Why does my Azure Trusted Signing GitHub Action fail with "Azure.RequestFailedException: Service request failed."

Thread starter: Jonas (Guest)
I've signed up for an Azure Trusted Signing account and created a validated identity and a certificate profile. I have registered an app in Azure Entra ID, and given this the role of Trusted Signing Certificate Profile Signer on the account.

I've also created a GitHub Action that downloads a file from Azure Blob Storage, and then attempts to sign it. But the signing process fails with the error Unhandled managed exception Azure.RequestFailedException: Service request failed. Status: 403 (Forbidden).

And I can't see where my error is.

This is the GitHub action (it also checks if the file is actually there):

Code:
jobs:
  download-and-sign:
    runs-on: windows-latest
    name: Download file and sign it
    steps:
      - name: Setup .NET Core SDK
        uses: actions/setup-dotnet@v2
        with:
          dotnet-version: 6.0.x
          
      - name: Download the file
        run: |
          Invoke-WebRequest -Uri 'https://mystorageaccount.blob.core.windows.net/my-file.msi' -OutFile 'my-file.msi'

      - name: 'Check File Existence'
        id: check_files
        uses: andstor/file-existence-action@v3
        with:
          files: 'my-file.msi'

      - name: Files exist
        if: steps.check_files.outputs.exists == 'true'
        run: echo "All files exist!"

      - name: Sign files with Trusted Signing
        uses: azure/[email protected]
        with:
          azure-tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          azure-client-id: ${{ secrets.AZURE_CLIENT_ID }}
          azure-client-secret: ${{ secrets.AZURE_CLIENT_SECRET }}
          endpoint: https://eus.codesigning.azure.net/
          code-signing-account-name: my-code-signing-account
          certificate-profile-name: my-certificate-profile
          files-folder: ${{ github.workspace }}
          files-folder-recurse: true
          files-folder-filter: msi
          # files-catalog: ${{ github.workspace }}\my-file.msi
          file-digest: SHA256
          timestamp-rfc3161: http://timestamp.acs.microsoft.com
          timestamp-digest: SHA256
          exclude-interactive-browser-credential: false
          timeout: 1200

This is the output:

Code:
Invoke-TrustedSigning @params
  shell: C:\Program Files\PowerShell\7\pwsh.EXE -command ". '{0}'"
  env:
    DOTNET_ROOT: C:\Users\runneradmin\AppData\Local\Microsoft\dotnet
    AZURE_TENANT_ID: ***
    AZURE_CLIENT_ID: ***
    AZURE_CLIENT_SECRET: ***
    AZURE_CLIENT_CERTIFICATE_PATH: 
    AZURE_CLIENT_SEND_CERTIFICATE_CHAIN: 
    AZURE_USERNAME: 
    AZURE_PASSWORD: 
  
Azure Code Signing
Version: 1.0.52
"Metadata": {
  "Endpoint": "https://eus.codesigning.azure.net/",
  "CodeSigningAccountName": "my-code-signing-account",
  "CertificateProfileName": "my-certificate-profile",
  "ExcludeCredentials": []
}
Submitting digest for signing...
Unhandled managed exception
Azure.RequestFailedException: Service request failed.
Status: 403 (Forbidden)
Headers:
Date: Wed, 24 Apr 2024 06:46:50 GMT
Connection: keep-alive
SignTool Error: An unexpected internal error has occurred.
Strict-Transport-Security: REDACTED
x-azure-ref: REDACTED
X-Cache: REDACTED
Content-Length: 0
   at Azure.CodeSigning.CertificateProfileRestClient.SignAsync(String codeSigningAccountName, String certificateProfileName, SignRequest body, String xCorrelationId, String clientVersion, CancellationToken cancellationToken)
   at Azure.CodeSigning.CertificateProfileClient.StartSignAsync(String codeSigningAccountName, String certificateProfileName, SignRequest body, String xCorrelationId, String clientVersion, CancellationToken cancellationToken)
   at Azure.CodeSigning.Dlib.Core.DigestSigner.SignAsync(UInt32 algorithm, Byte[] digest, SafeFileHandle safeFileHandle, CancellationToken cancellationToken)
   at Azure.CodeSigning.Dlib.Core.DigestSigner.Sign(UInt32 algorithm, Byte[] digest, SafeFileHandle safeFileHandle)
   at AuthenticodeDigestSignExWithFileHandleManaged(_CRYPTOAPI_BLOB* pMetadataBlob, UInt32 digestAlgId, Byte* pbToBeSignedDigest, UInt32 cbToBeSignedDigest, Void* hFile, _CRYPTOAPI_BLOB* pSignedDigest, _CERT_CONTEXT** ppSignerCert, Void* hCertChainStore)
Error information: "Error: SignerSign() failed." (-2147467259/0x80004005)
Exception: SignTool failed with exit code 1
Error: Process completed with exit code 1.

I have AZURE_TENANT_ID, AZURE_CLIENT_ID and AZURE_CLIENT_SECRET as secrets in my repo. These are the values of the app registered in Entra ID. The endpoint value is the same value as listed in my Trusted Signing account.

I can see that there is something with my access, but I can't see why. Any pointers are much appreciated.
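A diagnostic I would run before re-running the workflow, added here as an example and not part of the original post: with the Az PowerShell module (Az.Accounts, Az.Resources) it checks the things the question asserts, namely that a service principal exists for the client id, that it holds the Trusted Signing Certificate Profile Signer role at the account or certificate-profile scope (directly or inherited), and that the account's region lines up with the endpoint hostname. The placeholder values and the ARM resource type Microsoft.CodeSigning/codeSigningAccounts are my assumptions; run it after Connect-AzAccount in the subscription that holds the account.

```powershell
# Added diagnostic, not from the original post. Run after Connect-AzAccount.
param(
    [string]$ClientId           = '<app-registration-client-id>',   # value behind AZURE_CLIENT_ID (placeholder)
    [string]$AccountName        = 'my-code-signing-account',
    [string]$CertificateProfile = 'my-certificate-profile',
    [string]$Endpoint           = 'https://eus.codesigning.azure.net/'
)
$requiredRole = 'Trusted Signing Certificate Profile Signer'

# 1. The role must be granted to the service principal in this tenant, not to the app object.
$sp = Get-AzADServicePrincipal -ApplicationId $ClientId
if (-not $sp) { throw "No service principal for application $ClientId in the signed-in tenant." }
Write-Host "Service principal object id: $($sp.Id)"

# 2. Locate the Trusted Signing account (assumed ARM type Microsoft.CodeSigning/codeSigningAccounts).
$account = Get-AzResource -ResourceType 'Microsoft.CodeSigning/codeSigningAccounts' -Name $AccountName
if (-not $account) { throw "Trusted Signing account '$AccountName' not found in the current subscription." }
$profileId = "$($account.ResourceId)/certificateProfiles/$CertificateProfile"

# 3. Assignments visible at the profile scope include those inherited from the account,
#    resource group and subscription, so one query covers every scope that would apply.
$assignments = Get-AzRoleAssignment -ObjectId $sp.Id -Scope $profileId
$signer = $assignments | Where-Object { $_.RoleDefinitionName -eq $requiredRole }
if ($signer) {
    Write-Host "OK: '$requiredRole' is assigned at scope: $($signer.Scope -join ', ')"
} else {
    Write-Warning "MISSING: '$requiredRole' is not assigned to $($sp.Id) at or above $profileId"
    Write-Host "Roles the principal does hold here: $($assignments.RoleDefinitionName -join ', ')"
}

# 4. The endpoint is region-specific; show both sides so the region prefix can be compared
#    against the account's actual location (e.g. an eus endpoint for an East US account).
$endpointHost = ([Uri]$Endpoint).Host
Write-Host "Endpoint host: $endpointHost"
Write-Host "Account location: $($account.Location)"
```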