Signing executables fails inside Docker container

0

I am trying to sign .exe and .dll files inside a GitLab pipeline with a docker-windows setup, using the Docker image:
mcr.microsoft.com/dotnet/framework/sdk:4.8-windowsservercore-ltsc2019

I try to call these commands:
> sn.exe -R myfile.exe myKey.snk
> signtool.exe sign /v /f myCert.p12 /p myPassword /fd sha256 /tr "http://sha256timestamp.ws.symantec.com/sha256/timestamp" /td sha256 myFile.exe

When doing it locally on my machine, the files get successfully signed:

> sn.exe -R myfile.exe myKey.snk
Microsoft (R) .NET Framework Strong Name Utility  Version 4.0.30319.0
Copyright (c) Microsoft Corporation.  All rights reserved.

Assembly 'myFile.exe' successfully re-signed
> signtool.exe sign /v /f myCert.p12 /p myPassword /fd sha256 /tr "http://sha256timestamp.ws.symantec.com/sha256/timestamp" /td sha256 myFile.exe
The following certificate was selected:
    Issued to: someone
    Issued by: some-private-ca
    Expires:   Fri Aug 28 09:40:11 2020
    SHA1 hash: hash

Done Adding Additional Store
Successfully signed: myFile.exe

Number of files successfully Signed: 1
Number of warnings: 0
Number of errors: 0

However, in the GitLab pipeline both the Strong Name Tool (sn.exe) and signtool.exe fail:

> sn.exe -R myfile.exe myKey.snk
Microsoft (R) .NET Framework Strong Name Utility  Version 4.0.30319.0
Copyright (c) Microsoft Corporation.  All rights reserved.
Failed to re-sign the assembly -- Error code: 80131701
> signtool.exe sign /v /f myCert.p12 /p myPassword /fd sha256 /tr "http://sha256timestamp.ws.symantec.com/sha256/timestamp" /td sha256 myFile.exe
The following certificate was selected:
Done Adding Additional Store

I was not able to find out what error code 80131701 refers to.
In some cases people got the error code on System.Runtime.InteropServices.COMException (0x80131701).

Could this be caused by some certificate missing inside the Docker image that is present on my computer?

windows
docker
certificate
signtool
sn.exe
asked on Stack Overflow Apr 3, 2020 by Šimon Kocúrek • edited Apr 3, 2020 by Šimon Kocúrek

1 Answer

0

To fix the sn command, I had to replace the local sn.exe file with C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools\sn.exe:

> & "C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools\sn.exe" -R myfile.exe myKey.snk

To fix the signtool command, it was necessary to import the certificate in the Docker container:

> # $myCertBase64 is a placeholder for the base64-encoded contents of myCert.p12
> Set-Content myCert.pfx -Encoding Byte -Value ([System.Convert]::FromBase64String($myCertBase64))
> Import-PfxCertificate -FilePath myCert.pfx -Password (ConvertTo-SecureString -String "myPassword" -AsPlainText -Force) -CertStoreLocation Cert:\LocalMachine\Root
> $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
> # Use a full path: .NET resolves relative paths against the process directory, not the PowerShell location
> $cert.Import("$PWD\myCert.pfx", "myPassword", 'DefaultKeySet')
> # Pass the loaded certificate object, not the file name
> Set-AuthenticodeSignature -Certificate $cert -TimestampServer http://sha256timestamp.ws.symantec.com/sha256/timestamp -FilePath myFile.exe -HashAlgorithm SHA256
answered on Stack Overflow Nov 26, 2020 by Šimon Kocúrek
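
A CI signing step that loads the PFX from job variables, signs, and then checks the resulting signature rather than relying on tool output that stops without an error, as in the pipeline log above. This is an added example, not part of the original answer. The variable names SIGN_PFX_B64 and SIGN_PFX_PASSWORD and both function names are assumptions, and it assumes the issuing CA's public certificate is already trusted inside the container.

```powershell
# Added example, not from the original answer. SIGN_PFX_B64 and SIGN_PFX_PASSWORD
# are hypothetical CI variable names; the function names are also made up here.
$ErrorActionPreference = 'Stop'

function Get-SigningCertificate {
    param([string]$PfxBase64, [string]$Password)
    if (-not $PfxBase64) { throw 'No PFX data supplied' }
    # Build the certificate in memory so no PFX file is left in the job workspace.
    $bytes = [System.Convert]::FromBase64String($PfxBase64)
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$bytes, $Password, $flags)
    if (-not $cert.HasPrivateKey) { throw 'PFX contains no private key' }
    if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($cert.NotAfter)" }
    # If an EKU extension is present it must list Code Signing (OID 1.3.6.1.5.5.7.3.3).
    $eku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if ($eku -and -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.3' })) {
        throw "Certificate $($cert.Thumbprint) is not usable for code signing"
    }
    return $cert
}

function Invoke-SignAndVerify {
    param($Certificate, [string[]]$Path, [string]$TimestampServer)
    foreach ($file in $Path) {
        $sig = Set-AuthenticodeSignature -FilePath $file -Certificate $Certificate `
            -TimestampServer $TimestampServer -HashAlgorithm SHA256
        # Status is 'Valid' only when the chain ends in a root this machine trusts.
        if ($sig.Status -ne 'Valid') {
            throw "Signature on $file is not valid: $($sig.Status) - $($sig.StatusMessage)"
        }
        # Re-read the signature from disk as an independent check of what was written.
        $check = Get-AuthenticodeSignature -FilePath $file
        if ($check.SignerCertificate.Thumbprint -ne $Certificate.Thumbprint) {
            throw "$file is signed by an unexpected certificate"
        }
        "Signed $file with certificate $($Certificate.Thumbprint)"
    }
}

$cert = Get-SigningCertificate -PfxBase64 $env:SIGN_PFX_B64 -Password $env:SIGN_PFX_PASSWORD
Invoke-SignAndVerify -Certificate $cert -Path 'myFile.exe' `
    -TimestampServer 'http://sha256timestamp.ws.symantec.com/sha256/timestamp'
```

Because `$ErrorActionPreference` is `Stop` and every check throws, a failed or untrusted signature fails the pipeline job.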

User contributions licensed under CC BY-SA 3.0