Azure Trusted Signing Signtool Error
SignTool Error: An unexpected internal error has occurred.
Error information: "Error: SignerSign() failed." (-2147467259/0x80004005)
My full error was as follows:
Submitting digest for signing...
OperationId 4e6b92b3-743c-49f1-a46a-af2bfbb6d4d9: InProgress
Unhandled managed exception
Azure.RequestFailedException: Service request failed.
Status: 200 (OK)
Content:
{"operationId":"abcd1234-743c-49f1-a46a-af2bfbb6d4d9","status":"Failed","signature":null,"signingCertificate":null,"counterSignature":null}
Headers:
Date: Fri, 04 Oct 2024 13:25:38 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Retry-After: 1
Strict-Transport-Security: REDACTED
mise-correlation-id: REDACTED
Operation-Location: REDACTED
api-supported-versions: REDACTED
x-azure-ref: REDACTED
X-Cache: REDACTED
Content-Type: application/json; charset=utf-8
at Azure.Core.OperationInternals.UpdateStatusAsync(Boolean async, CancellationToken cancellationToken)
at Azure.Core.OperationInternals.UpdateStatusAsync(CancellationToken cancellationToken)
at Azure.Core.OperationInternals`1.WaitForCompletionAsync(TimeSpan pollingInterval, CancellationToken cancellationToken)
at Azure.CodeSigning.Dlib.Core.DigestSigner.SignAsync(UInt32 algorithm, Byte[] digest, SafeFileHandle safeFileHandle, CancellationToken cancellationToken)
at Azure.CodeSigning.Dlib.Core.DigestSigner.Sign(UInt32 algorithm, Byte[] digest, SafeFileHandle safeFileHandle)
at AuthenticodeDigestSignExWithFileHandleManaged(_CRYPTOAPI_BLOB* pMetadataBlob, UInt32 digestAlgId, Byte* pbToBeSignedDigest, UInt32 cbToBeSignedDigest, Void* hFile, _CRYPTOAPI_BLOB* pSignedDigest, _CERT_CONTEXT** ppSignerCert, Void* hCertChainStore)
SignTool Error: An unexpected internal error has occurred.
Error information: "Error: SignerSign() failed." (-2147467259/0x80004005)
According to the common error codes page, 0x80004005 means the environment variables used for authentication are incorrect. I've found that this is only sometimes true: search your output for the exception name that appears on the line after "Unhandled managed exception" and use it to tell the two cases apart:
(-2147467259/0x80004005) Azure.RequestFailedException
If your error includes the words "Azure.RequestFailedException: Service request failed" then there might be something wrong with your Azure subscription. Note that the HTTP status in the dump is 200 (OK): the request reached the service and authentication succeeded, but the JSON body came back with "status":"Failed" and no signature. Log into the Azure portal and check that your subscription is still active.
Once the subscription status is restored Trusted Signing will work again.
My subscription has run out of credits and become disabled
(-2147467259/0x80004005) CredentialUnavailableException error
If your error includes the words "Azure.Identity.CredentialUnavailableException" then you're probably either not setting all the required environment variables or setting them to the wrong values. The error messages are pretty good for these exceptions, so I encourage you to read them carefully.
There are three ways of using the environment variable authentication method:
- Client Secret
- Certificate
- User login details (not recommended, might be deprecated)
I'm using the client secret method in PowerShell, so all I need to do before running signtool is set my three environment variables like this:
$env:AZURE_TENANT_ID = "fa27fb5b-dae6-96af-3717-91c06e52fake"
$env:AZURE_CLIENT_ID = "e58fd5c7-1a2d-3220-c6c1-6c3c4d9phony"
$env:AZURE_CLIENT_SECRET = "sdfoubsdkjbsdfkhbdsfkhbabcdefg1234123"
The values can be found in your "App Registration" overview in the Azure portal:
AZURE_TENANT_ID is the "Directory (tenant) ID"
AZURE_CLIENT_ID is the "Application (client) ID"
AZURE_CLIENT_SECRET is a secret listed under "Client credentials". If there are no secrets yet, click the client credentials link and then "New client secret". Be sure to copy the Value, not the Secret ID (the Secret ID is a GUID, the Value is not, and the Value is only shown once, right after you create it).
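As an added worked example (not from the original post, and not Microsoft's code), here is a PowerShell wrapper that pulls the two sections above together: it checks the three environment variables before signtool is ever called (including the Secret ID vs Value mix-up), runs signtool, and then classifies a failure by the exception name that follows "Unhandled managed exception". The signtool flags are the standard Trusted Signing invocation (/dlib pointing at Azure.CodeSigning.Dlib.dll and /dmdf at a metadata JSON file); the file paths and the timestamp URL are assumptions you should adjust for your own install.

```powershell
# Added example, not part of the original post. Paths below are placeholders.

function Test-TrustedSigningEnvironment {
    # Tenant and client IDs are GUIDs. The secret VALUE is not a GUID, but the
    # Secret ID is, so a GUID-shaped secret usually means the wrong field was copied.
    $guid = '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
    $problems = @()
    foreach ($name in 'AZURE_TENANT_ID', 'AZURE_CLIENT_ID') {
        $value = [Environment]::GetEnvironmentVariable($name)
        if ([string]::IsNullOrWhiteSpace($value)) { $problems += "$name is not set" }
        elseif ($value -notmatch $guid)            { $problems += "$name is not a GUID" }
    }
    $secret = $env:AZURE_CLIENT_SECRET
    if ([string]::IsNullOrWhiteSpace($secret)) { $problems += 'AZURE_CLIENT_SECRET is not set' }
    elseif ($secret -match $guid)              { $problems += 'AZURE_CLIENT_SECRET looks like a Secret ID; copy the Value instead' }
    return $problems
}

function Get-SignToolDiagnosis {
    param([string[]]$Output)
    # Map the managed exception name printed after "Unhandled managed exception"
    # to the cause described in the post. Order matters: the credential case is
    # checked first because it is the one the common error codes page assumes.
    $text = $Output -join "`n"
    if ($text -match 'Azure\.Identity\.CredentialUnavailableException') {
        return 'Credential problem: check AZURE_TENANT_ID, AZURE_CLIENT_ID and AZURE_CLIENT_SECRET'
    }
    if ($text -match 'Azure\.RequestFailedException: Service request failed' -and
        $text -match '"status"\s*:\s*"Failed"') {
        return 'Service answered 200 but status Failed: check that the Azure subscription is still active'
    }
    if ($text -match 'SignerSign\(\) failed') {
        return 'SignerSign() failed with no recognised exception: rerun with /debug and read the full exception text'
    }
    return 'No known failure pattern found'
}

function Invoke-TrustedSigning {
    param(
        [Parameter(Mandatory)][string]$File,
        [string]$SignTool = 'signtool.exe',
        [string]$Dlib     = 'C:\TrustedSigning\bin\x64\Azure.CodeSigning.Dlib.dll',  # placeholder path
        [string]$Metadata = 'C:\TrustedSigning\metadata.json'                       # placeholder path
    )
    $problems = Test-TrustedSigningEnvironment
    if ($problems) { throw ("Environment not ready:`n - " + ($problems -join "`n - ")) }

    # Keep going on stderr output so 2>&1 can capture the managed exception
    # instead of turning the first stderr line into a terminating error.
    $ErrorActionPreference = 'Continue'
    $out = & $SignTool sign /v /debug /fd SHA256 /tr 'http://timestamp.acs.microsoft.com' /td SHA256 `
        /dlib $Dlib /dmdf $Metadata $File 2>&1 | ForEach-Object { "$_" }
    $exit = $LASTEXITCODE

    [pscustomobject]@{
        ExitCode  = $exit
        Diagnosis = if ($exit -eq 0) { 'Signed OK' } else { Get-SignToolDiagnosis -Output $out }
        Output    = $out
    }
}

# Usage (values are the fake ones from the post):
# $env:AZURE_TENANT_ID     = 'fa27fb5b-dae6-96af-3717-91c06e52fake'
# $env:AZURE_CLIENT_ID     = 'e58fd5c7-1a2d-3220-c6c1-6c3c4d9phony'
# $env:AZURE_CLIENT_SECRET = 'sdfoubsdkjbsdfkhbdsfkhbabcdefg1234123'
# $result = Invoke-TrustedSigning -File '.\MyApp.exe'
# $result.Diagnosis
```

Get-SignToolDiagnosis only looks at the captured text, so you can also feed it a saved signtool log (`Get-Content .\signtool.log`) from a build server without re-running the signing step.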
For help with the other methods, see the troubleshooting guide for environment credential authentication here.
For help with any of the other Trusted Signing steps, see this wonderfully detailed blog post by melatonin.