⚠️
We're excited to announce that Azure Code Signing has undergone a rebranding and is now known as Trusted Signing. As part of this transition, we're deprecating the existing Task in favor of Trusted Signing. Please migrate to the new Task as soon as possible. All future bug fixes and enhancements will be exclusively released for the new Task. You will have 90 days to migrate, at which point the old Task will be deleted.
- April 1st, 2024: Deprecation
- June 30th, 2024: Deletion
Azure Code Signing
The Azure Code Signing Task allows you to digitally sign your files using an Azure Code Signing certificate during an Azure Pipelines run.
Runner Requirements
This Task can only be executed on Windows runners. It is supported by the following GitHub hosted runners:
It is also possible to use self-hosted runners with the following requirements:
- Windows 7+
- PowerShell 5.1+
- .NET runtime 6.0+
Example
trigger:
- main
pool:
  vmImage: 'windows-latest'
steps:
- task: UseDotNet@2
  displayName: Install .NET
  inputs:
    packageType: 'sdk'
    version: '6.0.x'
- task: Bash@3
  displayName: Install MAUI
  inputs:
    targetType: 'inline'
    script: |
      dotnet nuget locals all --clear
      dotnet workload install maui --source https://aka.ms/dotnet6/nuget/index.json --source https://api.nuget.org/v3/index.json
      dotnet workload install android ios maccatalyst tvos macos maui wasm-tools --source https://aka.ms/dotnet6/nuget/index.json --source https://api.nuget.org/v3/index.json
- task: Bash@3
  displayName: Build MAUI App
  inputs:
    targetType: 'inline'
    script: |
      cd MauiApp1/MauiApp1
      dotnet publish -f net6.0-windows10.0.19041.0 -c Release
- task: AzureCodeSigning@0
  displayName: Sign with Azure Code Signing
  inputs:
    AzureTenantID: '$(tenant-id)'
    AzureClientID: '$(client-id)'
    AzureClientSecret: '$(client-secret)'
    Endpoint: 'https://eus.codesigning.azure.net/'
    CodeSigningAccountName: 'my-codesigning-account'
    CertificateProfileName: 'my-certificate-profile'
    FilesFolder: '$(Build.SourcesDirectory)/MauiApp1/MauiApp1/bin/Release/net6.0-windows10.0.19041.0/win10-x64/AppPackages/'
    FilesFolderFilter: 'msix'
    FilesFolderRecurse: true
    FilesFolderDepth: 1
    FileDigest: 'SHA256'
Authentication
Behind the scenes, the Task uses DefaultAzureCredential as the primary method of authentication to Azure. The EnvironmentCredential variables are exposed as inputs and then set to Task-scoped environment variables. Each credential type supported by DefaultAzureCredential can be disabled using the Task inputs.
Best Practices
Server Selection
There is currently a known issue with the WUS region where ~10% of signing requests will be very slow (up to 100 seconds to sign a single file). This may cause significant slowdowns and possibly timeout failures during runs. It is suggested to use the EUS region when possible:
Endpoint: 'https://eus.codesigning.azure.net/'
The Azure Code Signing team is currently working with Azure to solve this problem.
Authentication
This Task performs authentication using DefaultAzureCredential which attempts a series of authentication methods in order. If one method fails, it will attempt the next one until authentication is successful.
Each authentication method can be disabled individually so that no time is wasted attempting to authenticate with methods that will never pass.
For example, when authenticating with EnvironmentCredential specifically, disable the other credentials with the following inputs:
ExcludeEnvironmentCredential: false
ExcludeManagedIdentityCredential: true
ExcludeSharedTokenCacheCredential: true
ExcludeVisualStudioCredential: true
ExcludeVisualStudioCodeCredential: true
ExcludeAzureCliCredential: true
ExcludeAzurePowershellCredential: true
ExcludeInteractiveBrowserCredential: true
This can make the Task fail faster if for some reason the EnvironmentCredential fails. Similarly, when using a credential that comes later in the order, such as AzureCliCredential, disable the methods that come before it so that the Task does not spend time attempting them.
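The practices above can be checked before a pipeline runs. The following is an added example, not part of the Task or its repository: a small Python linter (the helper names signing_inputs and lint are hypothetical) that reads a pipeline file's AzureCodeSigning@0 inputs and reports a literal AzureClientSecret, more than one credential type left enabled, and a non-EUS endpoint. It assumes an omitted Exclude* input leaves that credential enabled and only handles flat key: value inputs.

```python
import re

EXCLUDES = [  # the eight Exclude* inputs listed on this page, one per credential type
    "ExcludeEnvironmentCredential", "ExcludeManagedIdentityCredential",
    "ExcludeSharedTokenCacheCredential", "ExcludeVisualStudioCredential",
    "ExcludeVisualStudioCodeCredential", "ExcludeAzureCliCredential",
    "ExcludeAzurePowershellCredential", "ExcludeInteractiveBrowserCredential",
]
EUS_ENDPOINT = "https://eus.codesigning.azure.net/"  # region recommended above
MACRO = re.compile(r"^\$\([\w.\-]+\)$")  # a $(variable) pipeline reference

def signing_inputs(pipeline_text):
    """Return one dict of flat key/value pairs per AzureCodeSigning@0 step."""
    steps, current = [], None
    for line in pipeline_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("- task:"):
            current = {} if "AzureCodeSigning@0" in stripped else None
            if current is not None:
                steps.append(current)
        elif current is not None and ":" in stripped:
            key, _, value = stripped.partition(":")
            current[key.strip()] = value.strip().strip("'\"")
    return steps

def lint(pipeline_text):
    """Return a list of findings for every signing step in the pipeline text."""
    findings = []
    for inputs in signing_inputs(pipeline_text):
        secret = inputs.get("AzureClientSecret")
        if secret and not MACRO.match(secret):
            findings.append("AzureClientSecret is a literal; reference a secret variable")
        # Assumption: an omitted Exclude* input leaves that credential enabled.
        enabled = [n for n in EXCLUDES if inputs.get(n, "false").lower() != "true"]
        if len(enabled) > 1:
            findings.append("%d credential types enabled; exclude all but one" % len(enabled))
        if inputs.get("Endpoint", EUS_ENDPOINT) != EUS_ENDPOINT:
            findings.append("Endpoint is not the EUS region")
    return findings

# Constructed sample: literal secret, WUS-style endpoint (hostname assumed), no Exclude* inputs.
SAMPLE = """\
- task: AzureCodeSigning@0
  inputs:
    AzureClientSecret: 'constructed-not-a-real-secret'
    Endpoint: 'https://wus.codesigning.azure.net/'
"""
if __name__ == "__main__":
    print(lint(SAMPLE))
```

Run it over the pipeline YAML in a pull-request check so that a hardcoded secret or an unrestricted credential chain is caught before the signing step executes.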
Release Notes
0.2.22
- Add default value 'None' to PKCS7Options parameter to support legacy pipelines.
0.2.27
- Fix an exception that occurs when filtering files without a file extension.
- Add support for new BatchSize parameter.
0.3.1
- Remove .NET runtime installation as the 2019 and 2022 images already have the necessary .NET runtime installed.