We were able to replicate these issues only on Windows Server 2016 OS. On this OS version it seems the Microsoft API we use for Azure KeyVault signing randomly fails. We will try to report this issue to Microsoft and in the meantime our dev team is also investigating any possible workaround solutions, but so far we didn't manage to find a workaround.

When a resolution is found, we will update this forum thread.

In the meantime, if this issue is a blocker for you, as a workaround I would suggest that you add your certificate file as a pipeline resource in Azure DevOps (instead of using it from Azure Key Vault). Have a look over the first section (1. Adding the certificate file as a pipeline resource) of our article:

All the best,
Daniel
Daniel Radu - Advanced Installer Team

rafw86
Posts: 13
Joined: Tue May 19, 2020 9:43 am

Re: Signing installation package via AzureDevops build task with issues

Fri Jul 16, 2021 10:19 am

Thank you for your response,
actually the build process is split between two agents:
- build of the artifacts is made on a virtual machine hosted on Azure with Windows 10 Pro with version 10.0.19042 Build 19042
- build of installer with artifacts downloaded from the first step - azure self-hosted agent, windows-2019, agent version 2.188.4, Microsoft Windows Server 2019 10.0.17763
I may try to use the workaround you have attached and will let you know about results, but can it be an issue also on this OS?

rafw86
Posts: 13
Joined: Tue May 19, 2020 9:43 am

Re: Signing installation package via AzureDevops build task with issues

Mon Jul 19, 2021 1:54 pm

I made several tests and it really seems to be a problem with signing from a certificate stored in Azure Key Vault. With the workaround which requires me to upload the certificate into the AzureDevOps library everything seems to be fine. I can live with that solution for now, but do you have this issue in focus? When approximately can I expect this to be fixed in the Azure DevOps task?

Catalin
Posts: 6542
Joined: Wed Jun 13, 2018 7:49 am

Re: Signing installation package via AzureDevops build task with issues

Tue Jul 20, 2021 4:09 pm

Hello Rafael,

My colleague Daniel is offline for the week and from what I can see my colleague Dan has continued his thread over the e-mail.

Thank you for your follow-up on this!

We are glad to hear the workaround suffices for your needs for now.
"but do you have this issue in focus? When approximately can I expect this to be fixed on Azure DevOps task?"
Regarding your question, from what I can see in our bug tracking tool, the issue is under testing now. However, as my colleague Daniel previously mentioned, we only managed to reproduce this on a Windows Server 2016 machine. We might need to provide you with an RC version before the actual release so you can test it in your environment (Windows Server 2019).

Best regards,
Catalin
Catalin Gheorghe - Advanced Installer Team


Catalin
Posts: 6542
Joined: Wed Jun 13, 2018 7:49 am

Re: Signing installation package via AzureDevops build task with issues

Tue Jul 20, 2021 4:33 pm

You are always welcome, Rafael!

Best regards,
Catalin
Catalin Gheorghe - Advanced Installer Team

Catalin
Posts: 6542
Joined: Wed Jun 13, 2018 7:49 am

Re: Signing installation package via AzureDevops build task with issues

Wed Jul 28, 2021 2:35 pm

Hello,

This has been fixed in version 18.5 of Advanced Installer, released on July 27th, 2021.

Best regards,
Catalin
Catalin Gheorghe - Advanced Installer Team

rafw86
Posts: 13
Joined: Tue May 19, 2020 9:43 am

Re: Signing installation package via AzureDevops build task with issues

Wed Jul 28, 2021 2:39 pm

Thanks for the info, I will check that with the latest Advanced Installer version.

Kind regards,
Rafael

Catalin
Posts: 6542
Joined: Wed Jun 13, 2018 7:49 am

Re: Signing installation package via AzureDevops build task with issues

Wed Jul 28, 2021 2:43 pm

You are always welcome, Rafael!

Hope everything will work as expected!

Best regards,
Catalin
Catalin Gheorghe - Advanced Installer Team


Daniel
Posts: 8237
Joined: Mon Apr 02, 2012 1:11 pm

Re: Signing installation package via AzureDevops build task with issues

Wed Aug 11, 2021 8:36 am

This is great! Thank you for confirming the fix!

Daniel
Daniel Radu - Advanced Installer Team