[Question]: CodeSign not working
Marhoon opened this issue · 2 comments
Marhoon commented
Question
Hi, my app with codesign is not working. Any advice?
Content-Type: application/json; charset=utf-8
Expires: -1
Content-Length: 779
Azure.RequestFailedException: Caller is not authorized to perform action on resource.
If role assignments, deny assignments or role definitions were changed recently, please observe propagation time.
Caller: appid=***;oid=47a469d1-3936-4451-a76e-3602ee4f7077;iss=https://sts.windows.net/***/
Action: 'Microsoft.KeyVault/vaults/certificates/read'
Resource: '/subscriptions/***/resourcegroups/dynamics-rg/providers/microsoft.keyvault/vaults/businesscentral-keys/certificates/codesign'
Assignment: (not found)
DenyAssignmentId: null
DecisionReason: null
Vault: BusinessCentral-Keys;location=westeurope
Status: 403 (Forbidden)
ErrorCode: Forbidden
Content:
{"error":{"code":"Forbidden","message":"Caller is not authorized to perform action on resource.\r\nIf role assignments, deny assignments or role definitions were changed recently, please observe propagation time.\r\nCaller: appid=***;oid=47a469d1-3936-4451-a76e-3602ee4f7077;iss=https://sts.windows.net/***/\r\nAction: 'Microsoft.KeyVault/vaults/certificates/read'\r\nResource: '/subscriptions/***/resourcegroups/dynamics-rg/providers/microsoft.keyvault/vaults/businesscentral-keys/certificates/codesign'\r\nAssignment: (not found)\r\nDenyAssignmentId: null\r\nDecisionReason: null \r\nVault: BusinessCentral-Keys;location=westeurope\r\n","innererror":{"code":"ForbiddenByRbac"}}}
Headers:
Cache-Control: no-cache
Pragma: no-cache
x-ms-keyvault-region: westeurope
x-ms-client-request-id: 45d04324-8a11-49cd-97c2-37bc00f06ae3
x-ms-request-id: 2185af38-58a1-4ce4-a58f-793af9fb9f43
x-ms-keyvault-service-version: 1.9.1864.2
x-ms-keyvault-network-info: conn_type=Ipv4;addr=74.249.7.127;act_addr_fam=InterNetwork;
X-Content-Type-Options: REDACTED
Strict-Transport-Security: REDACTED
Date: Sat, 30 Nov 2024 14:54:19 GMT
Content-Type: application/json; charset=utf-8
Expires: -1
Content-Length: 779
at Azure.Security.KeyVault.KeyVaultPipeline.SendRequestAsync(Request request, CancellationToken cancellationToken)
at Azure.Security.KeyVault.KeyVaultPipeline.SendRequestAsync[TResult](RequestMethod method, Func`1 resultFactory, CancellationToken cancellationToken, String[] path)
at Azure.Security.KeyVault.Certificates.CertificateClient.GetCertificateAsync(String certificateName, CancellationToken cancellationToken)
at Sign.SignatureProviders.KeyVault.KeyVaultService.GetCertificateWithPolicyAsync(CancellationToken cancellationToken) in /_/src/Sign.SignatureProviders.KeyVault/KeyVaultService.cs:line 82
at Sign.SignatureProviders.KeyVault.KeyVaultService.GetCertificateAsync(CancellationToken cancellationToken) in /_/src/Sign.SignatureProviders.KeyVault/KeyVaultService.cs:line 51
at Sign.Core.Signer.SignAsync(IReadOnlyList`1 inputFiles, String outputFile, FileInfo fileList, DirectoryInfo baseDirectory, String applicationName, String publisherName, String description, Uri descriptionUrl, Uri timestampUrl, Int32 maxConcurrency, HashAlgorithmName fileHashAlgorithm, HashAlgorithmName timestampHashAlgorithm) in /_/src/Sign.Core/Signer.cs:line 77
Applying settings from D:\a\Dynamics-Library\Dynamics-Library\.github\AL-Go-Settings.json
Applying settings from D:\a\Dynamics-Library\Dynamics-Library\.AL-Go\settings.json
No settings found in D:\a\Dynamics-Library\Dynamics-Library\.github\CICD.settings.json
No settings found in D:\a\Dynamics-Library\Dynamics-Library\.AL-Go\CICD.settings.json
No settings found in D:\a\Dynamics-Library\Dynamics-Library\.AL-Go\Marhoon.settings.json
Enabling Microsoft telemetry...
Error: Process completed with exit code 1.
jonaswre commented
Hey, I think your issue is that the Application that's trying to access the keys doesn't have the proper rights assigned. Contributor permissions are not sufficient; they only allow you to "access" the keyvault but not the secrets. You have to assign the secret/certificate user/reader permissions.
aholstrup1 commented
As suggested by @jonaswre it looks like your App Registration doesn't have enough permissions. Please try setting up the permissions mentioned here: https://github.com/microsoft/AL-Go/blob/main/Scenarios/Codesigning.md
If it still doesn't work, please reopen the issue :) We'd be happy to help.
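A triage helper for the 403 in the log above, added here as an example and not part of the thread or of AL-Go: it parses the `ForbiddenByRbac` body, trims the resource id to the vault scope, and builds an `az role assignment list` command to confirm what the calling principal actually holds. The function names and the `<SUBSCRIPTION-ID>` placeholder are assumptions; the sample body is constructed from the posted log.

```python
import json
import re

# Constructed sample: the JSON body from the log above, shortened. The page
# masks the subscription id, so a labelled placeholder stands in for it.
SAMPLE_BODY = json.dumps({"error": {"code": "Forbidden", "message": (
    "Caller is not authorized to perform action on resource.\r\n"
    "Caller: appid=***;oid=47a469d1-3936-4451-a76e-3602ee4f7077;iss=https://sts.windows.net/***/\r\n"
    "Action: 'Microsoft.KeyVault/vaults/certificates/read'\r\n"
    "Resource: '/subscriptions/<SUBSCRIPTION-ID>/resourcegroups/dynamics-rg/providers/"
    "microsoft.keyvault/vaults/businesscentral-keys/certificates/codesign'\r\n"
    "Assignment: (not found)\r\nDenyAssignmentId: null\r\n"),
    "innererror": {"code": "ForbiddenByRbac"}}})

def parse_denial(body: str) -> dict:
    """Split a Key Vault 403 body into its 'Key: value' fields."""
    err = json.loads(body)["error"]
    fields = {"inner": err.get("innererror", {}).get("code")}
    for line in err["message"].splitlines():
        key, sep, value = line.partition(": ")
        if sep and " " not in key:  # skip the free-text sentences
            fields[key] = value.strip().strip("'")
    m = re.search(r"oid=([0-9a-f-]{36})", fields.get("Caller", ""))
    fields["oid"] = m.group(1) if m else None
    return fields

def vault_scope(resource: str) -> str:
    """Trim the object path so the scope ends at the vault itself."""
    m = re.match(r"(/subscriptions/.+?/vaults/[^/]+)", resource, re.I)
    if not m:
        raise ValueError("not a Key Vault resource id")
    return m.group(1)

def triage(body: str) -> dict:
    """Classify the denial and build a command that lists the caller's roles."""
    f = parse_denial(body)
    if f["inner"] != "ForbiddenByRbac":
        cause = "not an RBAC denial"
    elif f.get("DenyAssignmentId", "null") != "null":
        cause = "blocked by a deny assignment"
    elif f.get("Assignment") == "(not found)":
        cause = "no role assignment grants this data action"
    else:
        cause = "undetermined; see the propagation note in the message"
    scope = vault_scope(f["Resource"])
    check = (f"az role assignment list --assignee {f['oid']} "
             f"--scope {scope} --include-inherited -o table")
    return {"oid": f["oid"], "action": f["Action"], "scope": scope,
            "cause": cause, "check": check}
```

`Microsoft.KeyVault/vaults/certificates/read` is a data-plane action, which is why a role that only carries management-plane actions on the vault leaves `Assignment: (not found)` in this error.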