使用受密码保护的代码设计进行 Team Foundation Server 构建失败
我正在尝试在 TFS 2008 上设置持续集成构建。在我想要构建的项目中,我使用密钥进行签名。 该密钥使用密码。 我无法构建它,因为在构建过程中 TFS 希望显示一个无法显示的对话框。 我想我需要在服务器上手动构建项目,但服务器上只安装了TFS资源管理器和构建部分。 关于如何正确构建我的项目有什么建议吗?
这是TFS给出的错误:
C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft.Common.targets(1805,7): 错误 MSB4018:“ResolveKeySource” 任务意外失败。 系统.InvalidOperationException: 显示模式对话框或表单 当应用程序未运行时 用户交互模式无效 手术。 指定 服务通知或 DefaultDesktopOnly 样式显示 来自服务的通知 应用。 在 System.Windows.Forms.Form.ShowDialog(IWin32Window 所有者)在 System.Windows.Forms.Form.ShowDialog() 在 Microsoft.Build.Tasks.ResolveKeySource.ResolveAssemblyKey() 在 Microsoft.Build.Tasks.ResolveKeySource.Execute()
I'm trying to setup a continuous integration build on TFS 2008. In the project I want to build I use a key for signing. This key uses a password. I can't get it to build, because during the build TFS wants to show a dialog which can't be shown. I think I need to build the project by hand on the server, but only the TFS explorer and build parts are installed on the server. Any suggestions on how to get my project to build properly?
This is the error given by TFS:
C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft.Common.targets(1805,7):
error MSB4018: The "ResolveKeySource"
task failed unexpectedly.
System.InvalidOperationException:
Showing a modal dialog box or form
when the application is not running in
UserInteractive mode is not a valid
operation. Specify the
ServiceNotification or
DefaultDesktopOnly style to display a
notification from a service
application. at
System.Windows.Forms.Form.ShowDialog(IWin32Window
owner) at
System.Windows.Forms.Form.ShowDialog()
at
Microsoft.Build.Tasks.ResolveKeySource.ResolveAssemblyKey()
at
Microsoft.Build.Tasks.ResolveKeySource.Execute()
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
此博客下面的帖子详细介绍了具体步骤
设置密钥文件
使用项目属性中的 Visual Studio“签名”选项卡创建受密码保护的私钥/公钥对 (KeyPair.pfx)
从密钥对中提取公钥并将其复制到单独的文件(Key.snk)
sn.exe -p KeyPair.pfx Key.snk
将 KeyPair.pfx 复制到您的构建服务器。 我使用 C:\Program Files\MSBuild\KeyFile.pfx,因为随后可以通过 $(MSBuildExtensionsPath) MSBuild 属性访问它。
将 KeyPair.pfx 文件移动到安全的地方 安全的位置。 密码也要保密。
将 Key.snk 复制到开发人员可以访问的共享位置。
设置用于签名的项目
对于要签名的每个程序集:
设置用于重新签名的测试运行配置
如果您想要检测程序集并为单元测试启用代码覆盖率,则需要指定用于重新签名的密钥文件。
打开 LocalTestRun.testrunconfig 文件
在“代码覆盖率”选项卡上,选择密钥作为重新签名密钥文件
在开发人员工作站上禁用强名称验证
由于您仅使用公钥进行延迟签名,.NET CLR 程序集验证将失败与本地构建的程序集。 当验证失败时,您将无法运行或调试程序集。
为了在开发中克服这个问题,您需要对本地构建的程序集禁用强名称验证,并使用公钥进行延迟签名。
打开 Visual Studio 命令提示符
类型:
sn.exe -tp Key.snk这将输出一些数据,包括令牌。
类型:
sn -Vr *,YOUR_KEY_TOKEN示例:
sn -Vr *,0123456789abcdef这将为使用您的公钥签名的所有程序集禁用强名称验证。
您可以通过以下方式列出强名称验证的当前设置:
sn -Vl
为 Team Build 安装私钥
由于私钥 (Key.pfx) 受密码保护 - Team Build 无法访问它。 感谢 Nagaraju Palla 的博客:在 Team Build 中使用受密码保护的签名密钥< /a>,我们有一个解决方案。
以构建服务帐户登录 Team Build 服务器
在 Visual Studio 中打开项目
在 Visual Studio 中构建项目
系统将提示您输入私钥文件的密码。
输入密码
关闭 Visual Studio & 注销
私钥文件现已安装在生成服务帐户的本地证书存储中,Team Build 可以访问它,而无需再次提示输入密码。 此证书存储与生成服务帐户的密码一样安全。 (提示:使其与密钥文件的密码一样强)
更新 TFSBuild.proj 构建脚本
Team Build 可以访问私有密钥文件和密码。 这允许它对程序集进行完全签名。
要覆盖项目设置并指示 Team Build 使用私钥文件并禁用部分签名,我们需要在 TFSBuild.proj 中设置 CustomPropertiesForBuild 属性
查看您的 TFSBuild.proj 构建脚本
搜索占位符属性(默认在第 130 行附近)
将其替换为以下内容:
SignAssembly=true;DelaySign=false;AssemblyOriginatorKeyFile=$(MSBuildExtensionsPath)\Key.pfx
签入您的更改
将构建排队
验证 Team Build 输出
要检查 Team Build 是否已正确强命名您的程序集,您可以使用 sn.exe 实用程序来验证强名称签名。
打开 Visual Studio 命令提示符
类型:
sn.exe -vf assemblyname.dll
您还可以同时验证所有程序集:
打开 Visual Studio 命令提示符
类型:
FOR %a IN (*.dll) DO sn.exe -vf %a
This blog post below details the exact steps
Setup Key Files
Create a password-protected private/public key pair (KeyPair.pfx) using the Visual Studio “Signing” tab within a project’s properties
Extract the public key from the key pair and copy it to a separate file (Key.snk)
sn.exe -p KeyPair.pfx Key.snk
Copy the KeyPair.pfx to your build server. I use C:\Program Files\MSBuild\KeyFile.pfx, because it can then be accessed by the $(MSBuildExtensionsPath) MSBuild property.
Move the KeyPair.pfx file to a safe & secure location. Keep the password secret as well.
Copy the Key.snk to a shared location where your developers can access it.
Setup Projects for Signing
For each assembly that you want to sign:
Setup Test Run Configuration for Re-Signing
If you want to instrument your assemblies and enable Code Coverage for your unit tests, then you need to specify a key file for re-signing.
Open the LocalTestRun.testrunconfig file
On the Code Coverage tab, select the key as the Re-Signing key file
Disable Strong-Name Verification on Developer Workstations
Since you are delay-signing with only the public key, .NET CLR assembly verification will fail with assemblies built locally. When the verification fails you won’t be able to run or debug the assemblies.
To overcome this in development, you need to disable strong-name verification for assemblies that you build locally and delay-sign with your public key.
Open a Visual Studio Command Prompt
Type:
sn.exe -tp Key.snkThis will output some data including the token.
Type:
sn -Vr *,YOUR_KEY_TOKENexample:
sn -Vr *,0123456789abcdefThis will disable strong name verification for all assemblies signed with your public key.
You can list current settings for strong name verification with:
sn -Vl
Installing the Private Key for Team Build
Since the private key (Key.pfx) is password protected – Team Build cannot access it. Thanks to Nagaraju Palla’s Blog: Using Password Protected Signing Keys in Team Build, we have a solution.
Logon to the Team Build server as the build service account
Open the project in Visual Studio
Build the project in Visual Studio
You will be prompted for the password to the private key file.
Enter the password
Close Visual Studio & Log off
The private key file is now installed in the build service account’s local certificate store and Team Build can access it without prompting for the password again. This certificate store is as secure as the build service account’s password. (Hint: Make it just as strong as your keyfile’s password)
Updating TFSBuild.proj Build Script
Team Build has access to the private keyfile and password. This allows it to fully-sign the assemblies.
To override the project settings and instruct Team Build to use the private keyfile and disable partial-signing, we need to set the CustomPropertiesForBuild property in TFSBuild.proj
Check-out your TFSBuild.proj build script
Search for the placeholder property (near line 130 by default)
Replace it with the following:
SignAssembly=true;DelaySign=false;AssemblyOriginatorKeyFile=$(MSBuildExtensionsPath)\Key.pfx
Check-in your changes
Queue a build
Verifying Team Build output
To check that Team Build has correctly strongly named your assemblies, you can use the sn.exe utility to verify the strong name signature.
Open a Visual Studio Command Prompt
Type:
sn.exe -vf assemblyname.dll
You can also verify all your assemblies at the same time:
Open a Visual Studio Command Prompt
Type:
FOR %a IN (*.dll) DO sn.exe -vf %a