Steeltoe
Steeltoe copied to clipboard
SteeltoeOSS
Warning during package signing
Since the changes in https://github.com/SteeltoeOSS/Steeltoe/pull/1510, the Steeltoe Package pipeline produces several warnings in the Sign Packages step:
The client secret options are obsolete and should no longer be specified.Error response [guid] 401 Unauthorized(appears 5x with different guids)
Should investigate whether they can be fixed.
Copy of raw logs from https://dev.azure.com/SteeltoeOSS/Steeltoe/_build/results?buildId=31335&view=logs&j=42d352a7-d37e-51f9-7ed6-8f20de56fe46&t=3a248c22-9aaf-5f99-25e9-d21cd334579a:
2025-05-01T07:34:12.9391672Z ##[section]Starting: Sign packages
2025-05-01T07:34:12.9411035Z ==============================================================================
2025-05-01T07:34:12.9411582Z Task : PowerShell
2025-05-01T07:34:12.9411925Z Description : Run a PowerShell script on Linux, macOS, or Windows
2025-05-01T07:34:12.9412104Z Version : 2.247.1
2025-05-01T07:34:12.9412452Z Author : Microsoft Corporation
2025-05-01T07:34:12.9412629Z Help : https://docs.microsoft.com/azure/devops/pipelines/tasks/utility/powershell
2025-05-01T07:34:12.9413210Z ==============================================================================
2025-05-01T07:34:15.4807239Z Generating script.
2025-05-01T07:34:15.5461378Z ========================== Starting Command Output ===========================
2025-05-01T07:34:15.5818090Z ##[command]"C:\Program Files\PowerShell\7\pwsh.exe" -NoLogo -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -Command ". 'D:\a\_temp\c9f06014-febd-4c66-9239-895ba7cdfe4c.ps1'"
2025-05-01T07:34:17.1161529Z The client secret options are obsolete and should no longer be specified.
2025-05-01T07:34:17.6343650Z warn: Azure.Core[8]
2025-05-01T07:34:17.6345487Z Error response [278cb0fa-1457-453a-b5c1-c72ad88e66aa] 401 Unauthorized (00.2s)
2025-05-01T07:34:17.6346309Z Cache-Control:no-cache
2025-05-01T07:34:17.6347037Z Pragma:no-cache
2025-05-01T07:34:17.6347687Z x-ms-keyvault-region:westus
2025-05-01T07:34:17.6348620Z x-ms-client-request-id:278cb0fa-1457-453a-b5c1-c72ad88e66aa
2025-05-01T07:34:17.6349663Z x-ms-request-id:ebd85fb9-8890-44f5-877c-8ae55cca3bac
2025-05-01T07:34:17.6350368Z x-ms-keyvault-service-version:1.9.2336.1
2025-05-01T07:34:17.6351081Z x-ms-keyvault-network-info:conn_type=Ipv4;addr=13.83.5.189;act_addr_fam=InterNetwork;
2025-05-01T07:34:17.6352360Z X-Content-Type-Options:REDACTED
2025-05-01T07:34:17.6353093Z Strict-Transport-Security:REDACTED
2025-05-01T07:34:17.6353993Z WWW-Authenticate:Bearer authorization="https://login.microsoftonline.com/***", resource="https://vault.azure.net"
2025-05-01T07:34:17.6354673Z Date:Thu, 01 May 2025 07:34:17 GMT
2025-05-01T07:34:17.6355215Z Content-Type:application/json; charset=utf-8
2025-05-01T07:34:17.6356020Z Expires:-1
2025-05-01T07:34:17.6356908Z Content-Length:97
2025-05-01T07:34:17.6357756Z
2025-05-01T07:34:18.4897373Z warn: Azure.Core[8]
2025-05-01T07:34:18.4899051Z Error response [7b678bf9-7012-4cff-9d68-422849abc86d] 401 Unauthorized (00.0s)
2025-05-01T07:34:18.4900187Z Cache-Control:no-cache
2025-05-01T07:34:18.4901310Z Pragma:no-cache
2025-05-01T07:34:18.4902367Z x-ms-keyvault-region:westus
2025-05-01T07:34:18.4907101Z x-ms-client-request-id:7b678bf9-7012-4cff-9d68-422849abc86d
2025-05-01T07:34:18.4908539Z x-ms-request-id:fba57da3-9456-44ee-8504-d14daa6477c2
2025-05-01T07:34:18.4909905Z x-ms-keyvault-service-version:1.9.2336.1
2025-05-01T07:34:18.4911136Z x-ms-keyvault-network-info:conn_type=Ipv4;addr=13.83.5.189;act_addr_fam=InterNetwork;
2025-05-01T07:34:18.5011616Z X-Content-Type-Options:REDACTED
2025-05-01T07:34:18.5013174Z Strict-Transport-Security:REDACTED
2025-05-01T07:34:18.5014150Z WWW-Authenticate:Bearer authorization="https://login.microsoftonline.com/***", resource="https://vault.azure.net"
2025-05-01T07:34:18.5015103Z Date:Thu, 01 May 2025 07:34:17 GMT
2025-05-01T07:34:18.5017407Z Content-Type:application/json; charset=utf-8
2025-05-01T07:34:18.5018362Z Expires:-1
2025-05-01T07:34:18.5019272Z Content-Length:97
2025-05-01T07:34:18.5020511Z
2025-05-01T07:34:18.5053471Z warn: Azure.Core[8]
2025-05-01T07:34:18.5054410Z Error response [b10cce58-3c98-45a5-9c7d-a280df254155] 401 Unauthorized (00.0s)
2025-05-01T07:34:18.5058322Z Cache-Control:no-cache
2025-05-01T07:34:18.5073724Z Pragma:no-cache
2025-05-01T07:34:18.5075060Z x-ms-keyvault-region:westus
2025-05-01T07:34:18.5078556Z x-ms-client-request-id:b10cce58-3c98-45a5-9c7d-a280df254155
2025-05-01T07:34:18.5079802Z x-ms-request-id:48a76087-d8ef-4442-8fdf-c8efaf059595
2025-05-01T07:34:18.5080986Z x-ms-keyvault-service-version:1.9.2336.1
2025-05-01T07:34:18.5081834Z x-ms-keyvault-network-info:conn_type=Ipv4;addr=13.83.5.189;act_addr_fam=InterNetwork;
2025-05-01T07:34:18.5082869Z X-Content-Type-Options:REDACTED
2025-05-01T07:34:18.5084017Z Strict-Transport-Security:REDACTED
2025-05-01T07:34:18.5085842Z WWW-Authenticate:Bearer authorization="https://login.microsoftonline.com/***", resource="https://vault.azure.net"
2025-05-01T07:34:18.5087443Z Date:Thu, 01 May 2025 07:34:17 GMT
2025-05-01T07:34:18.5088529Z Content-Type:application/json; charset=utf-8
2025-05-01T07:34:18.5089269Z Expires:-1
2025-05-01T07:34:18.5089975Z Content-Length:97
2025-05-01T07:34:18.5090704Z
2025-05-01T07:34:18.5165008Z warn: Azure.Core[8]
2025-05-01T07:34:18.5165662Z Error response [9ad627c4-baae-45da-9d6e-11f3d421a3b9] 401 Unauthorized (00.0s)
2025-05-01T07:34:18.5167708Z Cache-Control:no-cache
2025-05-01T07:34:18.5168700Z Pragma:no-cache
2025-05-01T07:34:18.5169572Z x-ms-keyvault-region:westus
2025-05-01T07:34:18.5170404Z x-ms-client-request-id:9ad627c4-baae-45da-9d6e-11f3d421a3b9
2025-05-01T07:34:18.5171179Z x-ms-request-id:9d5c703c-598d-4147-b01a-4dfe8a4a9ff8
2025-05-01T07:34:18.5171596Z x-ms-keyvault-service-version:1.9.2336.1
2025-05-01T07:34:18.5171956Z x-ms-keyvault-network-info:conn_type=Ipv4;addr=13.83.5.189;act_addr_fam=InterNetwork;
2025-05-01T07:34:18.5172912Z X-Content-Type-Options:REDACTED
2025-05-01T07:34:18.5174052Z Strict-Transport-Security:REDACTED
2025-05-01T07:34:18.5174550Z WWW-Authenticate:Bearer authorization="https://login.microsoftonline.com/***", resource="https://vault.azure.net"
2025-05-01T07:34:18.5174925Z Date:Thu, 01 May 2025 07:34:18 GMT
2025-05-01T07:34:18.5175408Z Content-Type:application/json; charset=utf-8
2025-05-01T07:34:18.5175843Z Expires:-1
2025-05-01T07:34:18.5176579Z Content-Length:97
2025-05-01T07:34:18.5177063Z
2025-05-01T07:34:18.5187636Z warn: Azure.Core[8]
2025-05-01T07:34:18.5188667Z Error response [f7f5e39e-34b5-45ae-8bc2-99b1337f7c55] 401 Unauthorized (00.0s)
2025-05-01T07:34:18.5189857Z Cache-Control:no-cache
2025-05-01T07:34:18.5190536Z Pragma:no-cache
2025-05-01T07:34:18.5190930Z x-ms-keyvault-region:westus
2025-05-01T07:34:18.5191292Z x-ms-client-request-id:f7f5e39e-34b5-45ae-8bc2-99b1337f7c55
2025-05-01T07:34:18.5191618Z x-ms-request-id:e9fbd864-e399-462b-9c90-4dbea97a4da6
2025-05-01T07:34:18.5191908Z x-ms-keyvault-service-version:1.9.2336.1
2025-05-01T07:34:18.5192497Z x-ms-keyvault-network-info:conn_type=Ipv4;addr=13.83.5.189;act_addr_fam=InterNetwork;
2025-05-01T07:34:18.5193151Z X-Content-Type-Options:REDACTED
2025-05-01T07:34:18.5193664Z Strict-Transport-Security:REDACTED
2025-05-01T07:34:18.5194241Z WWW-Authenticate:Bearer authorization="https://login.microsoftonline.com/***", resource="https://vault.azure.net"
2025-05-01T07:34:18.5194986Z Date:Thu, 01 May 2025 07:34:17 GMT
2025-05-01T07:34:18.5195318Z Content-Type:application/json; charset=utf-8
2025-05-01T07:34:18.5195604Z Expires:-1
2025-05-01T07:34:18.5195889Z Content-Length:97
2025-05-01T07:34:18.5196305Z
2025-05-01T07:34:27.4146965Z ##[section]Finishing: Sign packages
It seems like there's a trend towards using a managed identity for signing, and I think these warnings are likely related since we're interacting with a vault in Azure without doing Azure authentication
- CLI: simplify Azure authentication · Issue #724 · dotnet/sign
- Sample Workflows Require Updating · Issue #850 · dotnet/sign
- Signing NuGet Packages Using Azure DevOps and Workload Identity Federation – Aaronontheweb
I've sent an email to the .NET Foundation, I don't think there's anything we can do without their help
Update from the foundation... Managed identity is coming, but the timeline for us to migrate is unclear. We can continue with this solution for now