Getting An error occurred while signing: Failed to sign file.exe. SignTool Error: No certificates were found that met all the given criteria

Question

OK - so this is really odd. I have a TFS build that signs a file and I'm getting the message above. If I look at the log from the build it says that it successfully signed and timestamped my file, (there's a .proj file that manually calls signtool) but below that in a different step (not sure where exactly) - I assume that its in the ClickOnce signing I get the error.

I'm able to sign the file myself using Signtool using the same parameters as the build uses so I thought perhaps I needed to import he cert, so I opened mmc, added the certificates snap-in, went through the Import Wizard using Local Machine to install it (the TFS build runs under a different account than mine and I don't know the password for that account so I figured that installing it at a machine level would work). I browsed for the file and imported it successfully in the Trusted Root Certification Authorities (see below):

and still I get the error when I build. The signtool is called from a .proj file called in the TFS build, but then again by the build during ClickOnce. After importing the cert through the VS screen I now see this:

And get this error:

C:\Program Files (x86)\MSBuild\12.0\bin\Microsoft.Common.CurrentVersion.targets (2718): Unable to find code signing certificate in the current user’s Windows certificate store. To correct this, either disable signing of the ClickOnce manifest or install the certificate into the certificate store.
C:\Program Files (x86)\MSBuild\12.0\bin\Microsoft.Common.CurrentVersion.targets (2718): Cannot import the following key file: . The key file may be password protected. To correct this, try to import the certificate again or import the certificate manually into the current user’s personal certificate store.
C:\Program Files (x86)\MSBuild\12.0\bin\Microsoft.Common.CurrentVersion.targets (2718): Importing key file "les.pfx" was canceled.

The cert is in the same folder as the .csproj as well as being imported into the store.

Here's the cert info and the Thumbprint matches what's in the .csproj file:

Any ideas what I could be missing here?

Answer 1

According to the error message, you have to import the certificate into agent machine's personal store. When you reference the certificate from the personal store, it will not ask for the password, and thus you can access your code signing certificate.

If multiple projects being built with ClickOnce, then you have to import the certificate into each of the projects.

Please try to use the Visual Studio Command Prompt to import the certificate in your build agent machine:

1. Click Start → All Programs → Microsoft Visual Studio → Visual Studio Tools → Visual Studio Command Prompt.

2. Type the following command sample:

   sn -i "c:\Pathtofile\.pfx" VS_KEY_C1D3ACB8FBF1AGK4
   

Note: The sn.exe with the -i parameter, installs a key pair from into a key container named.

3. Re-import the pfx file into Visual Studio.

You can also try to create a PowerShell script and run pre-build scripts in your build definition to import the certificate.

The PowerShell script sample for your reference:

$pfxpath = 'pathtoees.pfx'
$password = 'password'

Add-Type -AssemblyName System.Security
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
$cert.Import($pfxpath, $password, [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]"PersistKeySet")
$store = new-object system.security.cryptography.X509Certificates.X509Store -argumentlist "MY", CurrentUser
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]"ReadWrite")
$store.Add($cert)
$store.Close()

Reference these threads:

• Visual studio team services deploymen/buildt certificate error
• Cannot import the keyfile 'blah.pfx' - error 'The keyfile may be password protected'
• Build and Publish a ClickOnce App using Team Build/VSO. (The last section about using a certificate from store)