12

I am trying to build a ClickOnce Windows Forms project (.NET 3.5 / Visual Studio 2010) on a Windows Server computer. (In an effort to automate the build process with Hudson CI.)

For signing the ClickOnce manifest I created a temporary key in Visual Studio, temp.pfx. I can successfully build and deploy the project from Visual Studio on my workstation. But when running MSBuild on the server I get the following error messages:

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Common.targets(1970,9): error MSB3326: Cannot import the following key file: . The key file may be password protected. To correct this, try to import the certificate again or import the certificate manually into the current user's personal certificate store. [C:.hudson\jobs[...].csproj]

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Common.targets(1970,9): error MSB3321: Importing key file "temp.pfx" was canceled. [C:.hudson\jobs[...].csproj]

I tried all of the following questions and answers without luck:

  • Stack Overflow question Cannot import the keyfile 'blah.pfx' - error 'The keyfile may be password protected'

    => In my case, the error message does not indicate a name of a certificate store but says "the current user's personal certificate store" instead.

    => Even when trying the accepted answer with "Personal" as the container name (sn -i temp.pfx personal), it fails to parse the key:

    Failed to parse the PKCS#12 blob in ALiS_TemporaryKey.pfx -- An internal error occurred.

  • Stack Overflow question Using MSBuild to sign ClickOnce or assembly results in error MSB3321

    => I tried the accepted answer, but the key file cannot be imported because "Either the user profile is not accessible or the private key that you are importing might require a cryptographic service provider that is not installed on your system"

    => The same happens if I try to import the file by double-clicking it in Windows Explorer (RobinDotNet's suggestion)

  • Stack Overflow question Signing assemblies with PFX files in MSBuild, Team Build, and TFS

    => The OP of that question was unsuccessful with the above two answers, too, but unfortunately not even the answers that he got would help me:

    Log in as the user that runs MSBuild on the build machine, manually invoke MSBuild, and then type in the password when prompted.

    => I logged in and ran msbuild myproject.sln but it would not even prompt me for the password.

    What finally fixed it for me was making the account under which TFS Build service runs an administrator on the local machine.

    => The account that runs Hudson (more precisely: Tomcat) already is a local administrator. I tried to run MSBuild from a "Run As Administrator" command line even and would get the same error messages still.


Update: I tried to open the solution in Visual Studio on the same server and build it. I get the same error. When I try to re-import the PFX file in the project properties' Signing tab, it tells me "invalid password". If I try to import the very same file in the very same solution in Visual Studio on my workstation and provide the very same password, it is accepted.

Update 2: If I take an old temporary key which I had generated with Visual Studio 2008, it can be successfully imported in the certificate store of our server; any temporary keys I newly create with Visual Studio 2010 cannot be imported.

Update 3: I was able to create a new "temporary key" in Visual Studio on the server and use it both on the server as well as on my workstation for signing the ClickOnce manifest. I only cannot make up a reasonable explanation for it - both computers are 64-bit, and I am using Visual Studio 2010 on both. Both have the v3.5 and v4 (4.0.30319) .NET framework installed. My workstation is a Windows 7 Professional, and the server is a Windows Server 2008 R2 Standard.

Community
chiccodoro

4 Answers

8

Copy the PFX file over to the machine you are doing the builds on. Double-click on it, and install it in the certificate manager on the machine. Be sure you are logged into the account used to do the builds.

Other suggestions/questions: Do you have the right version of .NET installed on the machine? Do you have privileges to write to the certificate store on that machine?

If you open the Visual Studio project, go to the project properties and try to create a new certificate, does it work? It should create a PFX file and add it to the project. And can you see it in the certificate store (menu Start/certmgr.msc)?

Peter Mortensen
RobinDotNet
  • That results in the same as the second approach I mentioned :-( – chiccodoro Jul 05 '12 at 07:30
  • To be honest, I don't know what "Hudson" is. Do you have the right version of .NET installed on the machine? Also, do you have privileges to write to the certificate store on that machine? If you open visual studio project and go to the project properties and try to create a new certificate, does it work? It should create a pfx file and add it to the project. And can you see it in the cert store? (start/certmgr.msc) – RobinDotNet Jul 09 '12 at 04:40
  • I have rephrased the question such as to make Hudson only a detail in a side-note. – chiccodoro Jul 10 '12 at 13:42
  • As for your suggestion: **I tried that, and it worked!** Then I copied it over to my own workstation, and was able to use it for signing there, too. Would just be interesting to know what the significant difference is - both are 64bit machines with VS 2010. One is Windows Server... Have updated my question accordingly. – chiccodoro Jul 10 '12 at 13:44
  • 2
    Well, this is what I know. We have several ClickOnce projects signed with a code signing certificate. Every year when the certificate expires, our autobuilds in TFS fail. We have to log into the server under the account that does the autobuilds and import the PFX file. It has to be in the user's cert store. Otherwise, when it does the build, it tries to prompt for the password, which doesn't work for obvious reasons. I've never tried putting it in the machine store, but you could try that. Post back and I'll provide instructions if you need them. – RobinDotNet Jul 12 '12 at 17:12
  • BTW - while you're speaking of "autobuilds in TFS" - you were asking what Hudson is. It is basically something similar. A server application that automatically builds your code when you commit changes. – chiccodoro Jul 13 '12 at 14:16
  • BTW II: You may want to incorporate your suggestion from the comment in your answer to make it more visible. – chiccodoro Jul 13 '12 at 14:17
  • What if you don't have access to the machine? In my case it's a TFS online hosted service. Any way to sign it then? – Poul K. Sørensen Dec 15 '13 at 01:26
  • What if you are using VisualStudioOnline? You can't log into the build server as it's a hosted solution. – The Muffin Man May 24 '14 at 23:59
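The answer and comments above come down to getting the signing certificate, with its private key, into the personal store of the account that runs the build, and noticing when it expires. The following PowerShell is an added example, not code from the thread: it opens the PFX as the current user, imports it into `CurrentUser\My` if it is missing, and reports whether it is usable for signing. The default path `.\temp.pfx` and the interactive password prompt are assumptions; run it in a session logged in as the build account.

```powershell
# Added example: run as the account that runs MSBuild (assumed path, prompted password).
param(
    [string]$PfxPath = '.\temp.pfx'
)

$flags    = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]
$password = Read-Host -AsSecureString -Prompt "Password for $PfxPath (press Enter if none)"

try {
    # Opening the file as this user surfaces a wrong password or an
    # unavailable key provider before MSBuild ever runs.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
        -ArgumentList (Resolve-Path $PfxPath).Path, $password,
                      ($flags::UserKeySet -bor $flags::PersistKeySet)
} catch {
    Write-Error "Cannot open $PfxPath as $env:USERNAME : $($_.Exception.Message)"
    exit 1
}

# "My" is the current user's Personal store named in the MSB3326 message.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'CurrentUser')
$store.Open('ReadWrite')
try {
    $match = $store.Certificates | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
    if (-not $match) {
        $store.Add($cert)   # PersistKeySet keeps the private key after this process exits
        $match = $store.Certificates | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
        Write-Host "Imported certificate into CurrentUser\My"
    }
} finally {
    $store.Close()
}

$match | Select-Object Subject, Thumbprint, NotAfter, HasPrivateKey | Format-List

# Fail the check if the build would have nothing to sign with.
if (-not $match.HasPrivateKey) {
    Write-Error "Certificate is in the store but has no private key for $env:USERNAME"
    exit 2
}
if ($match.NotAfter -lt (Get-Date)) {
    Write-Error "Certificate expired on $($match.NotAfter)"
    exit 3
}
Write-Host "Certificate is present, has a private key, and is within its validity period."
```

A non-zero exit code makes the script usable as a pre-build step, so an expired or missing certificate fails early with a clear message instead of an MSB3326/MSB3321 error.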
0

I found that if you create a temporary.pfx file and leave the password EMPTY then it will work fine on the build machine. I didn't realize that you could leave it empty and the first time it failed as for OP. Created a second temp.pfx with no password and it built on the build server for me.

clee2005
0

I had totally the same issue, and fixed it by installing Windows SDK 7.1 for .NET 4.0 on the build machine. P.S. At first we installed SDK 8.0A, and the build was working fine except for signing. It seems 7.1 updates some components in the system, so the PFX begins to work.

Vladimir Perevalov
-1

I had the same problem; I couldn't import on the TFS machine. It turns out I had to export it on the developer machine (project properties, signing page, click on more details), in more details -> details tab, and then just export with a password. Copy that exported file to TFS and use the same password: done.