Under Jenkins SignTool Error "No certificates were found", works fine logged on as user

Eddie Sutton

Aug 27, 2015, 10:51:29 AM
to jenkins...@googlegroups.com
When I try to code sign in my Jenkins job I receive a SignTool error:

c:\jenkins\workspace\codesign-windows>
signtool sign /t http://timestamp.digicert.com /n "Acme Inc." code.exe 
SignTool Error: No certificates were found that met all the given criteria.

I am using a DigiCert Extended Validation (EV) USB token that requires the USB token be connected to the build machine. This works fine when logged on as a normal user.

  • I am running Jenkins as a Windows service.
  • Service Log On is set to Local System account.
  • Service is allowed to interact with desktop.


When I log on as a normal user to the build machine, it works fine.

1 - signtool sign /t http://timestamp.digicert.com /n "Acme Inc." code.exe
2 - This triggers a pop-up "Token Logon" dialog that requires user interaction
3 - I have a separate "Token Logon" watcher that finds the Windows ID and enters password.
4 - Code is signed automatically

C:\jenkins\workspace\codesign-windows>signtool sign /t http://timestamp.digicert.com /n "The Charles Machine Works, Inc." token-logon.exe
Done Adding Additional Store
Successfully signed: token-logon.exe

Any suggestions to try are much appreciated,

-Ed

Ed of the Mountain

Aug 27, 2015, 11:55:57 AM
to Jenkins Users
Solved.

Disable jenkins service and replace with slave-agent.jnlp.

Yay! I finally have automatic EV code signing!

-Ed

Giuseppe Tamburello

Sep 1, 2015, 5:23:22 PM
to Jenkins Users

Hi Ed... thanks for posting your solution, I was running into a similar issue when initially setting up the EV cert; but I have a quick question for you... does your Jenkins environment have multiple slaves, and is the 'signing' dedicated to a single slave machine or are you able to sign from multiple slave machines (while only having a single EV cert)? Basically, we're moving from using a .pfx file for signing to 'the future' of using the EV USB dongle, and I'm not able to get jobs to successfully sign a file from Slave-A on Slave-B (being that Slave-B has the USB dongle connected to it).... have you run into this?

Thanks in advance,
-joe

Vikram Parthasarathy

Oct 2, 2015, 6:40:21 PM
to Jenkins Users
Not related to Jenkins - I'm trying exactly the same thing with an IIS server and ran into the same problem. No luck yet.

By the way, the Symantec EV certificate/USB token has a way to enable single sign-on. I wonder if Digicert has something like that.


Ed of the Mountain

Feb 24, 2016, 11:44:29 AM
to Jenkins Users
Each slave has its own USB DigiCert token.
  • I have multiple Jenkins slaves running on a common virtual machine host.
  • I have 1 dedicated USB DigiCert token dedicated to the Windows build slave VM
  • I have a second dedicated USB DigiCert token dedicated to the OS X build slave VM
VMware Workstation / Fusion or ESXi make it easy to share a USB token with a specific VM.

As far as I know, you cannot connect the same USB token with multiple VMs.

However, additional DigiCert tokens are only $25.

-Ed

My Windows slave has a pop-up watcher, written in C# as a console app, to log on automatically:

using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Diagnostics;
using System.Threading;



// System.Windows.Automation needs references added to:
// C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\UIAutomationClient.dll
// C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\UIAutomationTypes.dll
using System.Windows.Automation;


namespace token_logon
{
    class Program
    {
        static int SatisfyEverySafeNetTokenPasswordRequest(string password)
        {
            int errorCode = 1;

            bool exitLoop = false;
            int count = 0;
            Automation.AddAutomationEventHandler(WindowPattern.WindowOpenedEvent, AutomationElement.RootElement, TreeScope.Children, (sender, e) =>
            {
                var element = sender as AutomationElement;
                if (element.Current.Name == "Token Logon")
                {
                    WindowPattern pattern = (WindowPattern)element.GetCurrentPattern(WindowPattern.Pattern);
                    pattern.WaitForInputIdle(10000);
                    var edit = element.FindFirst(TreeScope.Descendants, new AndCondition(
                        new PropertyCondition(AutomationElement.ControlTypeProperty, ControlType.Edit),
                        new PropertyCondition(AutomationElement.NameProperty, "Token Password:")));

                    var ok = element.FindFirst(TreeScope.Descendants, new AndCondition(
                        new PropertyCondition(AutomationElement.ControlTypeProperty, ControlType.Button),
                        new PropertyCondition(AutomationElement.NameProperty, "OK")));

                    if (edit != null && ok != null)
                    {
                        count++;
                        ValuePattern vp = (ValuePattern)edit.GetCurrentPattern(ValuePattern.Pattern);
                        vp.SetValue(password);
                        Console.WriteLine("SafeNet window (count: " + count + " window(s)) detected. Setting password...");

                        InvokePattern ip = (InvokePattern)ok.GetCurrentPattern(InvokePattern.Pattern);
                        ip.Invoke();

                        // Signal the wait loop below to exit.
                        // If we wanted to get fancy, we could look for a password-failed window
                        // and wait 1 second to see if "Token Logon" closes.
                        exitLoop = true;
                        errorCode = 0;
                    }
                    else
                    {
                        Console.WriteLine("SafeNet window detected but not with edit and button...");
                    }
                }
            });


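            // Poll until the handler has answered a dialog or 10 seconds have passed;
            // on timeout errorCode is still 1.
            Stopwatch stopwatch = new Stopwatch();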
            stopwatch.Start();
            while (false == exitLoop)
            {
                Thread.Sleep(100);
                if (10 < stopwatch.Elapsed.TotalSeconds)
                {
                    exitLoop = true;
                }
            }



            // Throws exception when console is hidden
            //while (false == exitLoop)
            //{

            //    if (Console.KeyAvailable)
            //    {
            //        ConsoleKeyInfo key = Console.ReadKey(true);
            //        switch (key.Key)
            //        {
            //            case ConsoleKey.Q:
            //                Console.WriteLine("Quit...");
            //                exitLoop = true;
            //                break;
            //            default:
            //                break;
            //        }

            //    }
            //    // Do something more useful
            //}

            Automation.RemoveAllEventHandlers();

            return errorCode;
        }

        static void DisplayUsage()
        {
            Console.WriteLine("Usage: You must start token-logon.exe in its own process *before* calling signtool\n");

            Console.WriteLine("Batch Example:");
            Console.WriteLine("--------------");
            Console.WriteLine("start token-logon.exe myPaswd");
            Console.WriteLine("echo Use ping as delay to make sure token-logon.exe is started");
            Console.WriteLine("ping 127.0.0.1 -n 2 > nul");
            Console.WriteLine("signtool sign /t http://timestamp.digicert.com /n \"Acme, Inc.\" \"my-win-app-3.0.1234.exe\"");
        }

        static int Main(string[] args)
        {
            if (null == args)
            {
                DisplayUsage();
                return 1;

            }

            if (0 >= args.Length)
            {
                Console.WriteLine("*** Missing arguments");
                DisplayUsage();
                return 1;
            }

            string word = args[0];
            return SatisfyEverySafeNetTokenPasswordRequest(word);
        }
    }
}





-Ed

Steve Sanders

Mar 9, 2016, 4:27:51 PM
to Jenkins Users
Does that mean you have to use a slave? New to Jenkins and am struggling to use our EV codesigning. Thanks.

Patrick van der Velde

Mar 9, 2016, 11:07:11 PM
to Jenkins Users
We have had the same issue but with our TFS build system, and in our case the issue is that the certificate is installed in the machine cert store. Unless the user is an administrator it cannot normally read from that store, so we solved it by giving the build server user (whichever user runs the service) read access to the certificate that we want to use to sign our binaries.

regards

Petrik
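
One way to grant the read access described in the post above, shown as an added example that is not part of the original thread. It assumes a software (non-token) RSA certificate in LocalMachine\My; the thumbprint and account name are placeholders supplied by the caller.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell prompt.
# Grants one account read access to the private key of one certificate in
# LocalMachine\My, so a non-administrator service account can sign with it.
param(
    [Parameter(Mandatory = $true)] [string] $Thumbprint,  # placeholder: thumbprint of the signing cert
    [Parameter(Mandatory = $true)] [string] $Account      # placeholder, e.g. 'BUILDHOST\svc-build'
)

$cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
if (-not $cert.HasPrivateKey) {
    throw "Certificate $Thumbprint has no associated private key on this machine."
}

# Resolve the key container name for either a CNG key or a legacy CAPI key.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if ($null -eq $rsa) { throw "Not an RSA key, or the private key could not be opened." }
if ($rsa -is [System.Security.Cryptography.RSACng]) {
    $keyName = $rsa.Key.UniqueName
} else {
    $keyName = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
}
if (-not $keyName) { throw "The key has no container name that maps to a file." }

# Software machine keys live in one of these directories. A key held on a
# smart card or USB token has no file here, so this approach does not apply to it.
$keyDirs = @(
    (Join-Path $env:ProgramData 'Microsoft\Crypto\Keys'),
    (Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys')
)
$keyFile = $keyDirs |
    ForEach-Object { Join-Path $_ $keyName } |
    Where-Object { Test-Path -LiteralPath $_ } |
    Select-Object -First 1
if (-not $keyFile) {
    throw "No key file named '$keyName' found; the key is probably hardware-backed."
}

# Add a read-only allow rule for the account; existing entries are left untouched.
$acl  = Get-Acl -LiteralPath $keyFile
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Account, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -LiteralPath $keyFile -AclObject $acl

# Show the resulting ACL so the change can be reviewed.
(Get-Acl -LiteralPath $keyFile).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType |
    Format-Table -AutoSize
```

Because the certificate is in the machine store, the signtool command also needs `/sm`; without it signtool searches the calling user's store.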

Quentin Silvestre

Apr 1, 2016, 6:36:55 AM
to Jenkins Users
Hi Ed,

I want to sign my code with an EV certificate but I don't know if I have to change my configuration:
Jenkins master is on a Windows server on a virtual machine of our provider.
To build our code we use a Windows 8.1 VM and a real Mac.
To avoid multiple computers, the Windows 8.1 VM is a VMware image running on the Mac OS.
When I plug the token into the Mac, I can tell VMware to plug the token into the virtual machine.

Now on the Jenkins side, the Windows slave is connected with Java Web Start and I installed a service.

I have the same error as you.
SignTool Error: No certificates were found that met all the given criteria.

What is slave-agent.jnlp? Do you think that could be the problem?
Or must I have Windows 8.1 on a real computer?

Thanks
-Quentin

Tim Mills

Apr 22, 2016, 4:20:12 PM
to Jenkins Users
I'm investigating this solution and I'm curious if you know if RDPing into the box will cause bad things to happen?  My experience has been that the dongle doesn't work for RDP users and each time I RDP into the box I have to re-enter the password by logging into a local session.  I'm worried that this would cause code signing to fail if a build happens to sign while someone is RDPd in.

Vikram Parthasarathy

Apr 22, 2016, 4:33:42 PM
to jenkins...@googlegroups.com
I've had the same experience. The dongle cannot be used from an RDP session. And RDPing into the machine will require the password to be re-entered. I spoke to the vendor (Safenet) and they said RDP is not supported and it was intentionally done for security purposes.

Tim Mills

Apr 22, 2016, 4:37:42 PM
to jenkins...@googlegroups.com
My understanding was that a certain category of Safenet dongles could be configured to be "rdp enabled" though I'm not certain this is something digicert, or the dongles they issue, are capable of.  My hope was that Ed's solution would magically circumvent this limitation.  I'm also in the process of talking to verisign/symantec to see if their hardware solution handles jenkins/CI any better.

Vikram Parthasarathy

Apr 22, 2016, 4:43:38 PM
to jenkins...@googlegroups.com
My dongle is from Symantec. When I spoke to them about this last year, they didn't have much help to offer. Please let me know if you find something.

HaPe

Jan 23, 2017, 4:46:51 AM
to Jenkins Users
Hi Ed,

At present I have the same problem as you with Jenkins and signing certificates.
I use a certificate token USB stick from GlobalSign.
I get the same error message and the behavior is the same as you described above. (Signing works fine when I send the command via Admin console, Jenkins service runs as Admin...).

I followed your advice and I have disabled the Jenkins service and replaced it with slave-agent.jnlp.
Unfortunately I get the same error message after restarting the node and building the project:
No certificates were found that met all the given criteria.


This is the starting message:
[01/23/17 10:37:50] Launching agent
$ "C:\Program Files (x86)\Jenkins\jre\bin"\java.exe -jar "C:\Program Files (x86)"\Jenkins\slave.jar
<===[JENKINS REMOTING CAPACITY]===>channel started
Slave.jar version: 3.3
This is a Windows agent
Agent successfully connected and online...


Do you have any suggestions to solve my problem?
Do I have to start the slave node with Jenkins?
Does the Windows agent need special rights?

HaPe

Hello Universe

Apr 25, 2019, 9:10:50 AM
to Jenkins Users
How to use installed certificates from win8 using signtool?

Slide

Apr 25, 2019, 9:31:57 AM
to Jenkins User Mailing List
Are the certificates in the certificate store for just the "normal user" or are they installed in the machine store? The Jenkins service, by default, is running as LocalSystemUser. That account would need access to the certificate store.

Mark Waite

Apr 25, 2019, 9:46:06 AM
to Jenkins Users
On Thu, Apr 25, 2019 at 7:10 AM Hello Universe <adita...@gmail.com> wrote:
> How to use installed certificates from win8 using signtool?


Run the Windows agent from the Windows desktop rather than running it from a service which has been allowed to interact with the desktop.  There seem to be cases where programs run from services allowed to interact with the desktop don't have the exact same capabilities as programs run from the desktop.

Mark Waite
 

A M

May 8, 2019, 9:18:31 AM
to Jenkins Users
hi Mark

I am struggling with a very similar issue. What exactly do you mean by your comment and how do I achieve this?

I want to run the signtool.exe together with the certificate on a USB token as an AfterPublish job in Jenkins. Jenkins is running as admin. Single sign-on is activated for the USB token. Running signtool.exe in the admin console works, running the same command through Jenkins results in the "No certificates were found that met all the given criteria." error.

Any help is much appreciated. Thank you!

Mark Waite

May 8, 2019, 10:05:00 AM
to Jenkins Users


On Wednesday, May 8, 2019 at 7:18:31 AM UTC-6, A M wrote:
> hi Mark
>
> I am struggling with a very similar issue. What exactly do you mean by your comment and how do I achieve this?


I said:

> Run the Windows agent from the Windows desktop rather than running it from a service which has been allowed to interact with the desktop.

The most direct way to implement what I described is to:
  1. Log in to the Windows desktop machine where code signing will be run
  2. Open a web browser to the Jenkins server
  3. Create an agent (a node) to represent that Windows computer
  4. Configure the agent to "Launch agent via Java Web Start"
  5. Define the required agent fields (like a remote root directory - I prefer 'C:\J\' to reduce problems with Windows and long paths) and save the configuration of that agent
  6. Download the 'agent.jar' file from the hyperlink on the web page, save it somewhere convenient (like C:\J\agent.jar)
  7. Open a command prompt window on the Windows desktop machine and change to the convenient directory C:\J
  8. Copy the 'Run from agent command line' from the web page into the command prompt window

Thanks for asking!
Mark Waite

A M

May 9, 2019, 8:13:08 AM
to Jenkins Users
Thanks a lot Mark for your quick response!   As I understand it the goal is to create a slave/agent that will run the code signing directly on windows, instead of a service. great idea!

However, I am stuck at step 4, I don't see the "Launch agent via Java Web Start" option. I found a general solution online, by specifying a concrete or random port in the Global Security TCP settings. I tried both, and even restarted Jenkins a couple of times, and it doesn't show up.

I only see 1) Launch agent by connecting it to the master, 2) ... via execution of command on the master, 3) ... Let Jenkins control this Windows slave as a Windows service.

Also checked if there are any updates of Jenkins, only some unrelated plugin-updates are available. Anything else I could check?

Thank you!

Mark Waite

May 9, 2019, 10:59:13 AM
to Jenkins Users
On Thu, May 9, 2019 at 6:13 AM A M <casa...@gmail.com> wrote:
> Thanks a lot Mark for your quick response!   As I understand it the goal is to create a slave/agent that will run the code signing directly on windows, instead of a service. great idea!
>
> However, I am stuck at step 4, I don't see the "Launch agent via Java Web Start" option. I found a general solution online, by specifying a concrete or random port in the Global Security TCP settings. I tried both, and even restarted Jenkins a couple of times, and it doesn't show up.


I think you are on the right path.  That solution is the correct solution.

Here are the screen shots that I used to confirm it is working with Jenkins 2.164.2:

Jenkins -> Configure Global Security -> Agents -> Port 50000

Annotation 2019-05-09 084830.jpg

Jenkins -> Build Executor Status -> New Node

Annotation 2019-05-09 084942.jpg

Node name -> Permanent Agent -> OK

Annotation 2019-05-09 085016.jpg

Name -> Description -> Remote root directory -> Launch Method "Launch agent via Java Web Start"

Annotation 2019-05-09 085149.jpg

Mark Waite
 
> I only see 1) Launch agent by connecting it to the master, 2) ... via execution of command on the master, 3) ... Let Jenkins control this Windows slave as a Windows service.


That likely indicates that you installed the 'windows-slaves' or 'windows-agents' plugin.  You don't need that plugin and generally don't want it.  The technique it uses to start the agent is based on DCOM, is exceptionally brittle, and is very hard to use.  You can (and probably should) remove the windows-slaves or windows-agents plugin.  Agents run on Windows quite well without needing that plugin.
 
A M

May 14, 2019, 1:59:11 AM
to Jenkins Users
Thanks, Mark! That's exactly how/where I specified the Global Security TCP Settings. Also, I've just updated Jenkins to the latest update 2.177. Still, the "Launch agent via Java Web Start" option is not showing up.

Per your suggestion, I've tried to remove the "WMI Windows Agents" plugin. However, it has multiple dependencies, such as "jQuery plugin", "build timeout plugin", etc. (see Screenshot) that I'd need to uninstall as well. Since I have not initially setup our Jenkins, I am not sure what other issues I'll create when I start to uninstall multiple plugins...

jenkins-uninstall.PNG

 

So it seems that as long as the "WMI Windows Agents" plugin is installed, I cannot use "Java Web Start"? Why can I not use both?

I've also checked again, "javaws" is indeed installed and can be run.

Is there a way to create a slave/agent with "WMI Windows Agent" that does the same?

Thanks for your help!
Chia-Yu Wu

Sep 4, 2019, 6:06:41 PM
to Jenkins Users
Hi Mark,
I have the same issue with EV signing (USB token) code through Jenkins.
It works fine if I do the EV signing from an admin role command line.
But if I let it build and sign automatically, the Jenkins console shows the following error message:

"No certificates were found that met all the given criteria"

I have read your suggestion of using "Launch agent via Java Web Start" for the agent instead of running Jenkins as a Windows service.
But I don't have a slave node; my Jenkins only has the default master node, and I can't configure the master node to "Launch agent via Java Web Start".

Could you help me with this issue?
I would very much appreciate your help.


Mark Waite

Sep 4, 2019, 6:14:31 PM
to Jenkins Users
If you're running the master as a service, then you'll need to add an agent which is running on the desktop.  The agent can be on the same computer where you run the Jenkins master, but the new agent will need to be launched from the desktop.

If you're running the master from a command line, then it should work.

Thanks,
Mark Waite
 
*佳諭*

Sep 5, 2019, 2:53:46 AM
to jenkins...@googlegroups.com
Hi Mark,
Thanks for your reply.
I have followed your suggestion and added a slave node on the same computer.
Because I can't find the "Java Web Start" option in the Launch method, I created a slave node with "Launch agent by connecting it to the master".
I downloaded the agent.jar and then executed the following command in a console with administrator privilege.
"java -jar agent.jar -jnlpUrl http://xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/slave-agent.jnlp -secret xxxxxxx -workDir c:\xxxxx"
Finally, my slave node is online.
But if I log out of this computer (because this computer is a VM), my slave node goes offline (disconnects).

I hope my code can be submitted from svn or git and then built automatically through MSBuild, where the project has a post-build event with the EV sign script.
But if I use the master node to build, I get the error "No certificates were found that met all the given criteria".
It seems the master node does not have enough privilege to interact with the desktop sign application.
If I build a new slave node with "Launch agent by connecting it to the master", MSBuild and the post-build sign event can successfully build and sign the code,
but it needs to keep the node logged in.
If I log in to the VM, the slave node will disconnect.

Is there any way to keep the slave node online (and also have enough privilege for EV USB token signing)?
Thanks for your help.
 


Mark Waite

Sep 5, 2019, 6:01:40 AM
to Jenkins Users
Because the code signing tool requires interaction with the desktop, it requires that you must be logged in (or at least that is my theory).  There are techniques to configure processes to run without being logged in, but they all tend to leave the process with no access to the desktop or limited access to the desktop.

You'll need to leave the agent connected to the master from a running desktop session.



--
Thanks!
Mark Waite

Chia-Yu Wu

Sep 6, 2019, 1:53:01 AM
to Jenkins Users
OK, I understand now.
Mark, thanks for your help.

Simon Richter

Sep 6, 2019, 5:34:19 AM
to jenkins...@googlegroups.com
Hi,

> > Because the code signing tool requires interaction with the desktop, it
> > requires that you must be logged in (or at least that is my theory). There
> > are techniques to configure processes to run without being logged in, but
> > they all tend to leave the process with no access to the desktop or limited
> > access to the desktop.

Sorry I'm late to the party. We use signtool just fine without a Desktop
login.

The important bit is that the Jenkins service needs to run as the user that
installed the certificate to the certificate store. Code signing
certificates are personal certificates, so they are attached to the user
account.

I've created a separate user for Jenkins, logged in as that user, installed
the certificate to the user's certificate store and then configured to run
the Jenkins service as that user.

The service does not need Desktop access (in fact that is suboptimal, as
some errors during build are then reported through inaccessible dialogs,
causing the build to hang).

Simon
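
A diagnostic for the question the replies above keep returning to: which account and Windows session the build step runs in, and which certificate store that account can see. This is an added example, not part of the thread; the default subject name is the `/n` value from the first post's command.

```powershell
# Added example (not from the thread). Run it twice with the same -SubjectName:
# once from the prompt where signing works, once as a Jenkins build step.
param(
    [string] $SubjectName = 'Acme Inc.'   # same value as signtool's /n argument
)

$codeSigningOid = '1.3.6.1.5.5.7.3.3'     # Enhanced Key Usage: Code Signing

# 1. Who is this process, and in which Windows session does it run?
#    Services run in session 0; a logged-on desktop gets session 1 or higher.
$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$context = [pscustomobject]@{
    Account         = $identity.Name
    IsLocalSystem   = $identity.IsSystem
    SessionId       = (Get-Process -Id $PID).SessionId
    UserInteractive = [Environment]::UserInteractive
}
$context | Format-List | Out-String

# 2. Which matching certificates can this account see, and in which store?
#    signtool searches the user's "My" store unless /sm selects the machine store,
#    and /n matches on a substring of the subject, as done here.
$candidates = foreach ($location in 'CurrentUser', 'LocalMachine') {
    foreach ($cert in Get-ChildItem -Path "Cert:\$location\My") {
        if ($cert.Subject.IndexOf($SubjectName, [StringComparison]::OrdinalIgnoreCase) -lt 0) {
            continue
        }
        $hasCodeSigningEku = $false
        foreach ($ext in $cert.Extensions) {
            if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
                foreach ($oid in $ext.EnhancedKeyUsages) {
                    if ($oid.Value -eq $codeSigningOid) { $hasCodeSigningEku = $true }
                }
            }
        }
        [pscustomobject]@{
            Store          = "$location\My"
            SigntoolStore  = if ($location -eq 'LocalMachine') { '/sm' } else { '(default)' }
            Thumbprint     = $cert.Thumbprint
            NotAfter       = $cert.NotAfter
            HasPrivateKey  = $cert.HasPrivateKey
            CodeSigningEku = $hasCodeSigningEku
        }
    }
}
if ($candidates) { $candidates | Format-Table -AutoSize | Out-String }

# 3. Verdict, with a non-zero exit code so the Jenkins step fails before signtool does.
$now = Get-Date
$usable = @($candidates | Where-Object {
    $_.HasPrivateKey -and $_.CodeSigningEku -and $_.NotAfter -gt $now
})
if ($usable.Count -eq 0) {
    "No usable certificate matching '$SubjectName' is visible to $($context.Account) in session $($context.SessionId)."
    exit 1
}
"$($usable.Count) usable certificate(s) matching '$SubjectName' visible to $($context.Account)."
```

If the Jenkins run reports a different account or session 0 and lists no certificate while the desktop run lists one, the failure is the context difference discussed in the thread rather than a signtool argument problem.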