Strange behaviour with secure variables

Jonathan Ruckert's Avatar

Jonathan Ruckert

14 Jan, 2015 01:57 AM


I've just tried using a secure variable within a deployment to sign using a PFX File and have found that the variable is not unencrypted when we try to use it. I have followed the instructions, used the encrypted variable in the YML file, and can see that this encrypted value is set to the specific Registry Key we define during pre-build.

  - ps: New-Item -path HKCU:\SOFTWARE\Company
  - ps: New-ItemProperty -path HKCU:\SOFTWARE\Company -Name PfxPassword -Value $env:pfx_password
  - ps: .\prebuild.ps1

    secure: qMVfHlrRIYtmDMiMGKvgAA==

When it attempts to install the PFX certificate it always comes back with the "Incorrect Password" message.

I have confirmed locally and on other machines using the same powershell (but with the unencrypted password) that it works as expected.

What are we doing wrong?


  1. Support Staff 1 Posted by Feodor Fitsner on 14 Jan, 2015 02:33 AM

    Feodor Fitsner's Avatar

    Secure variables are not decrypted for pull request builds. Also make sure you don't have this environment variable defined on Environment tab of project settings.


  2. 2 Posted by Jonathan Rucker... on 14 Jan, 2015 02:39 AM

    Jonathan Ruckert's Avatar

    Thanks for the tip, that makes sense.

    Also any advice on how to get around this using your build environment? Traditionally we would login to the build server as the Build Service account and then run

    sn -I MyTestSign.pfx CONTAINER_NAME, but I cannot seem to get this to work automatically as it will prompt for a password afterwards.

    error MSB3325: Cannot import the following key file: MyTestSign.pfx. The key file may be password protected. To correct this, try to import the certificate again or manually install the certificate to the Strong Name CSP with the following key container name: VS_KEY_3F27084759A614F1

  3. Support Staff 3 Posted by Feodor Fitsner on 14 Jan, 2015 03:03 AM

    Feodor Fitsner's Avatar

    Looks like the answer:

    So, if sn accepts password from STDIN then it either:

    echo %password% | sn ...


    sn ... < file_with_a_password.txt

    Give it a try.

  4. 4 Posted by Jonathan Rucker... on 14 Jan, 2015 03:39 AM

    Jonathan Ruckert's Avatar

    Yeah, unfortunately this method does not work, the error is:

    "Console input may not be redirected for password entry."

    I'll try a couple of other methods, has anyone else had a similar issue when using strong name signing within your environment?

  5. Support Staff 5 Posted by Feodor Fitsner on 14 Jan, 2015 03:55 AM

    Feodor Fitsner's Avatar

    Haven't dealt with that yet. Maybe you can use PFX without password (you can put entire base-64 PFX body into secure environment variable). Alternatively, I think you can "reset" its password by importing it to local certificate store and then exporting again, but without password :)

  6. 6 Posted by Jonathan Rucker... on 14 Jan, 2015 05:02 AM

    Jonathan Ruckert's Avatar

    Unfortunately removing the password won't really cut the mustard in most PROD deployments, also its a function that is disabled within later versions of Powershell.

    So after 8 hrs of investigations, I've managed to find a solution that can use the password.

    1. Use Import-PFXCertificate with the password param during the before build event.
    2. Note the Thumbprint from the Certificate.
    3. Load up each of the .project files (e.g. .csproj) in notepad that need to be signed.
    4. Remove the reference to <AssemblyOriginatorKeyFile> (important)
    5. Add a reference to <ManifestCertificateThumbprint>
    6. Put the thumbprint inside of this new element (it can contain spaces)

    This will then look for a thumbprint of the current user store/personal for a certificate instead of the physical PFX file.

    I hope this helps someone.


  7. Support Staff 7 Posted by Feodor Fitsner on 14 Jan, 2015 05:49 PM

    Feodor Fitsner's Avatar

    Looks great, thanks for sharing that! Just found another proof of your method:

  8. 8 Posted by Jonathan Rucker... on 28 Jan, 2015 12:04 AM

    Jonathan Ruckert's Avatar

    Just for clarification, it looks like this method does not actually work (although it seems to be happy). (The PublicKeyToken will be null), even though it still compiles).

    After much pain, the only way of doing this properly is to convert the PFX file to a SNK file (using code), and then using this file to then sign the DLL's.

    I hope that this helps someone.

  9. 9 Posted by Ryan on 22 Sep, 2015 12:11 AM

    Ryan's Avatar

    I was running in to an issue with my PFX file (my first time actually using AppVeyor) and came across this script (Or my slightly modified version:

    Which then I can call Before Build:

    .\Build\InstallPfx.ps1 -pfx "$trunk\Shared\madb.pfx" -password ((Get-Item Env:\PFX_KEY).Value) -containerName ((Get-Item Env:\VS_PFX_KEY).Value);

    Where I set PFX_KEY as the password to the PFX and VS_PFX_KEY is the container ID that visual studio supplies in the error message.

  10. Ilya Finkelshteyn closed this discussion on 25 Aug, 2018 02:00 AM.

Comments are currently closed for this discussion. You can start a new one.

Keyboard shortcuts


? Show this help
ESC Blurs the current field

Comment Form

r Focus the comment reply box
^ + ↩ Submit the comment

You can use Command ⌘ instead of Control ^ on Mac