NuGet Issue on GitHub Actions With Azure Trusted Signing

[nathanlesage]

Hi,

I've spent the past days trying to get Azure Trusted Code Signing to work using a GH Actions pipeline and the appropriate settings. I've set everything up and run into errors. So, first, I've updated to Electron Builder 26.0.1 to enable Azure signing, and I have set the appropriate environment variables.

Here's the config:

// GitHub Build Environment variables set (this uses an App Registration with the correct signer role):
env:
  AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
  AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
  AZURE_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }}

// Electron Builder config (yml file):
win:
  target:
  - nsis
  artifactName: "Zettlr-${version}-${arch}.${ext}"
  icon: "./resources/icons/icon.ico"
  # New signing options for use with Azure Trusted Signing
  azureSignOptions:
    publisherName: "Hendrik Erz" // Corresponds with cert's CN
    endpoint: "https://neu.codesigning.azure.net/" // Corresponds with cert settings
    certificateProfileName: "zettlr-code-sign-cert"
    codeSigningAccountName: "zettlr-code-sign-app" // This is the app registration displayName

And here's the two (!) errors I observe. First is that NuGet apparently can't install the required TrustedSigning module in Powershell. And the second is a 403 error. Due to the first error, I cannot be sure whether this causes the second one, or whether both are independent.

Unfortunately, I don't have a Windows computer to test this out. I'm not sure whether this is really an issue with Electron Builder, or whether the documentation needs some updating…? Sorry for bothering you guys again, I really tried hard to get this to work by researching and reading documentation.

Here's the logs:

• exited          command=app-builder.exe code=0 pid=4952 out=C:\Users\runneradmin\AppData\Local\electron-builder\Cache\nsis\nsis-3.0.4.1
  • signing with Azure Trusted Signing (beta)  path=out\Zettlr-win32-x64\resources\elevate.exe
  • executing       file=powershell.exe args=-NoProfile -NonInteractive -Command Get-Command pwsh.exe
  • executed        file=powershell.exe stdout=
CommandType     Name                                               Version    Source                                   
-----------     ----                                               -------    ------                                   
Application     pwsh.exe                                           7.4.7.0    C:\Program Files\PowerShell\7\pwsh.exe   
                      
  • identified pwsh.exe
  • installing required module (TrustedSigning) with scope CurrentUser
  • executing       file=pwsh.exe args=-NoProfile -NonInteractive -Command Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force -Scope CurrentUser
  • unable to install PackageProvider Nuget. Might be a false alarm though as some systems already have it installed  message=Exit code: 1. Command failed: pwsh.exe -NoProfile -NonInteractive -Command Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force -Scope CurrentUser
Install-PackageProvider: No match was found for the specified search criteria for the provider 'NuGet'. The package provider requires 'PackageManagement' and 'Provider' tags. Please check if the specified package has the tags.
                                                                                                                        Install-PackageProvider: No match was found for the specified search criteria for the provider 'NuGet'. The package provider requires 'PackageManagement' and 'Provider' tags. Please check if the specified package has the tags.
  • executing       file=pwsh.exe args=-NoProfile -NonInteractive -Command Install-Module -Name TrustedSigning -RequiredVersion 0.4.1 -Force -Repository PSGallery -Scope CurrentUser
  • executed        file=pwsh.exe
  • verifying env vars for authenticating to Microsoft Entra ID
  • executing       file=pwsh.exe args=-NoProfile -NonInteractive -Command Invoke-TrustedSigning -Endpoint https://neu.codesigning.azure.net/ -CertificateProfileName zettlr-code-sign-cert -CodeSigningAccountName zettlr-code-sign-app -TimestampRfc3161 http://timestamp.acs.microsoft.com/ -TimestampDigest SHA256 -FileDigest SHA256 -Files "D:\a\Zettlr\Zettlr\out\Zettlr-win32-x64\resources\elevate.exe"
  • Above command failed, retrying 3 more times
  ⨯ Exit code: 1. Command failed: pwsh.exe -NoProfile -NonInteractive -Command Invoke-TrustedSigning -Endpoint https://neu.codesigning.azure.net/ -CertificateProfileName zettlr-code-sign-cert -CodeSigningAccountName zettlr-code-sign-app -TimestampRfc3161 http://timestamp.acs.microsoft.com/ -TimestampDigest SHA256 -FileDigest SHA256 -Files "D:\a\Zettlr\Zettlr\out\Zettlr-win32-x64\resources\elevate.exe"
SignTool Error: An unexpected internal error has occurred.
Exception: SignTool failed with exit code 1
Checking for required dependencies.
	Build tools package installed: False
	Trusted signing package installed: False
	Installing required dependencies.
		Found existing package source: https://www.nuget.org/api/v2/
		Installing package: Microsoft.Windows.SDK.BuildTools 10.0.22621.3233
		Installing package: Microsoft.Trusted.Signing.Client 1.0.53
Creating metadata file: C:\Users\runneradmin\AppData\Local\TrustedSigning\Microsoft.Trusted.Signing.Client\Microsoft.Trusted.Signing.Client.1.0.53\bin\x64\metadata.json
Getting the list of files to be signed.
	Getting files from list.
	Listed files: 1
		D:\a\Zettlr\Zettlr\out\Zettlr-win32-x64\resources\elevate.exe
	No files folder was provided.
	Filtered files: 0
	No catalog file was provided.
	Catalog files: 0
Formatting the list of files to be signed.
Batching the list of files to be signed.
Signing file batch 1 of 1.
	Executing signtool.exe: C:\Users\runneradmin\AppData\Local\TrustedSigning\Microsoft.Windows.SDK.BuildTools\Microsoft.Windows.SDK.BuildTools.10.0.22621.3233\bin\10.0.22621.0\x64\signtool.exe sign /v /debug /fd SHA256 /tr http://timestamp.acs.microsoft.com/ /td SHA256 /dlib "C:\Users\runneradmin\AppData\Local\TrustedSigning\Microsoft.Trusted.Signing.Client\Microsoft.Trusted.Signing.Client.1.0.53\bin\x64\Azure.CodeSigning.Dlib.dll" /dmdf "C:\Users\runneradmin\AppData\Local\TrustedSigning\Microsoft.Trusted.Signing.Client\Microsoft.Trusted.Signing.Client.1.0.53\bin\x64\metadata.json" "D:\a\Zettlr\Zettlr\out\Zettlr-win32-x64\resources\elevate.exe"
Trusted Signing
Version: 1.0.53
"Metadata": {
  "Endpoint": "https://neu.codesigning.azure.net/",
  "CodeSigningAccountName": "zettlr-code-sign-app",
  "CertificateProfileName": "zettlr-code-sign-cert",
  "ExcludeCredentials": []
}
Submitting digest for signing...
Unhandled managed exception
Azure.RequestFailedException: Service request failed.
Status: 403 (Forbidden)

[mmaietta]

So, here are a few notes, but the TLDR is the 403 error blocking your signing. Not sure if there's a way to add a verbosity to Invoke-TrustedSigning command

---

First is that NuGet apparently can't install the required TrustedSigning module

  • unable to install PackageProvider Nuget. Might be a false alarm though as some systems already have it installed

It's installed already.

TrustedSigning module successfully installed (past tense executed, albeit I can add another log line saying setup complete). If NuGet wasn't installed, this command would fail.

  • executing       file=pwsh.exe args=-NoProfile -NonInteractive -Command Install-Module -Name TrustedSigning -RequiredVersion 0.4.1 -Force -Repository PSGallery -Scope CurrentUser
  • executed        file=pwsh.exe

Azure Trusted Signing set up successfully if it's gotten to this point: (note the Invoke-TrustedSigning)

  ⨯ Exit code: 1. Command failed: pwsh.exe -NoProfile -NonInteractive -Command Invoke-TrustedSigning -Endpoint https://neu.codesigning.azure.net/ -CertificateProfileName zettlr-code-sign-cert -CodeSigningAccountName zettlr-code-sign-app -TimestampRfc3161 http://timestamp.acs.microsoft.com/ -TimestampDigest SHA256 -FileDigest SHA256 -Files "D:\a\Zettlr\Zettlr\out\Zettlr-win32-x64\resources\elevate.exe"

[nathanlesage]

First of all, thank you so much for responding so swiftly to this issue & clarifying the error messages. The reason I was a bit worried was that the text was in big red letters:

If this log is produced by Electron Builder, it may help making the log non-red (nota bene: I have debug='*' set because of other issues, it can be that this will go away once I remove the debugging).

Then, the 403 seems to mean that my authentication method isn't proper in this context. It was a bit hard to decide, because Microsoft is very often telling one to use a managed user and creating a client secret for that, but in other places they recommend other things. I have used both a managed user and an app registration, both of which failed with a 403 despite having the correct role (the Signer one).

That being said, if I understood the issue correctly, you were building this entire flow based off the Azure Action, so is it correct that I should just follow their guide and ignore whatever else…? I know it's not your fault or task, but since you've experimented a bit with it, maybe you have the right pointer? I'm really exhausted after having had 200 open tabs with various tutorials for the past days… the tutorial others have linked didn't work.

[mmaietta]

I'm really exhausted after having had 200 open tabs with various tutorials

That's what I had to do when I was implementing the feature 😅

Re: error message. I understand what you're saying. From a quick look at the code, that red logging should only be there with DEBUG env var set, as it's being rendered from one of the monorepo's util/exec of builder-util package. Tbh, I'm not in favor of adding a boolean flag to hide/uncolor output just due to this one error flow.