VisualStudio.com can't load the temporary UWP certificate during builds

Question

I set up my Visual Studio Team Service account to clone my private GitHub repo and build the Windows UWP application anytime I queue a build. The cloning works without any issue

Answer 1

I solved this with the "secure files" feature: https://docs.microsoft.com/en-us/azure/devops/pipelines/library/secure-files?view=vsts

1. In the build pipeline, there's a "library" tab. I added the pfx (that's excluded from source control) as a file there.
2. I then added "download secure file" as a build task (https://docs.microsoft.com/en-us/azure/devops/pipelines/tasks/utility/download-secure-file?view=vsts). Note the environment variable in the documentation (currently $env:DOWNLOADSECUREFILE_SECUREFILEPATH)
3. I then added a command line task to move the file to where it was expected. So the command was move %DOWNLOADSECUREFILE_SECUREFILEPATH% FolderOfMyProject

Now it behaves as though the certificate were checked in.

Answer 2

Same issue I met these days, And I finally successfully solved with the help of this post.

Actually we must ensure we had create a test-used .pfx as the developer of UWP ,and followed words shared some helpful solutions I thought:

• Create a test certificate with VS:

  1. In Visual Studio, from Solution Explorer, open Package.appxmanifest
  2. In the App Manifest Designer, choose the Packaging tab, and then choose the Choose Certificate button.
  3. In the Choose Certificate dialog box, expand the Configure Certificate list, and then choose Create test certificate.
  4. In the Create test certificate dialog box, input your info and click the OK button.(Above step description are coming from this ↓)

• Create a certificate with MakeCert,Pvk2Pfx and Certutil tools

  1. MDSN : How to create an app package signing certificate

Hope it can help u!

Answer 3

By default .gitignore ignores any *.pfx file. Therefore it is not added to git. I had the same issue, that the build machine does not has the *_StoreKey.pfx file and therefore the build did not succeed.

For me the solution was to install the *_StoreKey.pfx on the build server. Then building the solution on the build server succeeds.

Answer 4

Had the same issue (error APPX0107: The certificate specified is not valid for signing) and tryed every solution but nothing worked for me. In fact their was a new line after the key name in the .csproj:

<PackageCertificateKeyFile>myCert.pfx
</PackageCertificateKeyFile>

Removed it and it worked.

Answer 5

You can generate a certificate without password assigned.

Or add a PowerShell step in your build definition to import the password protected certificate. Following is the powershell script you can use:

$pfxpath = 'myapp_TemporaryKey.pfx'
$password = 'yourpassword'

Add-Type -AssemblyName System.Security
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
$cert.Import($pfxpath, $password, [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]"PersistKeySet")
$store = new-object system.security.cryptography.X509Certificates.X509Store -argumentlist "MY", CurrentUser
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]"ReadWrite")
$store.Add($cert)
$store.Close()

Remember to set the "Working Folder" to the path where your pfx file placed.

Answer 6

I too was getting the error:

"Cannot import the key file 'blah.pfx'. The key file may be password protected. To correct this, try to import the certificate manually into the current user’s personal certificate store".

You can double click a .pfx file to import it into your store, the trick is that when it brings up the wizard, you have to choose "Current User", instead of "Local Machine" on the first screen, then instead of "Automatic", I specifically chose "Personal".

I was able to build the package after that. Didn't work when I chose "Local Machine" + Personal.