Trouble building VS2012 project with signed ClickOnce manifest on Jenkins

Question

I'm having trouble building a VS2012 project with a signed ClickOnce deployment manifest. The .pfx certificate used to sign the project is password-protected with a paid-for key. I'm using Jenkins with the MSBuild plugin.

The error that shows up right after BUILD FAILED is:

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Common.targets(2455,5): error MSB3325: Cannot import the following key file: xxxx.pfx. The key file may be password protected. To correct this, try to import the certificate again or manually install the certificate to the Strong Name CSP with the following key container name: VS_KEY_11234A3322194 [C:\Program Files (x86)\Jenkins\jobs\xxxx\workspace\xxxx\xxxx.csproj]

I've tried installing the certificate as a Trusted Root Certificate on my local machine (using certlm.msc) and also tried installing it to the specific container mentioned with sn.exe, but this makes no difference. I've made sure that the Jenkins service is running as a specific user rather than the Local System account.

If I open the project in VS2012, I can build it but only once I've selected the certificate under the Signing tab of the project properties and entered the password. This is even though the .csproj is set to use that specific file to sign the ClickOnce manifest.

I can successfully build the project using MSBuild from the command line as an admin user, but it fails when Jenkins runs the build. I've also tried passing the certificate to Jenkins' MSBuild as the /property:AssemblyOriginatorKeyFile parameter.

Any ideas on what could be causing this?

Answer 1

I have no idea what "Jenkins" is, but I know this about certificates and ClickOnce. The certificate must be installed under the user account that is doing the build. Try importing it and use the defaults, which will import it into the user store, rather than importing it into Trusted Publishers or one of the older folders. You can see it after you import it by running certmgr.msc.

We hit this when doing automated builds on our TFS server. Every year, we have to log into the account that does the builds and import the new signing certificate.