Failed signing still returns a zero error code, causing Actions to believe signing was successful

[bradwilson]

I have a signing failure in my GitHub Actions code, but the signing failure still returns a 0 error code so Actions continues on despite the failure.

The specific failure I'm seeing (though it shouldn't matter; any signing failure should return a non-0 error code):

warn: Azure.Core[8]
      Error response [fc5043e2-7fc4-4a3c-bf10-1d770ee45318] 401 Unauthorized (00.3s)
      Cache-Control:no-cache
      Pragma:no-cache
      x-ms-keyvault-region:westus
      x-ms-client-request-id:fc5043e2-7fc4-4a3c-bf10-1d770ee45318
      x-ms-request-id:37f52321-1911-4912-8d54-edf010d72194
      x-ms-keyvault-service-version:1.9.2421.1
      x-ms-keyvault-network-info:conn_type=Ipv4;addr=20.55.46.88;act_addr_fam=InterNetwork;
      X-Content-Type-Options:REDACTED
      Strict-Transport-Security:REDACTED
      WWW-Authenticate:***"https://login.microsoftonline.com/***", resource="https://vault.azure.net"
      Date:Fri, 23 May 2025 18:05:39 GMT
      Content-Type:application/json; charset=utf-8
      Expires:-1
      Content-Length:97
      
warn: Azure.Core[8]
      Error response [7e2472ad-fd5e-4b53-a084-e64266a7a685] 400 Bad Request (00.0s)
      Server:IMDS/150.870.65.1544
      x-ms-request-id:1e1f3560-a91d-4530-b574-ecef8576fa18
      Date:Fri, 23 May 2025 18:05:39 GMT
      Content-Type:application/json; charset=utf-8
      Content-Length:88
      
warn: Azure.Identity[9]
      False MSAL 4.67.2.0 MSAL.NetCore .NET 8.0.16 Microsoft Windows 10.0.20348 [2025-05-23 18:05:39Z - 3864d584-0d4f-4c57-8adf-a7c7e11d92da] [Managed Identity] Azure Arc managed identity cannot be configured on a platform other than Windows and Linux.
warn: Azure.Core[8]
      Error response [d9d6770e-8dd8-4cc6-b59b-71[504](https://github.com/xunit/xunit/actions/runs/15216295071/job/42802486246#step:8:505)346d22a] 400 Bad Request (00.0s)
      Server:IMDS/150.870.65.1544
      x-ms-request-id:41337379-ed4d-4f14-bc3b-578a001ac10d
      Date:Fri, 23 May 2025 18:05:39 GMT
      Content-Type:application/json; charset=utf-8
      Content-Length:68
      
warn: Azure.Identity[9]
      False MSAL 4.67.2.0 MSAL.NetCore .NET 8.0.16 Microsoft Windows 10.0.20348 [2025-05-23 18:05:39Z - 3864d584-0d4f-4c57-8adf-a7c7e11d92da] Request retry failed.
fail: Azure.Identity[10]
      False MSAL 4.67.2.0 MSAL.NetCore .NET 8.0.16 Microsoft Windows 10.0.20348 [2025-05-23 18:05:40Z - 3864d584-0d4f-4c57-8adf-a7c7e11d92da] Error message: [Managed Identity] Authentication unavailable. Either the requested identity has not been assigned to this resource, or other errors could be present. Ensure the identity is correctly assigned and check the inner exception for more details. For more information, visit https://aka.ms/msal-managed-identity.
      Status: BadRequest
      Content:
      {"error":"invalid_request","error_description":"Identity not found"}
      
      Headers:
      Server: IMDS/150.870.65.1544
      x-ms-request-id: 41337379-ed4d-4f14-bc3b-578a001ac10d
      Date: Fri, 23 May 2025 18:05:39 GMT
      
      [Managed Identity] Error Code: invalid_request Error Description: Identity not found  Http status code: BadRequest
fail: Azure.Identity[10]
      False MSAL 4.67.2.0 MSAL.NetCore .NET 8.0.16 Microsoft Windows 10.0.20348 [2025-05-23 18:05:40Z - 3864d584-0d4f-4c57-8adf-a7c7e11d92da] Exception type: Microsoft.Identity.Client.MsalServiceException
      , ErrorCode: managed_identity_request_failed
      HTTP StatusCode 0
      CorrelationId 3864d584-0d4f-4c57-8adf-a7c7e11d92da
      To see full exception details, enable PII Logging. See https://aka.ms/msal-net-logging
         at Microsoft.Identity.Client.ManagedIdentity.ImdsManagedIdentitySource.HandleResponseAsync(AcquireTokenForManagedIdentityParameters parameters, HttpResponse response, CancellationToken cancellationToken)
         at Microsoft.Identity.Client.ManagedIdentity.AbstractManagedIdentity.AuthenticateAsync(AcquireTokenForManagedIdentityParameters parameters, CancellationToken cancellationToken)
         at Microsoft.Identity.Client.Internal.Requests.ManagedIdentityAuthRequest.SendTokenRequestForManagedIdentityAsync(ILoggerAdapter logger, CancellationToken cancellationToken)
         at Microsoft.Identity.Client.Internal.Requests.ManagedIdentityAuthRequest.GetAccessTokenAsync(CancellationToken cancellationToken, ILoggerAdapter logger)
         at Microsoft.Identity.Client.Internal.Requests.ManagedIdentityAuthRequest.ExecuteAsync(CancellationToken cancellationToken)
         at Microsoft.Identity.Client.Internal.Requests.RequestBase.<>c__DisplayClass11_1.<<RunAsync>b__1>d.MoveNext()
      --- End of stack trace from previous location ---
         at Microsoft.Identity.Client.Utils.StopwatchService.MeasureCodeBlockAsync(Func`1 codeBlock)
         at Microsoft.Identity.Client.Internal.Requests.RequestBase.RunAsync(CancellationToken cancellationToken)
      
warn: Azure.Core[8]
      Error response [7328993c-ea63-4e17-b600-91f60f909c7f] 401 Unauthorized (00.1s)
      Cache-Control:no-cache
      Pragma:no-cache
      x-ms-keyvault-region:westus
      x-ms-client-request-id:7328993c-ea63-4e17-b600-91f60f909c7f
      x-ms-request-id:cbfd4f48-24bb-4c6e-8240-c93438656573
      x-ms-keyvault-service-version:1.9.2421.1
      x-ms-keyvault-network-info:conn_type=Ipv4;addr=20.55.46.88;act_addr_fam=InterNetwork;
      X-Content-Type-Options:REDACTED
      Strict-Transport-Security:REDACTED
      WWW-Authenticate:***"https://login.microsoftonline.com/***", resource="https://vault.azure.net/"
      Date:Fri, 23 May 2025 18:05:41 GMT
      Content-Type:application/json; charset=utf-8
      Expires:-1
      Content-Length:97

[bradwilson]

This is when using dotnet sign code azure-key-vault, in case the context isn't clear.

dotnet sign version 0.9.1-beta.25264.1+2652a878ee13b4d892b776cb59d5930a33a5cb37.

[dlemstra]

I suspect this has to do with us using DefaultAzureCredentials and these are the warning that you get when one the credentials fails. Do you see that the signing is failing when you add --verbosity information to the options?

[bradwilson]

To verify before opening this bug, I downloaded the resulting packages and they aren't signed, so the signing is definitely failing.

[dlemstra]

The command should fail with a non zero exit code when the signing fails. But maybe you are hitting a path that is not doing this properly. Can you please share the logs of the output with --verbosity information (or trace) added to the command line so we can get more information?

[bradwilson]

Sorry for the delay, I've been out of town.

Here is the full log of a single failed sign:

info: Azure.Core[1]
      Request [9b0881c3-6a72-40b9-bf0e-24374aabc2e7] GET ***certificates/***?api-version=7.5
      Content-Type:application/json
      Accept:application/json
      x-ms-client-request-id:9b0881c3-6a72-40b9-bf0e-24374aabc2e7
      x-ms-return-client-request-id:true
      User-Agent:azsdk-net-Security.KeyVault.Certificates/4.7.0 (.NET 8.0.16; Microsoft Windows 10.0.20348)
      client assembly: Azure.Security.KeyVault.Certificates
warn: Azure.Core[8]
      Error response [9b0881c3-6a72-40b9-bf0e-24374aabc2e7] 401 Unauthorized (00.2s)
      Cache-Control:no-cache
      Pragma:no-cache
      x-ms-keyvault-region:westus
      x-ms-client-request-id:9b0881c3-6a72-40b9-bf0e-24374aabc2e7
      x-ms-request-id:820dc25c-72dd-4713-9c25-ef0012aaa182
      x-ms-keyvault-service-version:1.9.2421.1
      x-ms-keyvault-network-info:conn_type=Ipv4;addr=20.172.26.233;act_addr_fam=InterNetwork;
      X-Content-Type-Options:REDACTED
      Strict-Transport-Security:REDACTED
      WWW-Authenticate:***"https://login.microsoftonline.com/***", resource="https://vault.azure.net"
      Date:Fri, 30 May 2025 01:30:38 GMT
      Content-Type:application/json; charset=utf-8
      Expires:-1
      Content-Length:97
      
info: Azure.Identity[1]
      DefaultAzureCredential.GetToken invoked. Scopes: [ https://vault.azure.net/.default ] ParentRequestId: 9b0881c3-6a72-40b9-bf0e-24374aabc2e7
info: Azure.Identity[1]
      EnvironmentCredential.GetToken invoked. Scopes: [ https://vault.azure.net/.default ] ParentRequestId: 9b0881c3-6a72-40b9-bf0e-24374aabc2e7
info: Azure.Identity[3]
      EnvironmentCredential.GetToken was unable to retrieve an access token. Scopes: [ https://vault.azure.net/.default ] ParentRequestId: 9b0881c3-6a72-40b9-bf0e-24374aabc2e7 Exception: Azure.Identity.CredentialUnavailableException (0x80131500): EnvironmentCredential authentication unavailable. Environment variables are not fully configured. See the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/environmentcredential/troubleshoot
info: Azure.Identity[1]
      WorkloadIdentityCredential.GetToken invoked. Scopes: [ https://vault.azure.net/.default ] ParentRequestId: 9b0881c3-6a72-40b9-bf0e-24374aabc2e7
info: Azure.Identity[3]
      WorkloadIdentityCredential.GetToken was unable to retrieve an access token. Scopes: [ https://vault.azure.net/.default ] ParentRequestId: 9b0881c3-6a72-40b9-bf0e-24374aabc2e7 Exception: Azure.Identity.CredentialUnavailableException (0x80131500): WorkloadIdentityCredential authentication unavailable. The workload options are not fully configured. See the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/workloadidentitycredential/troubleshoot
info: Azure.Identity[1]
      ManagedIdentityCredential.GetToken invoked. Scopes: [ https://vault.azure.net/.default ] ParentRequestId: 9b0881c3-6a72-40b9-bf0e-24374aabc2e7
info: Azure.Identity[25]
      ManagedIdentitySource TokenExchangeManagedIdentitySource was attempted. IsSelected=False.
info: Azure.Core[1]
      Request [cb752598-bc48-4dd7-88bb-8ece6f07ad6d] GET http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=REDACTED
      x-ms-client-request-id:cb752598-bc48-4dd7-88bb-8ece6f07ad6d
      x-ms-return-client-request-id:true
      User-Agent:azsdk-net-Identity/1.13.2 (.NET 8.0.16; Microsoft Windows 10.0.20348)
      client assembly: Azure.Identity
warn: Azure.Core[8]
      Error response [cb752598-bc48-4dd7-88bb-8ece6f07ad6d] 400 Bad Request (00.0s)
      Server:IMDS/150.870.65.1544
      x-ms-request-id:c9892f0f-9a91-[483](https://github.com/xunit/xunit/actions/runs/15337019301/job/43156118057#step:8:484)2-8751-fb6bbb77c9c9
      Date:Fri, 30 May 2025 01:30:39 GMT
      Content-Type:application/json; charset=utf-8
      Content-Length:88
      
info: Azure.Identity[8]
      False MSAL 4.67.2.0 MSAL.NetCore .NET 8.0.16 Microsoft Windows 10.0.20348 [2025-05-30 01:30:39Z - f5e4e3b1-e28e-41a4-aeb9-d6713286456c] MSAL MSAL.NetCore with assembly version '4.67.2.0'. CorrelationId(f5e4e3b1-e28e-41a4-aeb9-d6713286456c)
info: Azure.Identity[8]
      False MSAL 4.67.2.0 MSAL.NetCore .NET 8.0.16 Microsoft Windows 10.0.20348 [2025-05-30 01:30:39Z - f5e4e3b1-e28e-41a4-aeb9-d6713286456c] === AcquireTokenForManagedIdentityParameters ===
      ForceRefresh: False
      Resource: https://vault.azure.net
info: Azure.Identity[8]
      False MSAL 4.67.2.0 MSAL.NetCore .NET 8.0.16 Microsoft Windows 10.0.20348 [2025-05-30 01:30:39Z - f5e4e3b1-e28e-41a4-aeb9-d6713286456c] 
      === Request Data ===
      Authority Provided? - True
      Scopes - https://vault.azure.net
      Extra Query Params Keys (space separated) - 
      ApiId - AcquireTokenForSystemAssignedManagedIdentity
      IsConfidentialClient - False
      SendX5C - False
      LoginHint ? False
      IsBrokerConfigured - False
      HomeAccountId - False
      CorrelationId - f5e4e3b1-e28e-41a4-aeb9-d6713286456c
      UserAssertion set: False
      LongRunningOboCacheKey set: False
      Region configured: 
      
info: Azure.Identity[8]
      False MSAL 4.67.2.0 MSAL.NetCore .NET 8.0.16 Microsoft Windows 10.0.20348 [2025-05-30 01:30:39Z - f5e4e3b1-e28e-41a4-aeb9-d6713286456c] === Token Acquisition (ManagedIdentityAuthRequest) started:
	 Scopes: https://vault.azure.net
	Authority Host: login.microsoftonline.com
info: Azure.Identity[24]
      False MSAL 4.67.2.0 MSAL.NetCore .NET 8.0.16 Microsoft Windows 10.0.20348 [2025-05-30 01:30:39Z - f5e4e3b1-e28e-41a4-aeb9-d6713286456c] [Internal cache] Total number of cache partitions found while getting access tokens: 0
info: Azure.Identity[24]
      False MSAL 4.67.2.0 MSAL.NetCore .NET 8.0.16 Microsoft Windows 10.0.20348 [2025-05-30 01:30:39Z - f5e4e3b1-e28e-41a4-aeb9-d6713286456c] [FindAccessTokenAsync] Discovered 0 access tokens in cache using partition key: system_assigned_managed_identity_managed_identity_AppTokenCache
info: Azure.Identity[8]
      False MSAL 4.67.2.0 MSAL.NetCore .NET 8.0.16 Microsoft Windows 10.0.20348 [2025-05-30 01:30:39Z - f5e4e3b1-e28e-41a4-aeb9-d6713286456c] [ManagedIdentityRequest] No cached access token. Getting a token from the managed identity endpoint.
info: Azure.Identity[8]
      False MSAL 4.67.2.0 MSAL.NetCore .NET 8.0.16 Microsoft Windows 10.0.20348 [2025-05-30 01:30:39Z - f5e4e3b1-e28e-41a4-aeb9-d6713286456c] [ManagedIdentityRequest] Checking for a cached access token.
info: Azure.Identity[24]
      False MSAL 4.67.2.0 MSAL.NetCore .NET 8.0.16 Microsoft Windows 10.0.20348 [2025-05-30 01:30:39Z - f5e4e3b1-e28e-41a4-aeb9-d6713286456c] [Internal cache] Total number of cache partitions found while getting access tokens: 0
info: Azure.Identity[24]
      False MSAL 4.67.2.0 MSAL.NetCore .NET 8.0.16 Microsoft Windows 10.0.20348 [2025-05-30 01:30:39Z - f5e4e3b1-e28e-41a4-aeb9-d6713286456c] [FindAccessTokenAsync] Discovered 0 access tokens in cache using partition key: system_assigned_managed_identity_managed_identity_AppTokenCache
info: Azure.Identity[8]
      False MSAL 4.67.2.0 MSAL.NetCore .NET 8.0.16 Microsoft Windows 10.0.20348 [2025-05-30 01:30:39Z - f5e4e3b1-e28e-41a4-aeb9-d6713286456c] [ManagedIdentityRequest] Acquiring a token from the managed identity endpoint.
info: Azure.Identity[8]
      False MSAL 4.67.2.0 MSAL.NetCore .NET 8.0.16 Microsoft Windows 10.0.20348 [2025-05-30 01:30:39Z - f5e4e3b1-e28e-41a4-aeb9-d6713286456c] [Region discovery] Not using a regional authority. 
info: Azure.Identity[8]
      False MSAL 4.67.2.0 MSAL.NetCore .NET 8.0.16 Microsoft Windows 10.0.20348 [2025-05-30 01:30:39Z - f5e4e3b1-e28e-41a4-aeb9-d6713286456c] [Instance Discovery] Skipping Instance discovery because it is disabled. 
warn: Azure.Identity[9]
      False MSAL 4.67.2.0 MSAL.NetCore .NET 8.0.16 Microsoft Windows 10.0.20348 [2025-05-30 01:30:39Z - f5e4e3b1-e28e-41a4-aeb9-d6713286456c] [Managed Identity] Azure Arc managed identity cannot be configured on a platform other than Windows and Linux.
info: Azure.Identity[8]
      False MSAL 4.67.2.0 MSAL.NetCore .NET 8.0.16 Microsoft Windows 10.0.20348 [2025-05-30 01:30:39Z - f5e4e3b1-e28e-41a4-aeb9-d6713286456c] [Managed Identity] Defaulting to IMDS endpoint for managed identity.
info: Azure.Identity[8]
      False MSAL 4.67.2.0 MSAL.NetCore .NET 8.0.16 Microsoft Windows 10.0.20348 [2025-05-30 01:30:39Z - f5e4e3b1-e28e-41a4-aeb9-d6713286456c] [Managed Identity] Sending request to managed identity endpoints.
info: Azure.Core[1]
      Request [db6c09ab-aa0e-48ae-b7c4-21f98f9b9cc0] GET http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=REDACTED
      Metadata:REDACTED
      x-ms-client-request-id:db6c09ab-aa0e-48ae-b7c4-21f98f9b9cc0
      x-ms-return-client-request-id:true
      User-Agent:azsdk-net-Identity/1.13.2 (.NET 8.0.16; Microsoft Windows 10.0.20348)
      client assembly: Azure.Identity
warn: Azure.Core[8]
      Error response [db6c09ab-aa0e-48ae-b7c4-21f98f9b9cc0] 400 Bad Request (00.0s)
      Server:IMDS/150.870.65.1544
      x-ms-request-id:555ab9cd-52be-4869-8b44-e6ff2ff286d3
      Date:Fri, 30 May 2025 01:30:39 GMT
      Content-Type:application/json; charset=utf-8
      Content-Length:68
      
info: Azure.Identity[8]
      False MSAL 4.67.2.0 MSAL.NetCore .NET 8.0.16 Microsoft Windows 10.0.20348 [2025-05-30 01:30:39Z - f5e4e3b1-e28e-41a4-aeb9-d6713286456c] Response status code does not indicate success: 400 (BadRequest). 
warn: Azure.Identity[9]
      False MSAL 4.67.2.0 MSAL.NetCore .NET 8.0.16 Microsoft Windows 10.0.20348 [2025-05-30 01:30:39Z - f5e4e3b1-e28e-41a4-aeb9-d6713286456c] Request retry failed.
fail: Azure.Identity[10]
      False MSAL 4.67.2.0 MSAL.NetCore .NET 8.0.16 Microsoft Windows 10.0.20348 [2025-05-30 01:30:39Z - f5e4e3b1-e28e-41a4-aeb9-d6713286456c] Error message: [Managed Identity] Authentication unavailable. Either the requested identity has not been assigned to this resource, or other errors could be present. Ensure the identity is correctly assigned and check the inner exception for more details. For more information, visit https://aka.ms/msal-managed-identity.
      Status: BadRequest
      Content:
      {"error":"invalid_request","error_description":"Identity not found"}
      
      Headers:
      Server: IMDS/150.870.65.1544
      x-ms-request-id: 555ab9cd-52be-4869-8b44-e6ff2ff286d3
      Date: Fri, 30 May 2025 01:30:39 GMT
      
      [Managed Identity] Error Code: invalid_request Error Description: Identity not found  Http status code: BadRequest
fail: Azure.Identity[10]
      False MSAL 4.67.2.0 MSAL.NetCore .NET 8.0.16 Microsoft Windows 10.0.20348 [2025-05-30 01:30:39Z - f5e4e3b1-e28e-41a4-aeb9-d6713286456c] Exception type: Microsoft.Identity.Client.MsalServiceException
      , ErrorCode: managed_identity_request_failed
      HTTP StatusCode 0
      CorrelationId f5e4e3b1-e28e-41a4-aeb9-d6713286456c
      To see full exception details, enable PII Logging. See https://aka.ms/msal-net-logging
         at Microsoft.Identity.Client.ManagedIdentity.ImdsManagedIdentitySource.HandleResponseAsync(AcquireTokenForManagedIdentityParameters parameters, HttpResponse response, CancellationToken cancellationToken)
         at Microsoft.Identity.Client.ManagedIdentity.AbstractManagedIdentity.AuthenticateAsync(AcquireTokenForManagedIdentityParameters parameters, CancellationToken cancellationToken)
         at Microsoft.Identity.Client.Internal.Requests.ManagedIdentityAuthRequest.SendTokenRequestForManagedIdentityAsync(ILoggerAdapter logger, CancellationToken cancellationToken)
         at Microsoft.Identity.Client.Internal.Requests.ManagedIdentityAuthRequest.GetAccessTokenAsync(CancellationToken cancellationToken, ILoggerAdapter logger)
         at Microsoft.Identity.Client.Internal.Requests.ManagedIdentityAuthRequest.ExecuteAsync(CancellationToken cancellationToken)
         at Microsoft.Identity.Client.Internal.Requests.RequestBase.<>c__DisplayClass11_1.<<RunAsync>b__1>d.MoveNext()
      --- End of stack trace from previous location ---
         at Microsoft.Identity.Client.Utils.StopwatchService.MeasureCodeBlockAsync(Func`1 codeBlock)
         at Microsoft.Identity.Client.Internal.Requests.RequestBase.RunAsync(CancellationToken cancellationToken)
      
info: Azure.Identity[3]
      ManagedIdentityCredential.GetToken was unable to retrieve an access token. Scopes: [ https://vault.azure.net/.default ] ParentRequestId: 9b0881c3-6a72-40b9-bf0e-24374aabc2e7 Exception: Azure.Identity.CredentialUnavailableException (0x80131500): ManagedIdentityCredential authentication unavailable. The requested identity has not been assigned to this resource.
       ---> Microsoft.Identity.Client.MsalServiceException (0x80131500): [Managed Identity] Authentication unavailable. Either the requested identity has not been assigned to this resource, or other errors could be present. Ensure the identity is correctly assigned and check the inner exception for more details. For more information, visit https://aka.ms/msal-managed-identity.
      Status: BadRequest
      Content:
      {"error":"invalid_request","error_description":"Identity not found"}
      
      Headers:
      Server: IMDS/150.870.65.1544
      x-ms-request-id: 555ab9cd-52be-4869-8b44-e6ff2ff286d3
      Date: Fri, 30 May 2025 01:30:39 GMT
      
      [Managed Identity] Error Code: invalid_request Error Description: Identity not found 
info: Azure.Identity[1]
      VisualStudioCredential.GetToken invoked. Scopes: [ https://vault.azure.net/.default ] ParentRequestId: 9b0881c3-6a72-40b9-bf0e-24374aabc2e7
info: Azure.Identity[3]
      VisualStudioCredential.GetToken was unable to retrieve an access token. Scopes: [ https://vault.azure.net/.default ] ParentRequestId: 9b0881c3-6a72-40b9-bf0e-24374aabc2e7 Exception: Azure.Identity.CredentialUnavailableException (0x80131500): VisualStudioCredential authentication failed: Visual Studio Token provider can't be accessed at C:\Users\runneradmin\AppData\Local\.IdentityService\AzureServiceAuth\tokenprovider.json
       ---> Azure.Identity.CredentialUnavailableException (0x80131500): Visual Studio Token provider can't be accessed at C:\Users\runneradmin\AppData\Local\.IdentityService\AzureServiceAuth\tokenprovider.json
       ---> System.IO.DirectoryNotFoundException (0x80070003): Could not find a part of the path 'C:\Users\runneradmin\AppData\Local\.IdentityService\AzureServiceAuth\tokenprovider.json'.
info: Azure.Identity[1]
      AzureCliCredential.GetToken invoked. Scopes: [ https://vault.azure.net/.default ] ParentRequestId: 9b0881c3-6a72-40b9-bf0e-24374aabc2e7
info: Azure.Identity[2]
      AzureCliCredential.GetToken succeeded. Scopes: [ https://vault.azure.net/.default ] ParentRequestId: 9b0881c3-6a72-40b9-bf0e-24374aabc2e7 ExpiresOn: 2025-05-30T02:30:39.0000000+00:00
info: Azure.Identity[13]
      DefaultAzureCredential credential selected: Azure.Identity.AzureCliCredential
info: Azure.Identity[2]
      DefaultAzureCredential.GetToken succeeded. Scopes: [ https://vault.azure.net/.default ] ParentRequestId: 9b0881c3-6a72-40b9-bf0e-24374aabc2e7 ExpiresOn: 2025-05-30T02:30:39.0000000+00:00
info: Azure.Core[1]
      Request [9b0881c3-6a72-40b9-bf0e-24374aabc2e7] GET ***certificates/***?api-version=7.5
      Content-Type:application/json
      Accept:application/json
      x-ms-client-request-id:9b0881c3-6a72-40b9-bf0e-24374aabc2e7
      x-ms-return-client-request-id:true
      User-Agent:azsdk-net-Security.KeyVault.Certificates/4.7.0 (.NET 8.0.16; Microsoft Windows 10.0.20348)
      Authorization:REDACTED
      client assembly: Azure.Security.KeyVault.Certificates
info: Azure.Core[5]
      Response [9b0881c3-6a72-40b9-bf0e-24374aabc2e7] 200 OK (00.1s)
      Cache-Control:no-cache
      Pragma:no-cache
      x-ms-keyvault-region:westus
      x-ms-client-request-id:9b0881c3-6a72-40b9-bf0e-24374aabc2e7
      x-ms-request-id:521450ab-a278-49d4-8315-b9d3b5d302a7
      x-ms-keyvault-service-version:1.9.2421.1
      x-ms-keyvault-network-info:conn_type=Ipv4;addr=20.172.26.233;act_addr_fam=InterNetwork;
      X-Content-Type-Options:REDACTED
      Strict-Transport-Security:REDACTED
      Date:Fri, 30 May 2025 01:30:39 GMT
      Content-Type:application/json; charset=utf-8
      Expires:-1
      Content-Length:3829
      
info: Sign.Core.ISigner[0]
      Submitting D:\a\xunit\xunit\src\xunit.v3.assert\bin\Release\netstandard2.0\signed\xunit.v3.assert.dll for signing.
info: Sign.Core.ISigner[0]
      SignAsync called for D:\a\xunit\xunit\src\xunit.v3.assert\bin\Release\netstandard2.0\signed\xunit.v3.assert.dll. Using C:\Users\runneradmin\AppData\Local\Temp\0urebr0c.44o\4ib2zyea.dll locally.
info: Sign.Core.IDataFormatSigner[0]
      Signing SignTool job with 1 files.
info: Azure.Core[1]
      Request [99775ab1-1ad4-4e00-a6d3-da029364241b] GET ***keys/***?api-version=7.5
      Content-Type:application/json
      Accept:application/json
      x-ms-client-request-id:99775ab1-1ad4-4e00-a6d3-da029364241b
      x-ms-return-client-request-id:true
      User-Agent:azsdk-net-Security.KeyVault.Keys/4.7.0 (.NET 8.0.16; Microsoft Windows 10.0.20348)
      client assembly: Azure.Security.KeyVault.Keys
warn: Azure.Core[8]
      Error response [99775ab1-1ad4-4e00-a6d3-da029364241b] 401 Unauthorized (00.0s)
      Cache-Control:no-cache
      Pragma:no-cache
      x-ms-keyvault-region:westus
      x-ms-client-request-id:99775ab1-1ad4-4e00-a6d3-da029364241b
      x-ms-request-id:717f023b-9714-4f98-a900-31bd5330084a
      x-ms-keyvault-service-version:1.9.2421.1
      x-ms-keyvault-network-info:conn_type=Ipv4;addr=20.172.26.233;act_addr_fam=InterNetwork;
      X-Content-Type-Options:REDACTED
      Strict-Transport-Security:REDACTED
      WWW-Authenticate:***"https://login.microsoftonline.com/***", resource="https://vault.azure.net"
      Date:Fri, 30 May 2025 01:30:39 GMT
      Content-Type:application/json; charset=utf-8
      Expires:-1
      Content-Length:97
      
info: Azure.Identity[1]
      DefaultAzureCredential.GetToken invoked. Scopes: [ https://vault.azure.net/.default ] ParentRequestId: 99775ab1-1ad4-4e00-a6d3-da029364241b
info: Azure.Identity[1]
      AzureCliCredential.GetToken invoked. Scopes: [ https://vault.azure.net/.default ] ParentRequestId: 99775ab1-1ad4-4e00-a6d3-da029364241b
info: Azure.Identity[2]
      AzureCliCredential.GetToken succeeded. Scopes: [ https://vault.azure.net/.default ] ParentRequestId: 99775ab1-1ad4-4e00-a6d3-da029364241b ExpiresOn: 2025-05-30T02:30:38.0000000+00:00
info: Azure.Identity[2]
      DefaultAzureCredential.GetToken succeeded. Scopes: [ https://vault.azure.net/.default ] ParentRequestId: 99775ab1-1ad4-4e00-a6d3-da029364241b ExpiresOn: 2025-05-30T02:30:38.0000000+00:00
info: Azure.Core[1]
      Request [99775ab1-1ad4-4e00-a6d3-da029364241b] GET ***keys/***?api-version=7.5
      Content-Type:application/json
      Accept:application/json
      x-ms-client-request-id:99775ab1-1ad4-4e00-a6d3-da029364241b
      x-ms-return-client-request-id:true
      User-Agent:azsdk-net-Security.KeyVault.Keys/4.7.0 (.NET 8.0.16; Microsoft Windows 10.0.20348)
      Authorization:REDACTED
      client assembly: Azure.Security.KeyVault.Keys
info: Azure.Core[5]
      Response [99775ab1-1ad4-4e00-a6d3-da029364241b] 200 OK (00.0s)
      Cache-Control:no-cache
      Pragma:no-cache
      x-ms-keyvault-region:westus
      x-ms-client-request-id:99775ab1-1ad4-4e00-a6d3-da029364241b
      x-ms-request-id:ebc090a3-08e6-4035-bea0-561d45ded004
      x-ms-keyvault-service-version:1.9.2421.1
      x-ms-keyvault-network-info:conn_type=Ipv4;addr=20.172.26.233;act_addr_fam=InterNetwork;
      X-Content-Type-Options:REDACTED
      Strict-Transport-Security:REDACTED
      Date:Fri, 30 May 2025 01:30:40 GMT
      Content-Type:application/json; charset=utf-8
      Expires:-1
      Content-Length:1045
      
info: Sign.Core.IDataFormatSigner[0]
      Signing C:\Users\runneradmin\AppData\Local\Temp\0urebr0c.44o\4ib2zyea.dll.
info: Azure.Core[1]
      Request [76ea9f64-b2c7-438a-ba80-0a63bcb7581d] POST ***keys/***/sign?api-version=7.5
      Content-Type:application/json
      Accept:application/json
      x-ms-client-request-id:76ea9f64-b2c7-438a-ba80-0a63bcb7581d
      x-ms-return-client-request-id:true
      User-Agent:azsdk-net-Security.KeyVault.Keys/4.7.0 (.NET 8.0.16; Microsoft Windows 10.0.20348)
      Authorization:REDACTED
      client assembly: Azure.Security.KeyVault.Keys
info: Azure.Core[5]
      Response [76ea9f64-b2c7-438a-ba80-0a63bcb7581d] 200 OK (00.1s)
      Cache-Control:no-cache
      Pragma:no-cache
      x-ms-keyvault-region:westus
      x-ms-client-request-id:76ea9f64-b2c7-438a-ba80-0a63bcb7581d
      x-ms-request-id:9feb12b0-189a-[484](https://github.com/xunit/xunit/actions/runs/15337019301/job/43156118057#step:8:485)d-9719-e21718b972d0
      x-ms-keyvault-service-version:1.9.2421.1
      x-ms-keyvault-network-info:conn_type=Ipv4;addr=20.172.26.233;act_addr_fam=InterNetwork;
      X-Content-Type-Options:REDACTED
      Strict-Transport-Security:REDACTED
      Date:Fri, 30 May 2025 01:30:40 GMT
      Content-Type:application/json; charset=utf-8
      Expires:-1
      Content-Length:799
      
info: Sign.Core.IDataFormatSigner[0]
      Signing C:\Users\runneradmin\AppData\Local\Temp\0urebr0c.44o\4ib2zyea.dll succeeded.
info: Sign.Core.ISigner[0]
      Completed in 1089 ms.

[bradwilson]

I am now getting things signed. It's likely that they were previously getting signed and not packaged correctly.

I am still confused why they're emitting error messages during success:

EXEC: & dotnet sign code azure-key-vault "D:\a\xunit\xunit\src\xunit.v3.assert\bin\Release\netstandard2.0\signed\xunit.v3.assert.dll" --verbosity error --base-directory "D:\a\xunit\xunit" --description "xUnit.net" --description-url https://github.com/xunit --timestamp-url *** --azure-key-vault-url [redacted] --azure-key-vault-certificate [redacted] --managed-identity-client-id [redacted]

fail: Azure.Identity[10]
      False MSAL 4.71.1.0 MSAL.NetCore .NET 8.0.16 Microsoft Windows 10.0.20348 [2025-06-03 18:37:34Z - fd96b718-f2d6-4603-af95-8551aacf0b93] Error message: [Managed Identity] Authentication unavailable. Either the requested identity has not been assigned to this resource, or other errors could be present. Ensure the identity is correctly assigned and check the inner exception for more details. For more information, visit https://aka.ms/msal-managed-identity.
      Status: BadRequest
      Content:
      {"error":"invalid_request","error_description":"Identity not found"}
      
      Headers:
      Server: IMDS/150.870.65.1544
      x-ms-request-id: 3eae47c2-5b77-46a3-b6d4-cbc277845c4c
      Date: Tue, 03 Jun 2025 18:37:33 GMT
      
      [Managed Identity] Error Code: invalid_request Error Description: Identity not found  Http status code: BadRequest
fail: Azure.Identity[10]
      False MSAL 4.71.1.0 MSAL.NetCore .NET 8.0.16 Microsoft Windows 10.0.20348 [2025-06-03 18:37:34Z - fd96b718-f2d6-4603-af95-8551aacf0b93] Exception type: Microsoft.Identity.Client.MsalServiceException
      , ErrorCode: managed_identity_request_failed
      HTTP StatusCode 0
      CorrelationId fd96b718-f2d6-4603-af95-8551aacf0b93
      To see full exception details, enable PII Logging. See https://aka.ms/msal-net-logging
         at Microsoft.Identity.Client.ManagedIdentity.ImdsManagedIdentitySource.HandleResponseAsync(AcquireTokenForManagedIdentityParameters parameters, HttpResponse response, CancellationToken cancellationToken)
         at Microsoft.Identity.Client.ManagedIdentity.AbstractManagedIdentity.AuthenticateAsync(AcquireTokenForManagedIdentityParameters parameters, CancellationToken cancellationToken)
         at Microsoft.Identity.Client.Internal.Requests.ManagedIdentityAuthRequest.SendTokenRequestForManagedIdentityAsync(ILoggerAdapter logger, CancellationToken cancellationToken)
         at Microsoft.Identity.Client.Internal.Requests.ManagedIdentityAuthRequest.GetAccessTokenAsync(CancellationToken cancellationToken, ILoggerAdapter logger)
         at Microsoft.Identity.Client.Internal.Requests.ManagedIdentityAuthRequest.ExecuteAsync(CancellationToken cancellationToken)
         at Microsoft.Identity.Client.Internal.Requests.RequestBase.<>c__DisplayClass11_1.<<RunAsync>b__1>d.MoveNext()
      --- End of stack trace from previous location ---
         at Microsoft.Identity.Client.Utils.StopwatchService.MeasureCodeBlockAsync(Func`1 codeBlock)
         at Microsoft.Identity.Client.Internal.Requests.RequestBase.RunAsync(CancellationToken cancellationToken)

I'll let it up to you to decide if that's something worth fixing (and thus converting this issue over to address that) or just close it, since the original issue (exit codes) now appear to have been an unrelated issue.

[dtivel]

Noisy logging is resolved by #888.

Those fail errors are real and not noise. You're ultimately authenticating using Azure CLI authentication, since you previously and successfully called az login.