Tags: azure, signtool, trusted-signing

Sign Tool for Azure Trusted Service Account Error information: "Error: SignerSign() failed." (-2147467259/0x80004005)


I'm getting this error when trying to use SignTool to sign my msix file.

I've verified I have the Trusted Signing Certificate Profile Signer role assigned in Azure.

I also verified the publisher name of the AppxManifest.xml in the msix matches my certificate profile.

CN=Publisher Name, O=Organization Name, L=City, S=Province, C=CA

I'm following this procedure: https://learn.microsoft.com/en-us/azure/trusted-signing/how-to-signing-integrations

& "C:\temp\test\microsoft.windows.sdk.buildtools.10.0.22621.3233.nupkg\bin\10.0.22621.0\x64\signtool.exe" sign /v /debug /fd SHA256 /tr "http://timestamp.acs.microsoft.com" /td SHA256 /dlib "C:\temp\test\microsoft.trusted.signing.client.1.0.53.nupkg\bin\x64\Azure.CodeSigning.Dlib.dll" /dmdf "C:\temp\test\metadata.json" "C:\temp\test\my-app_1.0.128.0_x64.msix"

Trusted Signing

Version: 1.0.53

"Metadata": {

"Endpoint": "https://wus2.codesigning.azure.net",

"CodeSigningAccountName": "",

"CertificateProfileName": "",

"CorrelationId": "",

"ExcludeCredentials": []

}

Submitting digest for signing...

Unhandled managed exception

Azure.RequestFailedException: Service request failed.

Status: 403 (Forbidden)

Headers:

Date: Fri, 10 May 2024 21:09:50 GMT

Connection: keep-alive

Strict-Transport-Security: REDACTED

x-azure-ref: REDACTED

X-Cache: REDACTED

Content-Length: 0

at Azure.CodeSigning.CertificateProfileRestClient.SignAsync(String codeSigningAccountName, String certificateProfileName, SignRequest body, String xCorrelationId, String clientVersion, CancellationToken cancellationToken)

at Azure.CodeSigning.CertificateProfileClient.StartSignAsync(String codeSigningAccountName, String certificateProfileName, SignRequest body, String xCorrelationId, String clientVersion, CancellationToken cancellationToken)

at Azure.CodeSigning.Dlib.Core.DigestSigner.SignAsync(UInt32 algorithm, Byte[] digest, SafeFileHandle safeFileHandle, CancellationToken cancellationToken)

at Azure.CodeSigning.Dlib.Core.DigestSigner.Sign(UInt32 algorithm, Byte[] digest, SafeFileHandle safeFileHandle)

at AuthenticodeDigestSignExWithFileHandleManaged(_CRYPTOAPI_BLOB* pMetadataBlob, UInt32 digestAlgId, Byte* pbToBeSignedDigest, UInt32 cbToBeSignedDigest, Void* hFile, _CRYPTOAPI_BLOB* pSignedDigest, _CERT_CONTEXT** ppSignerCert, Void* hCertChainStore)

SignTool Error: An unexpected internal error has occurred.

Error information: "Error: SignerSign() failed." (-2147467259/0x80004005)


Solution

  • The issue was my authentication "InteractiveBrowserCredential" was not working for some reason. I had to disable all authentication options except Azure CLI and retry. https://learn.microsoft.com/en-us/cli/azure/install-azure-cli.

    {
      "Endpoint": "https://eus.codesigning.azure.net",
      "CodeSigningAccountName": "account",
      "CertificateProfileName": "profile",
      "ExcludeCredentials": [
        "ManagedIdentityCredential",
        "EnvironmentCredential",
        "WorkloadIdentityCredential",
        "SharedTokenCacheCredential",
        "VisualStudioCredential",
        "VisualStudioCodeCredential",
        "AzurePowerShellCredential",
        "AzureDeveloperCliCredential",
        "InteractiveBrowserCredential"
      ]
    }
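The following PowerShell script is an added example, not code from the question or the answer above. It wraps the same SignTool + Trusted Signing dlib procedure and adds the checks that the 403 turned on: it prints the identity the Azure CLI is signed in as (the principal that must hold the Certificate Profile Signer role once every other credential type is excluded), writes a metadata.json limited to AzureCliCredential, reads the Publisher out of the package's AppxManifest.xml, signs, and then verifies that the signing certificate's Subject matches that Publisher. All paths, the endpoint, account and profile names are placeholders, and the resource URI passed to `az account get-access-token` is an assumption derived from the endpoint host.

```powershell
# Added example (not from the original question or answer). Paths, endpoint,
# account and profile names below are placeholders to replace with your own.
param(
    [string]$SignTool    = 'C:\temp\test\microsoft.windows.sdk.buildtools.10.0.22621.3233.nupkg\bin\10.0.22621.0\x64\signtool.exe',
    [string]$Dlib        = 'C:\temp\test\microsoft.trusted.signing.client.1.0.53.nupkg\bin\x64\Azure.CodeSigning.Dlib.dll',
    [string]$Metadata    = 'C:\temp\test\metadata.json',
    [string]$Msix        = 'C:\temp\test\my-app_1.0.128.0_x64.msix',
    [string]$Endpoint    = 'https://eus.codesigning.azure.net',  # regional endpoint of your account
    [string]$AccountName = 'account',                            # Trusted Signing account name
    [string]$ProfileName = 'profile'                             # certificate profile name
)
$ErrorActionPreference = 'Stop'

# 1. Which identity is the Azure CLI signed in as? With every other credential
#    type excluded, this is the principal the dlib authenticates with, so it is
#    the one that must hold the Trusted Signing Certificate Profile Signer role.
$acct = az account show --output json | ConvertFrom-Json
Write-Host "Azure CLI identity: $($acct.user.name) ($($acct.user.type)) in tenant $($acct.tenantId)"

# Acquiring a token is the cheapest proof that CLI auth itself works.
# Assumption: the resource is the codesigning.azure.net host seen in the
# endpoint URL; adjust if your client logs a different scope.
az account get-access-token --resource 'https://codesigning.azure.net' --query expiresOn -o tsv | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'Azure CLI cannot obtain a token; run "az login" first.' }

# 2. Write metadata.json restricted to AzureCliCredential, as in the answer.
$meta = [ordered]@{
    Endpoint               = $Endpoint
    CodeSigningAccountName = $AccountName
    CertificateProfileName = $ProfileName
    ExcludeCredentials     = @(
        'ManagedIdentityCredential', 'EnvironmentCredential', 'WorkloadIdentityCredential',
        'SharedTokenCacheCredential', 'VisualStudioCredential', 'VisualStudioCodeCredential',
        'AzurePowerShellCredential', 'AzureDeveloperCliCredential', 'InteractiveBrowserCredential'
    )
}
$meta | ConvertTo-Json -Depth 3 | Set-Content -Path $Metadata -Encoding UTF8

# 3. Read Package/Identity/@Publisher from AppxManifest.xml inside the .msix
#    (an MSIX is a zip archive). Windows refuses to install a package whose
#    Publisher does not match the signing certificate's Subject exactly.
function Get-MsixPublisher([string]$Path) {
    Add-Type -AssemblyName System.IO.Compression.FileSystem
    $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
    try {
        $entry  = $zip.GetEntry('AppxManifest.xml')
        $reader = New-Object System.IO.StreamReader($entry.Open())
        try { [xml]$manifest = $reader.ReadToEnd() } finally { $reader.Dispose() }
        return $manifest.Package.Identity.Publisher
    } finally { $zip.Dispose() }
}
$publisher = Get-MsixPublisher $Msix
Write-Host "Manifest Publisher: $publisher"

# 4. Sign with the same switches as the question: SHA-256 file and timestamp
#    digests, Microsoft's ACS timestamp server, the Trusted Signing dlib and
#    its metadata file.
& $SignTool sign /v /debug /fd SHA256 /tr 'http://timestamp.acs.microsoft.com' /td SHA256 `
    /dlib $Dlib /dmdf $Metadata $Msix
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# 5. Verify the signature and confirm the certificate Subject equals the
#    manifest Publisher string, which is what the installer compares.
& $SignTool verify /pa /v $Msix
if ($LASTEXITCODE -ne 0) { throw "signtool verify failed with exit code $LASTEXITCODE" }

$sig = Get-AuthenticodeSignature -FilePath $Msix
if ($sig.Status -ne 'Valid') { throw "Signature status is $($sig.Status)" }
$subject = $sig.SignerCertificate.Subject
if ($subject -ne $publisher) {
    throw "Publisher mismatch: manifest '$publisher' vs certificate '$subject'"
}
Write-Host 'Signed and verified; certificate Subject matches manifest Publisher.'
```

If step 1 prints an identity other than the one you granted the role to (a second account, a service principal from `az login --service-principal`, or the wrong tenant), that is the same failure the question shows: the service answers 403 with an empty body, and the dlib surfaces it only as the generic `SignerSign() failed` / 0x80004005. The Publisher check in step 3 and the Subject comparison in step 5 catch the other common cause, a manifest that does not match the certificate profile, before the package is pushed to a store or installed.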