Because the code signing tool requires interaction with the desktop, it requires that you must be logged in (or at least that is my theory). There are techniques to configure processes to run without being logged in, but they all tend to leave the process with no access to the desktop or limited access to the desktop.
You'll need to leave the agent connected to the master from a running desktop session. On Thu, Sep 5, 2019 at 12:53 AM *佳諭* <mycookie...@gmail.com> wrote: > Hi Mark, > Thanks for your reply. > I have follow your suggestion, and add a slave node on the same computer. > Because I can't find the "Jave web start" option in the Launch method, I > create a slave node with "Launch agent by connecting it to the master " > I download the agent.jar then execute the following command in the console > with administrator privilege. > "java -jar agent.jar -jnlpUrl > http://xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/slave-agent.jnlp -screct > xxxxxxx -workDir c:\xxxxx" > Finally, my slave node online. > But if I log out this computer (because this computer is a VM), my slave > node offline (disconnect). > > I hope my code can submit from svn or git then automatically build through > MSBuild which project have post-build event with the ev sign script. > But if I use master node to build , I'll get the error about "No > certificates were found that met all the given criteria". > It seems master node not have enough privilege to interact with desktop > sign application. > If I build a new slave node with "Launch agent by connecting it to the > master ", MSBuild and post-build sign event cant successfully build and > sign code, > but it need to keep the node login. > If I login the vm, the slave node will disconnect. > > Is there any way to keep the slave node online? (and also can have enough > privilege for ev usb token sign) > Thanks for your help. > > > > Mark Waite <mark.earl.wa...@gmail.com> 於 2019年9月5日 週四 上午6:14寫道: > >> >> >> On Wed, Sep 4, 2019 at 4:06 PM Chia-Yu Wu <mycookie...@gmail.com> wrote: >> >>> Hi Mark, >>> I have the same issue with ev sign (usb token) code through jenkins. >>> It work fine if i do ev sign in admin role command line. >>> But if let it auto build and sign through, the jenkins console will show >>> the following error message: >>> >>> "No certificates were found that met all the given criteria" >>> >>> I have read your suggestion, using the agent to "Launch agent via Java >>> Web Start" instead of runnig jenkins as windows service. >>> But I don't have a slave node, my jenkins only have a default master >>> node, I can't config the master node "Launch agent via Java Web Start" >>> >>> Could you help me about this issue? >>> I'll very appreciate your help. >>> >>> >> If you're running the master as a service, then you'll need to add an >> agent which is running on the desktop. The agent can be on the same >> computer where you run the Jenkins master, but the new agent will need to >> be launched from the desktop. >> >> If you're running the master from a command line, then it should work. >> >> Thanks, >> Mark Waite >> >> >>> >>> Mark Waite於 2019年5月9日星期四 UTC+8下午10時59分13秒寫道: >>>> >>>> >>>> >>>> On Thu, May 9, 2019 at 6:13 AM A M <casa...@gmail.com> wrote: >>>> >>>>> Thanks a lot Mark for your quick response! As I understand it the >>>>> goal is to create a slave/agent that will run the code signing directly on >>>>> windows, instead of a service. great idea! >>>>> >>>>> However, I am stuck at step 4, I dond't see the "Launch agent via Java >>>>> Web Start" option. I found a general solution online >>>>> <https://stackoverflow.com/questions/40340097/there-is-no-launch-agent-via-java-web-start-option-in-my-jenkins-when-i-adding>, >>>>> by specifying a concrete or random port in the Global Security TCP >>>>> settings. I tried both, and even restarted Jenkins a couple of times, and >>>>> it doesn't show up. >>>>> >>>>> >>>> I think you are on the right path. That solution is the correct >>>> solution. >>>> >>>> Here are the screen shots that I used to confirm it is working with >>>> Jenkins 2.164.2: >>>> >>>> *Jenkins -> Configure Global Security -> Agents -> Port 50000* >>>> >>>> [image: Annotation 2019-05-09 084830.jpg] >>>> >>>> *Jenkins -> Build Executor Status -> New Node* >>>> >>>> [image: Annotation 2019-05-09 084942.jpg] >>>> >>>> *Node name -> Permanent Agent -> OK* >>>> >>>> [image: Annotation 2019-05-09 085016.jpg] >>>> >>>> Name -> Description -> Remote root directory -> Launch Method "Launch >>>> agent via Java Web Start" >>>> >>>> [image: Annotation 2019-05-09 085149.jpg] >>>> >>>> Mark Waite >>>> >>>> >>>>> I only see 1) Launch agent by connecting it to the master, 2) ... via >>>>> execution of command on the master, 3) ... Let Jenkins control this >>>>> Windows >>>>> slave as a Windows service. >>>>> >>>>> >>>> That likely indicates that you installed the 'windows-slaves' or >>>> 'windows-agents' plugin. You don't need that plugin and generally don't >>>> want it. The technique it uses to start the agent is based on DCOM, is >>>> exceptionally brittle, and is very hard to use. You can (and probably >>>> should) remove the windows-slaves or windows-agents plugin. Agents run on >>>> Windows quite well without needing that plugin. >>>> >>>> >>>>> Also checked if there are any updates of Jenkins, only some unrelated >>>>> plugin-updates are available. Anything else I could check? >>>>> >>>>> Thank you! >>>>> >>>>> Am Mittwoch, 8. Mai 2019 16:05:00 UTC+2 schrieb Mark Waite: >>>>>> >>>>>> >>>>>> >>>>>> On Wednesday, May 8, 2019 at 7:18:31 AM UTC-6, A M wrote: >>>>>>> >>>>>>> hi Mark >>>>>>> >>>>>>> I am struggling with a very similar issue. What exactly do you mean >>>>>>> by your comment and how do I achieve this? >>>>>>> >>>>>>> >>>>>> I said: >>>>>> >>>>>> > Run the Windows agent from the Windows desktop rather than running >>>>>> it from a service which has been allowed to interact with the desktop. >>>>>> >>>>>> The most direct way to implement what I described is to: >>>>>> >>>>>> 1. Login to the Windows desktop machine where code signing will >>>>>> be run >>>>>> 2. Open a web browser to the Jenkins server >>>>>> 3. Create an agent (a node) to represent that Windows computer >>>>>> 4. Configure the agent to "Launch agent via Java Web Start" >>>>>> 5. Define the required agent fields (like a remote root directory >>>>>> - I prefer 'C:\J\' to reduce problems with Windows and long paths) >>>>>> and save >>>>>> the configuration of that agent >>>>>> 6. Download the 'agent.jar' file from the hyperlink on the web >>>>>> page, save it somewhere convenient (like C:\J\agent.jar) >>>>>> 7. Open a command prompt window on the Windows desktop machine >>>>>> and change to the convenient directory C:\J >>>>>> 8. Copy the 'Run from agent command line" from the web page into >>>>>> the command prompt window >>>>>> >>>>>> Thanks for asking! >>>>>> Mark Waite >>>>>> >>>>>> >>>>>>> I want to run the signtool.exe together with the certificate on a >>>>>>> USB token as an AfterPublish job in Jenkins. Jenkins is running as >>>>>>> admin. >>>>>>> Single sign-on is activated for the USB token. Running signtool.exe in >>>>>>> the >>>>>>> admin console works, running the same command through Jenkins >>>>>>> results in the "No certificates were found that met all the given >>>>>>> criteria." error. >>>>>>> >>>>>>> Any help is much appreciated. Thank you! >>>>>>>> >>>>>>>> -- >>>>> You received this message because you are subscribed to the Google >>>>> Groups "Jenkins Users" group. >>>>> To unsubscribe from this group and stop receiving emails from it, send >>>>> an email to jenkins...@googlegroups.com. >>>>> To view this discussion on the web visit >>>>> https://groups.google.com/d/msgid/jenkinsci-users/b92c3356-23da-4368-b6b7-a5fd2906e110%40googlegroups.com >>>>> <https://groups.google.com/d/msgid/jenkinsci-users/b92c3356-23da-4368-b6b7-a5fd2906e110%40googlegroups.com?utm_medium=email&utm_source=footer> >>>>> . >>>>> For more options, visit https://groups.google.com/d/optout. >>>>> >>>> >>>> >>>> -- >>>> Thanks! >>>> Mark Waite >>>> >>> -- >>> You received this message because you are subscribed to the Google >>> Groups "Jenkins Users" group. >>> To unsubscribe from this group and stop receiving emails from it, send >>> an email to jenkinsci-users+unsubscr...@googlegroups.com. >>> To view this discussion on the web visit >>> https://groups.google.com/d/msgid/jenkinsci-users/146b7e42-6bda-48e9-802f-b94c2fa63418%40googlegroups.com >>> <https://groups.google.com/d/msgid/jenkinsci-users/146b7e42-6bda-48e9-802f-b94c2fa63418%40googlegroups.com?utm_medium=email&utm_source=footer> >>> . >>> >> >> >> -- >> Thanks! >> Mark Waite >> >> -- >> You received this message because you are subscribed to the Google Groups >> "Jenkins Users" group. >> To unsubscribe from this group and stop receiving emails from it, send an >> email to jenkinsci-users+unsubscr...@googlegroups.com. >> To view this discussion on the web visit >> https://groups.google.com/d/msgid/jenkinsci-users/CAO49JtGno_CskHqrZBsXPfMm4tzKiGdFNud_k4EoZpErAcUqvA%40mail.gmail.com >> <https://groups.google.com/d/msgid/jenkinsci-users/CAO49JtGno_CskHqrZBsXPfMm4tzKiGdFNud_k4EoZpErAcUqvA%40mail.gmail.com?utm_medium=email&utm_source=footer> >> . >> > -- > You received this message because you are subscribed to the Google Groups > "Jenkins Users" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to jenkinsci-users+unsubscr...@googlegroups.com. > To view this discussion on the web visit > https://groups.google.com/d/msgid/jenkinsci-users/CALFTu7ds%2BBCBfOekLjU7tY%2B7DBfEP7-nx6053CCiAOdz9rVhSQ%40mail.gmail.com > <https://groups.google.com/d/msgid/jenkinsci-users/CALFTu7ds%2BBCBfOekLjU7tY%2B7DBfEP7-nx6053CCiAOdz9rVhSQ%40mail.gmail.com?utm_medium=email&utm_source=footer> > . > -- Thanks! Mark Waite -- You received this message because you are subscribed to the Google Groups "Jenkins Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/CAO49JtFyBKwvLLDpiHKKFxwuum%3D-L5Frt1%2BiXKrHXYc%3D_5NL8Q%40mail.gmail.com.
