具有受密码保护的代码签名的Team Foundation Server Build失败 [英] Team Foundation Server Build with password protected codesigning fails

问题描述

我想在TFS 2008上设置一个持续集成构建。在项目中，我想要构建一个用于签名的密钥。此密钥使用密码。我不能得到它构建，因为在构建期间TFS想显示一个对话框，不能显示。我想我需要在服务器上手动构建项目，但只有TFS explorer和构建部件安装在服务器上。关于如何让我的项目正确建立的任何建议？

这是TFS给出的错误：

C：\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft.Common.targets（1805,7）：
错误MSB4018：ResolveKeySource
任务意外失败。
System.InvalidOperationException：
当应用程序未在
中运行时，显示模态对话框或
形式UserInteractive模式不是有效的
操作。指定
ServiceNotification或
DefaultDesktopOnly样式以显示来自服务
应用程序的
通知。
System.Windows.Forms.Form.ShowDialog（IWin32Window
owner）at
System.Windows.Forms.Form.ShowDialog（）
at
Microsoft.Build .Tasks.ResolveKeySource.ResolveAssemblyKey（）
at
Microsoft.Build.Tasks.ResolveKeySource.Execute（）

解决方案

此博客以下详细确切步骤

设置密钥文件 >

使用Visual Studio的签名选项卡在项目属性中创建受密码保护的私钥/公钥对（KeyPair.pfx）
从密钥中提取公钥并将其复制到单独的文件（Key.snk）
sn.exe -p KeyPair.pfx Key.snk

将KeyPair.pfx复制到您的构建服务器。我使用C：\Program Files \MSBuild\KeyFile.pfx，因为它可以通过$（MSBuildExtensionsPath）MSBuild属性访问。
将KeyPair.pfx文件移到安全的位置。安全位置。保持密码也是秘密。
将Key.snk复制到共享位置，您的开发人员可以访问它。
设置项目签名

对于您要签名的每个程序集：

1. 打开项目属性|签署页


2. 选择[X]签署装配体复选框。


3. 选择[X] $ b
4. 从密钥文件下拉列表中选择


5. 浏览到共享位置并选择Key.snk文件


6. snk文件将


7. 将您的项目中的密钥文件复制到解决方案项目，以便您可以将其用于测试运行配置

设置测试运行配置重新签名

打开LocalTestRun.testrunco​​nfig文件$ b。打开LocalTestRun.testrun配置文件。 $ b在代码覆盖率选项卡上，选择密钥作为重新签名密钥文件

禁用Developer Workstations的强名称验证 p>

由于您只使用公钥进行延迟签名，因此.NET CLR程序集验证将在本地构建的程序集中失败。当验证失败时，您将无法运行或调试程序集。

为了克服这个问题，您需要禁用程序集的强名称验证使用您的公开密钥构建本地和延迟签名。

打开Visual Studio命令提示符
类型：
exe -tp Key.snk

这将输出一些数据，包括令牌。

类型：
sn -Vr *，YOUR_KEY_TOKEN

示例： sn -Vr *，0123456789abcdef

这将禁用使用您的公钥签名的所有程序集的强名称验证。
您可以使用以下方式列出强名称验证的当前设置：
sn -V1

安装Team Build的私钥

由于私钥（Key.pfx）受密码保护 - Team Build无法访问它。感谢 Nagaraju Palla的博客：在Team Build中使用密码保护的签名密钥，我们有一个解决方案。

以Build服务帐户登录Team Build服务器
在Visual Studio中打开项目
在Visual Studio中构建项目
将提示您输入私钥文件的密码。
输入密码
关闭Visual Studio&注销
私钥文件现在安装在构建服务帐户的本地证书存储中，Team Build可以访问它，而不再提示输入密码。此证书存储与构建服务帐户的密码一样安全。 （提示：使其与密钥文件的密码一样强）

更新TFSBuild.proj构建脚本

Team Build可以访问私钥文件和密码。

要覆盖项目设置并指示Team Build使用私钥文件并禁用部分签名，我们需要设置TFSBuild.proj中的CustomPropertiesForBuild属性

签出您的TFSBuild.proj构建脚本
搜索占位符属性（默认情况下靠近第130行）
将它替换为以下：

SignAssembly = true; DelaySign = false; AssemblyOriginatorKeyFile = $（MSBuildExtensionsPath）\Key.pfx

签入您的更改
Queue a build
验证Team Build输出

要检查Team Build是否正确强烈命名了程序集，您可以使用sn.exe实用程序验证强名称签名。

打开Visual Studio命令提示符
类型：
sn.exe -vf assemblyname.dll

您还可以同时验证所有程序集：

打开Visual Studio命令提示符
类型：
FOR％a IN（* .dll）DO sn.exe -vf％a

I'm trying to setup a continuous integration build on TFS 2008. In the project I want to build I use a key for signing. This key uses a password. I can't get it to build, because during the build TFS wants to show a dialog which can't be shown. I think I need to build the project by hand on the server, but only the TFS explorer and build parts are installed on the server. Any suggestions on how to get my project to build properly?

This is the error given by TFS:

C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft.Common.targets(1805,7): error MSB4018: The "ResolveKeySource" task failed unexpectedly. System.InvalidOperationException: Showing a modal dialog box or form when the application is not running in UserInteractive mode is not a valid operation. Specify the ServiceNotification or DefaultDesktopOnly style to display a notification from a service application. at System.Windows.Forms.Form.ShowDialog(IWin32Window owner) at System.Windows.Forms.Form.ShowDialog() at Microsoft.Build.Tasks.ResolveKeySource.ResolveAssemblyKey() at Microsoft.Build.Tasks.ResolveKeySource.Execute()

解决方案

This blog post below details the exact steps

Setup Key Files

Create a password-protected private/public key pair (KeyPair.pfx) using the Visual Studio "Signing" tab within a project’s properties Extract the public key from the key pair and copy it to a separate file (Key.snk) sn.exe -p KeyPair.pfx Key.snk

Copy the KeyPair.pfx to your build server. I use C:\Program Files\MSBuild\KeyFile.pfx, because it can then be accessed by the $(MSBuildExtensionsPath) MSBuild property. Move the KeyPair.pfx file to a safe & secure location. Keep the password secret as well. Copy the Key.snk to a shared location where your developers can access it. Setup Projects for Signing

For each assembly that you want to sign:

1. Open the Project Properties | Signing page
2. Select the [X] Sign the assembly checkbox.
3. Select the [X] Delay sign only checkbox.
4. Select from the key file dropdown.
5. Browse to the shared location and select the Key.snk file
6. The snk file will be copied to each project directory that you assign it to
7. Copy the key file from one of your projects into Solution Items so that you can use it for the test run configuration

Setup Test Run Configuration for Re-Signing

If you want to instrument your assemblies and enable Code Coverage for your unit tests, then you need to specify a key file for re-signing.

Open the LocalTestRun.testrunconfig file On the Code Coverage tab, select the key as the Re-Signing key file

Disable Strong-Name Verification on Developer Workstations

Since you are delay-signing with only the public key, .NET CLR assembly verification will fail with assemblies built locally. When the verification fails you won’t be able to run or debug the assemblies.

To overcome this in development, you need to disable strong-name verification for assemblies that you build locally and delay-sign with your public key.

Open a Visual Studio Command Prompt Type: sn.exe -tp Key.snk

This will output some data including the token.

Type: sn -Vr *,YOUR_KEY_TOKEN

example: sn -Vr *,0123456789abcdef

This will disable strong name verification for all assemblies signed with your public key. You can list current settings for strong name verification with: sn -Vl

Installing the Private Key for Team Build

Since the private key (Key.pfx) is password protected – Team Build cannot access it. Thanks to Nagaraju Palla’s Blog: Using Password Protected Signing Keys in Team Build, we have a solution.

Logon to the Team Build server as the build service account Open the project in Visual Studio Build the project in Visual Studio You will be prompted for the password to the private key file. Enter the password Close Visual Studio & Log off The private key file is now installed in the build service account’s local certificate store and Team Build can access it without prompting for the password again. This certificate store is as secure as the build service account’s password. (Hint: Make it just as strong as your keyfile’s password)

Updating TFSBuild.proj Build Script

Team Build has access to the private keyfile and password. This allows it to fully-sign the assemblies.

To override the project settings and instruct Team Build to use the private keyfile and disable partial-signing, we need to set the CustomPropertiesForBuild property in TFSBuild.proj

Check-out your TFSBuild.proj build script Search for the placeholder property (near line 130 by default) Replace it with the following: SignAssembly=true;DelaySign=false;AssemblyOriginatorKeyFile=$(MSBuildExtensionsPath)\Key.pfx Check-in your changes Queue a build Verifying Team Build output

To check that Team Build has correctly strongly named your assemblies, you can use the sn.exe utility to verify the strong name signature.

Open a Visual Studio Command Prompt Type: sn.exe -vf assemblyname.dll

You can also verify all your assemblies at the same time:

Open a Visual Studio Command Prompt Type: FOR %a IN (*.dll) DO sn.exe -vf %a

这篇关于具有受密码保护的代码签名的Team Foundation Server Build失败的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！