When I try to code sign in my Jenkins job I receive a SignTool error:
c:\jenkins\workspace\codesign-windows>
signtool sign /t http://timestamp.digicert.com /n "Acme Inc." code.exe
SignTool Error: No certificates were found that met all the given criteria.
I am using a DigiCert Extended Validation (EV) USB token that requires the USB token to be connected to the build machine. This works fine when logged on as a normal user.
- I am running Jenkins as a Windows service.
- Service Log On is set to Local System account.
- Service is allowed to interact with desktop.
When I log on as a normal user to the build machine, it works fine:

1 - signtool sign /t http://timestamp.digicert.com /n "Acme Inc." code.exe
2 - This triggers a pop-up "Token Logon" dialog that requires user interaction
3 - I have a separate "Token Logon" watcher that finds the Windows ID and enters the password.
4 - Code is signed automatically

C:\jenkins\workspace\codesign-windows>signtool sign /t http://timestamp.digicert.com /n "The Charles Machine Works, Inc." token-logon.exe
Done Adding Additional Store
Successfully signed: token-logon.exe

Any suggestions to try are much appreciated,
-Ed
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Diagnostics;
using System.Threading;
// System.Windows.Automation needs a reference to:
// C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\UIAutomationClient.dll
// C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\UIAutomationTypes.dll
using System.Windows.Automation;

namespace token_logon
{
    class Program
    {
        // Watches for the SafeNet "Token Logon" dialog, types the password into it and
        // presses OK. Returns 0 when a dialog was satisfied, 1 on timeout (10 s).
        static int SatisfyEverySafeNetTokenPasswordRequest(string password)
        {
            int errorCode = 1;
            bool exitLoop = false;
            int count = 0;

            // The handler runs on a UI Automation thread when any top-level window opens.
            Automation.AddAutomationEventHandler(WindowPattern.WindowOpenedEvent, AutomationElement.RootElement, TreeScope.Children, (sender, e) =>
            {
                var element = sender as AutomationElement;
                if (element == null)
                {
                    return;
                }
                if (element.Current.Name == "Token Logon")
                {
                    WindowPattern pattern = (WindowPattern)element.GetCurrentPattern(WindowPattern.Pattern);
                    pattern.WaitForInputIdle(10000);
                    var edit = element.FindFirst(TreeScope.Descendants, new AndCondition(
                        new PropertyCondition(AutomationElement.ControlTypeProperty, ControlType.Edit),
                        new PropertyCondition(AutomationElement.NameProperty, "Token Password:")));
                    var ok = element.FindFirst(TreeScope.Descendants, new AndCondition(
                        new PropertyCondition(AutomationElement.ControlTypeProperty, ControlType.Button),
                        new PropertyCondition(AutomationElement.NameProperty, "OK")));
                    if (edit != null && ok != null)
                    {
                        count++;
                        ValuePattern vp = (ValuePattern)edit.GetCurrentPattern(ValuePattern.Pattern);
                        vp.SetValue(password);
                        Console.WriteLine("SafeNet window (count: " + count + " window(s)) detected. Setting password...");
                        InvokePattern ip = (InvokePattern)ok.GetCurrentPattern(InvokePattern.Pattern);
                        ip.Invoke();
                        // Signal the wait loop to exit.
                        // If we wanted to get fancy, we could look for a "password failed" window
                        // and wait 1 second to see if "Token Logon" closes.
                        exitLoop = true;
                        errorCode = 0;
                    }
                    else
                    {
                        Console.WriteLine("SafeNet window detected but not with edit and button...");
                    }
                }
            });

            // Wait for the handler to fire, giving up after 10 seconds.
            Stopwatch stopwatch = new Stopwatch();
            stopwatch.Start();
            while (false == exitLoop)
            {
                Thread.Sleep(100);
                if (10 < stopwatch.Elapsed.TotalSeconds)
                {
                    exitLoop = true;
                }
            }

            // Throws an exception when the console is hidden:
            //while (false == exitLoop)
            //{
            //    if (Console.KeyAvailable)
            //    {
            //        ConsoleKeyInfo key = Console.ReadKey(true);
            //        switch (key.Key)
            //        {
            //            case ConsoleKey.Q:
            //                Console.WriteLine("Quit...");
            //                exitLoop = true;
            //                break;
            //            default:
            //                break;
            //        }
            //    }
            //    // Do something more useful
            //}

            Automation.RemoveAllEventHandlers();
            return errorCode;
        }

        static void DisplayUsage()
        {
            Console.WriteLine("Usage: You must start token-logon.exe in its own process *before* calling signtool\n");
            Console.WriteLine("Batch Example:");
            Console.WriteLine("--------------");
            Console.WriteLine("start token-logon.exe myPaswd");
            Console.WriteLine("echo Use ping as delay to make sure token-logon.exe is started");
            Console.WriteLine("ping 127.0.0.1 -n 2 > nul");
            Console.WriteLine("signtool sign /t http://timestamp.digicert.com /n \"Acme, Inc.\" \"my-win-app-3.0.1234.exe\"");
        }

        static int Main(string[] args)
        {
            if (null == args)
            {
                DisplayUsage();
                return 1;
            }
            if (0 >= args.Length)
            {
                Console.WriteLine("*** Missing arguments");
                DisplayUsage();
                return 1;
            }
            string word = args[0];
            return SatisfyEverySafeNetTokenPasswordRequest(word);
        }
    }
}
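As an added diagnostic (not part of Ed's post or his token-logon tool), the following PowerShell script makes the difference between the two contexts visible: it reports which identity and session it runs under and whether that session is interactive, lists the code-signing certificates that account can see and which of them match the signtool /n value, and then lets signtool's own /debug option explain why it rejected each candidate. Run it once from the desktop where signing works and once from the Jenkins job that fails and compare the two outputs. The subject name "Acme Inc.", the file name and the assumption that signtool.exe is on PATH are placeholders.

```powershell
# Added diagnostic, not from the original thread. Assumes signtool.exe is on PATH.
param(
    [string]$SubjectName = "Acme Inc.",   # placeholder: the value passed to signtool /n
    [string]$FileToSign  = "code.exe"     # placeholder: the file the job signs
)

# 1. Who is running this, and in what kind of session?
#    A service started as Local System shows NT AUTHORITY\SYSTEM, session 0 and
#    UserInteractive=False; a logged-on user shows their own name, a session > 0
#    and UserInteractive=True. That is the difference this thread is about.
$identity    = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$session     = (Get-Process -Id $PID).SessionId
$interactive = [Environment]::UserInteractive
Write-Host "Running as: $identity (session $session, UserInteractive=$interactive)"

# 2. Which code-signing certificates are visible from this context?
#    -CodeSigningCert filters the certificate provider to certs with the code-signing EKU.
$stores   = @("Cert:\CurrentUser\My", "Cert:\LocalMachine\My")
$matching = @()
foreach ($store in $stores) {
    $certs = Get-ChildItem -Path $store -CodeSigningCert -ErrorAction SilentlyContinue
    foreach ($c in $certs) {
        $isMatch = $c.Subject -like "*CN=$SubjectName*"
        Write-Host ("{0}: {1} thumbprint={2} hasPrivateKey={3} matches /n={4}" -f `
            $store, $c.Subject, $c.Thumbprint, $c.HasPrivateKey, $isMatch)
        if ($isMatch) { $matching += $c }
    }
}

if ($matching.Count -eq 0) {
    Write-Warning "No code-signing certificate with CN '$SubjectName' is visible to $identity."
    Write-Warning "If the same script lists it when run from the desktop, the job is running in a different logon session from the one that can see the token."
}

# 3. Ask signtool to explain its own filtering. /debug prints every certificate it
#    considered and the reason each one was excluded, which is more useful than the
#    bare "No certificates were found that met all the given criteria" message.
& signtool.exe sign /debug /n $SubjectName /t http://timestamp.digicert.com $FileToSign
exit $LASTEXITCODE
```

The script exits with signtool's own exit code, so it can replace the plain signtool call in a job step while the problem is being narrowed down; once the job signs reliably, drop the /debug flag, since that output lists certificate details on every build.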
SignTool Error: No certificates were found that met all the given criteria.
What is slave-agent.jnlp you think that could be the problem?
Or must I have Windows 8.1 on a real computer?
Thanks
-Quentin
--
You received this message because you are subscribed to a topic in the Google Groups "Jenkins Users" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/jenkinsci-users/RQyUWZilrRE/unsubscribe.
To unsubscribe from this group and all its topics, send an email to jenkinsci-use...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/91f3155f-6b7c-4b39-b8c0-db31a0f7d008%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
How to use installed certificates from win8 using signtool?
Hi Mark, I am struggling with a very similar issue. What exactly do you mean by your comment and how do I achieve this?
Thanks a lot Mark for your quick response! As I understand it, the goal is to create a slave/agent that will run the code signing directly on Windows, instead of a service. Great idea!
However, I am stuck at step 4: I don't see the "Launch agent via Java Web Start" option. I found a general solution online, by specifying a concrete or random port in the Global Security TCP settings. I tried both, and even restarted Jenkins a couple of times, and it doesn't show up.
I only see 1) Launch agent by connecting it to the master, 2) ... via execution of command on the master, 3) ... Let Jenkins control this Windows slave as a Windows service.
Also checked if there are any updates of Jenkins; only some unrelated plugin updates are available. Anything else I could check?
Thank you!
On Wednesday, May 8, 2019 at 16:05:00 UTC+2, Mark Waite wrote:

On Wednesday, May 8, 2019 at 7:18:31 AM UTC-6, A M wrote:
> Hi Mark, I am struggling with a very similar issue. What exactly do you mean by your comment and how do I achieve this?

I said:
> Run the Windows agent from the Windows desktop rather than running it from a service which has been allowed to interact with the desktop.

The most direct way to implement what I described is to:
- Login to the Windows desktop machine where code signing will be run
- Open a web browser to the Jenkins server
- Create an agent (a node) to represent that Windows computer
- Configure the agent to "Launch agent via Java Web Start"
- Define the required agent fields (like a remote root directory - I prefer 'C:\J\' to reduce problems with Windows and long paths) and save the configuration of that agent
- Download the 'agent.jar' file from the hyperlink on the web page, save it somewhere convenient (like C:\J\agent.jar)
- Open a command prompt window on the Windows desktop machine and change to the convenient directory C:\J
- Copy the 'Run from agent command line' from the web page into the command prompt window

Thanks for asking!
Mark Waite

I want to run signtool.exe together with the certificate on a USB token as an AfterPublish job in Jenkins. Jenkins is running as admin. Single sign-on is activated for the USB token. Running signtool.exe in the admin console works; running the same command through Jenkins results in the "No certificates were found that met all the given criteria." error.
Any help is much appreciated. Thank you!
--
Thanks!
Mark Waite
--
Thanks!
Mark Waite
Hi Mark,
I have the same issue with EV signing (USB token) code through Jenkins. It works fine if I do the EV signing from an admin-role command line.
But if I let it auto build and sign, the Jenkins console will show the following error message: "No certificates were found that met all the given criteria"
I have read your suggestion, using the agent to "Launch agent via Java Web Start" instead of running Jenkins as a Windows service. But I don't have a slave node; my Jenkins only has a default master node, and I can't configure the master node to "Launch agent via Java Web Start". Could you help me with this issue? I'd very much appreciate your help.
Because the code signing tool requires interaction with the desktop, it requires that you must be logged in (or at least that is my theory). There are techniques to configure processes to run without being logged in, but they all tend to leave the process with no access to the desktop or limited access to the desktop.

You'll need to leave the agent connected to the master from a running desktop session.

On Thu, Sep 5, 2019 at 12:53 AM 佳諭 <mycoo...@gmail.com> wrote:
Hi Mark,
Thanks for your reply. I have followed your suggestion and added a slave node on the same computer. Because I can't find the "Java Web Start" option in the Launch method, I created a slave node with "Launch agent by connecting it to the master". I downloaded the agent.jar and then executed the following command in the console with administrator privilege:

"java -jar agent.jar -jnlpUrl http://xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/slave-agent.jnlp -secret xxxxxxx -workDir c:\xxxxx"

Finally, my slave node is online. But if I log out of this computer (because this computer is a VM), my slave node goes offline (disconnects).

I hope my code can be submitted from svn or git and then automatically built through MSBuild, where the project has a post-build event with the EV sign script. But if I use the master node to build, I'll get the error "No certificates were found that met all the given criteria". It seems the master node does not have enough privilege to interact with the desktop sign application.

If I build a new slave node with "Launch agent by connecting it to the master", MSBuild and the post-build sign event can successfully build and sign code, but it needs to keep the node logged in. If I log out of the VM, the slave node will disconnect. Is there any way to keep the slave node online (and also have enough privilege for EV USB token signing)?

Thanks for your help.

On Thu, Sep 5, 2019 at 6:14 AM, Mark Waite <mark.e...@gmail.com> wrote:
--
Thanks!
Mark Waite
--
Thanks!
Mark Waite