jmoleary
Posts: 42
Joined: Mon May 13, 2019 7:30 pm

Unable to code-sign with USB Dongle and Azure Pipeline Agent

I have an EV Code Signing Certificate with a dongle from DigiCert. I need to change my nightly Azure Pipeline build to use it. But I cannot get the AI Build step to code-sign with it. Note that we've long used a local Build Agent to build on our local machine so the only change here is the code-signing.

I've already got it AI code-signing fine with our old .PFX certificate file and password (stored in Azure DevOps and downloaded at build time). Below is our old pipeline step that works with our old certificate, where no dongle was needed.

Code:

- task: AdvancedInstaller@2
  displayName: 'Build Installer'
  inputs:
    advinstLicense: '******'
    aipPath: '$(appFolder)/Installer/MyApp.aip'
    aipExtraCommands: 
        'SetDigitalCertificateFile -file $(codeSignCertificate.secureFilePath) -password $(signingPassword)'

So with this new one, I cannot get a .PFX file, just a .CER file. So here's what I've tried

1. Just use the .CER file in place of the old .PFX
I know that the .CER file does not need to be protected but I tried to make my pipeline download/use THAT in place of the old .PFX file. But the AI Build step complained "Invalid PFX File!". So I guess I cannot use a .CER file there.


2. Follow the instructions (haha) and just specify the password
Next I found this page with instructions here for EV code-signing

https://www.advancedinstaller.com/user- ... gning.html

This works fine if I just manually build the installer with AI, but it requires me to enter the password. And the only options it gives me are to either manually enter the password once (not an option for a pipeline) or to "store encrypted password in project file". I don't want to do that either. I want to keep my password in Devops pipeline variables and to continue to specify it in my AI Pipeline build task. I tried to do it like this:

Code:

aipExtraCommands: 
        'SetDigitalCertificatePassword -password $(signingPassword)'

But this fails with the message " Error: SetDigitalCertificatePassword -password ***" (I did update the password used, I promise).

3. Try to use the encrypted password in the AI project File

Finally I gave in and chose the option to "store encrypted password". I built locally, typed it in and it worked fine. So I completely removed the entire aipExtraCommands section from my pipeline YAML (no need to specify a password or file if the info is all in the .AIP file, right?), checked it all in and kicked off a new build. But when I then do a build through the pipeline, the same build fails. Only this time the error message is as follows:

Code:

The digital signing of the APPDIR\gshostid_v143.exe file failed. Error message: 'SignTool Error: No certificates were found that met all the given criteria.
Certificate "3dafd32c5dfa8cca83c3f799a7d1b29d2e495b1c" is missing from store!

So basically there seems to be no way to build with Azure Pipelines at all.

1. Can someone tell me what I am doing wrong?
2. Is it possible to do this without storing the encrypted password in the project file?
Liviu
Posts: 1048
Joined: Tue Jul 13, 2021 11:29 am

Re: Unable to code-sign with USB Dongle and Azure Pipeline Agent

Hello,

Sorry for the delayed reply on this.

Can you please try to ask your certificate vendor to generate a .pfx file for you? Meanwhile, you can try to manually convert your .cer file to .pfx using a
tool like Pvk2Pfx. More details on the How to create .pfx file from certificate and private key article.

After that, you can follow the steps from our Adding the certificate file as an Azure pipeline resource article.

Hope this helps! Please let us know if you have any questions.

Best regards,
Liviu
________________________________________
Liviu Sandu - Advanced Installer Team
jmoleary
Posts: 42
Joined: Mon May 13, 2019 7:30 pm

Re: Unable to code-sign with USB Dongle and Azure Pipeline Agent

I will try to look into that but, just so I understand clearly before spending another day on this, are you certain that it is possible to use a .PFX file when a dongle is required by Digicert in the code-signing step?
Liviu
Posts: 1048
Joined: Tue Jul 13, 2021 11:29 am

Re: Unable to code-sign with USB Dongle and Azure Pipeline Agent

Hello,

From what we know this should be possible, but to be honest we never ran a real test for this use case. This is why we encourage you to contact your certificate vendor and ask them how you can export your certificate into a PFX file (in case you did not have too much success with using the Pvk2Pfx certificate conversion tool).

Best regards,
Liviu
________________________________________
Liviu Sandu - Advanced Installer Team
jmoleary
Posts: 42
Joined: Mon May 13, 2019 7:30 pm

Re: Unable to code-sign with USB Dongle and Azure Pipeline Agent

Unfortunately, Digicert tells me this is not possible. If it were it would defeat the purpose of the dongle in the first place. They will not let me export a PFX with password.

So I need to make this work in one of two ways:
  • Make AI use the .CER file with the password stored in the project file, OR
  • Completely take over the signtool command line (That's why I asked the other question about making AI show me what it uses for the signtool command line)
But of course I need to be able to make this happen non-interactively from a service account. From the message that AI is giving me (relayed via signtool), it would appear that somehow whatever step AI is using is making signtool consult the current user's Windows certificate store. I need to find a way to make that not happen. I need it to be able to get everything it needs from the .CER file. Without this I cannot sign my code.

Again, all this stuff works just fine if I do it manually while logged in. But surely someone else must be using AI, a dongle, and an Azure Devops Build agent, no?
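An added diagnostic (not from the original thread or from the Advanced Installer team) for the "missing from store" error above: run it as a PowerShell step on the build agent so it reports what the build identity, not the interactive user, can see in each certificate store, and which key provider holds the private key. The thumbprint default is the one quoted in the SignTool error earlier in the thread; the store paths and .NET calls are standard Windows APIs, everything else is assumed.

```powershell
# Added diagnostic, not part of the original thread. Run as a pipeline step so the
# output reflects the service account the agent runs under.
param(
    # Default: the thumbprint from the SignTool error quoted in the thread.
    [string]$Thumbprint = '3dafd32c5dfa8cca83c3f799a7d1b29d2e495b1c'
)

$Thumbprint = $Thumbprint.ToUpperInvariant()
"Running as: $([System.Security.Principal.WindowsIdentity]::GetCurrent().Name)"

foreach ($store in 'Cert:\CurrentUser\My', 'Cert:\LocalMachine\My') {
    $cert = Get-ChildItem -Path $store | Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert) {
        # This is exactly the condition SignTool reports as "missing from store":
        # the store is per-identity, so a certificate the logged-in user imported
        # is invisible to a build agent running as a different account.
        "$store : certificate NOT present for this identity"
        continue
    }
    "$store : found '$($cert.Subject)', expires $($cert.NotAfter)"
    if (-not $cert.HasPrivateKey) {
        # A .cer carries only the public certificate; nothing here can sign.
        "$store : public certificate only, no private key"
        continue
    }
    try {
        # Ask Windows which provider holds the key. A token-backed key reports the
        # vendor's CSP/KSP and is non-exportable: the key never leaves the device,
        # which is why no .pfx can be issued for it.
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
        if ($rsa -is [System.Security.Cryptography.RSACng]) {
            "$store : CNG provider '$($rsa.Key.Provider.Provider)', export policy $($rsa.Key.ExportPolicy)"
        } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
            $info = $rsa.CspKeyContainerInfo
            "$store : CSP '$($info.ProviderName)', hardware device: $($info.HardwareDevice), exportable: $($info.Exportable)"
        } else {
            "$store : private key present, provider type $($rsa.GetType().Name)"
        }
    } catch {
        # Typical when the token is unplugged or its driver is not loaded for this session.
        "$store : private key is registered but could not be opened: $($_.Exception.Message)"
    }
}
```

If the certificate shows up only under CurrentUser for the interactive user and not for the agent's identity, that alone explains the error; the key-provider line then tells you whether a software export was ever an option.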
Liviu
Posts: 1048
Joined: Tue Jul 13, 2021 11:29 am

Re: Unable to code-sign with USB Dongle and Azure Pipeline Agent

Hello,

We further investigated this and here is what we found.

It seems that you must have your certificate imported in Azure Key Vault. From my investigation so far it seems you need a certificate that has a hardware security module (HSM), and not one with a physical USB key.

Can you please ask your provider (DigiCert) how to import your certificate into Azure Key Vault?

If you successfully import it into Key Vault, then you can use our support for Key Vault. For that you just need to follow the steps described in our Loading the certificate from Azure Key Vault article.

Hope this helps!

Best regards,
Liviu
________________________________________
Liviu Sandu - Advanced Installer Team
jmoleary
Posts: 42
Joined: Mon May 13, 2019 7:30 pm

Re: Unable to code-sign with USB Dongle and Azure Pipeline Agent

Hi Liviu,

My apologies. I never saw your final reply on this thread. It was so long ago.

Back then I was able to work around the issue by signing with my older, software-based .PFX file (from a software-only certificate that we'd purchased totally separate from our Digicert Dongle). Somehow, as long as the USB was also plugged in, it seemed to work. Now I'm starting to think the dongle wasn't doing anything.

Anyway, now that the certificate has expired and we have only the Digicert certificate, I have to find a way to make it work with just this.

I will follow your suggestion and try to make Azure Key Vault work.
Liviu
Posts: 1048
Joined: Tue Jul 13, 2021 11:29 am

Re: Unable to code-sign with USB Dongle and Azure Pipeline Agent

Hello,

Everything should work as expected if you follow our article.

However, feel free to notify us if you encounter any problems during this implementation.

Best regards,
Liviu
________________________________________
Liviu Sandu - Advanced Installer Team