Running in Azure pipeline to sign clickonce not working #659

Open
apavelm opened this issue Feb 27, 2024 · 1 comment
Labels
investigate Priority:2 Work that is important, but not critical for the release


apavelm commented Feb 27, 2024

Describe the bug
Problem connecting to Key Vault for ClickOnce signing. We got a signing certificate that works only in Azure Key Vault, so to use it for signing a ClickOnce application we had to do many things. But we ran into an issue.
Just as a clarification, all credentials passed to "sign" are correct. If I replace "sign" with "AzureSignTool", passing the same credentials, the exe file will be signed OK, but we need more than just the EXE.

Repro steps

      - task: DotNetCoreCLI@2
        displayName: 'Install Azure SignTool'
        inputs:
          command: custom
          custom: tool
          arguments: 'update --global AzureSignTool'
        continueOnError: true

      - task: DotNetCoreCLI@2
        inputs:
          command: custom
          custom: tool
          arguments: 'update --global sign --version 0.9.1-beta.24123.2'
        displayName: Install SignTool tool
        continueOnError: true

      - task: PowerShell@2
        displayName: 'Signing ClickOnce'
        inputs:
          targetType: 'inline'
          script: |
            sign code azure-key-vault '**\*.clickonce' .... <other required parameters>
          failOnStderr: true
          workingDirectory: $(Agent.TempDirectory)

Actual behavior

2024-02-27T10:56:54.6624513Z ##[section]Starting: Signing ClickOnce
2024-02-27T10:56:54.6712973Z ==============================================================================
2024-02-27T10:56:54.6713060Z Task         : PowerShell
2024-02-27T10:56:54.6713115Z Description  : Run a PowerShell script on Linux, macOS, or Windows
2024-02-27T10:56:54.6713274Z Version      : 2.232.1
2024-02-27T10:56:54.6713314Z Author       : Microsoft Corporation
2024-02-27T10:56:54.6713362Z Help         : https://docs.microsoft.com/azure/devops/pipelines/tasks/utility/powershell
2024-02-27T10:56:54.6713445Z ==============================================================================
2024-02-27T10:56:55.3740543Z Generating script.
2024-02-27T10:56:55.4043164Z ========================== Starting Command Output ===========================
2024-02-27T10:56:55.4209497Z ##[command]"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -Command ". 'C:\a\_temp\94fbe7e9-9ae4-4340-9a80-a6d012cb1871.ps1'"
2024-02-27T10:56:56.5141016Z fail: Sign.Core.ISigner[0]
2024-02-27T10:56:56.5151746Z       ClientSecretCredential authentication failed: A configuration issue is preventing authentication - check the error message from the server for details. You can modify the configuration in the application registration portal. See https://aka.ms/msal-net-invalid-client for details.  Original exception: AADSTS7000215: Invalid client secret provided. Ensure the secret being sent in the request is the client secret value, not the client secret ID, for a secret added to app 'bbb25bb2-c308-4961-a986-ceda584233c3'. Trace ID: eaf6a9b0-b847-44d9-974a-98387978c800 Correlation ID: 6d94306b-96bd-4cde-adbb-36164e93bce3 Timestamp: 2024-02-27 10:56:56Z
2024-02-27T10:56:56.5160275Z       Azure.Identity.AuthenticationFailedException: ClientSecretCredential authentication failed: A configuration issue is preventing authentication - check the error message from the server for details. You can modify the configuration in the application registration portal. See https://aka.ms/msal-net-invalid-client for details.  Original exception: AADSTS7000215: Invalid client secret provided. Ensure the secret being sent in the request is the client secret value, not the client secret ID, for a secret added to app 'bbb25bb2-c308-4961-a986-ceda584233c3'. Trace ID: eaf6a9b0-b847-44d9-974a-98387978c800 Correlation ID: 6d94306b-96bd-4cde-adbb-36164e93bce3 Timestamp: 2024-02-27 10:56:56Z
2024-02-27T10:56:56.5167723Z        ---> MSAL.NetCore.4.56.0.0.MsalServiceException: 
2024-02-27T10:56:56.5175412Z 	ErrorCode: invalid_client
2024-02-27T10:56:56.5185353Z Microsoft.Identity.Client.MsalServiceException: A configuration issue is preventing authentication - check the error message from the server for details. You can modify the configuration in the application registration portal. See https://aka.ms/msal-net-invalid-client for details.  Original exception: AADSTS7000215: Invalid client secret provided. Ensure the secret being sent in the request is the client secret value, not the client secret ID, for a secret added to app 'bbb25bb2-c308-4961-a986-ceda584233c3'. Trace ID: eaf6a9b0-b847-44d9-974a-98387978c800 Correlation ID: 6d94306b-96bd-4cde-adbb-36164e93bce3 Timestamp: 2024-02-27 10:56:56Z
2024-02-27T10:56:56.5192658Z          at Microsoft.Identity.Client.OAuth2.OAuth2Client.ThrowServerException(HttpResponse response, RequestContext requestContext)
2024-02-27T10:56:56.5201063Z          at Microsoft.Identity.Client.OAuth2.OAuth2Client.CreateResponse[T](HttpResponse response, RequestContext requestContext)
2024-02-27T10:56:56.5210286Z          at Microsoft.Identity.Client.OAuth2.OAuth2Client.ExecuteRequestAsync[T](Uri endPoint, HttpMethod method, RequestContext requestContext, Boolean expectErrorsOn200OK, Boolean addCommonHeaders, Func`2 onBeforePostRequestData)
2024-02-27T10:56:56.5222314Z          at Microsoft.Identity.Client.OAuth2.OAuth2Client.GetTokenAsync(Uri endPoint, RequestContext requestContext, Boolean addCommonHeaders, Func`2 onBeforePostRequestHandler)
2024-02-27T10:56:56.5232183Z          at Microsoft.Identity.Client.OAuth2.TokenClient.SendHttpAndClearTelemetryAsync(String tokenEndpoint, ILoggerAdapter logger)
2024-02-27T10:56:56.5240875Z          at Microsoft.Identity.Client.OAuth2.TokenClient.SendHttpAndClearTelemetryAsync(String tokenEndpoint, ILoggerAdapter logger)
2024-02-27T10:56:56.5249357Z          at Microsoft.Identity.Client.OAuth2.TokenClient.SendTokenRequestAsync(IDictionary`2 additionalBodyParameters, String scopeOverride, String tokenEndpointOverride, CancellationToken cancellationToken)
2024-02-27T10:56:56.5257660Z          at Microsoft.Identity.Client.Internal.Requests.RequestBase.SendTokenRequestAsync(IDictionary`2 additionalBodyParameters, CancellationToken cancellationToken)
2024-02-27T10:56:56.5265824Z          at Microsoft.Identity.Client.Internal.Requests.ClientCredentialRequest.GetAccessTokenAsync(CancellationToken cancellationToken, ILoggerAdapter logger)
2024-02-27T10:56:56.5274096Z          at Microsoft.Identity.Client.Internal.Requests.ClientCredentialRequest.ExecuteAsync(CancellationToken cancellationToken)
2024-02-27T10:56:56.5282088Z          at Microsoft.Identity.Client.Internal.Requests.RequestBase.RunAsync(CancellationToken cancellationToken)
2024-02-27T10:56:56.5290159Z          at Microsoft.Identity.Client.ApiConfig.Executors.ConfidentialClientExecutor.ExecuteAsync(AcquireTokenCommonParameters commonParameters, AcquireTokenForClientParameters clientParameters, CancellationToken cancellationToken)
2024-02-27T10:56:56.5298040Z          at Azure.Identity.AbstractAcquireTokenParameterBuilderExtensions.ExecuteAsync[T](AbstractAcquireTokenParameterBuilder`1 builder, Boolean async, CancellationToken cancellationToken)
2024-02-27T10:56:56.5305967Z          at Azure.Identity.MsalConfidentialClient.AcquireTokenForClientCoreAsync(String[] scopes, String tenantId, Boolean enableCae, Boolean async, CancellationToken cancellationToken)
2024-02-27T10:56:56.5313881Z          at Azure.Identity.MsalConfidentialClient.AcquireTokenForClientAsync(String[] scopes, String tenantId, Boolean enableCae, Boolean async, CancellationToken cancellationToken)
2024-02-27T10:56:56.5321680Z          at Azure.Identity.ClientSecretCredential.GetTokenAsync(TokenRequestContext requestContext, CancellationToken cancellationToken)
2024-02-27T10:56:56.5329960Z 	StatusCode: 401 
2024-02-27T10:56:56.5339247Z 	ResponseBody: {"error":"invalid_client","error_description":"AADSTS7000215: Invalid client secret provided. Ensure the secret being sent in the request is the client secret value, not the client secret ID, for a secret added to app 'bbb25bb2-c308-4961-a986-ceda584233c3'. Trace ID: eaf6a9b0-b847-44d9-974a-98387978c800 Correlation ID: 6d94306b-96bd-4cde-adbb-36164e93bce3 Timestamp: 2024-02-27 10:56:56Z","error_codes":[7000215],"timestamp":"2024-02-27 10:56:56Z","trace_id":"eaf6a9b0-b847-44d9-974a-98387978c800","correlation_id":"6d94306b-96bd-4cde-adbb-36164e93bce3","error_uri":"https://login.microsoftonline.com/error?code=7000215"} 
2024-02-27T10:56:56.5346124Z 	Headers: Cache-Control: no-store, no-cache
2024-02-27T10:56:56.5354079Z       Pragma: no-cache
2024-02-27T10:56:56.5362032Z       Strict-Transport-Security: max-age=31536000; includeSubDomains
2024-02-27T10:56:56.5370047Z       X-Content-Type-Options: nosniff
2024-02-27T10:56:56.5377702Z       P3P: CP="DSP CUR OTPi IND OTRi ONL FIN"
2024-02-27T10:56:56.5386159Z       client-request-id: 6d94306b-96bd-4cde-adbb-36164e93bce3
2024-02-27T10:56:56.5394087Z       x-ms-request-id: eaf6a9b0-b847-44d9-974a-98387978c800
2024-02-27T10:56:56.5401921Z       x-ms-ests-server: 2.1.17396.8 - SCUS ProdSlices
2024-02-27T10:56:56.5409426Z       x-ms-clitelem: 1,7000215,0,,
2024-02-27T10:56:56.5416954Z       X-XSS-Protection: 0
2024-02-27T10:56:56.5425407Z       Set-Cookie: fpc=As9pJbPRAFtJl8b14ygayrKCDbBsAQAAAPe2b90OAAAA; expires=Thu, 28-Mar-2024 10:56:56 GMT; path=/; secure; HttpOnly; SameSite=None, x-ms-gateway-slice=estsfd; path=/; secure; samesite=none; httponly, stsservicecookie=estsfd; path=/; secure; samesite=none; httponly
2024-02-27T10:56:56.5432149Z       Date: Tue, 27 Feb 2024 10:56:55 GMT
2024-02-27T10:56:56.5439967Z       
2024-02-27T10:56:56.5447907Z          --- End of inner exception stack trace ---
2024-02-27T10:56:56.5455467Z          at Azure.Identity.CredentialDiagnosticScope.FailWrapAndThrow(Exception ex, String additionalMessage, Boolean isCredentialUnavailable)
2024-02-27T10:56:56.5462557Z          at Azure.Identity.ClientSecretCredential.GetTokenAsync(TokenRequestContext requestContext, CancellationToken cancellationToken)
2024-02-27T10:56:56.5470203Z          at Azure.Core.Pipeline.BearerTokenAuthenticationPolicy.AccessTokenCache.GetHeaderValueFromCredentialAsync(TokenRequestContext context, Boolean async, CancellationToken cancellationToken)
2024-02-27T10:56:56.5477771Z          at Azure.Core.Pipeline.BearerTokenAuthenticationPolicy.AccessTokenCache.GetHeaderValueAsync(HttpMessage message, TokenRequestContext context, Boolean async)
2024-02-27T10:56:56.5485175Z          at Azure.Core.Pipeline.BearerTokenAuthenticationPolicy.AccessTokenCache.GetHeaderValueAsync(HttpMessage message, TokenRequestContext context, Boolean async)
2024-02-27T10:56:56.5492676Z          at Azure.Core.Pipeline.BearerTokenAuthenticationPolicy.AuthenticateAndAuthorizeRequestAsync(HttpMessage message, TokenRequestContext context)
2024-02-27T10:56:56.5501824Z          at Azure.Security.KeyVault.ChallengeBasedAuthenticationPolicy.AuthorizeRequestOnChallengeAsyncInternal(HttpMessage message, Boolean async)
2024-02-27T10:56:56.5510999Z          at Azure.Core.Pipeline.BearerTokenAuthenticationPolicy.ProcessAsync(HttpMessage message, ReadOnlyMemory`1 pipeline, Boolean async)
2024-02-27T10:56:56.5519576Z          at Azure.Core.Pipeline.RedirectPolicy.ProcessAsync(HttpMessage message, ReadOnlyMemory`1 pipeline, Boolean async)
2024-02-27T10:56:56.5527990Z          at Azure.Core.Pipeline.RetryPolicy.ProcessAsync(HttpMessage message, ReadOnlyMemory`1 pipeline, Boolean async)
2024-02-27T10:56:56.5536951Z          at Azure.Core.Pipeline.RetryPolicy.ProcessAsync(HttpMessage message, ReadOnlyMemory`1 pipeline, Boolean async)
2024-02-27T10:56:56.5547160Z          at Azure.Core.Pipeline.HttpPipeline.SendRequestAsync(Request request, CancellationToken cancellationToken)
2024-02-27T10:56:56.5557579Z          at Azure.Security.KeyVault.KeyVaultPipeline.SendRequestAsync(Request request, CancellationToken cancellationToken)
2024-02-27T10:56:56.5567886Z          at Azure.Security.KeyVault.KeyVaultPipeline.SendRequestAsync[TResult](RequestMethod method, Func`1 resultFactory, CancellationToken cancellationToken, String[] path)
2024-02-27T10:56:56.5577709Z          at Azure.Security.KeyVault.Certificates.CertificateClient.GetCertificateAsync(String certificateName, CancellationToken cancellationToken)
2024-02-27T10:56:56.5587760Z          at Sign.Core.KeyVaultService.GetKeyVaultCertificateAsync(Uri keyVaultUrl, TokenCredential tokenCredential, String certificateName) in /_/src/Sign.Core/KeyVault/KeyVaultService.cs:line 71
2024-02-27T10:56:56.5596983Z          at Sign.Core.KeyVaultService.GetCertificateAsync(CancellationToken cancellationToken) in /_/src/Sign.Core/KeyVault/KeyVaultService.cs:line 47
2024-02-27T10:56:56.5607000Z          at Sign.Core.Signer.SignAsync(IReadOnlyList`1 inputFiles, String outputFile, FileInfo fileList, DirectoryInfo baseDirectory, String applicationName, String publisherName, String description, Uri descriptionUrl, Uri timestampUrl, Int32 maxConcurrency, HashAlgorithmName fileHashAlgorithm, HashAlgorithmName timestampHashAlgorithm) in /_/src/Sign.Core/Signer.cs:line 78
2024-02-27T10:56:56.6876976Z ##[error]PowerShell exited with code '1'.
2024-02-27T10:56:56.7180096Z ##[section]Finishing: Signing ClickOnce

It looks like an issue. Once again, the client credentials are 100% valid.

@clairernovotny
Member

What parameters are you passing in? For any sensitive values, you can mask those out. The error message indicates that there's an invalid client secret in the authentication.

@clairernovotny added the Priority:2 (Work that is important, but not critical for the release) and investigate labels on Feb 28, 2024
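For triaging a log like the one in this issue, the following added example (not part of the thread and not code from the sign project) pulls the token-endpoint error out of the timestamped pipeline output: the AADSTS code, the app it was raised for, and the correlation and trace IDs used to find the failed request in the Entra ID sign-in logs. The `triage` function, the `HINTS` table and the sample lines are assumptions made for illustration; all IDs in the sample are placeholders.

```python
import json
import re

# Azure Pipelines prefixes every log line with an ISO timestamp.
TS = re.compile(r"^\d{4}-\d{2}-\d{2}T[\d:.]+Z\s?")
APP = re.compile(r"app '([0-9a-fA-F-]{36})'")
# Only the code seen in this issue; the hint restates the server's own message.
HINTS = {7000215: "send the client secret value, not the secret ID, "
                  "for a secret added to this app"}

def triage(log_text):
    """Return one dict per Entra ID token-endpoint error found in the log."""
    findings = []
    for raw in log_text.splitlines():
        line = TS.sub("", raw).strip()
        if not line.startswith("ResponseBody:"):
            continue
        try:
            body = json.loads(line[len("ResponseBody:"):].strip())
        except json.JSONDecodeError:
            continue  # truncated or wrapped line: skip rather than guess
        app = APP.search(body.get("error_description", ""))
        for code in body.get("error_codes", []):
            findings.append({
                "error": body.get("error"),
                "aadsts": code,
                "app_id": app.group(1) if app else None,
                "correlation_id": body.get("correlation_id"),
                "trace_id": body.get("trace_id"),
                "hint": HINTS.get(code, "look up the code at error_uri"),
            })
    return findings

# Constructed sample in the shape of the log above (all IDs are placeholders).
SAMPLE = "\n".join([
    "2024-01-01T00:00:00.0000000Z fail: Sign.Core.ISigner[0]",
    "2024-01-01T00:00:00.0000001Z \tStatusCode: 401 ",
    '2024-01-01T00:00:00.0000002Z \tResponseBody: {"error":"invalid_client",'
    '"error_description":"AADSTS7000215: Invalid client secret provided for a '
    "secret added to app '00000000-0000-0000-0000-000000000001'.\","
    '"error_codes":[7000215],"trace_id":"00000000-0000-0000-0000-000000000002",'
    '"correlation_id":"00000000-0000-0000-0000-000000000003"} ',
])

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

Comparing the reported `app_id` with the client ID the pipeline is meant to use shows which app registration the rejected secret was checked against.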