I have a self-hosted build agent for building a .NET 4.7.2 Application from VSTS. In my pipeline I build an Installer using Squirrel.Windows and everything runs smoothly, except the signing of the binaries and subsequently the installer.

  • the agent runs under nt authority/network service
  • the correct certificate is installed in that user's personal certificate store

Here's the part of my PowerShell script that packs the installer:

function Squirrelify{
param(
    $AppName,
    $BuildConfiguration,
    $BinariesDirectory
)

Set-Alias Squirrel '.\imBackend\util\squirrel_tools\Squirrel.exe'
Set-Alias Signtool 'C:\Program Files (x86)\Microsoft SDKs\ClickOnce\SignTool\signtool.exe'

$ReleaseDirectory = "$BinariesDirectory\Releases"

# build paths
$OutputDirectory = "$ReleaseDirectory\DeployPackages\$AppName\" + $BuildInfo.Branch
$BasePath = $BinariesDirectory + "\$AppName\bin\Release"

# create Nuspec file from template
$NugetInfo = (MakeNuspec -ApplicationName $AppName)

# sign binaries
Write-Host Trying to sign binaries in $BasePath

Signtool sign /v /n Dresen /t http://timestamp.digicert.com $BasePath\*.dll $BasePath\*.exe | Write-Host

# pack it
Write-Host Trying to pack Configuration $BuildConfiguration from $NugetInfo.NuspecFileName to $NugetInfo.NupkgFileName into $OutputDirectory BasePath is $BasePath
nuget pack $NugetInfo.NuspecFileName -Version $BuildInfo.SemVer -Properties Configuration="$BuildConfiguration" -OutputDirectory "$OutputDirectory" -BasePath "$BasePath"

###########################
# create squirrel installer
###########################

$SquirrelSourcePackage = "$OutputDirectory\" + $NugetInfo.NupkgFileName
$SquirrelReleaseDirectory = "$ReleaseDirectory\$AppName\" + $BuildInfo.Branch

# releasify
Write-Host "Releasifying $SquirrelSourcePackage -> $SquirrelReleaseDirectory"
Squirrel --releasify $SquirrelSourcePackage --releaseDir $SquirrelReleaseDirectory | Write-Host

# sign installer files
Signtool sign /v /n Dresen /t http://timestamp.digicert.com $SquirrelReleaseDirectory\Setup.exe $SquirrelReleaseDirectory\Setup.msi | Write-Host

}

and this is the complete output of that task:

2018-07-28T11:42:31.8123466Z ##[section]Starting: Create Squirrel Installer
2018-07-28T11:42:31.8127937Z ==============================================================================
2018-07-28T11:42:31.8128218Z Task         : PowerShell
2018-07-28T11:42:31.8128330Z Description  : Run a PowerShell script on Windows, macOS, or Linux.
2018-07-28T11:42:31.8128453Z Version      : 2.136.0
2018-07-28T11:42:31.8128548Z Author       : Microsoft Corporation
2018-07-28T11:42:31.8128663Z Help         : [More Information](https://go.microsoft.com/fwlink/?LinkID=613736)
2018-07-28T11:42:31.8128785Z ==============================================================================
2018-07-28T11:42:32.9293302Z Generating script.
2018-07-28T11:42:32.9393795Z Formatted command: . 'C:\agent\_work\1\s\imBackend\PostBuildScript.ps1' -BuildConfiguration Release -BinariesDirectory C:\agent\_work\1\a
2018-07-28T11:42:33.0109805Z ##[command]"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -Command ". 'C:\agent\_work\_temp\b93f5747-c0d9-49e9-a079-0deb8ab3bc4a.ps1'"
2018-07-28T11:42:33.9288388Z Updating NugetPackageName Variable for Process
2018-07-28T11:42:33.9318288Z Trying to sign binaries in C:\agent\_work\1\a\WPFDeployTest\bin\Release
2018-07-28T11:42:33.9568860Z The following certificate was selected:
2018-07-28T11:42:33.9569695Z     Issued to: Dresen und Grun GbR
2018-07-28T11:42:33.9569859Z 
2018-07-28T11:42:33.9570033Z     Issued by: thawte SHA256 Code Signing CA - G2
2018-07-28T11:42:33.9570188Z 
2018-07-28T11:42:33.9570354Z     Expires:   Sat Mar 02 23:59:59 2019
2018-07-28T11:42:33.9570484Z 
2018-07-28T11:42:33.9570651Z     SHA1 hash: 547CDFE07FB478033E0B9F1E9C10FF22AA90E9E3
2018-07-28T11:42:33.9570802Z 
2018-07-28T11:42:33.9570924Z 
2018-07-28T11:42:33.9571083Z Done Adding Additional Store
2018-07-28T11:42:34.2674054Z Trying to pack Configuration Release from C:\agent\_work\1\s\imBackend\WPFDeployTest.nuspec to WPFDeployTest.1.0.34.nupkg into C:\agent\_work\1\a\Releases\DeployPackages\WPFDeployTest\Stable BasePath is C:\agent\_work\1\a\WPFDeployTest\bin\Release
2018-07-28T11:42:34.7840009Z Attempting to build package from 'WPFDeployTest.nuspec'.
2018-07-28T11:42:35.2935047Z Successfully created package 'C:\agent\_work\1\a\Releases\DeployPackages\WPFDeployTest\Stable\WPFDeployTest.1.0.34.nupkg'.
2018-07-28T11:42:35.3411736Z Releasifying C:\agent\_work\1\a\Releases\DeployPackages\WPFDeployTest\Stable\WPFDeployTest.1.0.34.nupkg -> C:\agent\_work\1\a\Releases\WPFDeployTest\Stable
2018-07-28T11:42:36.9636469Z 
2018-07-28T11:42:39.8226626Z The following certificate was selected:
2018-07-28T11:42:39.8227431Z     Issued to: Dresen und Grun GbR
2018-07-28T11:42:39.8227599Z 
2018-07-28T11:42:39.8227782Z     Issued by: thawte SHA256 Code Signing CA - G2
2018-07-28T11:42:39.8227944Z 
2018-07-28T11:42:39.8228117Z     Expires:   Sat Mar 02 23:59:59 2019
2018-07-28T11:42:39.8228251Z 
2018-07-28T11:42:39.8228430Z     SHA1 hash: 547CDFE07FB478033E0B9F1E9C10FF22AA90E9E3
2018-07-28T11:42:39.8228633Z 
2018-07-28T11:42:39.8228760Z 
2018-07-28T11:42:39.8228930Z Done Adding Additional Store
2018-07-28T11:42:39.9227507Z PostBuildScript done.
2018-07-28T11:42:40.0272475Z ##[error]PowerShell exited with code '1'.
2018-07-28T11:42:40.0621056Z ##[section]Finishing: Create Squirrel Installer

As you can see the (correct) certificate is selected, then after "Done Adding Additional Store" it just proceeds with the next step.

Oddly enough the script exits with an error code, but everything is packed as it is supposed to, the pipeline completes and the installer is uploaded - but not signed.

When I run the exact same command on the server that hosts the build agent, from a PowerShell session running as the user "nt authority/network service", the command completes without issue.

PS C:\Windows\system32> Signtool sign /v /n Dresen /t http://timestamp.digicert.com C:\agent\_work\1\a\WPFDeployTest\bin\Release\*.dll C:\agent\_work\1\a\WPFDeployTest\bin\Release\*.exe
The following certificate was selected:
    Issued to: Dresen und Grun GbR
    Issued by: thawte SHA256 Code Signing CA - G2
    Expires:   Sat Mar 02 23:59:59 2019
    SHA1 hash: 547CDFE07FB478033E0B9F1E9C10FF22AA90E9E3

Done Adding Additional Store
Successfully signed: C:\agent\_work\1\a\WPFDeployTest\bin\Release\CSharpLibrary.dll
Successfully signed: C:\agent\_work\1\a\WPFDeployTest\bin\Release\DeltaCompressionDotNet.dll
Successfully signed: C:\agent\_work\1\a\WPFDeployTest\bin\Release\DeltaCompressionDotNet.MsDelta.dll
Successfully signed: C:\agent\_work\1\a\WPFDeployTest\bin\Release\DeltaCompressionDotNet.PatchApi.dll
Successfully signed: C:\agent\_work\1\a\WPFDeployTest\bin\Release\imLogging.dll
Successfully signed: C:\agent\_work\1\a\WPFDeployTest\bin\Release\imUtilities.dll
Successfully signed: C:\agent\_work\1\a\WPFDeployTest\bin\Release\imUtilitiesNET46.dll
Successfully signed: C:\agent\_work\1\a\WPFDeployTest\bin\Release\log4net.dll
Successfully signed: C:\agent\_work\1\a\WPFDeployTest\bin\Release\Microsoft.Web.Infrastructure.dll
Successfully signed: C:\agent\_work\1\a\WPFDeployTest\bin\Release\Mono.Cecil.dll
Successfully signed: C:\agent\_work\1\a\WPFDeployTest\bin\Release\Mono.Cecil.Mdb.dll
Successfully signed: C:\agent\_work\1\a\WPFDeployTest\bin\Release\Mono.Cecil.Pdb.dll
Successfully signed: C:\agent\_work\1\a\WPFDeployTest\bin\Release\Mono.Cecil.Rocks.dll
Successfully signed: C:\agent\_work\1\a\WPFDeployTest\bin\Release\Newtonsoft.Json.dll
Successfully signed: C:\agent\_work\1\a\WPFDeployTest\bin\Release\NuGet.Squirrel.dll
Successfully signed: C:\agent\_work\1\a\WPFDeployTest\bin\Release\PropertyChanged.dll
Successfully signed: C:\agent\_work\1\a\WPFDeployTest\bin\Release\SharpCompress.dll
Successfully signed: C:\agent\_work\1\a\WPFDeployTest\bin\Release\Splat.dll
Successfully signed: C:\agent\_work\1\a\WPFDeployTest\bin\Release\Squirrel.dll
Successfully signed: C:\agent\_work\1\a\WPFDeployTest\bin\Release\System.Web.Helpers.dll
Successfully signed: C:\agent\_work\1\a\WPFDeployTest\bin\Release\System.Web.Razor.dll
Successfully signed: C:\agent\_work\1\a\WPFDeployTest\bin\Release\System.Web.WebPages.Deployment.dll
Successfully signed: C:\agent\_work\1\a\WPFDeployTest\bin\Release\System.Web.WebPages.dll
Successfully signed: C:\agent\_work\1\a\WPFDeployTest\bin\Release\UpdateManager.dll
Successfully signed: C:\agent\_work\1\a\WPFDeployTest\bin\Release\WPFDeployTest.exe

Number of files successfully Signed: 25
Number of warnings: 0
Number of errors: 0

I have stumbled across many issues completing this complex build pipeline but this I cannot get over. What am I missing here?

themightylc
  • I'm using this Task now for signing: https://marketplace.visualstudio.com/items?itemName=jabbera.authenticode-sign and it works fine. Still interested what could be wrong here, though. – themightylc Jul 28 '18 at 17:35
  • Set `system.debug = true` to capture and share the logs here for troubleshooting. – Andy Li-MSFT Jul 30 '18 at 09:26
  • Thanks, I will do that. I knew I was missing some output but didn't know how to get there. Right now, my pipeline works as intended but I will investigate further as soon as I have a little time. – themightylc Jul 30 '18 at 11:12
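
A signing step that stops the build when any file ends up unsigned, as an added PowerShell example that is not part of the original post or its comments. `Invoke-SignAndVerify` is a hypothetical helper name; the signtool arguments are the ones used in the question's script, and the check assumes the certificate chain is trusted on the build machine.

```powershell
# Added example: Invoke-SignAndVerify is a hypothetical helper, not code from the question.
function Invoke-SignAndVerify {
    param(
        [Parameter(Mandatory)] [string]   $SignToolPath,
        [Parameter(Mandatory)] [string]   $SubjectName,   # value passed to signtool /n
        [Parameter(Mandatory)] [string]   $TimestampUrl,
        [Parameter(Mandatory)] [string[]] $Patterns       # e.g. "$BasePath\*.dll"
    )

    # Expand wildcards once so the same list is signed and then verified.
    $files = @(Get-ChildItem -Path $Patterns -File | ForEach-Object { $_.FullName })
    if ($files.Count -eq 0) { throw "No files matched: $($Patterns -join ', ')" }

    # With 'Stop', Windows PowerShell turns the first redirected stderr line of a
    # native command into a terminating error, so relax it for this one call.
    $ErrorActionPreference = 'Continue'
    # 2>&1 merges stderr into the captured output so error text reaches the build log.
    $output = & $SignToolPath sign /v /n $SubjectName /t $TimestampUrl $files 2>&1
    $exitCode = $LASTEXITCODE
    $ErrorActionPreference = 'Stop'
    $output | ForEach-Object { Write-Host "$_" }

    if ($exitCode -ne 0) { throw "signtool exited with code $exitCode" }

    # Independent check: read each signature back instead of trusting the exit code.
    $unsigned = @(
        $files |
            ForEach-Object { Get-AuthenticodeSignature -FilePath $_ } |
            Where-Object {
                $_.Status -ne 'Valid' -or
                $_.SignerCertificate.Subject -notlike "*$SubjectName*"
            }
    )
    if ($unsigned.Count -gt 0) {
        $unsigned | ForEach-Object { Write-Host "NOT SIGNED: $($_.Path) [$($_.Status)]" }
        throw "$($unsigned.Count) of $($files.Count) files failed signature verification"
    }
    Write-Host "Verified $($files.Count) signed files"
}

# Usage with the values from the question's script:
# Invoke-SignAndVerify -SignToolPath 'C:\Program Files (x86)\Microsoft SDKs\ClickOnce\SignTool\signtool.exe' `
#     -SubjectName 'Dresen' -TimestampUrl 'http://timestamp.digicert.com' `
#     -Patterns "$BasePath\*.dll", "$BasePath\*.exe"
```

Running the same helper on `Setup.exe` and `Setup.msi` after the releasify step keeps an unsigned installer from being uploaded.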

0 Answers