azuredevops-codesigning-task
Certificate path argument is not passed when using condition
I have successfully implemented the code signing task in a YAML-based pipeline like so:
```yaml
- task: CodeSigning@2
  displayName: 'Sign Artifacts'
  inputs:
    secureFileId: 'File.pfx'
    signCertPassword: 'password'
    files: $(Build.StagingDirectory)\**\!(Newtonsoft*|System*|Microsoft*).+(dll|exe)
    timeServer: 'http://timestamp.digicert.com'
    hashingAlgorithm: 'SHA256'
    description: 'Description text'
```
In order to speed up our pre-merge validation builds, I recently added a condition to several of our pack/publish tasks so that they will be skipped when they are not needed. For the code signing task, the condition is implemented like so:
```yaml
- task: CodeSigning@2
  condition: eq(variables.IsPR, 'false')
  displayName: 'Sign Artifacts'
  inputs:
    secureFileId: 'File.pfx'
    signCertPassword: 'password'
    files: $(Build.StagingDirectory)\**\!(Newtonsoft*|System*|Microsoft*).+(dll|exe)
    timeServer: 'http://timestamp.digicert.com'
    hashingAlgorithm: 'SHA256'
    description: 'Description text'
```
I have also tried using the `eq(variables['IsPr'], 'false')` syntax for the condition but the result was the same. In either case, when the `IsPR` variable is `true`, the task is skipped as expected. But when the `IsPR` variable is `false`, the task produces the following error:
```text
2021-05-17T19:00:53.9717474Z Signing file: (Redacted filepath)
2021-05-17T19:00:53.9739929Z [command]C:\DevOps_Agent\_work\_tasks\codesigning_0e0f3bf7-d96c-45d6-aa76-f9afb71fb77e\2.2.0\signtool.exe sign /fd SHA256 /t http://timestamp.digicert.com /f "" /p password /d "Description text" (Redacted filepath)
2021-05-17T19:00:54.0136355Z SignTool Error: File not found: undefined
2021-05-17T19:00:54.0136734Z
2021-05-17T19:00:54.0162483Z
2021-05-17T19:00:54.0532759Z ##[error]Error: The process 'C:\DevOps_Agent\_work\_tasks\codesigning_0e0f3bf7-d96c-45d6-aa76-f9afb71fb77e\2.2.0\signtool.exe' failed with exit code 1
2021-05-17T19:00:54.0646031Z ##[section]Finishing: Sign Artifacts
```
The `/f` argument should have the path to the .pfx file, but instead it passes an empty string. If the condition is removed from the code signing task, then it runs successfully as expected.
Hey there, sorry for the delay. Can you run a build with debug logs enabled to see what is being passed? It looks like the secureFileId is somehow skipped in that case.
Hi, I finally had time to get back to this. I got some debug logs generated and also investigated it further. What's happening is the `SECURE_FILE_PATH` task variable is not being set, but it seems that this could be expected behavior.
Here is the log start from a successful run without a condition set:
```text
2021-06-18T18:09:09.6782074Z ##[debug]Evaluating condition for step: 'Sign Artifacts'
2021-06-18T18:09:09.6784303Z ##[debug]Evaluating: SucceededNode()
2021-06-18T18:09:09.6784857Z ##[debug]Evaluating SucceededNode:
2021-06-18T18:09:09.6785776Z ##[debug]=> True
2021-06-18T18:09:09.6786453Z ##[debug]Result: True
2021-06-18T18:09:09.6787232Z ##[section]Starting: Sign Artifacts
2021-06-18T18:09:09.7097257Z ==============================================================================
2021-06-18T18:09:09.7097621Z Task : Code Signing
2021-06-18T18:09:09.7097936Z Description : Codesign assemblies and applications
2021-06-18T18:09:09.7098204Z Version : 2.2.0
2021-06-18T18:09:09.7098426Z Author : Stefan Kert
2021-06-18T18:09:09.7098848Z Help : v2.2.0 - [More Information](https://github.com/StefanKert/azuredevops-codesigning-task#readme)
2021-06-18T18:09:09.7099299Z ==============================================================================
2021-06-18T18:09:09.7156351Z ##[debug]Using node path: C:\DevOps_Agent\externals\node\bin\node.exe
2021-06-18T18:09:09.9794505Z ##[debug]agent.TempDirectory=C:\DevOps_Agent\_work\_temp
2021-06-18T18:09:09.9836607Z ##[debug]loading inputs and endpoints
2021-06-18T18:09:09.9837631Z ##[debug]loading ENDPOINT_AUTH_PARAMETER_SYSTEMVSSCONNECTION_ACCESSTOKEN
2021-06-18T18:09:09.9940297Z ##[debug]loading ENDPOINT_AUTH_SCHEME_SYSTEMVSSCONNECTION
2021-06-18T18:09:09.9941418Z ##[debug]loading ENDPOINT_AUTH_SYSTEMVSSCONNECTION
2021-06-18T18:09:09.9942122Z ##[debug]loading INPUT_DESCRIPTION
2021-06-18T18:09:09.9942766Z ##[debug]loading INPUT_FILES
2021-06-18T18:09:09.9943430Z ##[debug]loading INPUT_HASHINGALGORITHM
2021-06-18T18:09:09.9944072Z ##[debug]loading INPUT_SECUREFILEID
2021-06-18T18:09:09.9944709Z ##[debug]loading INPUT_SIGNCERTPASSWORD
2021-06-18T18:09:09.9945368Z ##[debug]loading INPUT_SIGNTOOLLOCATIONMETHOD
2021-06-18T18:09:09.9946015Z ##[debug]loading INPUT_TIMESERVER
2021-06-18T18:09:09.9946658Z ##[debug]loading SECRET_SYSTEM_ACCESSTOKEN
2021-06-18T18:09:09.9947383Z ##[debug]loading SECUREFILE_TICKET_51535c5f-a7eb-4078-85ac-9cc66bd45621
2021-06-18T18:09:09.9948105Z ##[debug]loading VSTS_TASKVARIABLE_SECURE_FILE_PATH
2021-06-18T18:09:09.9948719Z ##[debug]loaded 13
```
Here is the log start from a failed run caused by setting a task condition:
```text
2021-06-18T17:20:21.0360880Z ##[debug]Evaluating condition for step: 'Sign Artifacts'
2021-06-18T17:20:21.0362860Z ##[debug]Evaluating: eq(variables['IsPR'], 'false')
2021-06-18T17:20:21.0363378Z ##[debug]Evaluating eq:
2021-06-18T17:20:21.0363852Z ##[debug]..Evaluating indexer:
2021-06-18T17:20:21.0364923Z ##[debug]....Evaluating variables:
2021-06-18T17:20:21.0365854Z ##[debug]....=> Object
2021-06-18T17:20:21.0367060Z ##[debug]....Evaluating String:
2021-06-18T17:20:21.0367638Z ##[debug]....=> 'IsPR'
2021-06-18T17:20:21.0368357Z ##[debug]..=> 'false'
2021-06-18T17:20:21.0368902Z ##[debug]..Evaluating String:
2021-06-18T17:20:21.0369374Z ##[debug]..=> 'false'
2021-06-18T17:20:21.0369934Z ##[debug]=> True
2021-06-18T17:20:21.0370869Z ##[debug]Expanded: eq('false', 'false')
2021-06-18T17:20:21.0371419Z ##[debug]Result: True
2021-06-18T17:20:21.0372101Z ##[section]Starting: Sign Artifacts
2021-06-18T17:20:21.0807763Z ==============================================================================
2021-06-18T17:20:21.0808192Z Task : Code Signing
2021-06-18T17:20:21.0808464Z Description : Codesign assemblies and applications
2021-06-18T17:20:21.0808714Z Version : 2.2.0
2021-06-18T17:20:21.0808953Z Author : Stefan Kert
2021-06-18T17:20:21.0809332Z Help : v2.2.0 - [More Information](https://github.com/StefanKert/azuredevops-codesigning-task#readme)
2021-06-18T17:20:21.0809777Z ==============================================================================
2021-06-18T17:20:21.0881780Z ##[debug]Using node path: C:\DevOps_Agent\externals\node\bin\node.exe
2021-06-18T17:20:21.8498921Z ##[debug]agent.TempDirectory=C:\DevOps_Agent\_work\_temp
2021-06-18T17:20:21.8541465Z ##[debug]loading inputs and endpoints
2021-06-18T17:20:21.8542479Z ##[debug]loading ENDPOINT_AUTH_PARAMETER_SYSTEMVSSCONNECTION_ACCESSTOKEN
2021-06-18T17:20:21.8674064Z ##[debug]loading ENDPOINT_AUTH_SCHEME_SYSTEMVSSCONNECTION
2021-06-18T17:20:21.8675143Z ##[debug]loading ENDPOINT_AUTH_SYSTEMVSSCONNECTION
2021-06-18T17:20:21.8675838Z ##[debug]loading INPUT_DESCRIPTION
2021-06-18T17:20:21.8676427Z ##[debug]loading INPUT_FILES
2021-06-18T17:20:21.8677032Z ##[debug]loading INPUT_HASHINGALGORITHM
2021-06-18T17:20:21.8677647Z ##[debug]loading INPUT_SECUREFILEID
2021-06-18T17:20:21.8678260Z ##[debug]loading INPUT_SIGNCERTPASSWORD
2021-06-18T17:20:21.8678897Z ##[debug]loading INPUT_SIGNTOOLLOCATIONMETHOD
2021-06-18T17:20:21.8679520Z ##[debug]loading INPUT_TIMESERVER
2021-06-18T17:20:21.8680118Z ##[debug]loading SECRET_SYSTEM_ACCESSTOKEN
2021-06-18T17:20:21.8680801Z ##[debug]loading SECUREFILE_TICKET_51535c5f-a7eb-4078-85ac-9cc66bd45621
2021-06-18T17:20:21.8681440Z ##[debug]loaded 12
```
The failed run is only loading 12 variables as opposed to the expected 13: the `VSTS_TASKVARIABLE_SECURE_FILE_PATH` value is not generated. That said, this issue is not entirely unheard of:
StackOverflow: Unable to download secure files conditionally in Azure Pipelines
Based on this and the few other discussions I could find revolving around Azure's secure files library and task conditions, it seems like the order in which the pipeline handles resource gathering and condition evaluation is what prevents this from working.
As a workaround/minor feature addition, I put together some changes that should give me a way of working around this issue. I'll submit a PR that you can review whenever you have time.
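One way to keep the signing step conditional without depending on the task's own secure-file resolution is to fetch the certificate in a separate, equally conditioned download step and call signtool directly with the path that step exposes. This is an added example, not code from the issue above or from the azuredevops-codesigning-task project. It assumes the built-in Azure Pipelines DownloadSecureFile@1 and PowerShell@2 tasks (the download task writes the file to the agent temp directory at step time and publishes its location as `$(<referenceName>.secureFilePath)`), that `signtool.exe` is on the agent's PATH, and a secret pipeline variable named `SignCertPassword` holding the .pfx password; `signingCert`, `SignCertPassword` and the `IsPR` default are hypothetical names, while the secure-file name, file filter, timestamp server, hash algorithm and description are the ones from the issue.

```yaml
variables:
  # Assumed to be set elsewhere (for example by an earlier script step);
  # 'true' on PR validation builds. The default here is hypothetical.
  IsPR: 'false'

steps:
- task: DownloadSecureFile@1
  displayName: 'Download signing certificate'
  name: signingCert                          # reference name; path becomes $(signingCert.secureFilePath)
  condition: eq(variables['IsPR'], 'false')  # same condition as the signing step
  inputs:
    secureFile: 'File.pfx'                   # same secure file as the original secureFileId input

- task: PowerShell@2
  displayName: 'Sign Artifacts'
  condition: eq(variables['IsPR'], 'false')
  env:
    # Secret variables are not exported to scripts automatically; map explicitly.
    # SignCertPassword is an assumed secret pipeline variable.
    SIGN_CERT_PASSWORD: $(SignCertPassword)
  inputs:
    targetType: inline
    script: |
      $ErrorActionPreference = 'Stop'

      # Fail loudly if the download step did not run or did not publish a path,
      # instead of letting signtool report "File not found: undefined".
      $pfx = "$(signingCert.secureFilePath)"
      if ([string]::IsNullOrWhiteSpace($pfx) -or -not (Test-Path -LiteralPath $pfx)) {
        throw "Secure file was not downloaded; secureFilePath='$pfx'"
      }

      # Same selection as the original task's glob: every .dll/.exe under the
      # staging directory except Newtonsoft*, System* and Microsoft* assemblies.
      $files = Get-ChildItem -Path "$(Build.StagingDirectory)" -Recurse -Include *.dll,*.exe |
        Where-Object { $_.Name -notmatch '^(Newtonsoft|System|Microsoft)' }

      foreach ($f in $files) {
        Write-Host "Signing file: $($f.FullName)"
        # signtool.exe is assumed to be on PATH. /tr with /td requests an
        # RFC 3161 timestamp (the task itself passes /t).
        & signtool.exe sign /fd SHA256 /tr http://timestamp.digicert.com /td SHA256 `
            /f $pfx /p $env:SIGN_CERT_PASSWORD /d "Description text" $f.FullName
        if ($LASTEXITCODE -ne 0) {
          throw "signtool failed on $($f.FullName) with exit code $LASTEXITCODE"
        }
      }
```

The `name:` on the download step is what makes `$(signingCert.secureFilePath)` resolvable in later steps; the explicit path check turns a missing download into an immediate, readable failure. Passing the password through `env:` rather than inlining it keeps it out of the YAML, and because it is a declared secret the pipeline masks it if it ever appears in output. Secure files downloaded this way are deleted by the agent at the end of the job.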