Simon Kocurek

Reputation: 2166

Signing executables fails inside Docker container

I am trying to sign .exe and .dll files inside a GitLab pipeline with a docker-windows setup, using the docker image:
mcr.microsoft.com/dotnet/framework/sdk:4.8-windowsservercore-ltsc2019

I try to call these commands:
> sn.exe -R myfile.exe myKey.snk
> signtool.exe sign /v /f myCert.p12 /p myPassword /fd sha256 /tr "http://sha256timestamp.ws.symantec.com/sha256/timestamp" /td sha256 myFile.exe

When doing it locally on my machine, the files get successfully signed:

> sn.exe -R myfile.exe myKey.snk
Microsoft (R) .NET Framework Strong Name Utility  Version 4.0.30319.0
Copyright (c) Microsoft Corporation.  All rights reserved.

Assembly 'myFile.exe' successfully re-signed
> signtool.exe sign /v /f myCert.p12 /p myPassword /fd sha256 /tr "http://sha256timestamp.ws.symantec.com/sha256/timestamp" /td sha256 myFile.exe
The following certificate was selected:
    Issued to: someone
    Issued by: some-private-ca
    Expires:   Fri Aug 28 09:40:11 2020
    SHA1 hash: hash

Done Adding Additional Store
Successfully signed: myFile.exe

Number of files successfully Signed: 1
Number of warnings: 0
Number of errors: 0

However, using Gitlab pipeline both Strong Name Tool (sn.exe) and signtool.exe fail:

> sn.exe -R myfile.exe myKey.snk
Microsoft (R) .NET Framework Strong Name Utility  Version 4.0.30319.0
Copyright (c) Microsoft Corporation.  All rights reserved.
Failed to re-sign the assembly -- Error code: 80131701
> signtool.exe sign /v /f myCert.p12 /p myPassword /fd sha256 /tr "http://sha256timestamp.ws.symantec.com/sha256/timestamp" /td sha256 myFile.exe
The following certificate was selected:
Done Adding Additional Store

I was not able to find out what error code 80131701 refers to.
In some cases, people got this error code from a System.Runtime.InteropServices.COMException (0x80131701).

Could this be caused by some certificate missing inside docker image, that is present on my computer?

Upvotes: 0

Views: 1782

Answers (1)

Simon Kocurek

Reputation: 2166

To fix the sn command, I had to replace the local sn.exe file with C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools\sn.exe (the path contains spaces, so it has to be quoted and invoked with the call operator in PowerShell):

> & "C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools\sn.exe" -R myfile.exe myKey.snk

To fix the signtool command, it was necessary to import the certificate into the docker container (the base64-encoded PFX is assumed here to arrive in a CI variable, named $env:MYCERT_P12_BASE64 for illustration; the original post wrote the bare name myCert.p12 at that spot):

> $pfxBase64 = $env:MYCERT_P12_BASE64   # assumed CI variable holding the base64-encoded PFX
> Set-Content myCert.pfx -Encoding Byte -Value ([System.Convert]::FromBase64String($pfxBase64))
> $password = ConvertTo-SecureString -String 'myPassword' -AsPlainText -Force
> Import-PfxCertificate -FilePath myCert.pfx -Password $password -CertStoreLocation Cert:\LocalMachine\Root
> $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
> $cert.Import((Resolve-Path myCert.pfx).Path, 'myPassword', 'DefaultKeySet')   # .Import resolves relative paths against the process directory, so pass the full path
> Set-AuthenticodeSignature -Certificate $cert -TimestampServer http://sha256timestamp.ws.symantec.com/sha256/timestamp -FilePath myFile.exe -HashAlgorithm SHA256

Upvotes: 0
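The procedure from the answer (decode the PFX from a CI variable, strong-name re-sign with the SDK sn.exe, Authenticode-sign with a timestamp) as one job step that also verifies both signatures and cleans up the key material. This is an added example, not the answer's own script: the CI variable names CODESIGN_PFX_BASE64 and CODESIGN_PFX_PASSWORD and the function names are assumptions; the sn.exe path and timestamp URL are the ones the answer uses. It loads the certificate object straight from the PFX file rather than importing it into Cert:\LocalMachine\Root, because Set-AuthenticodeSignature only needs the certificate object.

```powershell
# Added example (not the answer's own script). Assumed CI variables:
# CODESIGN_PFX_BASE64 (base64-encoded PFX) and CODESIGN_PFX_PASSWORD.
# Targets Windows PowerShell 5.1 as shipped in the 4.8 SDK container.
$ErrorActionPreference = 'Stop'

$SnExe        = 'C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools\sn.exe'
$TimestampUrl = 'http://sha256timestamp.ws.symantec.com/sha256/timestamp'

function Invoke-StrongNameSign {
    param([string]$Assembly, [string]$SnkPath)
    & $SnExe -R $Assembly $SnkPath
    if ($LASTEXITCODE -ne 0) { throw "sn.exe -R failed for $Assembly (exit $LASTEXITCODE)" }
    # -vf forces strong-name verification even if it is disabled for this assembly
    & $SnExe -vf $Assembly
    if ($LASTEXITCODE -ne 0) { throw "Strong-name verification failed for $Assembly" }
}

function Invoke-AuthenticodeSign {
    param([string[]]$Files, [string]$PfxBase64, [string]$PfxPassword)

    # Materialise the PFX only for this step and delete it afterwards.
    $pfxPath = Join-Path $env:TEMP ("codesign-{0}.pfx" -f [guid]::NewGuid())
    [System.IO.File]::WriteAllBytes($pfxPath, [System.Convert]::FromBase64String($PfxBase64))
    $cert = $null
    try {
        # Load certificate and private key from the file; no store import needed.
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(
            $pfxPath, $PfxPassword, 'DefaultKeySet')
        if (-not $cert.HasPrivateKey) { throw 'PFX contains no private key' }
        if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($cert.NotAfter)" }

        foreach ($file in $Files) {
            $sig = Set-AuthenticodeSignature -FilePath $file -Certificate $cert `
                -HashAlgorithm SHA256 -TimestampServer $TimestampUrl
            # The returned Status reflects chain trust on this host. With a private CA it
            # is 'Valid' only if that CA is trusted here, which is what the answer's
            # Import-PfxCertificate into Cert:\LocalMachine\Root is aiming for.
            if ($sig.Status -ne 'Valid') {
                throw "Signing $file failed: $($sig.Status) - $($sig.StatusMessage)"
            }
            # Re-read the signature from disk and check signer and timestamp.
            $check = Get-AuthenticodeSignature -FilePath $file
            if ($check.SignerCertificate.Thumbprint -ne $cert.Thumbprint) {
                throw "$file is not signed by the expected certificate"
            }
            if (-not $check.TimeStamperCertificate) {
                throw "$file has no timestamp; its signature would stop validating once the certificate expires"
            }
        }
    }
    finally {
        if ($cert) { $cert.Dispose() }
        Remove-Item $pfxPath -Force -ErrorAction SilentlyContinue
    }
}

# Usage in the pipeline step:
Invoke-StrongNameSign -Assembly 'myFile.exe' -SnkPath 'myKey.snk'
Invoke-AuthenticodeSign -Files @('myFile.exe') `
    -PfxBase64 $env:CODESIGN_PFX_BASE64 -PfxPassword $env:CODESIGN_PFX_PASSWORD
```

Keeping the PFX and its password in masked CI variables and writing the file only inside a try/finally means the private key never persists in the image layer or in the job's working directory, and the explicit Get-AuthenticodeSignature check catches the case where signing "succeeds" but the file carries a different signer or no timestamp.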
