Closed
Labels: Priority:0 (Work that we can't release without), area-azure-key-vault (Related to Azure Key Vault signing), bug, regression-from-last-release
Description
Describe the bug
When using version 0.9.1-beta.25157.1 I cannot sign my .dll files anymore.
I have been using 0.9.1-beta.24529.1 just fine to sign DLLs but when upgrading to the latest it now fails with various 403 and 404 errors.
Expected behavior
Sign files.
Actual behavior
Failure.
The trace output from attempting to sign a file
trce: Sign.SignatureProviders.KeyVault.KeyVaultService[0]
Fetching certificate from Azure Key Vault.
info: Azure.Core[1]
Request [87839bb1-0909-4c11-a891-270fc37d522a] GET https://redacted.vault.azure.net/certificates/redacted?api-version=7.5
Content-Type:application/json
Accept:application/json
x-ms-client-request-id:87839bb1-0909-4c11-a891-270fc37d522a
x-ms-return-client-request-id:true
User-Agent:azsdk-net-Security.KeyVault.Certificates/4.7.0 (.NET 8.0.14; Microsoft Windows 10.0.26100)
client assembly: Azure.Security.KeyVault.Certificates
warn: Azure.Core[8]
Error response [87839bb1-0909-4c11-a891-270fc37d522a] 401 Unauthorized (00.2s)
Cache-Control:no-cache
Pragma:no-cache
x-ms-keyvault-region:uksouth
x-ms-client-request-id:87839bb1-0909-4c11-a891-270fc37d522a
x-ms-request-id:5dbc929c-a46c-46ff-bbef-c725e8106b30
x-ms-keyvault-service-version:1.9.2203.1
x-ms-keyvault-network-info:conn_type=Ipv4;addr=213.48.232.118;act_addr_fam=InterNetwork;
X-Content-Type-Options:REDACTED
Strict-Transport-Security:REDACTED
WWW-Authenticate:Bearer authorization="https://login.microsoftonline.com/000000000-bb9e-455d-9159-ab0c33587278", resource="https://vault.azure.net"
Date:Thu, 13 Mar 2025 10:48:32 GMT
Content-Type:application/json; charset=utf-8
Expires:-1
Content-Length:97
info: Azure.Identity[1]
DefaultAzureCredential.GetToken invoked. Scopes: [ https://vault.azure.net/.default ] ParentRequestId: 87839bb1-0909-4c11-a891-270fc37d522a
info: Azure.Identity[1]
EnvironmentCredential.GetToken invoked. Scopes: [ https://vault.azure.net/.default ] ParentRequestId: 87839bb1-0909-4c11-a891-270fc37d522a
info: Azure.Identity[3]
EnvironmentCredential.GetToken was unable to retrieve an access token. Scopes: [ https://vault.azure.net/.default ] ParentRequestId: 87839bb1-0909-4c11-a891-270fc37d522a Exception: Azure.Identity.CredentialUnavailableException (0x80131500): EnvironmentCredential authentication unavailable. Environment variables are not fully configured. See the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/environmentcredential/troubleshoot
info: Azure.Identity[1]
WorkloadIdentityCredential.GetToken invoked. Scopes: [ https://vault.azure.net/.default ] ParentRequestId: 87839bb1-0909-4c11-a891-270fc37d522a
info: Azure.Identity[3]
WorkloadIdentityCredential.GetToken was unable to retrieve an access token. Scopes: [ https://vault.azure.net/.default ] ParentRequestId: 87839bb1-0909-4c11-a891-270fc37d522a Exception: Azure.Identity.CredentialUnavailableException (0x80131500): WorkloadIdentityCredential authentication unavailable. The workload options are not fully configured. See the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/workloadidentitycredential/troubleshoot
info: Azure.Identity[1]
ManagedIdentityCredential.GetToken invoked. Scopes: [ https://vault.azure.net/.default ] ParentRequestId: 87839bb1-0909-4c11-a891-270fc37d522a
info: Azure.Identity[25]
ManagedIdentitySource TokenExchangeManagedIdentitySource was attempted. IsSelected=False.
info: Azure.Core[1]
Request [e91846c8-a997-462b-a1dd-4a5ef27002e5] GET http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=REDACTED
x-ms-client-request-id:e91846c8-a997-462b-a1dd-4a5ef27002e5
x-ms-return-client-request-id:true
User-Agent:azsdk-net-Identity/1.13.2 (.NET 8.0.14; Microsoft Windows 10.0.26100)
client assembly: Azure.Identity
info: Azure.Core[18]
Request [e91846c8-a997-462b-a1dd-4a5ef27002e5] exception System.Threading.Tasks.TaskCanceledException: The operation was cancelled because it exceeded the configured timeout of 0:00:01. Network timeout can be adjusted in ClientOptions.Retry.NetworkTimeout.
---> System.Threading.Tasks.TaskCanceledException: A task was canceled.
---> System.Threading.Tasks.TaskCanceledException: A task was canceled.
at System.Threading.Tasks.TaskCompletionSourceWithCancellation`1.WaitWithCancellationAsync(CancellationToken cancellationToken)
at System.Net.Http.HttpConnectionPool.SendWithVersionDetectionAndRetryAsync(HttpRequestMessage request, Boolean async, Boolean doRequestAuth, CancellationToken cancellationToken)
at System.Net.Http.HttpClient.<SendAsync>g__Core|83_0(HttpRequestMessage request, HttpCompletionOption completionOption, CancellationTokenSource cts, Boolean disposeCts, CancellationTokenSource pendingRequestsCts, CancellationToken originalCancellationToken)
--- End of inner exception stack trace ---
at System.Net.Http.HttpClient.HandleFailure(Exception e, Boolean telemetryStarted, HttpResponseMessage response, CancellationTokenSource cts, CancellationToken cancellationToken, CancellationTokenSource pendingRequestsCts)
at System.Net.Http.HttpClient.<SendAsync>g__Core|83_0(HttpRequestMessage request, HttpCompletionOption completionOption, CancellationTokenSource cts, Boolean disposeCts, CancellationTokenSource pendingRequestsCts, CancellationToken originalCancellationToken)
at Azure.Core.Pipeline.HttpClientTransport.ProcessSyncOrAsync(HttpMessage message, Boolean async)
at Azure.Core.Pipeline.HttpPipelineTransportPolicy.ProcessAsync(HttpMessage message, ReadOnlyMemory`1 pipeline)
at Azure.Core.Pipeline.ResponseBodyPolicy.ProcessAsync(HttpMessage message, ReadOnlyMemory`1 pipeline, Boolean async)
--- End of inner exception stack trace ---
at Azure.Core.Pipeline.ResponseBodyPolicy.ThrowIfCancellationRequestedOrTimeout(CancellationToken originalToken, CancellationToken timeoutToken, Exception inner, TimeSpan timeout)
at Azure.Core.Pipeline.ResponseBodyPolicy.ProcessAsync(HttpMessage message, ReadOnlyMemory`1 pipeline, Boolean async)
at Azure.Core.Pipeline.LoggingPolicy.ProcessAsync(HttpMessage message, ReadOnlyMemory`1 pipeline, Boolean async)
info: Azure.Identity[3]
ManagedIdentityCredential.GetToken was unable to retrieve an access token. Scopes: [ https://vault.azure.net/.default ] ParentRequestId: 87839bb1-0909-4c11-a891-270fc37d522a Exception: Azure.Identity.CredentialUnavailableException (0x80131500): ManagedIdentityCredential authentication unavailable. No response received from the managed identity endpoint.
---> System.Threading.Tasks.TaskCanceledException (0x8013153b): The operation was cancelled because it exceeded the configured timeout of 0:00:01. Network timeout can be adjusted in ClientOptions.Retry.NetworkTimeout.
---> System.Threading.Tasks.TaskCanceledException (0x8013153b): A task was canceled.
---> System.Threading.Tasks.TaskCanceledException (0x8013153b): A task was canceled.
info: Azure.Identity[1]
VisualStudioCredential.GetToken invoked. Scopes: [ https://vault.azure.net/.default ] ParentRequestId: 87839bb1-0909-4c11-a891-270fc37d522a
info: Azure.Identity[2]
VisualStudioCredential.GetToken succeeded. Scopes: [ https://vault.azure.net/.default ] ParentRequestId: 87839bb1-0909-4c11-a891-270fc37d522a ExpiresOn: 2025-03-13T11:41:04.9660777+00:00
info: Azure.Identity[13]
DefaultAzureCredential credential selected: Azure.Identity.VisualStudioCredential
info: Azure.Identity[2]
DefaultAzureCredential.GetToken succeeded. Scopes: [ https://vault.azure.net/.default ] ParentRequestId: 87839bb1-0909-4c11-a891-270fc37d522a ExpiresOn: 2025-03-13T11:41:04.9660777+00:00
info: Azure.Core[1]
Request [87839bb1-0909-4c11-a891-270fc37d522a] GET https://redacted.vault.azure.net/certificates/redacted?api-version=7.5
Content-Type:application/json
Accept:application/json
x-ms-client-request-id:87839bb1-0909-4c11-a891-270fc37d522a
x-ms-return-client-request-id:true
User-Agent:azsdk-net-Security.KeyVault.Certificates/4.7.0 (.NET 8.0.14; Microsoft Windows 10.0.26100)
Authorization:REDACTED
client assembly: Azure.Security.KeyVault.Certificates
info: Azure.Core[5]
Response [87839bb1-0909-4c11-a891-270fc37d522a] 200 OK (00.1s)
Cache-Control:no-cache
Pragma:no-cache
x-ms-keyvault-region:uksouth
x-ms-client-request-id:87839bb1-0909-4c11-a891-270fc37d522a
x-ms-request-id:738b535e-3d14-4893-a9c6-1e5ede24db0d
x-ms-keyvault-service-version:1.9.2203.1
x-ms-keyvault-network-info:conn_type=Ipv4;addr=213.48.232.118;act_addr_fam=InterNetwork;
X-Content-Type-Options:REDACTED
Strict-Transport-Security:REDACTED
Date:Thu, 13 Mar 2025 10:48:38 GMT
Content-Type:application/json; charset=utf-8
Expires:-1
Content-Length:4022
trce: Sign.SignatureProviders.KeyVault.KeyVaultService[0]
Fetched certificate. [6010.5199 ms]
trce: Sign.SignatureProviders.KeyVault.KeyVaultService[0]
Certificate details:
[Version]
V3
[Subject]
CN=redacted Ltd, O=redacted Ltd, L=London, C=GB, SERIALNUMBER=09313767, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.3=GB
Simple Name: redacted Ltd
DNS Name: redacted Ltd
[Issuer]
CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Simple Name: DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1
DNS Name: DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1
[Extensions]
* Authority Key Identifier(2.5.29.35):
KeyID=redacted
* Subject Key Identifier(2.5.29.14):
redacted
* Certificate Policies(2.5.29.32):
[1]Certificate Policy:
Policy Identifier=2.23.140.1.3
[1,1]Policy Qualifier Info:
Policy Qualifier Id=CPS
Qualifier:
http://www.digicert.com/CPS
* Key Usage(2.5.29.15):
Digital Signature (80)
* Enhanced Key Usage(2.5.29.37):
Code Signing (1.3.6.1.5.5.7.3.3)
* CRL Distribution Points(2.5.29.31):
[1]CRL Distribution Point
Distribution Point Name:
Full Name:
URL=http://crl3.digicert.com/redacted.crl
[2]CRL Distribution Point
Distribution Point Name:
Full Name:
URL=http://crl4.digicert.com/redacted.crl
* Authority Information Access(1.3.6.1.5.5.7.1.1):
[1]Authority Info Access
Access Method=On-line Certificate Status Protocol (1.3.6.1.5.5.7.48.1)
Alternative Name:
URL=http://ocsp.digicert.com
[2]Authority Info Access
Access Method=Certification Authority Issuer (1.3.6.1.5.5.7.48.2)
Alternative Name:
URL=http://cacerts.digicert.com/redacted.crt
* Basic Constraints(2.5.29.19):
Subject Type=End Entity
Path Length Constraint=None
info: Sign.Core.ISigner[0]
Submitting D:\tmp\redacted.msi for signing.
trce: Sign.Core.IDirectoryService[0]
Creating directory C:\Users\Adam\AppData\Local\Temp\t00rapaj.gx3.
info: Sign.Core.ISigner[0]
SignAsync called for D:\tmp\redacted.msi. Using C:\Users\Adam\AppData\Local\Temp\t00rapaj.gx3\1cwlevnb.msi locally.
info: Sign.Core.IDataFormatSigner[0]
Signing SignTool job with 1 files.
info: Azure.Core[1]
Request [4e4a5276-e500-4656-9ae1-a9d6b9502347] GET https://redacted.vault.azure.net/?api-version=7.5
Content-Type:application/json
Accept:application/json
x-ms-client-request-id:4e4a5276-e500-4656-9ae1-a9d6b9502347
x-ms-return-client-request-id:true
User-Agent:azsdk-net-Security.KeyVault.Keys/4.7.0 (.NET 8.0.14; Microsoft Windows 10.0.26100)
client assembly: Azure.Security.KeyVault.Keys
warn: Azure.Core[8]
Error response [4e4a5276-e500-4656-9ae1-a9d6b9502347] 403 Forbidden (00.0s)
X-Content-Type-Options:REDACTED
Strict-Transport-Security:REDACTED
Date:Thu, 13 Mar 2025 10:48:38 GMT
Content-Type:text/html
Content-Length:1233
dbug: Azure.Security.KeyVault.Keys[5]
Permission denied to get key https://redacted.vault.azure.net/. Cannot perform the get operation locally.
info: Sign.Core.IDataFormatSigner[0]
Signing C:\Users\Adam\AppData\Local\Temp\t00rapaj.gx3\1cwlevnb.msi.
trce: Sign.Core.IDataFormatSigner[0]
Getting SIP Data
trce: Sign.Core.IDataFormatSigner[0]
Calling SignerSignEx3
info: Azure.Core[1]
Request [9479c27e-3a54-4279-bdd1-7a8d59cfe966] POST https://redacted.vault.azure.net/sign?api-version=7.5
Content-Type:application/json
Accept:application/json
x-ms-client-request-id:9479c27e-3a54-4279-bdd1-7a8d59cfe966
x-ms-return-client-request-id:true
User-Agent:azsdk-net-Security.KeyVault.Keys/4.7.0 (.NET 8.0.14; Microsoft Windows 10.0.26100)
client assembly: Azure.Security.KeyVault.Keys
warn: Azure.Core[8]
Error response [9479c27e-3a54-4279-bdd1-7a8d59cfe966] 404 Not Found (00.0s)
X-Content-Type-Options:REDACTED
Strict-Transport-Security:REDACTED
Date:Thu, 13 Mar 2025 10:48:38 GMT
Content-Type:text/html
Content-Length:1245
fail: Sign.Core.IDataFormatSigner[0]
Service request failed.
Status: 404 (Not Found)
Content:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
<title>404 - File or directory not found.</title>
<style type="text/css">
<!--
body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}
fieldset{padding:0 15px 10px 15px;}
h1{font-size:2.4em;margin:0;color:#FFF;}
h2{font-size:1.7em;margin:0;color:#CC0000;}
h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;}
#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;
background-color:#555555;}
#content{margin:0 0 0 2%;position:relative;}
.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}
-->
</style>
</head>
<body>
<div id="header"><h1>Server Error</h1></div>
<div id="content">
<div class="content-container"><fieldset>
<h2>404 - File or directory not found.</h2>
<h3>The resource you are looking for might have been removed, had its name changed, or is temporarily unavailable.</h3>
</fieldset></div>
</div>
</body>
</html>
Headers:
X-Content-Type-Options: REDACTED
Strict-Transport-Security: REDACTED
Date: Thu, 13 Mar 2025 10:48:38 GMT
Content-Type: text/html
Content-Length: 1245
Azure.RequestFailedException: Service request failed.
Status: 404 (Not Found)
Content:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
<title>404 - File or directory not found.</title>
<style type="text/css">
<!--
body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}
fieldset{padding:0 15px 10px 15px;}
h1{font-size:2.4em;margin:0;color:#FFF;}
h2{font-size:1.7em;margin:0;color:#CC0000;}
h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;}
#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;
background-color:#555555;}
#content{margin:0 0 0 2%;position:relative;}
.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}
-->
</style>
</head>
<body>
<div id="header"><h1>Server Error</h1></div>
<div id="content">
<div class="content-container"><fieldset>
<h2>404 - File or directory not found.</h2>
<h3>The resource you are looking for might have been removed, had its name changed, or is temporarily unavailable.</h3>
</fieldset></div>
</div>
</body>
</html>
Headers:
X-Content-Type-Options: REDACTED
Strict-Transport-Security: REDACTED
Date: Thu, 13 Mar 2025 10:48:38 GMT
Content-Type: text/html
Content-Length: 1245
at Azure.Security.KeyVault.KeyVaultPipeline.SendRequest(Request request, CancellationToken cancellationToken)
at Azure.Security.KeyVault.KeyVaultPipeline.SendRequest[TContent,TResult](RequestMethod method, TContent content, Func`1 resultFactory, CancellationToken cancellationToken, String[] path)
at Azure.Security.KeyVault.Keys.Cryptography.RemoteCryptographyClient.Sign(SignatureAlgorithm algorithm, Byte[] digest, CancellationToken cancellationToken)
at Azure.Security.KeyVault.Keys.Cryptography.RemoteCryptographyClient.Azure.Security.KeyVault.Keys.Cryptography.ICryptographyProvider.Sign(SignatureAlgorithm algorithm, Byte[] digest, CancellationToken cancellationToken)
at Azure.Security.KeyVault.Keys.Cryptography.CryptographyClient.Sign(SignatureAlgorithm algorithm, Byte[] digest, CancellationToken cancellationToken)
at Azure.Security.KeyVault.Keys.Cryptography.RSAKeyVault.SignHash(Byte[] hash, HashAlgorithmName hashAlgorithm, RSASignaturePadding padding)
at AzureSign.Core.AuthenticodeKeyVaultSigner.SignCallback(IntPtr pCertContext, IntPtr pvExtra, UInt32 algId, Byte[] pDigestToSign, UInt32 dwDigestToSign, CRYPTOAPI_BLOB& blob)
at AzureSign.Core.Interop.mssign32.SignerSignEx3(SignerSignEx3Flags dwFlags, SIGNER_SUBJECT_INFO* pSubjectInfo, SIGNER_CERT* pSignerCert, SIGNER_SIGNATURE_INFO* pSignatureInfo, IntPtr pProviderInfo, SignerSignTimeStampFlags dwTimestampFlags, Byte* pszTimestampAlgorithmOid, Char* pwszHttpTimeStamp, IntPtr psRequest, Void* pSipData, IntPtr* ppSignerContext, IntPtr pCryptoPolicy, SIGN_INFO* pSignInfo, IntPtr pReserved)
at AzureSign.Core.AuthenticodeKeyVaultSigner.SignFile(ReadOnlySpan`1 path, ReadOnlySpan`1 description, ReadOnlySpan`1 descriptionUrl, Nullable`1 pageHashing, ILogger logger)
at Sign.Core.AzureSignToolSigner.RunSignTool(AuthenticodeKeyVaultSigner signer, FileInfo file, SignOptions options) in /_/src/Sign.Core/DataFormatSigners/AzureSignToolSigner.cs:line 167
fail: Sign.Core.IDataFormatSigner[0]
Signing failed with error 0.
info: Sign.Core.IDataFormatSigner[0]
Additional context
When using version 0.9.1-beta.24529.1
dotnet tool install --global --allow-downgrade --version 0.9.1-beta.24529.1 sign
I can sign fine. Here is the trace output:
trce: Sign.SignatureProviders.KeyVault.KeyVaultService[0]
Fetching certificate from Azure Key Vault.
trce: Sign.SignatureProviders.KeyVault.KeyVaultService[0]
Fetched certificate. [5685.4041 ms]
info: Sign.Core.ISigner[0]
Submitting D:\tmp\redacted.msi for signing.
trce: Sign.Core.IDirectoryService[0]
Creating directory C:\Users\Adam\AppData\Local\Temp\reph2b41.cdk.
info: Sign.Core.ISigner[0]
SignAsync called for D:\tmp\redacted.msi. Using C:\Users\Adam\AppData\Local\Temp\reph2b41.cdk\ndzc3php.msi locally.
info: Sign.Core.IDataFormatSigner[0]
Signing SignTool job with 1 files.
info: Sign.Core.IDataFormatSigner[0]
Signing C:\Users\Adam\AppData\Local\Temp\reph2b41.cdk\ndzc3php.msi.
trce: Sign.Core.IDataFormatSigner[0]
Getting SIP Data
trce: Sign.Core.IDataFormatSigner[0]
Calling SignerSignEx3
info: Sign.Core.IDataFormatSigner[0]
Signing C:\Users\Adam\AppData\Local\Temp\reph2b41.cdk\ndzc3php.msi succeeded.
trce: Sign.Core.IDirectoryService[0]
Deleting directory C:\Users\Adam\AppData\Local\Temp\reph2b41.cdk.
trce: Sign.Core.IDirectoryService[0]
Directory C:\Users\Adam\AppData\Local\Temp\reph2b41.cdk deleted.
info: Sign.Core.ISigner[0]
Completed in 5679 ms.
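The failing trace above shows the Keys client issuing GET against the vault root (403) and POST against /sign with no /keys/{name}[/{version}] segment (404), while the Certificates client's GET /certificates/... succeeds. In the Key Vault REST API every key operation, including sign, lives under /keys/{key-name}, so the request shapes are consistent with the Keys client having been handed the vault URI rather than a full key identifier; that is an inference from the URLs in the trace, not a confirmed root cause. The following is an added triage helper, not code from the dotnet/sign project or the issue author: it pairs each Azure.Core Request line with its client assembly and response status and flags Keys-client calls that do not target a /keys/ path. The sample trace is constructed from the shapes in the issue with placeholder host and ids; Python 3.10 or later is assumed.

```python
"""Flag Azure Key Vault Keys-client requests whose URL lacks the /keys/{name} path.

Added example (not part of dotnet/sign or the issue report). Feed it the
Azure.Core trace lines from the sign tool; it reports calls the Keys client
made to URLs the Key Vault REST API cannot serve as key operations.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed sample: host and request ids are placeholders, the line shapes
# follow the Azure.Core logging seen in the issue (401 retried to 200, then a
# vault-root GET and a /sign POST from the Keys client, then a well-formed call).
SAMPLE_TRACE = """\
info: Azure.Core[1]
Request [aaaaaaaa-0000-0000-0000-000000000001] GET https://example.vault.azure.net/certificates/mycert?api-version=7.5
client assembly: Azure.Security.KeyVault.Certificates
warn: Azure.Core[8]
Error response [aaaaaaaa-0000-0000-0000-000000000001] 401 Unauthorized (00.2s)
info: Azure.Core[5]
Response [aaaaaaaa-0000-0000-0000-000000000001] 200 OK (00.1s)
info: Azure.Core[1]
Request [aaaaaaaa-0000-0000-0000-000000000002] GET https://example.vault.azure.net/?api-version=7.5
client assembly: Azure.Security.KeyVault.Keys
warn: Azure.Core[8]
Error response [aaaaaaaa-0000-0000-0000-000000000002] 403 Forbidden (00.0s)
info: Azure.Core[1]
Request [aaaaaaaa-0000-0000-0000-000000000003] POST https://example.vault.azure.net/sign?api-version=7.5
client assembly: Azure.Security.KeyVault.Keys
warn: Azure.Core[8]
Error response [aaaaaaaa-0000-0000-0000-000000000003] 404 Not Found (00.0s)
info: Azure.Core[1]
Request [aaaaaaaa-0000-0000-0000-000000000004] POST https://example.vault.azure.net/keys/mykey/0123abcd/sign?api-version=7.5
client assembly: Azure.Security.KeyVault.Keys
info: Azure.Core[5]
Response [aaaaaaaa-0000-0000-0000-000000000004] 200 OK (00.1s)
"""

REQUEST_RE = re.compile(r"Request \[(?P<id>[0-9a-f-]{36})\] (?P<method>[A-Z]+) (?P<url>\S+)")
RESPONSE_RE = re.compile(r"(?:Error response|Response) \[(?P<id>[0-9a-f-]{36})\] (?P<status>\d{3})")
ASSEMBLY_RE = re.compile(r"client assembly: (?P<assembly>\S+)")
KEYS_CLIENT = "Azure.Security.KeyVault.Keys"


@dataclass
class KeyVaultCall:
    request_id: str
    method: str
    url: str
    client: str = ""                                   # from the "client assembly:" line
    statuses: list[int] = field(default_factory=list)  # one entry per logged response

    @property
    def path(self) -> str:
        return urlparse(self.url).path or "/"

    def targets_key_path(self) -> bool:
        # Key Vault REST API: get/sign/verify/... all live under /keys/{key-name}[/{version}][/{op}].
        return self.path == "/keys" or self.path.startswith("/keys/")


def parse_trace(lines):
    """Group Request / client assembly / response lines by x-ms-client-request-id."""
    calls: dict[str, KeyVaultCall] = {}
    order: list[str] = []
    last_id = None
    for raw in lines:
        line = raw.strip()
        if m := REQUEST_RE.match(line):
            last_id = m["id"]
            if last_id not in calls:  # a retry after 401 reuses the same client request id
                calls[last_id] = KeyVaultCall(last_id, m["method"], m["url"])
                order.append(last_id)
        elif (m := ASSEMBLY_RE.match(line)) and last_id in calls:
            calls[last_id].client = m["assembly"]
        elif (m := RESPONSE_RE.match(line)) and m["id"] in calls:
            calls[m["id"]].statuses.append(int(m["status"]))
    return [calls[i] for i in order]


def find_malformed_key_calls(calls):
    """Keys-client requests that cannot be key operations because /keys/{name} is missing."""
    return [c for c in calls if c.client == KEYS_CLIENT and not c.targets_key_path()]


def expected_sign_url(vault_url, key_name, key_version=None, api_version="7.5"):
    """Shape of a well-formed Key Vault sign request for comparison against the trace."""
    parts = [vault_url.rstrip("/"), "keys", key_name]
    if key_version:
        parts.append(key_version)
    parts.append("sign")
    return "/".join(parts) + f"?api-version={api_version}"


if __name__ == "__main__":
    for call in find_malformed_key_calls(parse_trace(SAMPLE_TRACE.splitlines())):
        print(f"{call.method} {call.path} -> {call.statuses}: Keys client did not target /keys/{{name}}")
    print("expected:", expected_sign_url("https://example.vault.azure.net", "mykey", "0123abcd"))
```

Run it against the trace captured from the failing version (the same grep-and-pair logic works on the real log, since only the ids and host differ); two flagged calls with 403 and 404, alongside a successful /certificates/ fetch, is the signature to look for when deciding whether the regression is in authorization or in how the key identifier is built.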