
Release not signed #564

Closed
buzzwick opened this issue Jun 7, 2023 · 15 comments
Labels
Fix Ready Fix Ready question Further information is requested

Comments

@buzzwick
Contributor

buzzwick commented Jun 7, 2023

We created a release in order to generate an .app file for submission as part of our initial AppSource offering. But we get an error that the application is not signed. I can run our CI/CD workflow successfully. My understanding is that the CI/CD workflow signs the resulting artifact, so I am assuming that our CODESIGNCERTIFICATEURL and password secrets are working properly.

Is it the case that the artifact created for a release is not similarly signed?

If I need only a signed artifact, should I get it not from the Create Release action but from the CI/CD action?

@freddydk
Contributor

freddydk commented Jun 7, 2023

Create Release doesn't build the app, it promotes an existing CI/CD build to a release.
So, it looks like your CI/CD workflow doesn't sign the app.
You can look in the workflow output whether it signs the app - or add me and I can have a look.

@buzzwick
Contributor Author

buzzwick commented Jun 7, 2023

Here is the relevant (I think) portion of the CI/CD log. It looks to me that it is signing, but I could be wrong. I will add you as a user.

Run microsoft/AL-Go-Actions/ReadSettings@v3.1
Run try { D:\a\_actions\microsoft\AL-Go-Actions\v3.1\ReadSettings/ReadSettings.ps1 -actor $ENV:_actor -token $ENV:_token -parentTelemetryScopeJson $ENV:_parentTelemetryScopeJson -project $ENV:_project -getenvironments $ENV:_getenvironments -includeProduction ($ENV:_includeProduction -eq 'Y') -release ($ENV:_release -eq 'Y') -get $ENV:_get } catch { Write-Host "::Error::Unexpected error when running action ($($_.Exception.Message.Replace("`r",'').Replace("`n",' ')))"; exit 1 }
Downloading BcContainerHelper latest version from CDN
BcContainerHelper version 5.0.3
BC.HelperFunctions emits usage statistics telemetry to Microsoft
Applying settings from D:\a\CAI-Software-Precious-Metals-Solution\CAI-Software-Precious-Metals-Solution\.github\AL-Go-Settings.json
Applying settings from D:\a\CAI-Software-Precious-Metals-Solution\CAI-Software-Precious-Metals-Solution\.AL-Go\settings.json
SettingsJson={"keyVaultCertificateUrlSecretName":"","microsoftTelemetryConnectionString":"InstrumentationKey=84bd9223-67d4-4378-8590-9e4a46023be2;IngestionEndpoint=https://westeurope-1.in.applicationinsights.azure.com/","type":"AppSource App","sendExtendedTelemetryToMicrosoft":false,"appBuild":98,"installTestApps":[],"versioningStrategy":16,"installApps":[],"installTestLibraries":false,"runNumberOffset":0,"codeSignCertificatePasswordSecretName":"codeSignCertificatePassword","vsixFile":"","country":"us","partnerTelemetryConnectionString":"","insiderSasTokenSecretName":"insiderSasToken","doNotRunTests":false,"runs-on":"windows-latest","generateDependencyArtifact":false,"templateUrl":"https://github.com/microsoft/AL-Go-AppSource@main","keyVaultCertificatePasswordSecretName":"","rulesetFile":"","shell":"powershell","memoryLimit":"","keyVaultClientIdSecretName":"","testFolders":[],"githubRunner":"windows-latest","doNotBuildTests":false,"environments":["FAT","QA"],"companyName":"","assignPremiumPlan":false,"artifact":"https://bcartifacts.azureedge.net/sandbox/22.0.54157.55210/us","ghTokenWorkflowSecretName":"ghTokenWorkflow","enableTaskScheduler":false,"enableCodeCop":false,"repoVersion":"21.9","doNotPublishApps":true,"unusedALGoSystemFiles":[],"githubRunnerShell":"powershell","appFolders":[],"cacheKeepDays":3,"bcptTestFolders":[],"updateDependencies":false,"cacheImageName":"my","treatTestFailuresAsWarnings":false,"additionalCountries":[],"licenseFileUrlSecretName":"licenseFileUrl","enableUICop":false,"customCodeCops":[],"appDependencies":[],"doNotRunBcptTests":false,"appDependencyProbingPaths":[],"useCompilerFolder":true,"installTestFramework":false,"keyVaultName":"","installOnlyReferencedApps":true,"obsoleteTagMinAllowedMajorMinor":"","applicationDependency":"18.0.0.0","applicationInsightsConnectionStringSecretName":"applicationInsightsConnectionString","failOn":"error","projects":[],"testDependencies":[],"appRevision":0,"codeSignCertificateUrlSecretName":"codeSignCertificateUrl","configPackages":[],"useProjectDependencies":false,"appSourceCopMandatoryAffixes":["CAI"],"buildModes":[],"templateBranch":"","installPerformanceToolkit":false,"doNotSignApps":false,"repoName":"CAI-Software-Precious-Metals-Solution","alwaysBuildAllProjects":false,"skipUpgrade":false,"installTestRunner":false,"adminCenterApiCredentialsSecretName":"adminCenterApiCredentials"}
GitHubRunnerJson="windows-latest"
GitHubRunnerShell=powershell
Requesting environments: *
Trying to get environments from GitHub API
Environments found: FAT, QA
Environment: FAT
- branches: *
- include: True
Environment: QA
- branches: *
- include: True
EnvironmentsJson={"matrix":{"include":[{"environment":"FAT","os":"\"windows-latest\""},{"environment":"QA","os":"\"windows-latest\""}]},"fail-fast":false}
EnvironmentCount=2
UnknownEnvironment=0
Removing BcContainerHelper

@freddydk
Contributor

freddydk commented Jun 7, 2023

ReadSettings doesn't show you any interesting info.
ReadSecrets does:
image
and then in runpipeline:
image
The above is from one of my repos

@buzzwick
Contributor Author

buzzwick commented Jun 7, 2023

Okay. I can't find any of those outputs in my CI/CD log. The secrets are definitely there, but there does not appear to be any "Signing apps" segment. Search finds nothing for "Signing apps" or "pfx"--nothing. Now what are we missing?

@freddydk
Contributor

freddydk commented Jun 8, 2023

This one is on me.
Your secrets are set up - and in ReadSecrets I can see them being read, but...
The reason for this is that the containerless compilation (useCompilerFolder) still doesn't support signing apps, sorry for this.

@freddydk
Contributor

freddydk commented Jun 8, 2023

There is a new mechanism for signing apps, which will be used when you have HSM secured certificates, but this obviously doesn't work with the old certificates.
I will make an update to ContainerHelper to sign apps when using compilerfolder.

@buzzwick
Contributor Author

buzzwick commented Jun 8, 2023

Ah. Wonderful. We will wait to hear from you. Is the containerless compilation an opt-in feature?

We can afford to wait, because we are having to straighten out another issue with Microsoft regarding our ID range registration.

I see a Workbook section on Signing in the future...

@freddydk
Contributor

freddydk commented Jun 8, 2023 via email

@buzzwick
Contributor Author

buzzwick commented Jun 8, 2023

Okay. Does that go in the repo's AL-Go Settings? I wasn't aware that we had turned that on.

@freddydk
Contributor

freddydk commented Jun 8, 2023

If you followed the workshop - it is in the Organization settings variable.

@buzzwick
Contributor Author

buzzwick commented Jun 8, 2023

Indeed it is. How quickly we forget. Thank you.

@freddydk freddydk added the bug Something isn't working label Jun 10, 2023
@janlehmkuhl

There is a new mechanism for signing apps, which will be used when you have HSM secured certificates, but this obviously doesn't work with the old certificates. I will make an update to ContainerHelper to sign apps when using compilerfolder.

@freddydk
Does AL-Go Support HSM Secured Certificates? We are currently in the situation that our certificate has expired and we now have a new certificate secured with HSM.

@larswestman

Has there been an update so signing should work using the old certificates in combination with "useCompilerFolder" = true? I have that setting in settings.json and my CI/CD doesn't try to sign the app.

@freddydk
Contributor

@larswestman - nope, when using useCompilerFolder, you should upload your certificate to an Azure KeyVault and use the new signing mechanism. I will add that to the documentation.
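
The failure discussed in this thread is silent: the secrets are read and the build succeeds, but no signing step runs. The check below is an added example, not AL-Go or BcContainerHelper code and not written by anyone in the thread. It assumes the CI/CD log has been saved as text, that the `SettingsJson=` line has the shape shown earlier on this page, and that a `Signing apps` line appears whenever signing runs (the marker searched for above); the function name `Test-ALGoSigningGap` and the sample log are constructed for illustration.

```powershell
# Added example: flag a CI/CD run where signing was configured but never ran.
function Test-ALGoSigningGap {
    param(
        [Parameter(Mandatory)] [string[]] $LogLines
    )

    # ReadSettings prints the effective settings as a single "SettingsJson={...}" line.
    $settingsLine = $LogLines | Where-Object { $_ -like 'SettingsJson=*' } | Select-Object -First 1
    if (-not $settingsLine) { throw 'No SettingsJson= line found in the log.' }
    $settings = $settingsLine.Substring('SettingsJson='.Length) | ConvertFrom-Json

    # Signing is expected when it is not disabled and a certificate secret is named.
    $signingConfigured = (-not $settings.doNotSignApps) -and
        (-not [string]::IsNullOrEmpty($settings.codeSignCertificateUrlSecretName))

    # Assumption: "Signing apps" appears in the log whenever the signing step runs.
    $signingRan = @($LogLines -match 'Signing apps').Count -gt 0

    [pscustomobject]@{
        SigningConfigured = $signingConfigured
        UseCompilerFolder = [bool]$settings.useCompilerFolder
        SigningRan        = $signingRan
        SilentlyUnsigned  = $signingConfigured -and (-not $signingRan)
    }
}

# Constructed sample log: settings trimmed to the keys that matter here.
$sampleLog = @(
    'Run microsoft/AL-Go-Actions/ReadSettings@v3.1'
    'SettingsJson={"type":"AppSource App","useCompilerFolder":true,"doNotSignApps":false,"codeSignCertificateUrlSecretName":"codeSignCertificateUrl"}'
    'Removing BcContainerHelper'
)

$result = Test-ALGoSigningGap -LogLines $sampleLog
$result | Format-List

if ($result.SilentlyUnsigned) {
    # Same message prefix the AL-Go actions use in the log above.
    Write-Host "::Error::Signing is configured but no signing step ran (useCompilerFolder=$($result.UseCompilerFolder))"
}
```

Run against a saved log with `Test-ALGoSigningGap -LogLines (Get-Content .\cicd.log)`, where `cicd.log` is a placeholder file name, before promoting a build with Create Release.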

@freddydk
Contributor

freddydk commented Apr 14, 2024

freddydk added a commit to freddydk/AL-Go that referenced this issue Apr 14, 2024
@freddydk freddydk added Fix Ready Fix Ready question Further information is requested and removed bug Something isn't working labels Apr 14, 2024