Describe the bug
Problem connecting to Key Vault for ClickOnce signing. We got a signing certificate that works only in Azure Key Vault, so to use it for signing a ClickOnce application we had to do many things. But we ran into the issue.
Just as a clarification, all credentials passed to "sign" are correct. If I replace "sign" with "AzureSignTool", passing the same credentials, the exe file will be signed OK. But we need not only EXE.
2024-02-27T10:56:54.6624513Z ##[section]Starting: Signing ClickOnce
2024-02-27T10:56:54.6712973Z ==============================================================================
2024-02-27T10:56:54.6713060Z Task : PowerShell
2024-02-27T10:56:54.6713115Z Description : Run a PowerShell script on Linux, macOS, or Windows
2024-02-27T10:56:54.6713274Z Version : 2.232.1
2024-02-27T10:56:54.6713314Z Author : Microsoft Corporation
2024-02-27T10:56:54.6713362Z Help : https://docs.microsoft.com/azure/devops/pipelines/tasks/utility/powershell
2024-02-27T10:56:54.6713445Z ==============================================================================
2024-02-27T10:56:55.3740543Z Generating script.
2024-02-27T10:56:55.4043164Z ========================== Starting Command Output ===========================
2024-02-27T10:56:55.4209497Z ##[command]"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -Command ". 'C:\a\_temp\94fbe7e9-9ae4-4340-9a80-a6d012cb1871.ps1'"
2024-02-27T10:56:56.5141016Z fail: Sign.Core.ISigner[0]
2024-02-27T10:56:56.5151746Z ClientSecretCredential authentication failed: A configuration issue is preventing authentication - check the error message from the server for details. You can modify the configuration in the application registration portal. See https://aka.ms/msal-net-invalid-client for details. Original exception: AADSTS7000215: Invalid client secret provided. Ensure the secret being sent in the request is the client secret value, not the client secret ID, for a secret added to app 'bbb25bb2-c308-4961-a986-ceda584233c3'. Trace ID: eaf6a9b0-b847-44d9-974a-98387978c800 Correlation ID: 6d94306b-96bd-4cde-adbb-36164e93bce3 Timestamp: 2024-02-27 10:56:56Z
2024-02-27T10:56:56.5160275Z Azure.Identity.AuthenticationFailedException: ClientSecretCredential authentication failed: A configuration issue is preventing authentication - check the error message from the server for details. You can modify the configuration in the application registration portal. See https://aka.ms/msal-net-invalid-client for details. Original exception: AADSTS7000215: Invalid client secret provided. Ensure the secret being sent in the request is the client secret value, not the client secret ID, for a secret added to app 'bbb25bb2-c308-4961-a986-ceda584233c3'. Trace ID: eaf6a9b0-b847-44d9-974a-98387978c800 Correlation ID: 6d94306b-96bd-4cde-adbb-36164e93bce3 Timestamp: 2024-02-27 10:56:56Z
2024-02-27T10:56:56.5167723Z ---> MSAL.NetCore.4.56.0.0.MsalServiceException:
2024-02-27T10:56:56.5175412Z ErrorCode: invalid_client
2024-02-27T10:56:56.5185353Z Microsoft.Identity.Client.MsalServiceException: A configuration issue is preventing authentication - check the error message from the server for details. You can modify the configuration in the application registration portal. See https://aka.ms/msal-net-invalid-client for details. Original exception: AADSTS7000215: Invalid client secret provided. Ensure the secret being sent in the request is the client secret value, not the client secret ID, for a secret added to app 'bbb25bb2-c308-4961-a986-ceda584233c3'. Trace ID: eaf6a9b0-b847-44d9-974a-98387978c800 Correlation ID: 6d94306b-96bd-4cde-adbb-36164e93bce3 Timestamp: 2024-02-27 10:56:56Z
2024-02-27T10:56:56.5192658Z at Microsoft.Identity.Client.OAuth2.OAuth2Client.ThrowServerException(HttpResponse response, RequestContext requestContext)
2024-02-27T10:56:56.5201063Z at Microsoft.Identity.Client.OAuth2.OAuth2Client.CreateResponse[T](HttpResponse response, RequestContext requestContext)
2024-02-27T10:56:56.5210286Z at Microsoft.Identity.Client.OAuth2.OAuth2Client.ExecuteRequestAsync[T](Uri endPoint, HttpMethod method, RequestContext requestContext, Boolean expectErrorsOn200OK, Boolean addCommonHeaders, Func`2 onBeforePostRequestData)
2024-02-27T10:56:56.5222314Z at Microsoft.Identity.Client.OAuth2.OAuth2Client.GetTokenAsync(Uri endPoint, RequestContext requestContext, Boolean addCommonHeaders, Func`2 onBeforePostRequestHandler)
2024-02-27T10:56:56.5232183Z at Microsoft.Identity.Client.OAuth2.TokenClient.SendHttpAndClearTelemetryAsync(String tokenEndpoint, ILoggerAdapter logger)
2024-02-27T10:56:56.5240875Z at Microsoft.Identity.Client.OAuth2.TokenClient.SendHttpAndClearTelemetryAsync(String tokenEndpoint, ILoggerAdapter logger)
2024-02-27T10:56:56.5249357Z at Microsoft.Identity.Client.OAuth2.TokenClient.SendTokenRequestAsync(IDictionary`2 additionalBodyParameters, String scopeOverride, String tokenEndpointOverride, CancellationToken cancellationToken)
2024-02-27T10:56:56.5257660Z at Microsoft.Identity.Client.Internal.Requests.RequestBase.SendTokenRequestAsync(IDictionary`2 additionalBodyParameters, CancellationToken cancellationToken)
2024-02-27T10:56:56.5265824Z at Microsoft.Identity.Client.Internal.Requests.ClientCredentialRequest.GetAccessTokenAsync(CancellationToken cancellationToken, ILoggerAdapter logger)
2024-02-27T10:56:56.5274096Z at Microsoft.Identity.Client.Internal.Requests.ClientCredentialRequest.ExecuteAsync(CancellationToken cancellationToken)
2024-02-27T10:56:56.5282088Z at Microsoft.Identity.Client.Internal.Requests.RequestBase.RunAsync(CancellationToken cancellationToken)
2024-02-27T10:56:56.5290159Z at Microsoft.Identity.Client.ApiConfig.Executors.ConfidentialClientExecutor.ExecuteAsync(AcquireTokenCommonParameters commonParameters, AcquireTokenForClientParameters clientParameters, CancellationToken cancellationToken)
2024-02-27T10:56:56.5298040Z at Azure.Identity.AbstractAcquireTokenParameterBuilderExtensions.ExecuteAsync[T](AbstractAcquireTokenParameterBuilder`1 builder, Boolean async, CancellationToken cancellationToken)
2024-02-27T10:56:56.5305967Z at Azure.Identity.MsalConfidentialClient.AcquireTokenForClientCoreAsync(String[] scopes, String tenantId, Boolean enableCae, Boolean async, CancellationToken cancellationToken)
2024-02-27T10:56:56.5313881Z at Azure.Identity.MsalConfidentialClient.AcquireTokenForClientAsync(String[] scopes, String tenantId, Boolean enableCae, Boolean async, CancellationToken cancellationToken)
2024-02-27T10:56:56.5321680Z at Azure.Identity.ClientSecretCredential.GetTokenAsync(TokenRequestContext requestContext, CancellationToken cancellationToken)
2024-02-27T10:56:56.5329960Z StatusCode: 401
2024-02-27T10:56:56.5339247Z ResponseBody: {"error":"invalid_client","error_description":"AADSTS7000215: Invalid client secret provided. Ensure the secret being sent in the request is the client secret value, not the client secret ID, for a secret added to app 'bbb25bb2-c308-4961-a986-ceda584233c3'. Trace ID: eaf6a9b0-b847-44d9-974a-98387978c800 Correlation ID: 6d94306b-96bd-4cde-adbb-36164e93bce3 Timestamp: 2024-02-27 10:56:56Z","error_codes":[7000215],"timestamp":"2024-02-27 10:56:56Z","trace_id":"eaf6a9b0-b847-44d9-974a-98387978c800","correlation_id":"6d94306b-96bd-4cde-adbb-36164e93bce3","error_uri":"https://login.microsoftonline.com/error?code=7000215"}
2024-02-27T10:56:56.5346124Z Headers: Cache-Control: no-store, no-cache
2024-02-27T10:56:56.5354079Z Pragma: no-cache
2024-02-27T10:56:56.5362032Z Strict-Transport-Security: max-age=31536000; includeSubDomains
2024-02-27T10:56:56.5370047Z X-Content-Type-Options: nosniff
2024-02-27T10:56:56.5377702Z P3P: CP="DSP CUR OTPi IND OTRi ONL FIN"
2024-02-27T10:56:56.5386159Z client-request-id: 6d94306b-96bd-4cde-adbb-36164e93bce3
2024-02-27T10:56:56.5394087Z x-ms-request-id: eaf6a9b0-b847-44d9-974a-98387978c800
2024-02-27T10:56:56.5401921Z x-ms-ests-server: 2.1.17396.8 - SCUS ProdSlices
2024-02-27T10:56:56.5409426Z x-ms-clitelem: 1,7000215,0,,
2024-02-27T10:56:56.5416954Z X-XSS-Protection: 0
2024-02-27T10:56:56.5425407Z Set-Cookie: fpc=As9pJbPRAFtJl8b14ygayrKCDbBsAQAAAPe2b90OAAAA; expires=Thu, 28-Mar-2024 10:56:56 GMT; path=/; secure; HttpOnly; SameSite=None, x-ms-gateway-slice=estsfd; path=/; secure; samesite=none; httponly, stsservicecookie=estsfd; path=/; secure; samesite=none; httponly
2024-02-27T10:56:56.5432149Z Date: Tue, 27 Feb 2024 10:56:55 GMT
2024-02-27T10:56:56.5439967Z
2024-02-27T10:56:56.5447907Z --- End of inner exception stack trace ---
2024-02-27T10:56:56.5455467Z at Azure.Identity.CredentialDiagnosticScope.FailWrapAndThrow(Exception ex, String additionalMessage, Boolean isCredentialUnavailable)
2024-02-27T10:56:56.5462557Z at Azure.Identity.ClientSecretCredential.GetTokenAsync(TokenRequestContext requestContext, CancellationToken cancellationToken)
2024-02-27T10:56:56.5470203Z at Azure.Core.Pipeline.BearerTokenAuthenticationPolicy.AccessTokenCache.GetHeaderValueFromCredentialAsync(TokenRequestContext context, Boolean async, CancellationToken cancellationToken)
2024-02-27T10:56:56.5477771Z at Azure.Core.Pipeline.BearerTokenAuthenticationPolicy.AccessTokenCache.GetHeaderValueAsync(HttpMessage message, TokenRequestContext context, Boolean async)
2024-02-27T10:56:56.5485175Z at Azure.Core.Pipeline.BearerTokenAuthenticationPolicy.AccessTokenCache.GetHeaderValueAsync(HttpMessage message, TokenRequestContext context, Boolean async)
2024-02-27T10:56:56.5492676Z at Azure.Core.Pipeline.BearerTokenAuthenticationPolicy.AuthenticateAndAuthorizeRequestAsync(HttpMessage message, TokenRequestContext context)
2024-02-27T10:56:56.5501824Z at Azure.Security.KeyVault.ChallengeBasedAuthenticationPolicy.AuthorizeRequestOnChallengeAsyncInternal(HttpMessage message, Boolean async)
2024-02-27T10:56:56.5510999Z at Azure.Core.Pipeline.BearerTokenAuthenticationPolicy.ProcessAsync(HttpMessage message, ReadOnlyMemory`1 pipeline, Boolean async)
2024-02-27T10:56:56.5519576Z at Azure.Core.Pipeline.RedirectPolicy.ProcessAsync(HttpMessage message, ReadOnlyMemory`1 pipeline, Boolean async)
2024-02-27T10:56:56.5527990Z at Azure.Core.Pipeline.RetryPolicy.ProcessAsync(HttpMessage message, ReadOnlyMemory`1 pipeline, Boolean async)
2024-02-27T10:56:56.5536951Z at Azure.Core.Pipeline.RetryPolicy.ProcessAsync(HttpMessage message, ReadOnlyMemory`1 pipeline, Boolean async)
2024-02-27T10:56:56.5547160Z at Azure.Core.Pipeline.HttpPipeline.SendRequestAsync(Request request, CancellationToken cancellationToken)
2024-02-27T10:56:56.5557579Z at Azure.Security.KeyVault.KeyVaultPipeline.SendRequestAsync(Request request, CancellationToken cancellationToken)
2024-02-27T10:56:56.5567886Z at Azure.Security.KeyVault.KeyVaultPipeline.SendRequestAsync[TResult](RequestMethod method, Func`1 resultFactory, CancellationToken cancellationToken, String[] path)
2024-02-27T10:56:56.5577709Z at Azure.Security.KeyVault.Certificates.CertificateClient.GetCertificateAsync(String certificateName, CancellationToken cancellationToken)
2024-02-27T10:56:56.5587760Z at Sign.Core.KeyVaultService.GetKeyVaultCertificateAsync(Uri keyVaultUrl, TokenCredential tokenCredential, String certificateName) in /_/src/Sign.Core/KeyVault/KeyVaultService.cs:line 71
2024-02-27T10:56:56.5596983Z at Sign.Core.KeyVaultService.GetCertificateAsync(CancellationToken cancellationToken) in /_/src/Sign.Core/KeyVault/KeyVaultService.cs:line 47
2024-02-27T10:56:56.5607000Z at Sign.Core.Signer.SignAsync(IReadOnlyList`1 inputFiles, String outputFile, FileInfo fileList, DirectoryInfo baseDirectory, String applicationName, String publisherName, String description, Uri descriptionUrl, Uri timestampUrl, Int32 maxConcurrency, HashAlgorithmName fileHashAlgorithm, HashAlgorithmName timestampHashAlgorithm) in /_/src/Sign.Core/Signer.cs:line 78
2024-02-27T10:56:56.6876976Z ##[error]PowerShell exited with code '1'.
2024-02-27T10:56:56.7180096Z ##[section]Finishing: Signing ClickOnce
It looks like an issue. Just again, client credentials are 100% valid.
What parameters are you passing in? For any sensitive values, you can mask those out. The error message indicates that there's an invalid client secret in the authentication.
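One way to answer that question without exposing the secret, as an added example that is not part of the thread and not code from sign or AzureSignTool: the function below reports the shape of the client secret a step actually received, including the secret-ID mix-up that AADSTS7000215 names. The environment variable `SIGN_CLIENT_SECRET` is a hypothetical name and the sample values are constructed.

```powershell
# Added diagnostic, not from the issue. Describes a secret without revealing it.
# Assumption: the pipeline maps the secret into the hypothetical environment
# variable SIGN_CLIENT_SECRET before this step runs.
function Get-SecretShape {
    param([AllowEmptyString()][string]$Secret)

    $findings = @()
    if ([string]::IsNullOrEmpty($Secret)) {
        $findings += 'empty: the variable was not mapped into this step'
    }
    else {
        if ($Secret -match '^\$\(.+\)$') {
            $findings += 'unexpanded pipeline macro: the literal $(name) text was passed'
        }
        $guid = [guid]::Empty
        if ([guid]::TryParse($Secret, [ref]$guid)) {
            $findings += 'GUID-shaped: looks like a secret ID rather than a secret value'
        }
        if ($Secret -ne $Secret.Trim()) {
            $findings += 'leading or trailing whitespace or newline'
        }
        if ($Secret -match '^["''].*["'']$') {
            $findings += 'wrapped in literal quote characters'
        }
    }

    # Short SHA-256 prefix: enough to compare two steps, useless for recovery.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try {
        $hash = $sha.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($Secret))
    }
    finally { $sha.Dispose() }
    $fingerprint = -join ($hash[0..3] | ForEach-Object { $_.ToString('x2') })

    [pscustomobject]@{
        Length      = $Secret.Length
        Fingerprint = $fingerprint
        Findings    = if ($findings) { $findings -join '; ' } else { 'none' }
    }
}

# Constructed sample values (not real credentials) showing each finding.
'$(SignClientSecret)', '3f2b8c1e-5d47-4a90-b6e2-0c9d1a7f4e55', "abc~Constructed.Value`n" |
    ForEach-Object { Get-SecretShape -Secret $_ } | Format-Table -AutoSize

# In the pipeline, run this in both the AzureSignTool step and the sign step:
Get-SecretShape -Secret $env:SIGN_CLIENT_SECRET | Format-List
```

If the two steps report a different length or fingerprint, the value is being altered between the variable and the command line rather than rejected for being the wrong secret.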