How to use DigiCert Signing Manager Controller (smctl) in Azure DevOps classic pipeline?


The following task, which signs a setup program using DigiCert Signing Manager Controller (smctl), works without any problem if I use it in an Azure YAML pipeline.

- task: CmdLine@2
  displayName: 'Sign setup file'
  inputs:
    script: 
      smctl sign --verbose --keypair-alias=$(digicert-key-pair-alias) --certificate=$(Agent.TempDirectory)\KeyCert.pem  --config-file $(SSMClientToolsSetup.PKCS11_CONFIG) --input $(System.ArtifactsDirectory)
  env:
    SM_HOST: $(CodeSigningHost)
    SM_API_KEY: $(digicert-api-key)
    SM_CLIENT_CERT_PASSWORD: $(digicert-cert-pw)
    SM_CLIENT_CERT_FILE: $(caCertificate.secureFilePath)

Using the exact same task in an Azure DevOps release pipeline doesn't work: See this screenshot:

[Screenshot: Signing task]

I'm getting this error:

Command : 
 signtool sign  /tr http://timestamp.digicert.com /td SHA256  /fd  SHA256   /csp "DigiCert Signing Manager KSP" /kc "***" /f "D:\a\_temp\KeyCert.pem"  "D:\a\1\a\setup\ApplicationService_Setup_4.2.0.57.exe" 
Error : 
Done Adding Additional Store
Error information: "Error: SignerSign() failed." (-2146893779/0x8009002d)
 
 exit status 1: SignTool Error: An unexpected internal error has occurred.

I'm calling in both pipelines the same necessary tasks as described in DigiCert instructions. The DigiCert tools are downloaded and installed correctly in both pipelines. The necessary certificate and all environment variables are also there.

To my understanding, the signing process should work in both types of pipelines. I'm calling the same tasks in both pipelines. Both pipelines have access to the secure file containing the certificate to sign and to the variable group that contains the secret parameters used by the DigiCert tools.


There are 0 answers
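A preflight check that can be dropped in as a step before the smctl task in either pipeline, to compare what the two agents actually see. This is an added example, not code from the question, from DigiCert, or from Azure DevOps. It checks the four environment variables the question's env block sets (SM_HOST, SM_API_KEY, SM_CLIENT_CERT_PASSWORD, SM_CLIENT_CERT_FILE), confirms that the paths passed to smctl exist, and flags values that still contain a literal `$(...)`, which is what an Azure DevOps variable looks like when the variable group or secure file was not linked and the macro never expanded. Secrets are only ever logged as a length. The environment variable names AGENT_TEMPDIRECTORY and SYSTEM_ARTIFACTSDIRECTORY used in the stand-alone entry point are assumed to be the agent's environment form of `$(Agent.TempDirectory)` and `$(System.ArtifactsDirectory)`; the path and variable values are constructed placeholders.

```python
"""Preflight check for an smctl signing step (added example, not the
question's own code). Reports missing environment variables, unexpanded
pipeline macros and non-existent paths without echoing secret values."""
import os
import sys
from typing import Callable, Dict, List

# Environment variables the question's task sets for smctl.
REQUIRED_ENV = ("SM_HOST", "SM_API_KEY",
                "SM_CLIENT_CERT_PASSWORD", "SM_CLIENT_CERT_FILE")
# Values that must never be written to pipeline logs.
SECRET_ENV = {"SM_API_KEY", "SM_CLIENT_CERT_PASSWORD"}


def mask(name: str, value: str) -> str:
    """Render a value for logging; secrets are replaced by their length only."""
    if name in SECRET_ENV:
        return f"***({len(value)} chars)"
    return value


def preflight(env: Dict[str, str], paths: Dict[str, str],
              exists: Callable[[str], bool] = os.path.exists) -> List[str]:
    """Return a list of problems; an empty list means the step is ready to sign.

    env:    mapping of environment variables (normally os.environ)
    paths:  smctl argument name -> path that must exist (file or directory)
    exists: injectable existence check so the logic can be tested offline
    """
    problems: List[str] = []
    for name in REQUIRED_ENV:
        value = env.get(name, "")
        if not value.strip():
            problems.append(f"env {name} is missing or empty")
        elif "$(" in value:
            # An unresolved $(...) macro is passed through literally by Azure DevOps.
            problems.append(f"env {name} still contains an unexpanded pipeline macro")
    cert = env.get("SM_CLIENT_CERT_FILE", "")
    if cert.strip() and "$(" not in cert and not exists(cert):
        problems.append(f"env SM_CLIENT_CERT_FILE path does not exist: {cert}")
    for arg, path in paths.items():
        if not path.strip():
            problems.append(f"{arg}: path is empty")
        elif "$(" in path:
            problems.append(f"{arg}: unexpanded pipeline macro in {path}")
        elif not exists(path):
            problems.append(f"{arg}: path does not exist: {path}")
    return problems


def describe(env: Dict[str, str], paths: Dict[str, str]) -> str:
    """Log-safe summary of what the agent sees, for diffing the two pipelines."""
    lines = [f"{n}={mask(n, env.get(n, '<unset>'))}" for n in REQUIRED_ENV]
    lines += [f"{a}={p}" for a, p in paths.items()]
    return "\n".join(lines)


if __name__ == "__main__":
    # Assumed environment form of $(Agent.TempDirectory) and
    # $(System.ArtifactsDirectory); the config path is a placeholder.
    temp_dir = os.environ.get("AGENT_TEMPDIRECTORY", ".")
    artifacts = os.environ.get("SYSTEM_ARTIFACTSDIRECTORY", ".")
    smctl_paths = {
        "--certificate": os.path.join(temp_dir, "KeyCert.pem"),
        "--config-file": os.environ.get("PKCS11_CONFIG", "<pkcs11 config path>"),
        "--input": artifacts,
    }
    print(describe(dict(os.environ), smctl_paths))
    found = preflight(dict(os.environ), smctl_paths)
    for p in found:
        print("PROBLEM:", p)
    sys.exit(1 if found else 0)
```

Run it as a CmdLine/script step immediately before the smctl step in both the YAML and the release pipeline and compare the two outputs; a path or variable that differs between them is the first thing to look at when only one of the two signs successfully.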