
We have a Docker image that we use to build our Visual Studio solutions. This works great. Now we have some solutions that require a key. To install the key you use sn.exe, but Microsoft has gone to great lengths to make sure human input is needed, namely the password.

The image is based off `FROM microsoft/dotnet-framework:3.5`.

I tried several tricks, especially from this Stack Overflow thread: Auto-entering Password In Sn.exe

The last answer is mine (Thomas Rijsewijk). At least I have a working way to install the key automatically, but somehow SendWait doesn't work in Docker, or Docker for Windows, or the microsoft/dotnet-framework:3.5 Docker image.

```powershell
# ---------
# Import all certificates in C:\keys
# ---------
# Load Windows Forms so that SendKeys is available
[void][System.Reflection.Assembly]::LoadWithPartialName("System.Windows.Forms")
[System.Windows.Forms.SendKeys]::SendWait("hello")
```

When I run this I get "Access Denied":

```
Exception calling "SendWait" with "1" argument(s): "Access is denied"
At K:\install-certificates.ps1:51 char:1
+ [System.Windows.Forms.SendKeys]::SendWait("hello")
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : Win32Exception
```

As an alternative I tried SendKeys() from WScript.Shell:

```powershell
$wshell = New-Object -com wscript.shell;
Sleep 5;
$wshell.sendkeys("test");
```

Again, this works perfectly on my machine (Windows 10 up to date) and an up to date Windows 2016 server. But NOT inside the docker image: nothing happens, no error but it's not entering "test" either.

There's a lot of talk about automating PowerShell, but basically I don't really care HOW I install the certificate when building my Docker image, I just want it installed. I install the certificate locally using:

```powershell
Start-Process "C:\Program Files (x86)\Microsoft SDKs\Windows\v7.0A\Bin\sn.exe" -ArgumentList "-i `"D:\key.pfx`" VS_KEY_XXXXXXXX" -NoNewWindow;
```

At this point, it asks for a password which makes it impossible to use with docker build.

I did a whole lot of searching on Google and SO, I'm surprised to see that nobody else tried to install a key using sn.exe.

PS: Yes, I know VS_KEY_XXXXXXXX is not a valid VS_KEY. I already have a working mechanism for extracting the right VS_KEY, but that's out of scope of this question.

PPS: Yes, I know I could manually run the docker, install the certificate and manually commit and push the changes. But naturally, I want it to originate from my Dockerfile.

  • `Access Denied` sounds like you aren't running with proper privileges. – Maximilian Burszley Jan 02 '18 at 13:59
  • All you are trying to do is to import a PFX into the certificate store, or is SN.exe doing more than that? There are multiple proper ways to deal with this issue unless SN.exe is somehow uniquely required – Gregory Suvalian Jan 02 '18 at 14:07
  • @TheIncorrigible1 The user within the docker container is the so-called `containeradministrator`. Docker does not have UAC. Do you have a suggestion for me how to check for the proper privileges? – Thomas Rijsewijk Jan 03 '18 at 13:42
  • @GregorySuvalian Basically, yes. AFAIK SN.exe is uniquely required because it accepts a VS_KEY, which is a unique container Id for MSBuild/Visual Studio. But if you know another way, please! – Thomas Rijsewijk Jan 03 '18 at 13:44
  • Try `Import-PfxCertificate -FilePath "D:\key.pfx" -Password (ConvertTo-SecureString -String "VS_KEY_XXXXXXXX" -Force -AsPlainText)` – Gregory Suvalian Jan 03 '18 at 14:29
  • @GregorySuvalian sorry to warm up this old thread... I'm at the point where I want to run this exact command in my Dockerfile, but how do I get the password into the container at build time? It seems ENV is not secure since the values are persisted. – Thomas Kappler Feb 26 '18 at 04:01
  • You usually don't bake Certificates into image. Instead you import them at runtime – Gregory Suvalian Feb 26 '18 at 12:56
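
The runtime import suggested in the comments above, as an added example that is not part of the original thread: a start-up script that reads the PFX password from a file mounted when the container runs, so the password never lands in `ENV`, `ARG` or an image layer. The script name, the `C:\secrets` paths and the `LocalMachine\My` store are assumptions, and it covers only the certificate-store import with `Import-PfxCertificate`, not the `VS_KEY` container registration that `sn.exe -i` performs.

```powershell
# import-key-at-start.ps1 (hypothetical name; added example, not from the thread)
#
# Avoided pattern: "ENV PFX_PASSWORD=..." in the Dockerfile. The value is
# stored in the image configuration and is readable by anyone who can pull
# the image and run "docker inspect" on it.
#
# Assumed invocation (host path and image name are placeholders):
#   docker run -v C:\build-secrets:C:\secrets <image> powershell -File C:\import-key-at-start.ps1
param(
    [string]$PfxPath       = 'C:\secrets\key.pfx',
    [string]$PasswordPath  = 'C:\secrets\key.pfx.password',
    [string]$StoreLocation = 'Cert:\LocalMachine\My'
)

$ErrorActionPreference = 'Stop'

function Import-BuildKey {
    param([string]$PfxPath, [string]$PasswordPath, [string]$StoreLocation)

    # Fail early with a clear message when the secrets were not mounted.
    foreach ($path in $PfxPath, $PasswordPath) {
        if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
            throw "Secret file '$path' not found. Mount it at run time; do not COPY it into the image."
        }
    }

    # Read the password from the mounted file and strip only the trailing newline.
    $plain  = (Get-Content -LiteralPath $PasswordPath -Raw).TrimEnd("`r", "`n")
    $secure = ConvertTo-SecureString -String $plain -AsPlainText -Force
    Remove-Variable -Name plain

    # Non-interactive import: the password is passed as a SecureString,
    # so no prompt appears and no SendKeys automation is needed.
    $cert = Import-PfxCertificate -FilePath $PfxPath `
                                  -CertStoreLocation $StoreLocation `
                                  -Password $secure
    return $cert.Thumbprint
}

$thumbprint = Import-BuildKey -PfxPath $PfxPath -PasswordPath $PasswordPath -StoreLocation $StoreLocation
Write-Host "Imported certificate $thumbprint into $StoreLocation"
```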

0 Answers