When using signtool.exe with an "Azure Trusted Signing Account" in Azure DevOps scripts, the process hangs at:
Submitting digest for signing...
This is the PowerShell script block we use in Azure DevOps, which is based on the Azure Trusted Signing Account documentation:
- task: PowerShell@2
  displayName: Preparing Windows EXE signing tools
  inputs:
    targetType: 'inline'
    workingDirectory: $(Pipeline.Workspace)/windows-signing-tool
    script: |
      Set-PSDebug -Trace 1
      Invoke-WebRequest -Uri https://dist.nuget.org/win-x86-commandline/latest/nuget.exe -OutFile .\nuget.exe
      .\nuget.exe install Microsoft.Windows.SDK.BuildTools -Version 10.0.22621.3233 -x
      .\nuget.exe install Microsoft.Trusted.Signing.Client -Version 1.0.53 -x
      ./"Microsoft.Windows.SDK.BuildTools\bin\10.0.22621.0\x86\signtool.exe" sign /v /debug /fd SHA256 /tr "http://timestamp.acs.microsoft.com" /td SHA256 /dlib "Microsoft.Trusted.Signing.Client\bin\x86\Azure.CodeSigning.Dlib.dll" /dmdf ".\signing-metadata.json" "<obscurecFolder>/MyProject.exe"
The log output:
========================== Starting Command Output ===========================
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -Command ". 'D:\a\_temp\c16ea5da-1997-4e32-9ef5-9e9268766943.ps1'"
DEBUG: 5+ >>>> Invoke-WebRequest -Uri https://dist.nuget.org/win-x86-commandline/latest/nuget.exe -OutFile
.\nuget.exe
DEBUG: 6+ >>>> .\nuget.exe install Microsoft.Windows.SDK.BuildTools -Version 10.0.22621.3233 -x
Feeds used:
https://api.nuget.org/v3/index.json
C:\Program Files (x86)\Microsoft SDKs\NuGetPackages\
Attempting to gather dependency information for package 'Microsoft.Windows.SDK.BuildTools.10.0.22621.3233' with respect to project '<obscurecFolder>\windows-signing-tool', targeting 'Any,Version=v0.0'
Gathering dependency information took 751 ms
Attempting to resolve dependencies for package 'Microsoft.Windows.SDK.BuildTools.10.0.22621.3233' with DependencyBehavior 'Lowest'
Resolving dependency information took 0 ms
Resolving actions to install package 'Microsoft.Windows.SDK.BuildTools.10.0.22621.3233'
Resolved actions to install package 'Microsoft.Windows.SDK.BuildTools.10.0.22621.3233'
Retrieving package 'Microsoft.Windows.SDK.BuildTools 10.0.22621.3233' from 'nuget.org'.
GET https://api.nuget.org/v3-flatcontainer/microsoft.windows.sdk.buildtools/10.0.22621.3233/microsoft.windows.sdk.buildtools.10.0.22621.3233.nupkg
OK https://api.nuget.org/v3-flatcontainer/microsoft.windows.sdk.buildtools/10.0.22621.3233/microsoft.windows.sdk.buildtools.10.0.22621.3233.nupkg 7ms
Installed Microsoft.Windows.SDK.BuildTools 10.0.22621.3233 from https://api.nuget.org/v3/index.json to C:\Users\VssAdministrator\.nuget\packages\microsoft.windows.sdk.buildtools\10.0.22621.3233 with content hash v67zwCb9JOpfPxdSroZukIKHruU6FUB+KwcmSPcVvUFyYtcyvcUign5y8jPQNi54CVzWvaTg646e62LbanUkxg==.
Adding package 'Microsoft.Windows.SDK.BuildTools.10.0.22621.3233' to folder '<obscurecFolder>\windows-signing-tool'
Added package 'Microsoft.Windows.SDK.BuildTools.10.0.22621.3233' to folder '<obscurecFolder>\windows-signing-tool'
Successfully installed 'Microsoft.Windows.SDK.BuildTools 10.0.22621.3233' to <obscurecFolder>\windows-signing-tool
Executing nuget actions took 5.09 sec
DEBUG: 7+ >>>> .\nuget.exe install Microsoft.Trusted.Signing.Client -Version 1.0.53 -x
Feeds used:
C:\Users\VssAdministrator\.nuget\packages\
https://api.nuget.org/v3/index.json
C:\Program Files (x86)\Microsoft SDKs\NuGetPackages\
Attempting to gather dependency information for package 'Microsoft.Trusted.Signing.Client.1.0.53' with respect to project '<obscurecFolder>\windows-signing-tool', targeting 'Any,Version=v0.0'
Gathering dependency information took 1.09 sec
Attempting to resolve dependencies for package 'Microsoft.Trusted.Signing.Client.1.0.53' with DependencyBehavior 'Lowest'
Resolving dependency information took 0 ms
Resolving actions to install package 'Microsoft.Trusted.Signing.Client.1.0.53'
Resolved actions to install package 'Microsoft.Trusted.Signing.Client.1.0.53'
Retrieving package 'Microsoft.Trusted.Signing.Client 1.0.53' from 'nuget.org'.
GET https://api.nuget.org/v3-flatcontainer/microsoft.trusted.signing.client/1.0.53/microsoft.trusted.signing.client.1.0.53.nupkg
OK https://api.nuget.org/v3-flatcontainer/microsoft.trusted.signing.client/1.0.53/microsoft.trusted.signing.client.1.0.53.nupkg 9ms
Installed Microsoft.Trusted.Signing.Client 1.0.53 from https://api.nuget.org/v3/index.json to C:\Users\VssAdministrator\.nuget\packages\microsoft.trusted.signing.client\1.0.53 with content hash lou6NowgbY3S/Yn0+WSeI+Dl8SCmvmqkeAzt2Pgs51QL5/kHh+w8FJgutYGM+j2TB11a9zNc0EBWjOGWdwWtoQ==.
Adding package 'Microsoft.Trusted.Signing.Client.1.0.53' to folder '<obscurecFolder>\windows-signing-tool'
Added package 'Microsoft.Trusted.Signing.Client.1.0.53' to folder '<obscurecFolder>\windows-signing-tool'
Successfully installed 'Microsoft.Trusted.Signing.Client 1.0.53' to <obscurecFolder>\windows-signing-tool
Executing nuget actions took 1.45 sec
This means the first three commands worked fine...
After that we have:
./"Microsoft.Windows.SDK.BuildTools\bin\10.0.22621.0\x86\signtool.exe" sign /v /debug /fd SHA256 /tr "http://timestamp.acs.microsoft.com" /td SHA256 /dlib "Microsoft.Trusted.Signing.Client\bin\x86\Azure.CodeSigning.Dlib.dll" /dmdf ".\signing-metadata.json" "<obscurecFolder>/MyProject.exe"
Trusted Signing
Version: 1.0.53
"Metadata": {
"Endpoint": "https://eus.codesigning.azure.net",
"CodeSigningAccountName": "ObscuredTrustedSignAccName",
"CertificateProfileName": "ObscuredTrustedSignAccCertificateProfileName",
"ExcludeCredentials": []
}
Submitting digest for signing...
When run locally, the output of the same last command is:
Trusted Signing
Version: 1.0.60
"Metadata": {
"Endpoint": "https://eus.codesigning.azure.net",
"CodeSigningAccountName": "ObscuredTrustedSignAccName",
"CertificateProfileName": "ObscuredTrustedSignAccCertificateProfileName",
"ExcludeCredentials": []
}
Submitting digest for signing...
OperationId 12121212-acbc-acbc-acbc-49603042d34c: InProgress
Signing completed with status 'Succeeded' in 20.5563194s
Successfully signed: <obscurecFolder>/MyProject.exe
Number of files successfully Signed: 1
Number of warnings: 0
Number of errors: 0
Why does signtool.exe not continue when run from DevOps, but work fine in my local environment?
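
An added diagnostic example, not part of the original post and not Microsoft's code: a pre-flight check followed by a time-limited signtool run, so that a stalled "Submitting digest for signing..." step fails the job with a message instead of hanging. It assumes that signing-metadata.json holds the three echoed fields at its top level, and that the dlib authenticates through the Azure Identity credential chain that `ExcludeCredentials` refers to, so the `AZURE_*` service-principal variables are the non-interactive source on an agent; the 120-second limit is an arbitrary choice.

```powershell
$ErrorActionPreference = 'Stop'

# Paths as in the question's script; Resolve-Path fails early if a package is missing.
$signtool = (Resolve-Path '.\Microsoft.Windows.SDK.BuildTools\bin\10.0.22621.0\x86\signtool.exe').Path
$dlib     = (Resolve-Path '.\Microsoft.Trusted.Signing.Client\bin\x86\Azure.CodeSigning.Dlib.dll').Path
$metadata = (Resolve-Path '.\signing-metadata.json').Path
$target   = '<obscurecFolder>/MyProject.exe'   # placeholder kept from the question
$timeoutSeconds = 120                          # assumption: well above the ~20 s local run

# 1. The metadata file must parse and carry the fields the tool echoes in its log.
$meta = Get-Content -Raw $metadata | ConvertFrom-Json
foreach ($field in 'Endpoint', 'CodeSigningAccountName', 'CertificateProfileName') {
    if (-not $meta.$field) { throw "signing-metadata.json: '$field' is missing or empty" }
}
Write-Host "ExcludeCredentials: [$($meta.ExcludeCredentials -join ', ')]"

# 2. Report which service-principal variables this step can see (names only, never values).
#    Assumption: these feed the credential chain when no interactive login exists.
$spVars  = 'AZURE_TENANT_ID', 'AZURE_CLIENT_ID', 'AZURE_CLIENT_SECRET'
$missing = @($spVars | Where-Object { -not [Environment]::GetEnvironmentVariable($_) })
if ($missing.Count -gt 0) {
    Write-Warning "Not visible to this step: $($missing -join ', ')"
}

# 3. Run signtool with a time limit. Arguments are quoted by hand because
#    Start-Process joins -ArgumentList with spaces and does not quote paths.
$argLine = "sign /v /debug /fd SHA256 /tr `"http://timestamp.acs.microsoft.com`" " +
           "/td SHA256 /dlib `"$dlib`" /dmdf `"$metadata`" `"$target`""
$proc = Start-Process -FilePath $signtool -ArgumentList $argLine -NoNewWindow -PassThru
$null = $proc.Handle   # cache the handle so ExitCode is readable after exit

if (-not $proc.WaitForExit($timeoutSeconds * 1000)) {
    $proc.Kill()
    throw "signtool.exe still running after $timeoutSeconds s; killed instead of hanging the job"
}
if ($proc.ExitCode -ne 0) {
    throw "signtool.exe exited with code $($proc.ExitCode)"
}
Write-Host 'Signing step finished within the time limit.'
```

Secret pipeline variables are not exposed to scripts automatically, so a warning from step 2 for `AZURE_CLIENT_SECRET` usually means the variable has to be mapped explicitly in the task's `env:` block.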