Tool cannot sign wildcard paths #12

Closed
timheuer opened this issue May 2, 2019 · 10 comments

@timheuer
Contributor

timheuer commented May 2, 2019

For some reason when run within an Azure DevOps release task it is not working, erroring out on saying KeyVault URL not specified.

As you can see from the log it is specified (also tried -kvu) but still erroring on that step:

2019-05-02T18:02:54.3830516Z nugetkeyvaultsigntool sign D:\a\r1\a\_Alexa.NET-master\drop\*.nupkg -file-digest sha256 -timestamp-rfc3161 "http://timestamp.digicert.com" --timestamp-digest sha256 --azure-key-vault-url "REMOVED_FOR_THIS_ISSUE_POST" --azure-key-vault-client-id "***" --azure-key-vault-client-secret "***" --azure-key-vault-certificate "***"
2019-05-02T18:03:00.1332781Z fail: NuGetKeyVaultSignTool.Program[0]
2019-05-02T18:03:00.1333613Z       Key Vault URL not specified
@clairernovotny
Collaborator

Looks like -file-digest is missing a dash up front --file-digest. Same with -timestamp-rfc3161, needs two dashes to use the long version. If you fix that, does it help?

@timheuer
Contributor Author

timheuer commented May 2, 2019

Weird, that same failure of leading '-' wasn't a problem locally...but I changed it and still failing in the task, but now the log shows me nothing...just runs with
Waiting for console output from an agent...
for about 1.5 minutes and then fails:

2019-05-02T20:14:50.1505601Z Unhandled Exception: System.AggregateException: One or more errors occurred. (Operation returned an invalid status code 'InternalServerError') ---> Microsoft.Azure.KeyVault.Models.KeyVaultErrorException: Operation returned an invalid status code 'InternalServerError'
2019-05-02T20:14:50.1507204Z    at Microsoft.Azure.KeyVault.KeyVaultClient.GetCertificateWithHttpMessagesAsync(String vaultBaseUrl, String certificateName, String certificateVersion, Dictionary`2 customHeaders, CancellationToken cancellationToken)
2019-05-02T20:14:50.1507285Z    at Microsoft.Azure.KeyVault.KeyVaultClientExtensions.GetCertificateAsync(IKeyVaultClient operations, String vaultBaseUrl, String certificateName, CancellationToken cancellationToken)
2019-05-02T20:14:50.1507397Z    at NuGetKeyVaultSignTool.SignCommand.SignAsync(String packagePath, String outputPath, String timestampUrl, HashAlgorithmName signatureHashAlgorithm, HashAlgorithmName timestampHashAlgorithm, SignatureType signatureType, Boolean overwrite, String keyVaultCertificateName, String keyVaultUrl, String keyVaultClientId, String keyVaultClientSecret, String keyVaultAccessToken) in D:\a\1\s\NuGetKeyVaultSignTool.Core\SignCommand.cs:line 66
2019-05-02T20:14:50.1507500Z    at NuGetKeyVaultSignTool.Program.<>c__DisplayClass0_1.<<Main>b__3>d.MoveNext() in D:\a\1\s\NuGetKeyVaultSignTool\Program.cs:line 91
2019-05-02T20:14:50.1507722Z    --- End of inner exception stack trace ---
2019-05-02T20:14:50.1507784Z    at System.Threading.Tasks.Task`1.GetResultCore(Boolean waitCompletionNotification)
2019-05-02T20:14:50.1507855Z    at Microsoft.Extensions.CommandLineUtils.CommandLineApplication.Execute(String[] args)
2019-05-02T20:14:50.1507912Z    at NuGetKeyVaultSignTool.Program.Main(String[] args) in D:\a\1\s\NuGetKeyVaultSignTool\Program.cs:line 155
2019-05-02T20:14:55.5888013Z ##[debug]Exit code: -532462766
2019-05-02T20:14:55.5929338Z ##[debug]Leaving Invoke-VstsTool.
2019-05-02T20:14:55.6456593Z ##[error]Cmd.exe exited with code '-532462766'.

@clairernovotny
Collaborator

It could definitely use a better error message, but does the service principal have the right ACL in Key Vault?

It needs certificate get and key get & sign.

@timheuer
Contributor Author

timheuer commented May 2, 2019

Yes, when run locally:

info: NuGetKeyVaultSignTool.Program[0]
      SignAsync [Alexa.NET.1.6.1.nupkg]: Begin Signing Alexa.NET\bin\Debug\Alexa.NET.1.6.1.nupkg
info: NuGetKeyVaultSignTool.Program[0]
      NuGet [Alexa.NET.1.6.1.nupkg]: CreatePrimarySignatureAsync: Creating Primary signature
info: NuGetKeyVaultSignTool.Program[0]
      NuGet [Alexa.NET.1.6.1.nupkg]: CreatePrimarySignatureAsync: Primary signature completed
info: NuGetKeyVaultSignTool.Program[0]
      NuGet [Alexa.NET.1.6.1.nupkg]: CreatePrimarySignatureAsync: Timestamp primary signature
info: NuGetKeyVaultSignTool.Program[0]
      NuGet [Alexa.NET.1.6.1.nupkg]: CreatePrimarySignatureAsync: Timestamp completed
info: NuGetKeyVaultSignTool.Program[0]
      SignAsync [Alexa.NET.1.6.1.nupkg]: End Signing Alexa.NET\bin\Debug\Alexa.NET.1.6.1.nupkg

@clairernovotny
Collaborator

That's very odd.... could it be a long shot that something underlying the current Azure outage is interfering?

@timheuer
Contributor Author

timheuer commented May 2, 2019

I've been trying all morning, but I'll wait to make sure :-)

@clairernovotny
Collaborator

I'm a bit at a loss why it'd work locally and not via a pipeline. Might need to rope in an expert or two :)

@timheuer
Contributor Author

timheuer commented May 2, 2019

Hmm, looks like the core issue is that your tool cannot execute a sign command on *.pkg path (like the nuget sign command can)

@clairernovotny
Collaborator

Ah, that'd do it. I was avoiding the "hard work" of path expansion. If you know of an easy way to handle those expansions, I can incorporate that.
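
A pipeline-side workaround for the limitation identified above, as an added example that is not part of the original thread or the project's code: expand the wildcard in PowerShell and sign each package separately, failing the step if nothing matches or any signing call returns a non-zero exit code. The environment variable names (`DROP_DIR`, `KV_URL`, `KV_CLIENT_ID`, `KV_CLIENT_SECRET`, `KV_CERT_NAME`) are hypothetical; the command and flags are the ones shown in the issue.

```powershell
# Added example: expand the wildcard in the calling script, then sign
# each package individually instead of passing "*.nupkg" to the tool.
# Assumption: DROP_DIR and the KV_* names are hypothetical pipeline
# variables mapped into the step's environment.
$ErrorActionPreference = 'Stop'

$dropDir  = $env:DROP_DIR
$packages = @(Get-ChildItem -Path $dropDir -Filter '*.nupkg' -File)

# Fail closed: an empty match must break the release rather than let
# unsigned packages continue to the publish step.
if ($packages.Count -eq 0) {
    throw "No .nupkg files found in '$dropDir'; nothing was signed."
}

foreach ($pkg in $packages) {
    Write-Host "Signing $($pkg.Name)"

    & nugetkeyvaultsigntool sign $pkg.FullName `
        --file-digest sha256 `
        --timestamp-rfc3161 'http://timestamp.digicert.com' `
        --timestamp-digest sha256 `
        --azure-key-vault-url $env:KV_URL `
        --azure-key-vault-client-id $env:KV_CLIENT_ID `
        --azure-key-vault-client-secret $env:KV_CLIENT_SECRET `
        --azure-key-vault-certificate $env:KV_CERT_NAME

    # Native executables do not raise PowerShell errors on failure,
    # so check the exit code after every package.
    if ($LASTEXITCODE -ne 0) {
        throw "Signing failed for $($pkg.Name) (exit code $LASTEXITCODE)."
    }
}

Write-Host "Signed $($packages.Count) package(s)."
```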

@timheuer changed the title from "Tool not working in Azure DevOps" to "Tool cannot sign wildcard paths" on May 3, 2019
@timheuer
Contributor Author

timheuer commented May 3, 2019

clairernovotny pushed a commit that referenced this issue May 3, 2019
Fixes #12 by using NuGet LocalFolderUtility to parse out wildcard inp…