Makecert.exe error - visual-studio-2013

I am trying to use Makecert.exe to create a signing certificate that I can use with our internal VS.NET applications, to be deployed using ClickOnce on our local network.
I have been following the MSDN guide MSDN: Certificate Expiration in ClickOnce Deployment,
so I tried the below:
C:\Program Files (x86)\Microsoft Visual Studio 12.0>Makecert -sv DMTeam.pvk
-n "CN=DMTeam" DMTeam.cer -b 03/04/2015 -e 12/31/2020
in order to have a certificate for our applications
When I run the above command using the VS command prompt, I get the below error:
Error: Unable to create file for the subject ('DMTeam.pvk')
Error: Can't create the key of the subject ('DMTeam.pvk')
Failed
So what am I doing wrong?

The key is to run the command prompt with Administrator privileges.
I did something very similar, though I wrote the pvk and cer files to my c:\Temp folder:
C:\Program Files (x86)\Microsoft SDKs\Windows\v7.1A\Bin>MakeCert -sv C:\Temp\DMTeam.pvk -n "CN=DMTeam" c:\Temp\DMTeam.cer -b 03/04/2015 -e 12/31/2020 -r
Don't forget the "-r" option as it will "Create a self-signed certificate"! Without it the project will not build when you use the created pfx file.
I ran this under the VS2012 x86 Native Tools Command Prompt (with Run as Administrator) and it works just fine. Run without Administrative privileges and then it fails.
Then to create the pfx file do the following:
C:\Program Files (x86)\Microsoft SDKs\Windows\v7.1A\Bin>pvk2pfx -pvk C:\Temp\DMTeam.pvk -spc C:\Temp\DMTeam.cer -pfx -po PasswordForPFXFile
Here are some good references:
See section: Test Certificates, MakeCert, RenewCert, and The Big Workaround
https://msdn.microsoft.com/en-us/library/ff369721.aspx
https://msdn.microsoft.com/en-us/library/bfsktky3(v=vs.110).aspx
ClickOnce signer's certificate not valid for signing when using makecer/pvk2pfx
My ClickOnce app now builds fine in Visual Studio 2013.
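
Added example (not part of the original answer): a PowerShell check that loads the PFX produced by the steps above and reports the properties that matter for signing. The function name Test-SigningPfx and the path C:\Temp\DMTeam.pfx are assumptions, since the answer does not name the PFX file.

```powershell
# Added example. Test-SigningPfx is a hypothetical helper name.
function Test-SigningPfx {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [Parameter(Mandatory = $true)][securestring]$Password
    )
    # Load the PFX into memory only; nothing is added to a certificate store.
    $cert = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 `
                       -ArgumentList $Path, $Password

    # Collect Enhanced Key Usage OIDs, if the extension is present at all.
    $ekus = @()
    foreach ($ext in $cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            $ekus += $ext.EnhancedKeyUsages | ForEach-Object { $_.Value }
        }
    }
    $codeSigningOid = '1.3.6.1.5.5.7.3.3'
    $now = Get-Date

    [pscustomobject]@{
        Subject            = $cert.Subject
        SelfSigned         = ($cert.Subject -eq $cert.Issuer)   # expected True when -r was used
        HasPrivateKey      = $cert.HasPrivateKey                # must be True to sign
        NotBefore          = $cert.NotBefore
        NotAfter           = $cert.NotAfter
        CurrentlyValid     = ($now -ge $cert.NotBefore -and $now -le $cert.NotAfter)
        SignatureAlgorithm = $cert.SignatureAlgorithm.FriendlyName
        KeyBits            = $cert.PublicKey.Key.KeySize
        # No EKU extension means the certificate is not restricted to specific purposes.
        CodeSigningAllowed = ($ekus.Count -eq 0) -or ($ekus -contains $codeSigningOid)
    }
}

# Prompt for the password so it is not stored in the command line or shell history.
$pw = Read-Host -AsSecureString -Prompt 'PFX password'
# Assumed path: the answer does not say what the PFX file was called.
Test-SigningPfx -Path 'C:\Temp\DMTeam.pfx' -Password $pw | Format-List
```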

Related

error MSB3325: Cannot import the following key file, restart issue

I installed the key pair into the key container. I am then able to build. If I restart the computer, then I get the error again.
(ResolveKeySource target) ->
C:\Program Files (x86)\Microsoft Visual Studio\2019\Enterprise\MSBuild\Current\Bin\Microsoft.Common.CurrentVersion.targets(3222,5): error MSB3325: Cannot import the following key file: jmr-Digicert-2020-NoChain.pfx. The key file may be password protected. To correct this, try to import the certificate again or manually install the certificate to the Strong Name CSP with the following key container name: VS_KEY_17C40AADFD2DB0A9 [C:\Source\RsyncNet\NetSync.csproj]
C:\Program Files (x86)\Microsoft Visual Studio\2019\Enterprise\MSBuild\Current\Bin\Microsoft.Common.CurrentVersion.targets(3222,5): error MSB3321: Importing key file "jmr-Digicert-2020-NoChain.pfx" was canceled. [C:\Source\RsyncNet\NetSync.csproj]
The solution, at least until I restart the computer, is to open an administrative command prompt and enter these commands:
"C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.7.2 Tools\x64\sn.exe" -d VS_KEY_XXXXXXXXXXXXXXXXX
"C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.7.2 Tools\x64\sn.exe" -i "C:\Documents\Signing\mycert.pfx" VS_KEY_XXXXXXXXXXXXXXXXX
The first command deletes the existing key, required, as it is there, while the second line adds the key. I get prompted to enter the password. After that the solution builds.
FYI: -i option: Install key pair from <infile> into a key container named <container>.
The Visual Studio version makes no difference, as I had the same problem with VS2017.
Thoughts?

Visual Studio Extension certificate validation fails for Votive (Wix)

Installing Votive, an extension for Wix - Windows Installer fails for both Votive 2017 and Votive 2019 Visual Studio extension. The reason is a certificate validation error. How can you update your root certificates and install the Visual Studio extension without getting certificate validation error?
It was possible to install Votive using the following PowerShell commands to refresh the root certificates with Windows Update.
mkdir c:\certs #temporary folder where the certificates will be installed/updated
cd c:\certs
certutil.exe -generateSSTFromWU roots.sst
$sstStore = ( Get-ChildItem -Path C:\certs\roots.sst )
$sstStore | Import-Certificate -CertStoreLocation Cert:\LocalMachine\Root
The -generateSSTFromWU option downloads all certificates into a .sst file that can be opened with MMC by double clicking, but I ran the PowerShell commands listed above to also get all certificates installed.
After doing this, Votive extension installed and I could open the Visual Studio solution with the .wixproj Wix project inside. This worked for both Votive 2017 and Votive 2019.
It is possible to install WixToolset with Chocolatey, but I needed the Visual Studio Extension - called Votive.
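
Added example (not part of the original post): a PowerShell review of what roots.sst would add to the machine's trusted root store, run after the certutil step and before the Import-Certificate step. The report file name roots-added.csv is an assumption.

```powershell
# Added example: list the certificates in roots.sst that are not yet trusted on this machine.
$sstPath = 'C:\certs\roots.sst'

# An .sst file is a serialized certificate store; X509Certificate2Collection can read it.
$candidates = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$candidates.Import($sstPath)

# Thumbprints already present in the machine-wide trusted root store.
$trusted = @{}
Get-ChildItem -Path Cert:\LocalMachine\Root | ForEach-Object { $trusted[$_.Thumbprint] = $true }

$now = Get-Date
$report = foreach ($cert in $candidates) {
    [pscustomobject]@{
        Subject       = $cert.Subject
        Thumbprint    = $cert.Thumbprint
        NotAfter      = $cert.NotAfter
        Expired       = ($cert.NotAfter -lt $now)
        AlreadyInRoot = $trusted.ContainsKey($cert.Thumbprint)
    }
}

# Only the certificates the import would newly trust.
$new = @($report | Where-Object { -not $_.AlreadyInRoot })
'{0} certificates in file, {1} not yet in LocalMachine\Root' -f @($report).Count, $new.Count
$new | Sort-Object Subject | Format-Table Subject, NotAfter, Expired, Thumbprint -AutoSize

# Keep a record of what the import adds so the change can be reviewed or reverted later.
# The output file name is an assumption.
$new | Export-Csv -Path 'C:\certs\roots-added.csv' -NoTypeInformation
```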

How to build Visual Studio Installer Project in Azure Devops Pipeline Hosted Agent

I have a Visual Studio setup project. Normally I use the Microsoft Visual Studio Installer Projects extension, and run an MSBuild Exec task with command line using devenv. This works on my dev box and my existing build machine. However I'm looking to migrate to a hosted pipeline agent using the VS2017 image.
I was hoping the installer extension might already be installed, so I tried my build and got an error:
"C:\Program Files (x86)\Microsoft Visual Studio\2017\Enterprise\Common7\IDE\devenv.com" "D:\a\2\s\Source\Build..\WindowsFormsApp1\WindowsFormsApp1.sln" /Build "Debug" /Project "Setup1" /ProjectConfig "Debug" /Log
The operation could not be completed. The parameter is incorrect.
I tried adding the VSIX to my repo, and then issuing a command line install of the VSIX as such:
"C:\Program Files (x86)\Microsoft Visual Studio\2017\Enterprise\Common7\IDE\VSIXInstaller.exe" /a /quiet /log:MyTestApp.log D:\a\2\s\Source\Build\InstallerProjects.vsix
However that seems to block for about 10 minutes, and then fails with an error (I suspect the UI is blocking even though I used the /quiet arg to suppress the UI):
... exited with code -2146233088.
Is there any way to build a Visual Studio installer project using a MS-hosted pipeline agent?
How to build Visual Studio Installer Project in Azure Devops Pipeline Hosted Agent
AFAIK, I am afraid we could not build Visual Studio Installer Project in Azure Devops Pipeline Hosted Agent at this moment.
I encountered a similar issue two weeks ago, after a period of investigation, I started to try the same idea as you, using command line to install the Microsoft Visual Studio Installer Projects extension.
However, I got the timeout issue. I could not install that extension on the hosted agent. To test the reason for this, I used the same command line to install that extension on another local machine. Indeed, there is a UI window to confirm if you want to install this extension, even after I give the /admin parameter:
Check the options here.
Then I try to open the command line with Administrator and execute the same command line, it can successfully install that extension. So, I want to execute the command line in the Azure DevOps pipeline. But no success. Because we could not execute command line script as admin using Command Line Script task.
It seems we have to set our private agent.
Hope this helps.

Can't sign (un)installer with Inno Setup [duplicate]

This question already has answers here:
Inno Setup - Signing fails with "Sign Tool failed with exit code 0x1"
I have Inno Setup with Inno Script Studio installed, along with Visual Studio 2013. I have a digital certificate, protected with a password, named certificate.p12. I also have the Windows 8.1 driver SDK installed (although I'm running Windows 7 Professional x64). The compiled output I'm including in my installer is already signed.
I configured Inno Script Studio with a sign tool named my_signtool and with this command:
"C:\Program Files (x86)\Windows Kits\8.1\bin\x64\signtool.exe" sign /f "z:\full\path\to\certificate.p12" /p "password" $f
...and in my .iss file, I have:
SignTool=my_signtool
With this setup on my computer, it works perfectly. I compile the project and Inno Setup automatically signs the installer and its uninstaller.
But, I have a colleague with what should be the exact same setup. He has Visual Studio 2013, Inno Setup and Inno Script Studio, a copy of the certificate, and its password. When he tries to compile it, Inno Setup fails by saying attempting to run the signtool against uninst.e32.tmp returns 0x1. When he runs the exact command it tries to run manually in the command prompt, it fails by stating uninst.e32.tmp isn't available, but that seems normal because I suspect Inno Setup is just cleaning up after itself after the error (or is it?).
I've tried replacing the quotes with $q in the definition of the sign tool to no avail. In fact, aside from the path to signtool.exe itself, none of the paths involved have spaces in them anyway.
Both our outputs look like this initially. Immediately after this is where they diverge: mine continues to run, and his complains that the sign tool failed with 0x1.
Starting compile. [Monday, January 12 2015 at 10:11:03 AM]
Compiling script with Inno Setup 5.5.5 (a) [ISDLLCompileScriptA]
[PreCompile] Processing.
[PreCompile] Processing is still being tested.
[PreCompile] Processing finished.
[ISPP] Preprocessing.
[ISPP] Preprocessed.
Parsing [Setup] section, line 14
...
Parsing [Setup] section, line 41
Reading file (WizardImageFile)
File: C:\Program Files (x86)\Inno Setup 5\WIZMODERNIMAGE.BMP
Reading file (WizardSmallImageFile)
File: C:\Program Files (x86)\Inno Setup 5\WIZMODERNSMALLIMAGE.BMP
Preparing Setup program executable
Updating icons (SETUP.E32)
Running Sign Tool command: "C:\Program Files (x86)\Windows Kits\8.1\bin\x64\signtool.exe" sign /f "z:\full\path\to\certificate.p12" /p "password" "Z:\full\path\to\uninst.e32.tmp"
Any guess what simple detail I'm overlooking where my environment works fine every time, but his fails even though it's configured the same way?
I had this same issue and just needed to run Inno Script Studio as Administrator and then I had no problem.
I also had this problem, but running as Admin did not solve the issue. In the end, I can't explain it, but I changed where I got my timestamp and then it all worked fine -- though there was something else that was throwing me off.
I am using InnoSetup 5.5.9 with signtool. I added a SignTool which I defined as:
"C:\PATH_TO_KSIGN\kSign\signtool.exe" sign /f "MYCERT.pfx" /t "http://tsa.starfieldtech.com" /p "MYPASSWORD" $f
The standard timestamp field from the example pages is "http://timestamp.comodoca.com/authenticode". If I use that, the process fails with the errors from the original question.
The other thing that threw me was that if I run the resulting setup build through InnoSetup, it tells me "Publisher: unknown". However, if I take the same installer and run it on a different machine, then it gets the Publisher correct.
I hope this can help someone!
-jonathan

Visual Studio 2010 Assembly Signing: An attempt was made to reference a token that does not exist

I'm trying to sign an assembly in Visual Studio 2010 with our PFX file, after I enter the password for the private key I get "An attempt was made to reference a token that does not exist"
Running Visual Studio as Administrator fixed this issue for me.
I have the same problem. Just use signtool from the Visual Studio command prompt instead. Sometimes signtool will claim your password is invalid, but usually after a couple of tries it starts working for me.
signtool.exe sign /f YOURCERT.pfx /p YOURPASSWORD YOURTARGET.exe
If you want Visual Studio to automatically sign the files and work with ClickOnce, this is what I had to do:
Get a copy of OpenSSL. It is available for Windows. Or use a Linux box, as they pretty much all have it.
Run the following to export to a key file:
openssl pkcs12 -in certfile.pfx -out backupcertfile.key
openssl pkcs12 -export -out certfiletosignwith.pfx -keysig -in backupcertfile.key
Then in the project properties you can use the PFX file.
This is what worked for me.
First try to build your project with the Key signing option enabled for your project. The build will fail; go to the 'Output' window and you'll see an error like:
Error 1 Cannot import the following key file: MyKey.pfx. The
key file may be password protected. To correct this, try to import the
certificate again or manually install the certificate to the Strong
Name CSP with the following key container name:
VS_KEY_7B9423FE45F4DBEB Project.SomeName
Save the Key Store name (e.g. VS_KEY_7B9423FE45F4DBEB), you will need this later.
Now follow these steps:
Import the digital certificate key (PFX) in the Windows Certificate Store. Double click the PFX key in Windows Explorer and install/import it into your key store (I actually imported it into the trusted root certificates store by selecting manually choose store).
Start Visual Studio 2010 as regular user (I don't face this key signing issue as an Administrator, but I want to debug my apps as a user) (keep it open through this entire process)
From the Start Menu open the Visual Studio Command Prompt (2010) shortcut (x64 if you are on an x64 machine) AS AN ADMINISTRATOR (right click on the Visual Studio 2010 Command Prompt shortcut and select run as Administrator). This should open an administrative command prompt with the Visual Studio environment set up (not a regular command prompt).
In the command prompt, enter sn -d VS_KEY_xxxx with the Key Store name from the error message you saved at the beginning
Then enter sn -i xxx.pfx VS_KEY_xxxx, enter password when prompted, xxx.pfx is your digital certificate
Go back to Visual Studio and rebuild your project
