VSTS build fails with MSB3325, Cannot import PFX key file

5
votes

I had created a build definition to build a desktop application online on visualstudio.com which fail at task Build Solution (Visual Studio build) with following error,

[error]C:\Program Files (x86)\Microsoft Visual Studio\2017\Enterprise\MSBuild\15.0\Bin\Microsoft.Common.CurrentVersion.targets(3156,5): Error MSB3325: Cannot import the following key file: Sixmod5Certificate.pfx. The key file may be password protected. To correct this, try to import the certificate again or manually install the certificate to the Strong Name CSP with the following key container name: VS_KEY_3B2BCC84AE4E26F1

I followed solution specified at, https://developercommunity.visualstudio.com/content/problem/156086/vsts-build-msb3325-cannot-import-the-following-key.html

then as specified at, https://stackoverflow.com/a/48698229/3531672 I had added a powershell script task before build task, as follows,

[CmdletBinding()]
param(  
    [Parameter(Mandatory)][string] $pfxpath,
    [Parameter(Mandatory)][string] $password
)

Add-Type -AssemblyName System.Security
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
$cert.Import($pfxpath, $password, [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]"PersistKeySet")
$store = new-object system.security.cryptography.X509Certificates.X509Store -argumentlist "MY", CurrentUser
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]"ReadWrite")
$store.Add($cert)
$store.Close()

but no luck yet,

There are different SO post similar to this specifying solution to build from Admin user, or installing pfx certificate manually, but as they are related to personal computer and I am trying to configure Continuous integration on visualstudio.com, they don't seem useful to me.

Please note I am able to successfully build on my local machine.

If you wish to regenerate this problem at your end, follow these steps,

STEP 1: Create a new VSTO Addin Project (Any Excel/Word/Powerpoint).

STEP 2: Attach this to VSTS.

STEP 3: In signing tab of Application properties, instead of using temperory certificate, create a new password protected certificate (PFX - Personal Information Exchange in my case) and use this to sign ClickOnce Manifest

STEP 4: Try to build on local machine, it will succeed.

STEP 5: Push it over and try to build on VSTS, you will get the same error as above.

2
msbuildazure-devopsazure-pipelinesazure-pipelines-build-task
What's the build detail build logs if you use the way as starain mentions (stackoverflow.com/questions/48692240/…)? And what's the agent machine did you use, hosted or private? - Marina Liu
I am using Hosted machine and I had created Powershell script for Starain's script and added a task to execute before Build task, but getting same error, Is it something to do with Account permissions or such configurations if any? cz I am new to VSTS. - Aniket Bhansali
The script can be execute on Hosted agent. Can you show the detail build log and the powershell script? - Marina Liu
Here is the link for debug logs, drive.google.com/drive/folders/… and I had updated question with powershell script. - Aniket Bhansali
The PFX file need to be installed to the Strong Name CSP, I am afraid that you need to setup a private build agent with that PFX file installed (sn -i). - starian chen-MSFT

2 Answers

1
votes

I unchecked the "Sign the assembly" checkbox from the "project properties -> Signing" page and everything worked like a charm. The build was signed successfully through VSTS. Somehow I missed this solution provided in many SO threads related to the problem.

0
votes

I unchecked the "Sign the assembly" checkbox from the "project properties -> Signing" page and everything worked like a charm. The build was signed successfully through VSTS. Somehow I missed this solution provided in many SO threads related to the problem.

This worked for me. Thank you.