Inconsistent AzureSigningTool output - Unable to sign a .exe file

Rivera Claro, Oscar Javier 0 Reputation points
2024-09-05T11:23:09.03+00:00

Hi,

I have been facing different challenges with the usage of AzureSignTool in an Azure DevOps Pipeline. After following the "WalkThrough" I still cannot sign a single file.

My configuration is as follows:

  • I am using an existing service connection with service principal authentication
  • The service principal has the following role assignments for the Azure Resource Group (when I check the Azure Key Vault, the same permissions are inherited).

Nevertheless, I am getting two different behaviors out of AzureSignTool:

  1. By changing the position of --azure-key-vault-certificate (aka -kvc), I got the following output:

     Output: File 'http://timestamp.digicert.com' does not exist. Specify --help for a list of available options and commands.

  2. By moving the --timestamp-rfc3161 (short: -tr) and the --azure-key-vault-certificate (short: -kvc) parameters, the output error is different:

     Output:
     fail: AzureSignTool.SignCommand[0] Failed to retrieve certificate <certificateName> from Azure Key Vault. Please verify the name of the certificate and the permissions to the certificate. Error message: ClientSecretCredential authentication failed: A configuration issue is preventing authentication - check the error message from the server for details. You can modify the configuration in the application registration portal. See https://aka.ms/msal-net-invalid-client for details. Original exception: AADSTS7000215: Invalid client secret provided. Ensure the secret being sent in the request is the client secret value, not the client secret ID, for a secret added to app '***'. Trace ID: e5c0c519-1e52-4dbd-a76d-9f276e8d0d00 Correlation ID: 412b9a1e-20bc-4c0a-9bad-b5640860bdd3 Timestamp: 2024-09-05 10:53:20Z.
     fail: AzureSignTool.SignCommand[0] Failed to get configuration from Azure Key Vault.

NOTE:

When using the task "AzureKeyVault" I am able to access the different secrets, i.e. certificates, available in the Key Vault.


1 answer

  1. Akhilesh 8,950 Reputation points Microsoft Vendor
    2024-09-09T18:12:59.68+00:00

    Hi @Rivera Claro, Oscar Javier

    Thank you for reaching Microsoft Q&A.

    Based on the error message (AADSTS7000215), the client secret provided is invalid, which means that the client secret you have used is either incorrect or expired in the app registration.

    In order to resolve your issue, you'll have to navigate to your Azure AD App Registration, open the Certificate & Secrets menu, and ensure that you're using the correct Secret Value within your App and not the Secret ID.

    Since you're using Key Vault, create a secret with a name of your choice in the Key Vault. Then, copy the client secret from the app registration and paste it into the 'value' field of the Key Vault secret.

    Ensure that the client secret is not being modified or corrupted during copy-pasting. Sometimes extra spaces or characters can be added while copying the client secret. Validate that the client secret is copied correctly and without any extra characters.

    Reference: https://learn.microsoft.com/en-us/windows/msix/desktop/sign-with-akv-cert
    https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/app-secret-application-secret-azure-ad-azure-ad-app-secrets/m-p/3775325
    Hope this helps. Do let us know if you have any further queries by responding in the comments section.

    Thanks,

    Akhilesh.


    If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.
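
A pre-flight check for the points raised in the answer above, added here as an example (it is not code from the question, the answer or the AzureSignTool project): it inspects the argument list before AzureSignTool runs and reports a client secret that is empty, padded with whitespace, an unexpanded pipeline variable, or GUID-shaped like a Secret ID, without ever printing the secret. The function names and finding labels are assumptions made for this example, and the GUID test is a heuristic.

```python
import re
import sys

# Secret IDs in the app registration are GUIDs, so a GUID-shaped value hints
# that the ID was copied instead of the Value (a heuristic, not a guarantee).
GUID_RE = re.compile(r"[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")
# Azure DevOps leaves $(name) as literal text when the variable is undefined.
MACRO_RE = re.compile(r"\$\([^)]+\)")
# AzureSignTool options that must be followed by a value.
SECRET_OPTS = {"-kvs", "--azure-key-vault-client-secret"}
VALUE_OPTS = SECRET_OPTS | {
    "-kvu", "--azure-key-vault-url", "-kvi", "--azure-key-vault-client-id",
    "-kvt", "--azure-key-vault-tenant-id", "-kvc", "--azure-key-vault-certificate",
    "-tr", "--timestamp-rfc3161", "-td", "--timestamp-digest", "-fd", "--file-digest",
}

def check_client_secret(value):
    """Return findings for a client secret; the value itself is never echoed."""
    if not value:
        return ["empty"]
    findings = []
    core = value.strip()
    if core != value:
        findings.append("whitespace")
    if MACRO_RE.fullmatch(core):
        findings.append("unexpanded-variable")
    if GUID_RE.fullmatch(core):
        findings.append("looks-like-secret-id")
    return findings

def check_sign_args(argv):
    """Check an AzureSignTool argument list before the tool is started."""
    findings = []
    for i, arg in enumerate(argv):
        if arg not in VALUE_OPTS:
            continue
        nxt = argv[i + 1] if i + 1 < len(argv) else ""
        if nxt == "" or nxt in VALUE_OPTS:
            findings.append(f"{arg}: missing-value")
        elif arg in SECRET_OPTS:
            findings += [f"{arg}: {f}" for f in check_client_secret(nxt)]
    return findings

if __name__ == "__main__":
    problems = check_sign_args(sys.argv[1:])
    for p in problems:
        print(f"##vso[task.logissue type=error]{p}")  # Azure DevOps error line
    sys.exit(1 if problems else 0)
```

Run it with the same arguments the pipeline step passes to AzureSignTool; a non-zero exit stops the job before any authentication attempt is made.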

