在 Azure 发布管道中出现“未找到证书”错误

Question

I'm working on migrating a TFS build/release to Azure DevOps Services (ADS) for a WPF app. The build works fine, but I'm having problems with the release. This is the first ADS release I've ever worked on.

The original TFS build/release was done by a colleague who's since moved on. He used a PowerShell script to sign the ClickOnce manifest in the TFS release.

I'm getting an error I searched here here on Stack Overflow, Signtool error: No certificates were found that met all given criteria with a Windows Store App?

Looking through the answers to the posted, one of the answers is to clear the checkbox for the project's properties, "Sign the ClickOnce manifests". I've looked and discovered that checkbox isn't checked. I don't believe this is the cause of the error. And the PowerShell script my colleague wrote signed the manifest anyway. We need all manifests signed.

My colleague got a certificate from a signing authority. It is valid until sometime in 2022, so it hasn't expired.

I took the certificate off the server it was on and put it into this project's Pipeline | Library | Secure Files location in ADS. I'm using the Code Signing marketplace extension to sign the manifest. Here's the task in the ADS release pipeline:

steps:
- task: stefankert.codesigning.codesigning-task.codesigning@2
  displayName: 'Code Signing '
  inputs:
    secureFileId: 'DER Encoded Binary.cer'
    signCertPassword: '$(signingCert.securePassword)'
    files: '**/*.manifest'
    timeServer: 'http://timestamp.comodoca.com'
    description: 'ACDC ClickOnce'

I created a variable group in the Pipeline Library. The signingCert.securePassword is the name of one of the variable that has the password for the certificate.

The error suggests to me that the pipeline can't find the file "DER Encoded Binary.cer" in the library | Secure Files. What am I doing wrong?

Addendum:

Looking at the log of the task closer, I see that it's finding the manifest file. Here's the line where it's using the signtool.exe:

[command]D:\a_tasks\codesigning_0e0f3bf7-d96c-45d6-aa76-f9afb71fb77e\2.2.0\signtool.exe sign /fd SHA256 /t http://timestamp.comodoca.com /f "D:\a_temp\DER Encoded Binary.cer" /p *** /d "ACDC ClickOnce" D:\a\r1\a_ACDC\drop\ACDC\bin\Release\ACDC.exe.manifest

Answer 1

I think the "secureFileId" refers to the GUID of the secure file. If you click on the secure file, it will navigate you to a url to alter and view the settings of the secure file. In the URL, you'll notice the GUID. Something like: http://MyServer:8080/tfs/YourProjectCollection/YourProject/_library?itemType=SecureFiles&view=SecureFileView&secureFileId= abcd1234-12ab-01a1-ab12-9d1c827a4 &path=YourSecureFile.pfx