chiccodoro

Reputation: 14716

MSBuild cannot sign a ClickOnce manifest using a temporary key (errors MSB3326 and MSB3321)

I am trying to build a ClickOnce Windows Forms project (.NET 3.5 / Visual Studio 2010) on a Windows Server computer. (In an effort to automate the build process with Hudson CI.)

For signing the ClickOnce manifest I created a temporary key in Visual Studio, temp.pfx. I can successfully build and deploy the project from Visual Studio on my workstation. But when running MSBuild on the server I get the following error messages:

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Common.targets(1970,9): error MSB3326: Cannot import the following key file: . The key file may be password protected. To correct this, try to import the certificate again or import the certificate manually into the current user's personal certificate store. [C:.hudson\jobs[...].csproj]

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Common.targets(1970,9): error MSB3321: Importing key file "temp.pfx" was canceled. [C:.hudson\jobs[...].csproj]

I tried all of the following questions and answers without luck:


Update: I tried to open the solution in Visual Studio on the same server and build it. I get the same error. When I try to re-import the PFX file in the project properties' Signing tab, it tells me "invalid password". If I try to import the very same file in the very same solution in Visual Studio on my workstation and provide the very same password, it is accepted.

Update 2: If I take an old temporary key which I had generated with Visual Studio 2008, it can be successfully imported in the certificate store of our server; any temporary keys I newly create with Visual Studio 2010 cannot be imported.

Update 3: I was able to create a new "temporary key" in Visual Studio on the server and use it both on the server and on my workstation for signing the ClickOnce manifest. I just cannot come up with a reasonable explanation for it - both computers are 64-bit, and I am using Visual Studio 2010 on both. Both have the v3.5 and v4 (4.0.30319) .NET framework installed. My workstation is a Windows 7 Professional, and the server is a Windows Server 2008 R2 Standard.

Upvotes: 12

Views: 11303

Answers (5)

Guido Leenders

Reputation: 4262

What solved the issue for me is to generate the key in RSA format:

Import-Module -Name C:\Windows\System32\WindowsPowerShell\v1.0\Modules\PKI\pki.psd1

$Certificate = New-SelfSignedCertificate -DNSName "acme.com" -CertStoreLocation Cert:\CurrentUser\My -Type CodeSigningCert -Subject "CN=Acme Corp, OU=TEMPORARY, O=Acme Corp, S=Gelderland, C=NL" -NotAfter (Get-Date).AddMonths(1) -KeyExportPolicy Exportable -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider"

$CertPassword = ConvertTo-SecureString -String 'secret' -Force -AsPlainText
 
$NewCertExportParameters = @{
    Cert = "Cert:\CurrentUser\My\$($Certificate.Thumbprint)"
    FilePath = "$env:USERPROFILE\Documents\name.pfx"
    Password = $CertPassword
}

Export-PfxCertificate @NewCertExportParameters | Out-Null

The -KeyExportPolicy Exportable -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" part is essential. Without it, an error occurs during import with sn into a container:

Failed to parse the PKCS#12 blob in sign-invantive.pfx -- Invalid provider type specified.

Upvotes: 0
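
A check to run on the build server under the build account, added here as an example and not part of the answer above: it loads the PFX with its password and reports whether the private key sits in a CryptoAPI (CSP) provider such as the one the -Provider argument selects. Test-PfxForSigning and the sample path are hypothetical names, and Windows PowerShell 5.1 on .NET Framework is assumed.

```powershell
# Added diagnostic example; not code from the answer above.
# Assumes Windows PowerShell 5.1 (.NET Framework). Test-PfxForSigning is a hypothetical name.
function Test-PfxForSigning {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [System.Security.SecureString] $Password
    )

    $report = [ordered]@{
        Path = $Path; PasswordAccepted = $false; HasPrivateKey = $false
        Subject = $null; NotAfter = $null; KeyType = $null; Provider = $null; Error = $null
    }
    $cert = $null
    try {
        $full = (Resolve-Path -LiteralPath $Path -ErrorAction Stop).ProviderPath
        # Throws CryptographicException if the password is wrong or the blob cannot be parsed.
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($full, $Password)
        $report.PasswordAccepted = $true
        $report.Subject       = $cert.Subject
        $report.NotAfter      = $cert.NotAfter
        $report.HasPrivateKey = $cert.HasPrivateKey

        if ($cert.HasPrivateKey) {
            # On .NET Framework this getter only understands CryptoAPI (CSP) keys; a key held
            # by a CNG key storage provider makes it throw "Invalid provider type specified".
            $key = $cert.PrivateKey
            $report.KeyType = $key.GetType().Name
            if ($key -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                $report.Provider = $key.CspKeyContainerInfo.ProviderName
            }
        }
    }
    catch {
        # Covers a missing file, a rejected password and an unsupported key provider.
        $report.Error = $_.Exception.GetBaseException().Message
    }
    finally {
        if ($cert) { $cert.Reset() }   # release the temporarily imported key material
    }
    [pscustomobject]$report
}

# Usage, run as the account that performs the build (path is a placeholder):
# Test-PfxForSigning -Path .\temp.pfx -Password (Read-Host -AsSecureString 'PFX password')
```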

Vladimir Perevalov

Reputation: 4159

I had exactly the same issue and fixed it by installing Windows SDK 7.1 for .NET 4.0 on the build machine. PS: At first we had installed SDK 8.0A, and the build was working fine except for signing. It seems 7.1 updates some components in the system, so the PFX begins to work.

Upvotes: 0

clee2005

Reputation: 187

I found that if you create a temporary.pfx file and leave the password EMPTY then it will work fine on the build machine. I didn't realize that you could leave it empty, and the first time it failed as it did for the OP. I created a second temp.pfx with no password and it built on the build server for me.

Upvotes: 0

CodeDigger

Reputation: 1

I had the same problem: I couldn't import on the TFS machine. It turns out I had to export it on the developer machine (project properties, Signing page, click on More Details) in More Details -> Details tab, and then just export with a password. Copy that exported file to TFS and use the same password: done.

Upvotes: -1

RobinDotNet

Reputation: 11877

Copy the PFX file over to the machine you are doing the builds on. Double-click on it, and install it in the certificate manager on the machine. Be sure you are logged into the account used to do the builds.

Other suggestions/questions: Do you have the right version of .NET installed on the machine? Do you have privileges to write to the certificate store on that machine?

If you open the Visual Studio project, go to the project properties and try to create a new certificate, does it work? It should create a PFX file and add it to the project. And can you see it in the certificate store (menu Start/certmgr.msc)?

Upvotes: 8
