
How to manually set password for MSBuild sign target?

We are building an Outlook plugin in C#. It is built without problems in VS and signed with a temporary pfx certificate. We want to put the build process in Jenkins and have it run automatically.

We tried to run the VS solution with MSBuild. It works great on the development machine but in Jenkins there is an error:

Cannot import the following key file: OutlookPlugin_TemporaryKey.pfx. The key file may be password protected. To correct this, try to import the certificate again or manually install the certificate to the Strong Name CSP with the following key container name: VS_KEY_A688DC31A30F3EF1

We don't know how to specify the pfx password for the automated build. Or otherwise automate the sign process.

One solution we found was to open the project in VS on the same machine and as the same user as for the automated process and type the password. This doesn't work, probably because Jenkins wipes out the workspace every time. If we try to compile without signing and then sign it afterwards, it complains that a ClickOnce assembly must be signed. It seems that Office plugins must use ClickOnce.

So, how to specify the pfx password somewhere in the build file?

We use VS 2010 with Office Tools.

alexsimi asked Nov 03 '22 16:11


2 Answers

Create a file (either local or on a well known network share) containing the password as a property and reference that from the MSBuild script. Set permissions on the file such that only the build account can read that file. Note that anyone with admin access to the build machine or that knows the build account password will be able to read the password. Ultimately, there is no silver bullet here. If MSBuild can find/decrypt/whatever the password, a human will be able to, too.

If you are concerned about the security of the private key, consider separating the signing to a separate step and storing the private key on a smartcard. It may be overkill but it is one of the best, commonly available protections available.

Otherwise, just add the password as a property. As you know the project files are just MSBuild scripts. For example:

<PropertyGroup>
    <PfxPassword>password</PfxPassword>
</PropertyGroup>

<!-- Sample sign task -->
<SignTask>
    <File>MyOutlookPlugin.dll</File>
    <KeyFile>OutlookPlugin_TemporaryKey.pfx</KeyFile>
    <Password>$(PfxPassword)</Password>
</SignTask>

See http://msdn.microsoft.com/en-us/library/ms171458(v=vs.80).aspx for more information about MSBuild properties.

akton answered Nov 10 '22 14:11
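
One way to set up the restricted password file described in the answer above, as an added example that is not part of the original answer: a PowerShell script that creates the file outside the Jenkins workspace, restricts its ACL before the secret is written, and verifies the result. The path C:\BuildSecrets\signing.props and the account BUILDHOST\svc-jenkins are assumed placeholders; the project would then pull the property in with <Import Project="C:\BuildSecrets\signing.props" />.

```powershell
# Added example: the path and account name are hypothetical placeholders.
# Run from an elevated session on the build machine.
param(
    [string]$PropsPath    = 'C:\BuildSecrets\signing.props',
    [string]$BuildAccount = 'BUILDHOST\svc-jenkins'
)
$ErrorActionPreference = 'Stop'
$adminsSid = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators
$sidType   = [System.Security.Principal.SecurityIdentifier]

# Keep the file outside the Jenkins workspace so a workspace wipe does not
# delete it and it is never checked in next to the .pfx.
New-Item -ItemType Directory -Path (Split-Path -Parent $PropsPath) -Force | Out-Null
New-Item -ItemType File -Path $PropsPath -Force | Out-Null

# Lock the empty file down before the secret is written: remove inherited
# ACEs, then grant read to the build account and full control to admins.
icacls $PropsPath /inheritance:r /grant:r "${BuildAccount}:(R)" "*${adminsSid}:(F)" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }

# Verify the result: any other principal with an Allow entry is an error.
$ntAccount = New-Object System.Security.Principal.NTAccount($BuildAccount)
$buildSid  = $ntAccount.Translate($sidType).Value
$rules     = (Get-Acl -Path $PropsPath).GetAccessRules($true, $true, $sidType)
$unexpected = @($rules | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    @($buildSid, $adminsSid) -notcontains $_.IdentityReference.Value })
if ($unexpected.Count -gt 0) {
    $names = ($unexpected | ForEach-Object { $_.IdentityReference.Value }) -join ', '
    throw "Unexpected access to ${PropsPath}: $names"
}

# Prompt for the password, XML-escape it and store it as an MSBuild property.
# Note: MSBuild itself treats % $ @ ; specially inside property values.
$secure  = Read-Host -Prompt 'PFX password' -AsSecureString
$plain   = (New-Object System.Net.NetworkCredential('', $secure)).Password
$escaped = [System.Security.SecurityElement]::Escape($plain)
@"
<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <PropertyGroup>
    <PfxPassword>$escaped</PfxPassword>
  </PropertyGroup>
</Project>
"@ | Set-Content -Path $PropsPath -Encoding UTF8
```

As the answer notes, local administrators can still read the file; the ACL only keeps other non-admin accounts and other build jobs out.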


We were having issues building the project with MSBuild and Bamboo. The fix for us was to remove the following line from the .csproj file.

<AssemblyOriginatorKeyFile>applicationcert.pfx</AssemblyOriginatorKeyFile>

Mr.O answered Nov 10 '22 13:11