MS Azure Trusted Signing Accounts...

Mark -

May 31, 2024, 11:10:37 AM
to innosetup
Hello,

Using version: 6.2.2

I have setup to sign programs via MS Azure "Trusted Signing Accounts". The setup is complete and tested with success.

I am now trying to take the batch file text and add it to the "Configure Sign Tools" so "SignTool=" can be used.

The text is :
"<...\x64\signtool.exe>" sign /v /fd SHA256 /tr "http://timestamp.acs.microsoft.com" /td SHA256 /dlib %ACS_DLIB% /dmdf %ACS_JSON% $f

It instantly fails with: Sign Tool command failed (Sign Tool command failed with exit code 0x1). Will retry (2 tries left).

Perhaps the failure has to do with the fields that refer to environment properties, just a guess. (%ACS_DLIB% /dmdf %ACS_JSON%)

Or is it "signtool.exe" is an x64 program? Guess #2.

Any suggestions/ideas/etc.?

Thanks,

Mark



Mark -

May 31, 2024, 11:49:08 AM
to innosetup
Here is the output of the batch file (redacted for names) that works, if it helps. (removing /debug did not change error code)

C:\Users\Admin>"C:\Signtool\x64\signtool.exe" sign /debug /v /fd SHA256 /tr "http://timestamp.acs.microsoft.com" /td SHA256 /dlib "C:\Azure\microsoft.trusted.signing.client.1.0.59\bin\x64\Azure.CodeSigning.Dlib.dll" /dmdf "C:\Signtool\metadata.json" "C:\Installers\TestInstaller.exe"

Trusted Signing

Version: 1.0.59

"Metadata": {
  "Endpoint": "https://eus.codesigning.azure.net/",
  "CodeSigningAccountName": "<name>",
  "CertificateProfileName": "<profile name>",
  "ExcludeCredentials": []
}

Submitting digest for signing...

OperationId <id codes>: InProgress

Signing completed with status 'Succeeded' in 2.5003159s

Successfully signed: C:\Installers\TestInstaller.exe

Number of files successfully Signed: 1
Number of warnings: 0
Number of errors: 0

Gavin Lambert

Jun 3, 2024, 9:09:54 PM
to innosetup
On Saturday, June 1, 2024 at 3:49:08 AM UTC+12 Mark - wrote:
> Here is the output of the batch file (redacted for names) that works, if it helps. (removing /debug did not change error code)

What do you have in your Configure Sign Tools and in your SignTool= in the script?  Did you escape the quotes properly?

You can't use environment variables directly from those settings; if needed you'll need to run a batch script instead, which in turn requires running through cmd /c.

Mark -

Jun 4, 2024, 10:55:47 PM
to innosetup
Thanks for the response.

> What do you have in your Configure Sign Tools...?

The text is :
"<...\x64\signtool.exe>" sign /v /fd SHA256 /tr "http://timestamp.acs.microsoft.com" /td SHA256 /dlib %ACS_DLIB% /dmdf %ACS_JSON% $f

> ...and in your SignTool= in the script?

SignTool=SignToolAzure

> You can't use environment variables directly from those settings;

I need the environment variable names %ACS_DLIB%, %ACS_JSON%, passed to SignTool.. SignTool uses them.
At least that is what I guess is the cause of the failure.

Gavin Lambert

Jun 4, 2024, 11:25:24 PM
to innosetup
On Wednesday, June 5, 2024 at 2:55:47 PM UTC+12 Mark - wrote:
> The text is :
> "<...\x64\signtool.exe>" sign /v /fd SHA256 /tr "http://timestamp.acs.microsoft.com" /td SHA256 /dlib %ACS_DLIB% /dmdf %ACS_JSON% $f

That's an invalid path to the executable, then.  (But I'm assuming that you're just eliding this in the post, despite my asking for the full command.)

> I need the environment variable names %ACS_DLIB%, %ACS_JSON%, passed to SignTool.. SignTool uses them.

The %VAR% syntax is not supported -- that's a cmd.exe syntax, not anything inherent to Windows as a whole.  As previously stated, you'll either need to specify the actual values directly, or you'll have to put this into a batch file, and then execute the batch file as your signtool via something like cmd /c path\to\your\signtool.cmd $f
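
The batch-file route described in the reply above, as an added example that is not part of the original thread. The wrapper name `sign-azure.cmd` and the `C:\Signtool` paths are assumptions; the signtool arguments are the ones quoted in the thread, and `ACS_DLIB` / `ACS_JSON` are assumed to hold unquoted full paths.

```batch
@echo off
rem sign-azure.cmd: hypothetical wrapper (added example, not from the thread).
rem Sign tool command in Inno Setup's "Configure Sign Tools" (assumed path):
rem     cmd /c C:\Signtool\sign-azure.cmd $f
rem cmd.exe expands %ACS_DLIB% and %ACS_JSON% here; Inno Setup does not.
setlocal

rem Assumed location; replace with the real full path to signtool.exe.
set "SIGNTOOL=C:\Signtool\x64\signtool.exe"

rem Fail early with a specific message instead of a generic exit code 0x1.
if "%~1"=="" goto :nofile
if not defined ACS_DLIB goto :noenv
if not defined ACS_JSON goto :noenv
if not exist "%SIGNTOOL%" goto :missing
if not exist "%ACS_DLIB%" goto :missing
if not exist "%ACS_JSON%" goto :missing

rem %~1 strips the quotes Inno Setup puts around $f; they are re-added here.
"%SIGNTOOL%" sign /v /fd SHA256 /tr "http://timestamp.acs.microsoft.com" /td SHA256 /dlib "%ACS_DLIB%" /dmdf "%ACS_JSON%" "%~1"

rem Hand signtool's exit code back so Inno Setup sees a failed signing.
exit /b %ERRORLEVEL%

:nofile
echo ERROR: no file to sign was passed 1>&2
exit /b 2

:noenv
echo ERROR: ACS_DLIB and ACS_JSON must both be set 1>&2
exit /b 2

:missing
echo ERROR: signtool.exe, the dlib DLL or the metadata JSON was not found 1>&2
exit /b 2
```

The script would then reference the tool with `SignTool=SignToolAzure`, with no `$p` parameters needed.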

Mark -

Jun 5, 2024, 12:16:45 AM
to innosetup
> That's an invalid path to the executable, then.

Yes the path has names in it that can not be shared. It is a valid path. It is the exact text of the batch file used, minus the first part of the path, with success.

OK thanks.

Any way to format the string in the script using "GetEnv" and pass it using...?

Gavin Lambert

Jun 5, 2024, 8:05:28 PM
to innosetup
On Wednesday, June 5, 2024 at 4:16:45 PM UTC+12 Mark - wrote:
> Any way to format the string in the script using "GetEnv" and pass it using...?

Yes, you could use the ISPP GetEnv function in combination with $p to pass it as additional parameters from the script (see the "mycustom" example in the help file).

Mark -

Jun 5, 2024, 8:49:47 PM
to innosetup
Thanks

Mark -

Jun 6, 2024, 6:48:59 PM
to innosetup
> Yes, you could use the ISPP GetEnv function in combination with $p to pass it as additional parameters from the script (see the "mycustom" example in the help file).

I tried a bunch of stuff, no joy. The example (mycustom) does not show how to add/use GetEnv with SignTool=.

Gavin Lambert

Jun 6, 2024, 7:48:41 PM
to innosetup
On Friday, June 7, 2024 at 10:48:59 AM UTC+12 Mark - wrote:
> I tried a bunch of stuff, no joy. The example (mycustom) does not show how to add/use GetEnv with SignTool=.

When asking this sort of thing, it's helpful to include an example of what you were expecting to work, even if it didn't.

Still, something like this ought to work (I did not test it):

SignToolAzure="<...\x64\signtool.exe>" sign /v /fd SHA256 /tr "http://timestamp.acs.microsoft.com" /td SHA256 $p $f

SignTool=SignToolAzure /dlib {#GetEnv("ACS_DLIB")} /dmdf {#GetEnv("ACS_JSON")}

Mark -

Jun 6, 2024, 8:11:19 PM
to innosetup
Thanks for the help.

Yes I worked on it more, after the last post and got it to work a few minutes ago.

SignToolAzure= "<full path to signtool... \Signtool\x64\signtool.exe" sign /v /fd SHA256 /tr "http://timestamp.acs.microsoft.com" /td SHA256 $p $f

#define ACS_DLIB = '/dlib ' + GetEnv('ACS_DLIB')
#define ACS_JSON = '/dmdf ' + GetEnv('ACS_JSON')
SignTool=SignToolAzure {#ACS_DLIB} {#ACS_JSON}

Looks effectively the same as your example.