I'm having trouble signing a .NET Standard 2.0 assembly using the Set-Authenticode
powershell function as part of an Azure DevOps pipeline. I have written a little bit of powershell to go through assembles in a directory and apply signatures to each DLL in the folder:
$project = "${{ parameters.projects }}"; # todo: what about multi-line values here
$folderPath = [System.IO.Directory]::GetParent($project)
$files = Get-ChildItem -Path $folderPath -Filter "*.dll" -Recurse
$securePassword = ConvertTo-SecureString $(CertificatePassword) -AsPlainText -Force
$certificate = Get-PfxCertificate -FilePath $(CodeSignCertificate.secureFilePath) -NoPromptForPassword -Password $securePassword
foreach($file in $files) {
Write-Host "Setting Authenticode Signature for $file"
$result = Set-AuthenticodeSignature -FilePath $file -Certificate $certificate -Force -HashAlgorithm SHA256 -IncludeChain All -TimestampServer "http://tsa.starfieldtech.com"
if ($result.Status.ToString().Contains("Error")) { Write-Error $result.StatusMessage }
else {
Write-Host $result.Status.ToString()
Write-Host $result.StatusMessage.ToString()
}
}
The process appears to complete successfully, each DLL that is signed outputs the following message, as per the three Write-Host
lines in my script:
Setting Authenticode Signature for D:\a\1\s\...\SomeAssembly.dll
Valid
Signature verified.
Now, the problem becomes apparent when inspecting the DLL that is produced at the end of the build using the Nuget Package Explorer. I see the following error: "The file is signed, however the signed hash does not match the computed hash". This is seen here in this screenshot (the error appears as a tooltip when hovering over the red error icon).
I have also tried:
Running this locally with a self-signed certificate, which appears to work fine.
Running the build on an older build agent- in this case the signing process fails during the build with the error "Get-PfxCertificate : The specified network password is not correct".
Using signtool.exe. This produces the same error.
I've certainly run out of ideas now. What could I be missing?