TFS Certificate - ou cannot call a method on a null-valued expression

This is a on-prem TFS question. Yesterday I put a certificate in place to handle signing ClickOnce deployments. However, it fails to apply the certificate. They guy who wrote these release scripts before me, the former TFS administrator, was a PowerShell guru. I am not a PowerShell guru. However, I can muddle my way into trying to figure out what is going on, up to a point. The errors occur in the Release, not in the build. The first error that appears is, “You cannot call a method on a null-valued expression”. I believe I’ve found the line where that error occurs, from the PowerShell++ script he uses. It is here:

> $cert = ls cert:\ -Recurse -CodeSigningCert | ? {$_.Verify()} | Select -First 1
I’ve broken this line down into its parts. Ignoring the assignment to the variable $cert, this part of the PowerShell script works: $cert = ls cert:\ -Recurse -CodeSigningCert. However, the rest of the line, ? {$_.Verify()} | Select -First 1 results in assigning a null to $cert. This same script has worked fine, for two years, with no problems. Why has importing a new certificate into the TFS build server made this assignment fail?

Sounds like no cert is found?

Could you elaborate on the Verify-function? Seems like it could be the failing component in the pipeline

no, I cannot elaborate on the Verify() function. I didn’t write the PowerShell script. The former TFS administrator did. He was a PS guru - I am, at best, just a casual user of PS. Like you, I’m convinced that Verify() function is at the root of my problem. The first part of the PS script ls cert:\ -Recurse -CodeSigningCert does produce results. 4 lines of results. What really bothers me is that why should this PS script, which has worked for years, suddenly stop working? What conditions are now in place that the Verify() method no longer likes, but did as recently as last week?

Wasn’t the code signing certificate going to expire? Perhaps Verify checks the validity? Has the code signing certificate already expired? Also, is any of those 4 results your new code signing certificate?

The previous code signing certificate did expire. The new code signing certificate is already in the certificate store. It is valid for a year

Yes but is it one of the results of the ls cert:\ -Recurse -CodeSigningCert?

If it’s not, then that search might only list all of the previously expired certificates, which might fail a Verify() check

I’m fairly sure that the $._Verify() is simply the Verify method being called on a dotnet certificate object: https://docs.microsoft.com/en-us/dotnet/api/system.security.cryptography.x509certificates.x509certificate2.verify?view=net-6.0

Rouke, The short answer to your question is I don’t know if the new cert is in the list or not. When I run the ls command it gives me 4 lines, but the Subject line is truncated. All of them have the same text, as far as it allows me to see. I know there’s some command I can issue to a PS script to have it display the results in a window, but I don’t remember that parameter I need to provide

You could try passing the result of ls to Format-Table -AutoSize -Wrap

That does give me the full text, thank you. I’ve run it, but it doesn’t show me the expiration dates. So I got back into MMC, added the Certificates add-in, then ran it as the user the former guy used. I see the new cert there, with an expiration date of June 28, 2023

Did you try deleting any expired certificates

No. Mainly because the previous guy didn’t and I just followed suit.

After adding the cert again and seeing it show up in the ls it’s still not working?

However, with others help I’ve now gotten past that problem. Here’s the updated PS line:

$cert = ls cert:\ -Recurse -CodeSigningCert | Sort-Object -Property NotAfter -Descending | Select -First 1