Problem with Advanced Installer 22.8 and signtool in docker container

[francis]

I have been using Advanced Installer 22.2 for building my app.I recently tried to switch to version 22.8, but it fails during the "/build" command.

Our build is run from a gitlab CI pipeline and uses docker containers. So this happens when running the build inside a docker container.It has been working fine with version 22.2, but fails with version 22.8.

The error shown is:

Checking builds status
Build required.

[ DefaultBuild ]
Building package: C:\builds\kuvacode\smartshooter6\out\artifacts\capturegrid_win_v6_0-97-g2ffdc82.msi
Prepare build
Detecting MSI incompatible resources
ERROR: Digital signature. KB 3118401 is not installed. Selected "signtool.exe" requires the Windows update known as "Update for Universal C Runtime in Windows, KB 3118401".
Preparing files
Trusted Signing requires minimum Trusted Signing Client Tools 1.0.0 installed. Trusted Signing Client Tools will be downloaded and installed automatically.
The digital signing of the APPDIR\CaptureGRID6.exe file failed. Error message: '
Make sure that cloud signing account (Trusted Signer/Azure Key Vault/Device Guard) is configured correctly and your Internet connection is working.
For a possible solution please check our Digital Signature FAQ from:
https://www.advancedinstaller.com/user- ... ature.html '

Build finished because an error was encountered.
make[1]: *** [installer] Error -536805276

Note. this only happens when running the build inside a docker container. If I run the build on my local machine then it works correctly.

[Catalin]

Hello Francis and welcome to our forums,

When using Trusted Signing the Azure account used to access the certificate is selected by the Windows operating system. We cannot configure those credentials and logins.

On your machine there may be a problem with the Azure logins cached in the system. Can you try to manually open the Azure web site and login using your credentials:

https://portal.azure.com/

You can also take a look at the following article:
viewtopic.php?t=52565

Authentication is handled outside of Advanced Installer, by the operating system. We recommend that you use the Azure CLI to confirm authentication, and then try a test sign operation from the command line before returning to the Advanced Installer and building the project.

In our tests we also noticed issues with changing the Azure account due to conflicts in the OS credentials management system.

Also check the MS docs on authentication issues and recommendations:

https://learn.microsoft.com/en-us/azure ... igning/faq

https://learn.microsoft.com/en-us/dotne ... ure-dotnet

For one user, the problem was resolved after deleting the folder: C:\Users\<Username>\AppData\Local\.IdentityService

Let me know if that helped.

Best regards,
Catalin

[francis]

Please note that this is related to using advanced installer from inside of a windows docker container.
So I do not think it can be related to user credentials cached by the OS, because it uses a different method for identification with the azure trusted signing server.
That is, it uses the method described here:
https://www.advancedinstaller.com/user- ... gning.html

My build process, that is running from gitlab inside a windows docker container, sets up the environment variables for AZURE_TENANT_ID, AZURE_CLIENT_ID, and AZURE_CLIENT_SECRET.

So with Advanced Installer 22.2 it works fine, but with 22.8 and 22.9, it fails with that error message:

ERROR: Digital signature. KB 3118401 is not installed. Selected "signtool.exe" requires the Windows update known as "Update for Universal C Runtime in Windows, KB 3118401".

[Catalin]

Hello Francis,

Thank you for the followup on this.

I'm sorry to hear that my previous suggestions did not quite help.

Unfortunately, we were only able to reproduce this on our end by having the wrong certificate name specified.

That being said, could you please double check that and let me know if that is the case?

In addition to that, if the signing works just fine outside of Advanced Installer, I would also try to see if the "Custom Signtool" option helps here. Basically, you can call your own SignTool with the command line that you used outside of Advanced Installer.

Best regards,
Catalin

[francis]

Unfortunately, we were only able to reproduce this on our end by having the wrong certificate name specified.
That being said, could you please double check that and let me know if that is the case?

No, to clarify this point about the certificate and authentication; the authentication is automated though the use of the AZURE_CLIENT_ID, AZURE_CLIENT_SECRET, AZURE_TENANT_ID environment variables which point to my azure trusted signing server account. This is tested and working with AdvancedInstaller v22.3. If I change my build to using AdvancedInstalled v23.0 then the issue happens - nothing else is different apart from the version of AdvancedInstaller that is being used.
The build is all encapsulated in a docker container - so the only different is the AdvancedInstaller version that is installed inside the docker container.

What's odd is this line from the output:

Trusted Signing requires minimum Trusted Signing Client Tools 1.0.0 installed. Trusted Signing Client Tools will be downloaded and installed automatically.

i don't see this in v22.3, only in the later versions that aren't working.
Is it related to that somehow?
It seems to indicate that AdvancedInstaller is downloaded some new signing tools during the build, so it makes me suspicious.

Regarding switching to "custom signtool", I'd prefer to avoid this as I wanted AdvancedInstaller to hide these details. I currently use the "Use Trusted Signing" option, how can I map that to the actual command that is run with signtool?

[Catalin]

Hello Francis,

Thank you for your followup on this and for sharing the details with me.

The biggest problem here is that we weren't able to reproduce this at all on our end - the only way was by having the wrong certificate name specified.

I will try to discuss this tomorrow with our QA team to run some more tests and hopefully we will be able to reproduce the issue.

Best regards,
Catalin

[francis]

OK I think I found the root cause of this.
My docker container is built on top of this docker image from microsoft:

FROM mcr.microsoft.com/windows/servercore:ltsc2022

It seems the signtool from the latest Windows SDK 10.0.26100.0 is incompatiblity with this and will not run.
And it happens that the signtool included as part of AdvancedInstalled v23 is that one.

The fix was to move to the latest docker image from microsoft, which is:

FROM mcr.microsoft.com/windows/servercore:ltsc2025

I switched to that and now everything is working again!

[Catalin]

Hello Francis,

Thank you so much for your followup on this and for sharing the solution with us.

I am sure this will be of help for other users!

Best regards,
Catalin