Tags: azure-devops, code-signing, digicert, smctl

How to use DigiCert Signing Manager Controller (smctl) in Azure DevOps classic pipeline?


The following task, which signs a setup program using DigiCert Signing Manager Controller (smctl), works without any problem if I use it in an Azure YAML pipeline.

```yaml
- task: CmdLine@2
  displayName: 'Sign setup file'
  inputs:
    script:
      smctl sign --verbose --keypair-alias=$(digicert-key-pair-alias) --certificate=$(Agent.TempDirectory)\KeyCert.pem  --config-file $(SSMClientToolsSetup.PKCS11_CONFIG) --input $(System.ArtifactsDirectory)
  env:
    SM_HOST: $(CodeSigningHost)
    SM_API_KEY: $(digicert-api-key)
    SM_CLIENT_CERT_PASSWORD: $(digicert-cert-pw)
    SM_CLIENT_CERT_FILE: $(caCertificate.secureFilePath)
```

Using the exact same task in an Azure DevOps release pipeline doesn't work. See this screenshot:

[Screenshot: Signing task]

I'm getting this error:

```text
Command : 
 signtool sign  /tr http://timestamp.digicert.com /td SHA256  /fd  SHA256   /csp "DigiCert Signing Manager KSP" /kc "***" /f "D:\a\_temp\KeyCert.pem"  "D:\a\1\a\setup\ApplicationService_Setup_4.2.0.57.exe" 
Error : 
Done Adding Additional Store
Error information: "Error: SignerSign() failed." (-2146893779/0x8009002d)
 
 exit status 1: SignTool Error: An unexpected internal error has occurred.
```

I'm calling the same necessary tasks in both pipelines, as described in the DigiCert instructions. The DigiCert tools are downloaded and installed correctly in both pipelines. The necessary certificate and all environment variables are also there.

To my understanding, the signing process should work in both types of pipelines. I'm calling the same tasks in both pipelines. Both pipelines have access to the secure file containing the certificate to sign with and to the variable group that contains the secret parameters used by the DigiCert tools.


Solution

  • I found out that the error -2146893779/0x8009002d means that I'm running out of signatures. A signing certificate with the KeyLocker provisioning method comes with a fixed number of signatures. I would expect DigiCert to mention this in their docs (see SignTool errors and solutions), which isn't the case.
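As an added illustration (not part of the question or the answer above), a small Python helper that a pipeline step could run over the captured sign-step output to recognise this error code and fail with an actionable message instead of the generic "unexpected internal error". The sample log is the output quoted in the question; the meaning attached to 0x8009002d (KeyLocker signature quota used up) is taken from the answer, and the function names are my own.

```python
import re
from typing import List, Optional

# Constructed sample: the failure output quoted in the question above.
SAMPLE_LOG = """Error : 
Done Adding Additional Store
Error information: "Error: SignerSign() failed." (-2146893779/0x8009002d)
 
 exit status 1: SignTool Error: An unexpected internal error has occurred.
"""

# HRESULTs whose meaning in this pipeline is known from the answer above.
# 0x8009002d: SignerSign() failed because the KeyLocker key pair has used up
# its fixed number of signatures (not a pipeline configuration problem).
KNOWN_CODES = {
    0x8009002D: "KeyLocker signature quota exhausted for this key pair",
}

# signtool prints the HRESULT as "(<signed decimal>/0x<8 hex digits>)".
HRESULT_RE = re.compile(r"\((-?\d+)/0x([0-9a-fA-F]{8})\)")


def hresult_from_signed(value: int) -> int:
    """Map the signed 32-bit decimal signtool prints to the unsigned HRESULT."""
    return value & 0xFFFFFFFF


def extract_hresults(log: str) -> List[int]:
    """Return every HRESULT found in the log; decimal and hex forms must agree."""
    codes = []
    for dec, hx in HRESULT_RE.findall(log):
        unsigned = hresult_from_signed(int(dec))
        if unsigned != int(hx, 16):
            raise ValueError(f"inconsistent HRESULT pair: {dec}/0x{hx}")
        codes.append(unsigned)
    return codes


def diagnose(log: str) -> Optional[str]:
    """Explain the first recognised error code, or None if nothing matched."""
    for code in extract_hresults(log):
        if code in KNOWN_CODES:
            return f"0x{code:08X}: {KNOWN_CODES[code]}"
    return None


if __name__ == "__main__":
    # In a pipeline, pass the captured sign-step output instead of the sample.
    print(diagnose(SAMPLE_LOG) or "no known code found; inspect the full log")
```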