Possible to debug SignService locally?

Open andrewmolyneux opened this issue 4 years ago • 3 comments

Is it feasible at all to spin up SignService under the Visual Studio debugger on my development workstation, or is there stuff in there that absolutely has to run on Azure?

My motivation is that I've had no end of trouble getting it working on Azure, and then it apparently only worked briefly before failing again (see issue #333) so I'm now wondering if I might be able to try it locally to speed up the process of figuring out what the problem is (assuming I can reproduce it locally). As a last resort, if I can understand how the code signing actually works I can maybe write my own code to do the signing as part of my Azure pipeline and reduce the number of moving parts significantly.

andrewmolyneux avatar Jan 07 '21 19:01 andrewmolyneux

You should be able to debug it locally, that's what I do. You'll want to make sure your user account has the right permissions on the Key Vault (especially the configuration one) so that it can pull down the config on start. Then in the Azure Authentication preference in VS, make sure the right identity is selected.

I will usually set multiple startup projects, with the client and service.

In the appsettings.json for the client, put in the right URL/IDs.

In the launchsettings.json for the client, I'll have something like:

    "SignClient-OBO-PS1": {
      "commandName": "Project",
      "commandLineArgs": "sign -c d:\\dev\\SignService\\src\\SignClient\\appsettings.json -i D:\\dev\\signtest\\init.ps1 -o D:\\dev\\signtest\\signed\\init.ps1 -n Claire -r someaccount@thedomain -s ThePassword"
    },

In the server launchSettings.json, make sure you have the right configuration keyvault url in there:

    "IIS Express": {
      "commandName": "IISExpress",
      "launchBrowser": true,
      "launchUrl": "https://localhost:44351/",
      "environmentVariables": {
        "ASPNETCORE_ENVIRONMENT": "Development",
        "ASPNETCORE_HOSTINGSTARTUP__KEYVAULT__CONFIGURATIONENABLED": "true",
        "ASPNETCORE_HOSTINGSTARTUP__KEYVAULT__CONFIGURATIONVAULT": "https://signservice-dev-settings.vault.azure.net/"        
      }
    },

clairernovotny avatar Jan 07 '21 19:01 clairernovotny

Thanks Claire! It's getting a bit late in the day for me now but I'll have a go at that in the morning and let you know if I encounter any problems.

andrewmolyneux avatar Jan 07 '21 19:01 andrewmolyneux

Also trying to set this up. When the SignService starts it pops up an authentication window, where I authenticate myself and it fails saying:

AADSTS50011: The reply URL specified in the request does not match the reply URLs configured for the application: '141f.....

This application GUID is the secret for AzureAd--ClientId so it must have authenticated something to read this value. Is there an additional step of configuring the reply-to URL?

Edit.

For me I had to go to the Azure portal, find the app registration for SignService Server, then under Authentication, add https://localhost:44351/signin-oidc or whatever you have in your service launchsettings.json

Notes: Don't try to sign an empty .ps1 file as that won't work; zero-sized files don't get copied to the random file that the service looks for.

yowl avatar Sep 09 '21 15:09 yowl