Running in Azure pipeline to sign clickonce not working
Describe the bug
Problem connecting to Key Vault for ClickOnce signing. We got a signing certificate that works only in Azure Key Vault, so to use it for signing a ClickOnce application we had to do many things. But we ran into an issue. Just as a clarification, all credentials passed to "sign" are correct. If I replace "sign" with "AzureSignTool", passing the same credentials, the exe file will be signed OK, but we need not only the EXE.
Repro steps
- task: DotNetCoreCLI@2
  displayName: 'Install Azure SignTool'
  inputs:
    command: custom
    custom: tool
    arguments: 'update --global AzureSignTool'
  continueOnError: true
- task: DotNetCoreCLI@2
  inputs:
    command: custom
    custom: tool
    arguments: 'update --global sign --version 0.9.1-beta.24123.2'
  displayName: Install SignTool tool
  continueOnError: true
- task: PowerShell@2
  displayName: 'Signing ClickOnce'
  inputs:
    targetType: 'inline'
    script: |
      sign code azure-key-vault '**\*.clickonce' .... <other required parameters>
    failOnStderr: true
    workingDirectory: $(Agent.TempDirectory)
Actual behavior
2024-02-27T10:56:54.6624513Z ##[section]Starting: Signing ClickOnce
2024-02-27T10:56:54.6712973Z ==============================================================================
2024-02-27T10:56:54.6713060Z Task : PowerShell
2024-02-27T10:56:54.6713115Z Description : Run a PowerShell script on Linux, macOS, or Windows
2024-02-27T10:56:54.6713274Z Version : 2.232.1
2024-02-27T10:56:54.6713314Z Author : Microsoft Corporation
2024-02-27T10:56:54.6713362Z Help : https://docs.microsoft.com/azure/devops/pipelines/tasks/utility/powershell
2024-02-27T10:56:54.6713445Z ==============================================================================
2024-02-27T10:56:55.3740543Z Generating script.
2024-02-27T10:56:55.4043164Z ========================== Starting Command Output ===========================
2024-02-27T10:56:55.4209497Z ##[command]"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -Command ". 'C:\a\_temp\94fbe7e9-9ae4-4340-9a80-a6d012cb1871.ps1'"
2024-02-27T10:56:56.5141016Z fail: Sign.Core.ISigner[0]
2024-02-27T10:56:56.5151746Z ClientSecretCredential authentication failed: A configuration issue is preventing authentication - check the error message from the server for details. You can modify the configuration in the application registration portal. See https://aka.ms/msal-net-invalid-client for details. Original exception: AADSTS7000215: Invalid client secret provided. Ensure the secret being sent in the request is the client secret value, not the client secret ID, for a secret added to app 'bbb25bb2-c308-4961-a986-ceda584233c3'. Trace ID: eaf6a9b0-b847-44d9-974a-98387978c800 Correlation ID: 6d94306b-96bd-4cde-adbb-36164e93bce3 Timestamp: 2024-02-27 10:56:56Z
2024-02-27T10:56:56.5160275Z Azure.Identity.AuthenticationFailedException: ClientSecretCredential authentication failed: A configuration issue is preventing authentication - check the error message from the server for details. You can modify the configuration in the application registration portal. See https://aka.ms/msal-net-invalid-client for details. Original exception: AADSTS7000215: Invalid client secret provided. Ensure the secret being sent in the request is the client secret value, not the client secret ID, for a secret added to app 'bbb25bb2-c308-4961-a986-ceda584233c3'. Trace ID: eaf6a9b0-b847-44d9-974a-98387978c800 Correlation ID: 6d94306b-96bd-4cde-adbb-36164e93bce3 Timestamp: 2024-02-27 10:56:56Z
2024-02-27T10:56:56.5167723Z ---> MSAL.NetCore.4.56.0.0.MsalServiceException:
2024-02-27T10:56:56.5175412Z ErrorCode: invalid_client
2024-02-27T10:56:56.5185353Z Microsoft.Identity.Client.MsalServiceException: A configuration issue is preventing authentication - check the error message from the server for details. You can modify the configuration in the application registration portal. See https://aka.ms/msal-net-invalid-client for details. Original exception: AADSTS7000215: Invalid client secret provided. Ensure the secret being sent in the request is the client secret value, not the client secret ID, for a secret added to app 'bbb25bb2-c308-4961-a986-ceda584233c3'. Trace ID: eaf6a9b0-b847-44d9-974a-98387978c800 Correlation ID: 6d94306b-96bd-4cde-adbb-36164e93bce3 Timestamp: 2024-02-27 10:56:56Z
2024-02-27T10:56:56.5192658Z at Microsoft.Identity.Client.OAuth2.OAuth2Client.ThrowServerException(HttpResponse response, RequestContext requestContext)
2024-02-27T10:56:56.5201063Z at Microsoft.Identity.Client.OAuth2.OAuth2Client.CreateResponse[T](HttpResponse response, RequestContext requestContext)
2024-02-27T10:56:56.5210286Z at Microsoft.Identity.Client.OAuth2.OAuth2Client.ExecuteRequestAsync[T](Uri endPoint, HttpMethod method, RequestContext requestContext, Boolean expectErrorsOn200OK, Boolean addCommonHeaders, Func`2 onBeforePostRequestData)
2024-02-27T10:56:56.5222314Z at Microsoft.Identity.Client.OAuth2.OAuth2Client.GetTokenAsync(Uri endPoint, RequestContext requestContext, Boolean addCommonHeaders, Func`2 onBeforePostRequestHandler)
2024-02-27T10:56:56.5232183Z at Microsoft.Identity.Client.OAuth2.TokenClient.SendHttpAndClearTelemetryAsync(String tokenEndpoint, ILoggerAdapter logger)
2024-02-27T10:56:56.5240875Z at Microsoft.Identity.Client.OAuth2.TokenClient.SendHttpAndClearTelemetryAsync(String tokenEndpoint, ILoggerAdapter logger)
2024-02-27T10:56:56.5249357Z at Microsoft.Identity.Client.OAuth2.TokenClient.SendTokenRequestAsync(IDictionary`2 additionalBodyParameters, String scopeOverride, String tokenEndpointOverride, CancellationToken cancellationToken)
2024-02-27T10:56:56.5257660Z at Microsoft.Identity.Client.Internal.Requests.RequestBase.SendTokenRequestAsync(IDictionary`2 additionalBodyParameters, CancellationToken cancellationToken)
2024-02-27T10:56:56.5265824Z at Microsoft.Identity.Client.Internal.Requests.ClientCredentialRequest.GetAccessTokenAsync(CancellationToken cancellationToken, ILoggerAdapter logger)
2024-02-27T10:56:56.5274096Z at Microsoft.Identity.Client.Internal.Requests.ClientCredentialRequest.ExecuteAsync(CancellationToken cancellationToken)
2024-02-27T10:56:56.5282088Z at Microsoft.Identity.Client.Internal.Requests.RequestBase.RunAsync(CancellationToken cancellationToken)
2024-02-27T10:56:56.5290159Z at Microsoft.Identity.Client.ApiConfig.Executors.ConfidentialClientExecutor.ExecuteAsync(AcquireTokenCommonParameters commonParameters, AcquireTokenForClientParameters clientParameters, CancellationToken cancellationToken)
2024-02-27T10:56:56.5298040Z at Azure.Identity.AbstractAcquireTokenParameterBuilderExtensions.ExecuteAsync[T](AbstractAcquireTokenParameterBuilder`1 builder, Boolean async, CancellationToken cancellationToken)
2024-02-27T10:56:56.5305967Z at Azure.Identity.MsalConfidentialClient.AcquireTokenForClientCoreAsync(String[] scopes, String tenantId, Boolean enableCae, Boolean async, CancellationToken cancellationToken)
2024-02-27T10:56:56.5313881Z at Azure.Identity.MsalConfidentialClient.AcquireTokenForClientAsync(String[] scopes, String tenantId, Boolean enableCae, Boolean async, CancellationToken cancellationToken)
2024-02-27T10:56:56.5321680Z at Azure.Identity.ClientSecretCredential.GetTokenAsync(TokenRequestContext requestContext, CancellationToken cancellationToken)
2024-02-27T10:56:56.5329960Z StatusCode: 401
2024-02-27T10:56:56.5339247Z ResponseBody: {"error":"invalid_client","error_description":"AADSTS7000215: Invalid client secret provided. Ensure the secret being sent in the request is the client secret value, not the client secret ID, for a secret added to app 'bbb25bb2-c308-4961-a986-ceda584233c3'. Trace ID: eaf6a9b0-b847-44d9-974a-98387978c800 Correlation ID: 6d94306b-96bd-4cde-adbb-36164e93bce3 Timestamp: 2024-02-27 10:56:56Z","error_codes":[7000215],"timestamp":"2024-02-27 10:56:56Z","trace_id":"eaf6a9b0-b847-44d9-974a-98387978c800","correlation_id":"6d94306b-96bd-4cde-adbb-36164e93bce3","error_uri":"https://login.microsoftonline.com/error?code=7000215"}
2024-02-27T10:56:56.5346124Z Headers: Cache-Control: no-store, no-cache
2024-02-27T10:56:56.5354079Z Pragma: no-cache
2024-02-27T10:56:56.5362032Z Strict-Transport-Security: max-age=31536000; includeSubDomains
2024-02-27T10:56:56.5370047Z X-Content-Type-Options: nosniff
2024-02-27T10:56:56.5377702Z P3P: CP="DSP CUR OTPi IND OTRi ONL FIN"
2024-02-27T10:56:56.5386159Z client-request-id: 6d94306b-96bd-4cde-adbb-36164e93bce3
2024-02-27T10:56:56.5394087Z x-ms-request-id: eaf6a9b0-b847-44d9-974a-98387978c800
2024-02-27T10:56:56.5401921Z x-ms-ests-server: 2.1.17396.8 - SCUS ProdSlices
2024-02-27T10:56:56.5409426Z x-ms-clitelem: 1,7000215,0,,
2024-02-27T10:56:56.5416954Z X-XSS-Protection: 0
2024-02-27T10:56:56.5425407Z Set-Cookie: fpc=As9pJbPRAFtJl8b14ygayrKCDbBsAQAAAPe2b90OAAAA; expires=Thu, 28-Mar-2024 10:56:56 GMT; path=/; secure; HttpOnly; SameSite=None, x-ms-gateway-slice=estsfd; path=/; secure; samesite=none; httponly, stsservicecookie=estsfd; path=/; secure; samesite=none; httponly
2024-02-27T10:56:56.5432149Z Date: Tue, 27 Feb 2024 10:56:55 GMT
2024-02-27T10:56:56.5439967Z
2024-02-27T10:56:56.5447907Z --- End of inner exception stack trace ---
2024-02-27T10:56:56.5455467Z at Azure.Identity.CredentialDiagnosticScope.FailWrapAndThrow(Exception ex, String additionalMessage, Boolean isCredentialUnavailable)
2024-02-27T10:56:56.5462557Z at Azure.Identity.ClientSecretCredential.GetTokenAsync(TokenRequestContext requestContext, CancellationToken cancellationToken)
2024-02-27T10:56:56.5470203Z at Azure.Core.Pipeline.BearerTokenAuthenticationPolicy.AccessTokenCache.GetHeaderValueFromCredentialAsync(TokenRequestContext context, Boolean async, CancellationToken cancellationToken)
2024-02-27T10:56:56.5477771Z at Azure.Core.Pipeline.BearerTokenAuthenticationPolicy.AccessTokenCache.GetHeaderValueAsync(HttpMessage message, TokenRequestContext context, Boolean async)
2024-02-27T10:56:56.5485175Z at Azure.Core.Pipeline.BearerTokenAuthenticationPolicy.AccessTokenCache.GetHeaderValueAsync(HttpMessage message, TokenRequestContext context, Boolean async)
2024-02-27T10:56:56.5492676Z at Azure.Core.Pipeline.BearerTokenAuthenticationPolicy.AuthenticateAndAuthorizeRequestAsync(HttpMessage message, TokenRequestContext context)
2024-02-27T10:56:56.5501824Z at Azure.Security.KeyVault.ChallengeBasedAuthenticationPolicy.AuthorizeRequestOnChallengeAsyncInternal(HttpMessage message, Boolean async)
2024-02-27T10:56:56.5510999Z at Azure.Core.Pipeline.BearerTokenAuthenticationPolicy.ProcessAsync(HttpMessage message, ReadOnlyMemory`1 pipeline, Boolean async)
2024-02-27T10:56:56.5519576Z at Azure.Core.Pipeline.RedirectPolicy.ProcessAsync(HttpMessage message, ReadOnlyMemory`1 pipeline, Boolean async)
2024-02-27T10:56:56.5527990Z at Azure.Core.Pipeline.RetryPolicy.ProcessAsync(HttpMessage message, ReadOnlyMemory`1 pipeline, Boolean async)
2024-02-27T10:56:56.5536951Z at Azure.Core.Pipeline.RetryPolicy.ProcessAsync(HttpMessage message, ReadOnlyMemory`1 pipeline, Boolean async)
2024-02-27T10:56:56.5547160Z at Azure.Core.Pipeline.HttpPipeline.SendRequestAsync(Request request, CancellationToken cancellationToken)
2024-02-27T10:56:56.5557579Z at Azure.Security.KeyVault.KeyVaultPipeline.SendRequestAsync(Request request, CancellationToken cancellationToken)
2024-02-27T10:56:56.5567886Z at Azure.Security.KeyVault.KeyVaultPipeline.SendRequestAsync[TResult](RequestMethod method, Func`1 resultFactory, CancellationToken cancellationToken, String[] path)
2024-02-27T10:56:56.5577709Z at Azure.Security.KeyVault.Certificates.CertificateClient.GetCertificateAsync(String certificateName, CancellationToken cancellationToken)
2024-02-27T10:56:56.5587760Z at Sign.Core.KeyVaultService.GetKeyVaultCertificateAsync(Uri keyVaultUrl, TokenCredential tokenCredential, String certificateName) in /_/src/Sign.Core/KeyVault/KeyVaultService.cs:line 71
2024-02-27T10:56:56.5596983Z at Sign.Core.KeyVaultService.GetCertificateAsync(CancellationToken cancellationToken) in /_/src/Sign.Core/KeyVault/KeyVaultService.cs:line 47
2024-02-27T10:56:56.5607000Z at Sign.Core.Signer.SignAsync(IReadOnlyList`1 inputFiles, String outputFile, FileInfo fileList, DirectoryInfo baseDirectory, String applicationName, String publisherName, String description, Uri descriptionUrl, Uri timestampUrl, Int32 maxConcurrency, HashAlgorithmName fileHashAlgorithm, HashAlgorithmName timestampHashAlgorithm) in /_/src/Sign.Core/Signer.cs:line 78
2024-02-27T10:56:56.6876976Z ##[error]PowerShell exited with code '1'.
2024-02-27T10:56:56.7180096Z ##[section]Finishing: Signing ClickOnce
It looks like an issue. Just again, client credentials are 100% valid.
What parameters are you passing in? For any sensitive values, you can mask those out. The error message indicates that there's an invalid client secret in the authentication.
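A pre-flight check for the pipeline, as an added example that is not part of the issue or of the sign project: it makes the same client-credentials token request for Key Vault that fails in the log above, so the secret that actually reaches the script can be validated independently of the signing tool. The `SIGN_*` environment variable names are assumptions (placeholders for your own secret pipeline variables).

```powershell
# Added example: validate the signing service principal before the signing step runs.
# Assumption: the SIGN_* names are placeholders mapped from secret pipeline variables.
$ErrorActionPreference = 'Stop'
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

foreach ($name in 'SIGN_TENANT_ID', 'SIGN_CLIENT_ID', 'SIGN_CLIENT_SECRET') {
    $value = [Environment]::GetEnvironmentVariable($name)
    if ([string]::IsNullOrWhiteSpace($value)) {
        throw "$name is empty. Secret pipeline variables are not exported to the environment unless mapped under env:."
    }
    # Azure Pipelines leaves an undefined macro as the literal text $(name).
    if ($value -match '^\$\(.+\)$') {
        throw "$name still holds an unexpanded pipeline macro."
    }
}

$secret = $env:SIGN_CLIENT_SECRET
$parsed = [guid]::Empty
if ([guid]::TryParse($secret, [ref]$parsed)) {
    Write-Warning 'The secret parses as a GUID, which is the shape of a secret ID, not a secret value.'
}
if ($secret -ne $secret.Trim()) {
    Write-Warning 'The secret has leading or trailing whitespace.'
}

# Same OAuth2 client-credentials request that ClientSecretCredential makes for Key Vault.
$body = @{
    grant_type    = 'client_credentials'
    client_id     = $env:SIGN_CLIENT_ID
    client_secret = $secret
    scope         = 'https://vault.azure.net/.default'
}
$uri = "https://login.microsoftonline.com/$($env:SIGN_TENANT_ID)/oauth2/v2.0/token"
try {
    $token = Invoke-RestMethod -Method Post -Uri $uri -Body $body
    Write-Host "Key Vault token acquired (expires in $($token.expires_in) s); the secret is accepted."
}
catch {
    # Report only the AADSTS code; never echo the secret or the request body.
    $detail = "$($_.ErrorDetails.Message) $($_.Exception.Message)"
    $code = if ($detail -match 'AADSTS\d+') { $Matches[0] } else { 'no AADSTS code returned' }
    throw "Token request failed ($code). The value reaching this script is rejected before any signing tool is involved."
}
```

Run it as a PowerShell@2 step ahead of the signing step, with the three variables mapped in that step's `env:` block.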