Add PFX to strong name CSP on VSTS - azure-devops

I have created a VSTO add-in project which is signed using a password-protected PFX certificate and added the project to VSTS.
Now, while building, I get an error that it failed to import the certificate. To fix that I need to import the PFX certificate, so, as suggested in different SO posts and by Microsoft support, I am trying to import the certificate using the sn tool as follows.
I created a .cmd (bat) file which has the following commands:
C:
cd C:\Program Files (x86)\Microsoft SDKs\Windows\v8.0A\bin\NETFX 4.0 Tools\
sn -i "%1\Sixmod5PFX\Sixmod5Certificate.pfx" VS_KEY_BD774ABB8BB29878
and added a Run Batch Script task to the build definition before the MSBuild step.
But as we know, when we run this command on a local machine, it prompts for a password which the user can enter.
The same thing happens on VSTS and it fails, as it doesn't get the password.
Is there any way to solve this?

You need to set up a private build agent (e.g. Deploy an agent on Windows), then install the PFX certificate manually on that agent machine (as in, run the command on the local machine and specify the password in the prompt window).

Related

Permission issue while executing an ssh task in azure pipeline

What I am trying to do is to run a few lines of shell script on a remote machine via an Azure pipeline. I used the SSH Deployment task to accomplish this. I have used the script path argument to point to the .sh file that contains the script that should be run. The SSH task was able to connect to the remote host, but the following permission error pops up.
Can someone tell me what's going wrong here? The .sh file that I am using was created on the Linux box itself and had its permission level set to 777 before being moved to the repo.
There is another CopyFilesOverSSH@0 task in the pipeline in the same stage which works perfectly without any permission issues for the same user.
2021-12-31T12:41:42.1763039Z ##[section]Starting: SSH
2021-12-31T12:41:42.1894277Z ==============================================================================
2021-12-31T12:41:42.1894676Z Task : SSH
2021-12-31T12:41:42.1895010Z Description : Run shell commands or a script on a remote machine using SSH
2021-12-31T12:41:42.1895347Z Version : 0.189.0
2021-12-31T12:41:42.1895637Z Author : Microsoft Corporation
2021-12-31T12:41:42.1896023Z Help : https://learn.microsoft.com/azure/devops/pipelines/tasks/deploy/ssh
2021-12-31T12:41:42.1896437Z ==============================================================================
2021-12-31T12:41:42.8200834Z Trying to establish an SSH connection to ***#80.xxx.xxx.xxx:22
2021-12-31T12:41:43.1333018Z Successfully connected.
2021-12-31T12:41:43.5698433Z ##[error]Failed to copy script to remote machine. Error: Error: put: Permission denied //checkFileAvailability.sh.
2021-12-31T12:41:43.6050230Z ##[section]Finishing: SSH
Firstly, if you want to copy files to the remote machine, then it's recommended to use the Copy Files Over SSH task. This task allows you to connect to a remote machine using SSH and copy files matching a set of minimatch patterns from a specified source folder to a target folder on the remote machine. Supported protocols for file transfer are SFTP and SCP via SFTP.
As for the SSH Deployment task, it enables you to connect to a remote machine using SSH and run commands or a script.
According to your error message, the SSH connection succeeded, but copying the script to the remote machine failed. It appears that the service account doesn't have permission to copy the specified file to the specific path on the remote machine. Please check your source file path permission settings. Please also try using an inline script instead of the Script File to check if it works.
I had the same issue when running the SSH script task under a user which was not root. So for an inline script to run under a different user, that user should have:
Read/Write/Execute access to the root folder, as TFS puts all commands into a generated bash script file and copies it to the target machine's root folder (below is another command, which is executed on the already copied script file)
tr -d '\015' <./sshscript_099d4e8c-44ac-482d-b1bf-84a52c7ab810 > ./sshscript_099d4e8c-44ac-482d-b1bf-84a52c7ab810._unix
The user should have a home directory, as TFS switches to it
So to fix this issue I have granted rwx permissions to everyone for the root folder
chmod 777 /
ls -ld /
drwxrwxrwx 20 root root 4096 Feb 10 14:54 /
And make sure that the home folder for my user exists

Copy files over SSH failed "Error: Cannot parse privateKey: Unsupported key format."

I'm trying to copy files over SSH. I'm using the same SSH Service Connection and it's just fine with other SSH tasks, but copying files seems to run into trouble. Here's what it looks like when I monitor for user logins:
sshd[32240]: Accepted publickey for azurePPL1 from 13.69.175.211 port 1984 ssh2: ECDSA SHA256:0...
and this seems to be fine, but it's not?
Here's the error Azure Pipelines is throwing:
Error: Failed to connect to remote machine. Verify the SSH service connection details. Error: Cannot parse privateKey: Unsupported key format.
Now I would've suspected my SSH Service Connection configuration, but since other SSH tasks work I'm not sure what it could be.
Any help is appreciated.
Using the same SSH Service Connection and it's just fine with other
SSH tasks but copying files seems to run into trouble
Since other SSH tasks all work with the same SSH Service Connection and just Copy Files over SSH has failed, it means there's no error in your SSH key pair and connection. In fact, the issue is related to the parser used in the Copy Files over SSH task.
See the function in the script of the copy file task, which is open source on GitHub: function run in CopyFileOverSSH.ts, and the definition of class SshHelper: sshhelper.ts. In fact, the Copy Files over SSH task uses the ssh2 npm package for the SSH connection and verification, and the error message you are facing is coming from there. The copy file task itself does not do any key parsing.
About key parsing, see this source file: keyParser.js. Go to line 1447, and you will see that it is the error message you received in the Azure DevOps task.
As far as I know, the task from v0.148 uses ssh2 library v0.8, but the ssh2 library has now been updated to v0.8.5.
So to solve this issue, please regenerate the key pair with the command ssh-keygen -t rsa -m PEM, to force ssh-keygen to export in PEM format. Then the key can work in the copy file task.
It's now clear that the Azure task is using an old version of ssh2 where Ed25519 keys are not supported, which results in this issue, so I'll just have to use RSA for now.
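To check which of the two properties this thread turns on (container format and key type) a key file actually has before it goes into the service connection, the following added example, which is not code from the Azure task or from ssh2, reads the PEM label and, for the OpenSSH container, the unencrypted header fields. The function names and the header-only sample key are constructed for the example.

```javascript
// Added example: classify an SSH private key by container and key type.
// Only Node's global Buffer is used; none of this is code from ssh2.
const MAGIC = 'openssh-key-v1\0';

// Read one SSH string (uint32 big-endian length, then bytes) at `off`.
function readString(buf, off) {
  if (off + 4 > buf.length) throw new Error('truncated length field');
  const end = off + 4 + buf.readUInt32BE(off);
  if (end > buf.length) throw new Error('truncated string');
  return { value: buf.subarray(off + 4, end), next: end };
}

function describePrivateKey(text) {
  const m = /-----BEGIN ([A-Z0-9 ]+)-----([\s\S]*?)-----END \1-----/.exec(text);
  if (!m) return { container: 'unknown' };
  const [, label, body] = m;
  if (label !== 'OPENSSH PRIVATE KEY') {
    // Traditional PEM ("RSA PRIVATE KEY", "EC PRIVATE KEY") or PKCS#8.
    const encrypted = label.includes('ENCRYPTED') || body.includes('Proc-Type: 4,ENCRYPTED');
    return { container: 'PEM', label, encrypted };
  }
  const blob = Buffer.from(body.replace(/\s+/g, ''), 'base64');
  if (blob.subarray(0, MAGIC.length).toString('latin1') !== MAGIC) {
    throw new Error('missing openssh-key-v1 magic');
  }
  // Layout: magic, cipher name, KDF name, KDF options, key count, public key.
  const cipher = readString(blob, MAGIC.length);
  const kdf = readString(blob, cipher.next);
  const kdfOptions = readString(blob, kdf.next);
  const pub = readString(blob, kdfOptions.next + 4); // +4 skips the key count
  const keyType = readString(pub.value, 0).value.toString('ascii');
  const encrypted = cipher.value.toString('ascii') !== 'none';
  return { container: 'OpenSSH', keyType, encrypted };
}

// Helpers that build a constructed sample (zeroed public key, no private part).
function sshString(data) {
  const body = Buffer.from(data);
  const len = Buffer.alloc(4);
  len.writeUInt32BE(body.length);
  return Buffer.concat([len, body]);
}

function sampleOpenSshHeader() {
  const pub = Buffer.concat([sshString('ssh-ed25519'), sshString(Buffer.alloc(32))]);
  const blob = Buffer.concat([Buffer.from(MAGIC, 'latin1'), sshString('none'),
    sshString('none'), sshString(''), Buffer.from([0, 0, 0, 1]), sshString(pub)]);
  return `-----BEGIN OPENSSH PRIVATE KEY-----\n${blob.toString('base64')}\n-----END OPENSSH PRIVATE KEY-----\n`;
}

console.log(describePrivateKey(sampleOpenSshHeader()));
```

Run it against the text of the private key on a trusted machine; only the label and header fields are read, and the key material is never printed.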

How to solve SunCertPathBuilderException when trying to install Software in Eclipse via Marketplace?

I'm trying to install some software in Eclipse 2018-12 via its Marketplace.
On trying to do so, I keep getting the same error:
Unable to read repository at http://download.eclipse.org/releases/2018-12.
Unable to read repository at https://download.eclipse.org/technology/epp/packages/2018-12/content.xml.
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
The company I am currently working with has a proxy active. If that's what causes this issue (which I am not sure of), how would I bypass it in Eclipse? I tried a manual network connection with a proxy bypass, but to no avail.
Any help or ideas?
I tried many solutions, and found one available at https://confluence.atlassian.com/kb/how-to-import-a-public-ssl-certificate-into-a-jvm-867025849.html that solved my problem.
In that case, I used the KeyStore Explorer tool and generated the certificate.
1. Download KeyStore Explorer and install it.
2. Open the application (Run as administrator) and go to Examine => Examine SSL.
3. On the Connection Settings screen => SSL Host: google.com / SSL Port: 443 => Click "OK".
4. In the certificate, click on "PEM" and "Export".
5. Save as "public.crt".
6. Click the "Open an existing KeyStore" button => C:\Program Files\Java\jdk1.8.0_261\jre\lib\security\cacerts (JDK).
7. Enter the password: changeit
8. In Tools => Import trusted certificate => Select the public.crt file => Click "OK".
9. Save the "cacerts" file.
10. Repeat steps 6 through 9 for the JRE (C:\Program Files\Java\jre1.8.0_261\lib\security\cacerts).
11. Restart your PC.
References:
https://confluence.atlassian.com/kb/unable-to-connect-to-ssl-services-due-to-pkix-path-building-failed-error-779355358.html
https://confluence.atlassian.com/kb/connecting-to-ssl-services-802171215.html
If you are using a https url, change it to http url (just remove 's') and try.
In my case 'https://dl.bintray.com/fabioz/pydev/8.0.0/' was throwing cert error, but changing it to 'http://dl.bintray.com/fabioz/pydev/8.0.0/' worked fine.
In my case, I could not open Eclipse Marketplace and got the same error reported in the question of this thread. I was able to solve this problem by getting instructions from the admin since I am connected using VPN. If I disconnect the VPN, it will work without any problem. I am using Eclipse Version: 2022-09 (4.25.0) - Build id: 20220908-1902.
Steps (Windows):
1. Get the certificate definition files and store them under this folder, for example: <user-home>\.certificates\my-certs.pem. If you have more than one certificate, combine the definitions in this file my-certs.pem. In my case I was provided two certificates; they are XXXROOTCA and XXXCERTnn.
If you have more than one certificate, store each in a separate file in the same folder, for example file1.crt and file2.crt.
2. From the command line with admin rights, use the Java keytool to import the certificates:
%JAVA_HOME%\bin\keytool -import -alias XXXROOTCA -file %HOME%\.certificates\file1.crt -cacerts
%JAVA_HOME%\bin\keytool -import -alias XXXCERTnn -file %HOME%\.certificates\file2.crt -cacerts
Note: Make sure to associate the certificate alias with the correct file in the above command lines.
3. You may have to pass the password for the above command lines. Add the parameter -storepass changeit if the password is still the default, changeit, and you didn't change it.
For NodeJS, execute the following command (if required):
setx NODE_EXTRA_CA_CERTS %HOME%\.certificates\my-certs.pem
Now you should be able to open Eclipse Marketplace.

Execute remote PowerShell script from VSOnline fails - Access Denied

I am facing a very strange issue trying to run a Remote PowerShell script from the new build system of Visual Studio Online.
Context:
I have a Build server that I host on my own VM. I have also created a second VM where I want the PowerShell script to be run on.
When I run a build from the Build server, I want to create a task that runs a PowerShell script on a remote machine. Sounds easy.
Both machines have everything configured to run the Remote PowerShell. (I think)
Problem:
If I manually run the script from the build server, the script is properly executed on my remote machine.
But, if I run the script by starting a new build, it doesn't work, I always get an error message
New-PSSession : [xxx.cloudapp.net] Connecting to remote server xxx.cloudapp.net failed with the following error message : Access is denied. For more information, see the about_Remote_Troubleshooting Help topic.
Have you faced this issue before with VSOnline?
This can happen if there isn't a trust relationship between the remote machine and the build machine. E.g. you could look at the hosts.equiv file on the remote machine and make sure it trusts the build machine.
If that doesn't help then more info might be needed, like how you're trying to sign in, what build agent account you're running as.
Guy

Problems using teamcity command line to perform ssh remote login

I was wondering if anyone has tried using TeamCity's command line builder to perform SSH remote login.
Right now, I would like to automate some testing on a QNX Neutrino OS, which is currently unsupported by TeamCity. As a workaround, I set up an SSH server on the target QNX machine so I could ssh and sftp the executables in.
Firstly, the sources are compiled on Windows XP using QNX's compiler (based on g++), followed by sftp-ing the executables into QNX Neutrino.
Next, using ssh, I script the login to remotely start the test apps and send the results back to the remote agent for publishing.
The batch script I created works well standalone; however, after hooking it up on the remote agent, it fails to log in over ssh and hangs indefinitely at the following command:
ssh -l "./.sh"
Notes:
I have added the remote agent's RSA public key to the QNX .ssh/authorized keys file, and automatic login is working.
Is there a need to add the TeamCity server's RSA public key too?
Does anyone have any idea about this problem?
I had a few weird problems with key-based SSH logins on QNX related to file permissions for the keys in .ssh and permissions of parent folders (/home/username and /root).
Add
LogLevel DEBUG3
to /etc/openssh/sshd_config, make sure syslog is configured and is logging sshd output, restart sshd and try again - it will most likely complain about something.
Also, ssh -l "./.sh" makes no sense - -l is used to specify the user name, something is off there.