
Error signing clickonce with Trusted Signing #735

Closed
JaapMosselman opened this issue Jul 2, 2024 · 3 comments

Comments

@JaapMosselman

I am trying to use the new Trusted Signing option of dotnet sign which @dlemstra added.
I am able to sign a msi, works fine, but have problems with clickonce.

I use this powershell in my devops pipeline:
.\sign code trusted-signing "$applicationFile"
--base-directory "$applicationDir" --application-name "...."
--publisher-name "...." --trusted-signing-endpoint "...."
--trusted-signing-account "...." --trusted-signing-certificate-profile "...."
--managed-identity-client-id "...."

I get this error:
fail: Sign.Core.ISigner[0] Specified method is not supported.
System.ApplicationException: Specified method is not supported. ---> System.NotSupportedException: Specified method is not supported.
   at System.Deployment.Internal.CodeSigning.SignedCmiManifest2.AuthenticodeSignLicenseDom(XmlDocument licenseDom, CmiManifestSigner2 signer, String timeStampUrl, Boolean disallowMansignTimestampFallback) in /_/src/Sign.Core/Native/mansign2.cs:line 676
   at System.Deployment.Internal.CodeSigning.SignedCmiManifest2.Sign(CmiManifestSigner2 signer, String timeStampUrl, Boolean disallowMansignTimestampFallback) in /_/src/Sign.Core/Native/mansign2.cs:line 357
   at Sign.Core.ManifestSigner.Sign(FileInfo file, X509Certificate2 certificate, RSA rsaPrivateKey, SignOptions options) in /_/src/Sign.Core/DataFormatSigners/ManifestSigner.cs:line 42
   --- End of inner exception stack trace ---
   at Sign.Core.ManifestSigner.Sign(FileInfo file, X509Certificate2 certificate, RSA rsaPrivateKey, SignOptions options) in /_/src/Sign.Core/DataFormatSigners/ManifestSigner.cs:line 52
   at Sign.Core.ClickOnceSigner.SignCoreAsync(String args, FileInfo file, RSA rsaPrivateKey, X509Certificate2 certificate, SignOptions options) in /_/src/Sign.Core/DataFormatSigners/ClickOnceSigner.cs:line 220
   at Sign.Core.RetryingSigner.SignAsync(String args, FileInfo file, RSA rsaPrivateKey, X509Certificate2 publicCertificate, SignOptions options) in /_/src/Sign.Core/DataFormatSigners/RetryingSigner.cs:line 40
   at Sign.Core.ClickOnceSigner.<>c__DisplayClass9_0.<<SignAsync>b__0>d.MoveNext() in /_/src/Sign.Core/DataFormatSigners/ClickOnceSigner.cs:line 134
   --- End of stack trace from previous location ---
   at System.Threading.Tasks.Parallel.<>c__53`1.<<ForEachAsync>b__53_0>d.MoveNext()
   --- End of stack trace from previous location ---
   at Sign.Core.ClickOnceSigner.SignAsync(IEnumerable`1 files, SignOptions options) in /_/src/Sign.Core/DataFormatSigners/ClickOnceSigner.cs:line 82
   at Sign.Core.AggregatingSigner.SignAsync(IEnumerable`1 files, SignOptions options) in /_/src/Sign.Core/DataFormatSigners/AggregatingSigner.cs:line 204
   at Sign.Core.Signer.<>c__DisplayClass3_0.<b__0>d.MoveNext() in /_/src/Sign.Core/Signer.cs:line 155
   --- End of stack trace from previous location ---
   at System.Threading.Tasks.Parallel.<>c__53`1.<<ForEachAsync>b__53_0>d.MoveNext()
   --- End of stack trace from previous location ---
   at Sign.Core.Signer.SignAsync(IReadOnlyList`1 inputFiles, String outputFile, FileInfo fileList, DirectoryInfo baseDirectory, String applicationName, String publisherName, String description, Uri descriptionUrl, Uri timestampUrl, Int32 maxConcurrency, HashAlgorithmName fileHashAlgorithm, HashAlgorithmName timestampHashAlgorithm) in /_/src/Sign.Core/Signer.cs:line 84

Any hint what the problem is?

@dlemstra
Contributor

dlemstra commented Jul 2, 2024

The issue seems to be here (mansign2.cs):

private static void AuthenticodeSignLicenseDom(XmlDocument licenseDom, CmiManifestSigner2 signer, string timeStampUrl, bool disallowMansignTimestampFallback)
{
    // Make sure it is RSA, as this is the only one Fusion will support.
    // HACK: do this in a better way
    RSA rsaPrivateKey = null;
    if (signer.Certificate.HasPrivateKey)
    {
        rsaPrivateKey = signer.Certificate.GetRSAPrivateKey();
    }
    else if (signer.StrongNameKey is RSAKeyVault provider)
    {
        rsaPrivateKey = provider;
    }
    // ...
}

There seems to be an explicit check for RSAKeyVault, and we could also add RSATrustedSigning, but I really wonder if we can solve this differently? Maybe we could do this instead:

// Make sure it is RSA, as this is the only one Fusion will support.
// Accept any RSA implementation here (Key Vault, Trusted Signing, ...), not just RSAKeyVault.
RSA rsaPrivateKey = signer.Certificate.HasPrivateKey
    ? signer.Certificate.GetRSAPrivateKey()
    : signer.StrongNameKey as RSA;

if (rsaPrivateKey == null)
{
    throw new NotSupportedException();
}
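The proposed change above, worked into a small stand-alone C# program (an added example, not code from the dotnet/sign project): key resolution is written against the abstract RSA base so that any RSA-backed key (certificate-embedded, Key Vault, Trusted Signing) is accepted, and the failure path reports why instead of the bare "Specified method is not supported" in the report. The ManifestKeyResolver class, its method name, the throwaway self-signed certificate and the non-RSA (ECDSA) failure case are assumptions constructed for the example.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
// Added example, not dotnet/sign code. ManifestKeyResolver and ResolveRsaSigningKey are assumed names.
static class ManifestKeyResolver
{
    // Returns the RSA key to sign with, checking against the abstract RSA base (as in the
    // proposed fix) rather than one concrete subclass such as RSAKeyVault.
    public static RSA ResolveRsaSigningKey(X509Certificate2 certificate, AsymmetricAlgorithm strongNameKey)
    {
        if (certificate is null) throw new ArgumentNullException(nameof(certificate));
        RSA rsaPrivateKey = certificate.HasPrivateKey
            ? certificate.GetRSAPrivateKey()   // null when the embedded key is not RSA (e.g. ECDSA)
            : strongNameKey as RSA;             // any RSA subclass: Key Vault, Trusted Signing, HSM ...
        if (rsaPrivateKey is null)
        {
            // Say why, instead of the bare "Specified method is not supported" seen in the report.
            string keyType = strongNameKey?.GetType().Name ?? "<none>";
            throw new NotSupportedException(
                $"Manifest signing needs an RSA private key; HasPrivateKey={certificate.HasPrivateKey}, external key={keyType}.");
        }
        return rsaPrivateKey;
    }
}
static class Demo
{
    static void Main()
    {
        // Constructed test material: a throwaway self-signed certificate, never a real signing identity.
        using RSA rsa = RSA.Create(2048);
        var req = new CertificateRequest("CN=constructed-test", rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        using X509Certificate2 withKey = req.CreateSelfSigned(DateTimeOffset.UtcNow, DateTimeOffset.UtcNow.AddDays(1));

        // Case 1: certificate carries its own RSA private key.
        Console.WriteLine(ManifestKeyResolver.ResolveRsaSigningKey(withKey, null) is RSA);

        // Case 2: public-only certificate plus an external RSA object (stands in for a Trusted Signing key).
        using X509Certificate2 publicOnly = new X509Certificate2(withKey.Export(X509ContentType.Cert));
        using RSA externalKey = RSA.Create(2048);
        Console.WriteLine(ManifestKeyResolver.ResolveRsaSigningKey(publicOnly, externalKey) is RSA);

        // Case 3: a non-RSA external key is rejected with a message that names the problem.
        using ECDsa notRsa = ECDsa.Create();
        try { ManifestKeyResolver.ResolveRsaSigningKey(publicOnly, notRsa); }
        catch (NotSupportedException e) { Console.WriteLine(e.Message); }
    }
}
```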

@JaapMosselman
Author

Thanks, @dlemstra. I am eagerly waiting for the new prerelease :-).

@JaapMosselman
Author

@dtivel Thanks, when will this become available on NuGet?
