OK - so this is really odd. I have a TFS build that signs a file and I'm getting the message above. If I look at the log from the build it says that it successfully signed and timestamped my file (there's a .proj file that manually calls signtool), but below that in a different step (not sure where exactly) - I assume that it's in the ClickOnce signing - I get the error.

I'm able to sign the file myself using Signtool using the same parameters as the build uses so I thought perhaps I needed to import the cert, so I opened mmc, added the certificates snap-in, went through the Import Wizard using Local Machine to install it (the TFS build runs under a different account than mine and I don't know the password for that account so I figured that installing it at a machine level would work). I browsed for the file and imported it successfully in the Trusted Root Certification Authorities (see below):

And still I get the error when I build. The signtool is called from a .proj file called in the TFS build, but then again by the build during ClickOnce. After importing the cert through the VS screen I now see this:

And get this error:

    C:\Program Files (x86)\MSBuild\12.0\bin\Microsoft.Common.CurrentVersion.targets (2718): Unable to find code signing certificate in the current user’s Windows certificate store. To correct this, either disable signing of the ClickOnce manifest or install the certificate into the certificate store.
    C:\Program Files (x86)\MSBuild\12.0\bin\Microsoft.Common.CurrentVersion.targets (2718): Cannot import the following key file: . The key file may be password protected. To correct this, try to import the certificate again or import the certificate manually into the current user’s personal certificate store.
    C:\Program Files (x86)\MSBuild\12.0\bin\Microsoft.Common.CurrentVersion.targets (2718): Importing key file "les.pfx" was canceled.

The cert is in the same folder as the .csproj as well as being imported into the store.

Here's the cert info and the Thumbprint matches what's in the .csproj file:


Any ideas what I could be missing here?

Andy Li-MSFT On BEST ANSWER

According to the error message, you have to import the certificate into the agent machine's personal store. When you reference the certificate from the personal store, it will not ask for the password, and thus you can access your code signing certificate.

If multiple projects are being built with ClickOnce, then you have to import the certificate into each of the projects.

Please try to use the Visual Studio Command Prompt to import the certificate in your build agent machine:

  1. Click Start > All Programs > Microsoft Visual Studio > Visual Studio Tools > Visual Studio Command Prompt.
  2. Type the following command sample:

    sn -i "c:\Pathtofile\.pfx" VS_KEY_C1D3ACB8FBF1AGK4
    

Note: sn.exe with the -i parameter installs a key pair from the given .pfx file into the named key container.

  3. Re-import the pfx file into Visual Studio.

You can also try to create a PowerShell script and run pre-build scripts in your build definition to import the certificate.

The PowerShell script sample for your reference:

    # Path and password of the code-signing .pfx (sample values)
    $pfxpath = 'pathtoees.pfx'
    $password = 'password'

    Add-Type -AssemblyName System.Security
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
    # PersistKeySet keeps the private key in the key store after the import
    $cert.Import($pfxpath, $password, [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::PersistKeySet)
    # Open the personal ("MY") store of the account that runs the script
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList 'MY', 'CurrentUser'
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
    $store.Add($cert)
    $store.Close()

Reference these threads:
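
Added example, not part of the question or the answer above: a check to run under the build service account that confirms the thumbprint in the .csproj resolves to a usable certificate in that account's personal store, and flags a copy that exists only in the machine's Trusted Root store, as in the question. It assumes the project keeps the thumbprint in the `ManifestCertificateThumbprint` property; the function name `Test-ClickOnceSigningCert` is hypothetical.

```powershell
# Added example. Run it as the build service account, e.g. as a pre-build script.
# Assumption: the .csproj holds the thumbprint in <ManifestCertificateThumbprint>.
function Test-ClickOnceSigningCert {
    param([Parameter(Mandatory)] [string] $ProjectPath)

    # Read the thumbprint that ClickOnce manifest signing will look for.
    [xml]$proj = Get-Content -LiteralPath $ProjectPath -Raw
    $node = $proj.GetElementsByTagName('ManifestCertificateThumbprint') |
        Select-Object -First 1
    if (-not $node) { throw "No ManifestCertificateThumbprint in $ProjectPath" }
    # Strip spaces and invisible characters that copy/paste can leave behind.
    $thumb = ($node.InnerText -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()

    # Look the thumbprint up in a given certificate store.
    $find = {
        param($store)
        Get-ChildItem $store | Where-Object { $_.Thumbprint -eq $thumb } |
            Select-Object -First 1
    }
    $cert   = & $find 'Cert:\CurrentUser\My'          # store the error message names
    $inRoot = [bool](& $find 'Cert:\LocalMachine\Root')

    # A certificate without an EKU extension is valid for all usages.
    $codeSigning = '1.3.6.1.5.5.7.3.3'                # id-kp-codeSigning
    $eku = if ($cert) {
        $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
    }
    $ekuOk = (-not $eku) -or
        (@($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains $codeSigning)

    $found   = [bool]$cert
    $hasKey  = $found -and $cert.HasPrivateKey
    $current = $found -and ($cert.NotAfter -gt (Get-Date))

    [pscustomobject]@{
        Account           = [Security.Principal.WindowsIdentity]::GetCurrent().Name
        Thumbprint        = $thumb
        InCurrentUserMy   = $found
        HasPrivateKey     = $hasKey
        CodeSigningEku    = $found -and $ekuOk
        NotExpired        = $current
        OnlyInMachineRoot = (-not $found) -and $inRoot
        Ok                = $hasKey -and $ekuOk -and $current
    }
}
```

Calling it with the project path and exiting non-zero when `Ok` is false stops the build before the signing target runs. `OnlyInMachineRoot` being true corresponds to the situation described in the question.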