Team Foundation Server Build with password protected codesigning fails


Problem description

I'm trying to set up a continuous integration build on TFS 2008. In the project I want to build I use a key for signing. This key uses a password. I can't get it to build, because during the build TFS wants to show a dialog which can't be shown. I think I need to build the project by hand on the server, but only the TFS explorer and build parts are installed on the server. Any suggestions on how to get my project to build properly?

This is the error given by TFS:

C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft.Common.targets(1805,7): error MSB4018: The "ResolveKeySource" task failed unexpectedly.
System.InvalidOperationException: Showing a modal dialog box or form when the application is not running in UserInteractive mode is not a valid operation. Specify the ServiceNotification or DefaultDesktopOnly style to display a notification from a service application.
   at System.Windows.Forms.Form.ShowDialog(IWin32Window owner)
   at System.Windows.Forms.Form.ShowDialog()
   at Microsoft.Build.Tasks.ResolveKeySource.ResolveAssemblyKey()
   at Microsoft.Build.Tasks.ResolveKeySource.Execute()

Recommended answer

This blog post below details the exact steps

Setup Key Files

  1. Create a password-protected private/public key pair (KeyPair.pfx) using the Visual Studio "Signing" tab within a project’s properties
  2. Extract the public key from the key pair and copy it to a separate file (Key.snk): sn.exe -p KeyPair.pfx Key.snk
  3. Copy the KeyPair.pfx to your build server. I use C:\Program Files\MSBuild\KeyFile.pfx, because it can then be accessed by the $(MSBuildExtensionsPath) MSBuild property.
  4. Move the KeyPair.pfx file to a safe & secure location. Keep the password secret as well.
  5. Copy the Key.snk to a shared location where your developers can access it.

Setup Projects for Signing

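For each assembly that you want to sign:

  1. Open the Project Properties | Signing page
  2. Check the [X] Sign the assembly checkbox.
  3. Check the [X] Delay sign only checkbox.
  4. Select from the key file dropdown.
  5. Browse to the shared location and select the Key.snk file
  6. The snk file will be copied to each project directory that you assign it to
  7. Copy the key file from one of your projects into the Solution Items so that you can use it for the test run configuration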

Setup Test Run Configuration for Re-signing

If you want to instrument your assemblies and enable Code Coverage for your unit tests, then you need to specify a key file for re-signing.

  1. Open the LocalTestRun.testrunconfig file
  2. On the Code Coverage tab, select the key as the Re-Signing key file

Disable Strong-Name Verification on Developer Workstations

Since you are delay-signing with only the public key, .NET CLR assembly verification will fail with assemblies built locally. When the verification fails you won’t be able to run or debug the assemblies.

To overcome this in development, you need to disable strong-name verification for assemblies that you build locally and delay-sign with your public key.

  1. Open a Visual Studio Command Prompt
  2. Type: sn.exe -tp Key.snk

This will output some data including the token.

Type: sn -Vr *,YOUR_KEY_TOKEN

Example: sn -Vr *,0123456789abcdef

This will disable strong name verification for all assemblies signed with your public key. You can list current settings for strong name verification with: sn -Vl

Installing the Private Key for Team Build

Since the private key (Key.pfx) is password protected – Team Build cannot access it. Thanks to Nagaraju Palla’s Blog: Using Password Protected Signing Keys in Team Build, we have a solution.

  1. Log on to the Team Build server as the build service account
  2. Open the project in Visual Studio
  3. Build the project in Visual Studio
  4. You will be prompted for the password to the private key file. Enter the password
  5. Close Visual Studio & Log off

The private key file is now installed in the build service account’s local certificate store and Team Build can access it without prompting for the password again. This certificate store is as secure as the build service account’s password. (Hint: Make it just as strong as your keyfile’s password)

Updating the TFSBuild.proj Build Script

Team Build has access to the private keyfile and password. This allows it to fully-sign the assemblies.

To override the project settings and instruct Team Build to use the private keyfile and disable partial-signing, we need to set the CustomPropertiesForBuild property in TFSBuild.proj

  1. Check-out your TFSBuild.proj build script
  2. Search for the placeholder property (near line 130 by default)
  3. Replace it with the following: SignAssembly=true;DelaySign=false;AssemblyOriginatorKeyFile=$(MSBuildExtensionsPath)\Key.pfx
  4. Check-in your changes
  5. Queue a build

Verifying Team Build output

To check that Team Build has correctly strongly named your assemblies, you can use the sn.exe utility to verify the strong name signature.

  1. Open a Visual Studio Command Prompt
  2. Type: sn.exe -vf assemblyname.dll

You can also verify all your assemblies at the same time:

  1. Open a Visual Studio Command Prompt
  2. Type: FOR %a IN (*.dll) DO sn.exe -vf %a
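The verification steps above can be turned into a gate that fails the build when an assembly is still delay-signed or when a developer-only `sn -Vr` skip entry exists on the build server. This is an added example, not part of the original answer or the blog post it quotes. It assumes sn.exe is on PATH and exits non-zero when verification fails; `$DropFolder` is a hypothetical parameter naming the build output folder.

```powershell
# Added example: post-build strong-name gate for a Team Build drop folder.
# Assumptions: sn.exe is on PATH (Visual Studio / Windows SDK command prompt) and
# returns a non-zero exit code on failure; $DropFolder is a hypothetical parameter.
param(
    [Parameter(Mandatory = $true)][string]$DropFolder
)

$failed = @()
foreach ($dll in Get-ChildItem -Path $DropFolder -Filter *.dll -Recurse) {
    # -vf forces verification even if a skip entry (sn -Vr) is registered, so a
    # delay-signed assembly fails here. -q must come first and suppresses banners.
    # Unsigned third-party or native DLLs in the folder are reported as failures too.
    & sn.exe -q -vf $dll.FullName | Out-Null
    if ($LASTEXITCODE -ne 0) { $failed += $dll.FullName }
}

# Skip entries created with "sn -Vr" belong on developer workstations only.
# sn.exe records them under this key; 32-bit sn.exe on 64-bit Windows uses Wow6432Node.
$skipKeys = @(
    'HKLM:\SOFTWARE\Microsoft\StrongName\Verification',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\StrongName\Verification'
)
$skips = foreach ($key in $skipKeys) {
    if (Test-Path $key) {
        Get-ChildItem $key | ForEach-Object { $_.PSChildName }
    }
}

if ($failed) { Write-Warning ("Strong-name verification failed:`n" + ($failed -join "`n")) }
if ($skips)  { Write-Warning ("Verification skip entries registered: " + ($skips -join '; ')) }
if ($failed -or $skips) { exit 1 }

Write-Output 'All assemblies verified with sn -vf; no verification skip entries registered.'
```

Run it as the last step of the build, under the build service account, so that a non-zero exit code marks the build as failed.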
