Why will AI not code-sign from an Azure Pipeline Build Agent?

[jmoleary]

I have a Digicert USB Dongle.
I exported the .CER file and set up the code-signing to use this file as described in the AI User guide.
And it works just fine.
But only if I build the AI project interactively.

But when my Azure Pipeline, self-hosted build agent goes off, the code-signing step fails. It gives me this error message

[ DefaultBuild ]
Creating MSI database (en)
The digital signing of the C:\Program Files (x86)\Caphyon\Advanced Installer 20.7.1\custact\x86\viewer.exe file failed. Error message: 'SignTool Error: No certificates were found that met all the given criteria.

But the certificate file is sitting right there, in the folder where AI expects it to be. In fact, if I go over to that agent PC (it's on my desk) and open up the very same AIP project in the same folder that the build agent just failed on, and I build it -- it code signs just fine.

So why can AI not find the certificate from a build agent?


This is the Azure pipeline step. Pretty simple (I've obscured the license file text

Code: Select all

- task: AdvancedInstaller@2
  displayName: 'Build Installer'
  inputs:
    advinstLicense: '****'
    aipPath: '$(mobileFolder)/Installer/MyApp.aip'

(Note that the machine has the very latest AI version 20.7.1)

Edited to add: I tried reinstalling the Azure Build agent (which runs as a Windows Service) to run under one of my own accounts instead of as the service-account it uses by default. It did not fix the issue.

[Catalin]

Hello,

From what I can see, you have a similar thread going on with my colleague Liviu here:

Unable to code-sign with USB Dongle and Azure Pipeline Agent

Could you please take a look over that and let me know if it helps?

From what I understand there, this isn't really something we can assist you, but rather something that your certificate vendor can assist you with.

Best regards,
Catalin

[jmoleary]

My apologies. I never saw Liviu's final reply on that thread. It was so long ago.

Back then I was able to work around the issue by signing my older, software-based .PFX file (from a software-only certificate that we'd purchased totally separate from our Digicert Dongle). Somehow, as long as the USB was also plugged in, it seemed to work. Now I'm starting to think the dongle wasn't doin anything.

Anyway, now that the certificate has expired and we have only the Digicert certificate so I have to find a way to make it work with just this.

I will follow Liviu's suggestion and try to make Azure Key Vault work.

[Catalin]

Hello,

My apologies. I never saw Liviu's final reply on that thread. It was so long ago.

No worries about this!

Thank you for your followup on this and I hope the solution offered by my colleague Liviu will help.

Best regards,
Catalin