Signing randomly fails with "AKV10046: Unable to resolve the key used for signature validation." - but not always! #330

@rathboma

I make Beekeeper Studio, it's an open source SQL GUI desktop app.

I've been having problems recently with keyvault and azuresigntool. Sometimes getting the cert fails, but not always.

Check this build for example:
https://github.com/beekeeper-studio/beekeeper-studio/actions/runs/18598329558/job/53030497402#step:23:712

It successfully signed one file, then goes to get the certificate again to sign the next file, and fails!

trce: AzureSignTool.SignCommand[0]
      Retrieving current version of certificate ***.
trce: AzureSignTool.SignCommand[0]
      Retrieved certificate with Id https://bks-code-signing.vault.azure.net/certificates/***/d3577c9597204e6e910d4b677c7870a4.
trce: AzureSignTool.SignCommand[0]
      Creating context
info: AzureSignTool.SignCommand[0]
      => File: D:\a\beekeeper-studio\beekeeper-studio\apps\studio\dist_electron\win-unpacked\resources\vendor\pagent.exe
      Signing file.
trce: AzureSignTool.SignCommand[0]
      => File: D:\a\beekeeper-studio\beekeeper-studio\apps\studio\dist_electron\win-unpacked\resources\vendor\pagent.exe
      Getting SIP Data
trce: AzureSignTool.SignCommand[0]
      => File: D:\a\beekeeper-studio\beekeeper-studio\apps\studio\dist_electron\win-unpacked\resources\vendor\pagent.exe
      Calling SignerSignEx3 with flags: SIGN_CALLBACK_UNDOCUMENTED
info: AzureSignTool.SignCommand[0]
      => File: D:\a\beekeeper-studio\beekeeper-studio\apps\studio\dist_electron\win-unpacked\resources\vendor\pagent.exe
      Signing completed successfully.
info: AzureSignTool.SignCommand[0]
      Successful operations: 1
info: AzureSignTool.SignCommand[0]
      Failed operations: 0

# (matthew) ^ It signed this file just fine! 

trce: AzureSignTool.SignCommand[0]
      Retrieving current version of certificate ***.
fail: AzureSignTool.SignCommand[0]
      Failed to retrieve certificate *** from Azure Key Vault. Please verify the name of the certificate and the permissions to the certificate. Error message: AKV10046: Unable to resolve the key used for signature validation. EncodedJwtHeader: '***'.
      Status: 401 (Unauthorized)
      ErrorCode: Unauthorized
      
      Content:
      {"error":{"code":"Unauthorized","message":"AKV10046: Unable to resolve the key used for signature validation. EncodedJwtHeader: '***'."}}

This tells me that:

  1. My auth is correct
  2. It can reach keyvault
  3. Something else is going wrong

I'm sort of at a loss here, hoping someone else who uses this tool has some ideas!

Thanks,

Matthew
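
Added example, not part of the original issue and not AzureSignTool code: a small triage script that splits a trace like the one quoted above into one record per certificate retrieval and reports whether Key Vault rejections hit every attempt or only some of them. The marker strings come from the log in the issue; the sample log is constructed and shortened, and the function names and the labels `ok`, `intermittent` and `always-failing` are hypothetical.

```python
import re

# Constructed sample, shortened from the trace format quoted in the issue.
SAMPLE_LOG = """\
trce: AzureSignTool.SignCommand[0]
      Retrieving current version of certificate ***.
info: AzureSignTool.SignCommand[0]
      => File: D:\\build\\vendor\\pagent.exe
      Signing completed successfully.
trce: AzureSignTool.SignCommand[0]
      Retrieving current version of certificate ***.
fail: AzureSignTool.SignCommand[0]
      Failed to retrieve certificate *** from Azure Key Vault. Error message: AKV10046: Unable to resolve the key.
      Status: 401 (Unauthorized)
"""

START = "Retrieving current version of certificate"  # first line of each attempt
AKV_CODE = re.compile(r"\b(AKV\d+)\b")
HTTP_STATUS = re.compile(r"Status:\s*(\d{3})")

def parse_invocations(log):
    """Split a trace into one record per certificate retrieval attempt."""
    runs = []
    for line in log.splitlines():
        text = line.strip()
        if START in text:
            runs.append({"signed": 0, "akv": None, "status": None})
        if not runs:
            continue  # ignore anything before the first attempt
        cur = runs[-1]
        if text == "Signing completed successfully.":
            cur["signed"] += 1
        if m := AKV_CODE.search(text):
            cur["akv"] = m.group(1)
        if m := HTTP_STATUS.search(text):
            cur["status"] = int(m.group(1))
    return runs

def classify(runs):
    """Return 'ok', 'intermittent' (some attempts signed) or 'always-failing'."""
    failed = [r for r in runs if r["status"] in (401, 403)]
    if not failed:
        return "ok"
    succeeded = [r for r in runs if r["signed"] and r["status"] is None]
    return "intermittent" if succeeded else "always-failing"

if __name__ == "__main__":
    print(classify(parse_invocations(SAMPLE_LOG)))
```

Run over a full CI log, the per-attempt records show which retrieval in the sequence was rejected and with which AKV error code.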
