Trusted Signing
The Trusted Signing Task allows you to digitally sign your files using a Trusted Signing certificate during an Azure Pipelines run.
Runner Requirements
This Task can only be executed on Windows runners. It is supported by the following GitHub-hosted runners:
It is also possible to use self-hosted runners with the following requirements:
- Windows 7+
- PowerShell 5.1+
- .NET runtime 6.0+
Example
trigger:
- main

pool:
  vmImage: 'windows-latest'

steps:
- task: UseDotNet@2
  displayName: Install .NET
  inputs:
    packageType: 'sdk'
    version: '6.0.x'

- task: Bash@3
  displayName: Install MAUI
  inputs:
    targetType: 'inline'
    script: |
      dotnet nuget locals all --clear
      dotnet workload install maui --source https://aka.ms/dotnet6/nuget/index.json --source https://api.nuget.org/v3/index.json
      dotnet workload install android ios maccatalyst tvos macos maui wasm-tools --source https://aka.ms/dotnet6/nuget/index.json --source https://api.nuget.org/v3/index.json

- task: Bash@3
  displayName: Build MAUI App
  inputs:
    targetType: 'inline'
    script: |
      cd MauiApp1/MauiApp1
      dotnet publish -f net6.0-windows10.0.19041.0 -c Release

- task: TrustedSigning@0
  displayName: Sign with Trusted Signing
  inputs:
    AzureTenantID: '$(tenant-id)'
    AzureClientID: '$(client-id)'
    AzureClientSecret: '$(client-secret)'
    Endpoint: 'https://eus.codesigning.azure.net/'
    CodeSigningAccountName: 'my-codesigning-account'
    CertificateProfileName: 'my-certificate-profile'
    FilesFolder: '$(Build.SourcesDirectory)/MauiApp1/MauiApp1/bin/Release/net6.0-windows10.0.19041.0/win10-x64/AppPackages/'
    FilesFolderFilter: 'msix'
    FilesFolderRecurse: true
    FilesFolderDepth: 1
    FileDigest: 'SHA256'
    TimestampRfc3161: 'http://timestamp.acs.microsoft.com'
    TimestampDigest: 'SHA256'
Authentication
Behind the scenes, the Task uses DefaultAzureCredential as the primary method of authentication to Azure. The EnvironmentCredential variables are exposed as Task inputs and are set as Task-scoped environment variables (they are not written to the agent's persistent environment). Each credential type supported by DefaultAzureCredential can be disabled individually through the Task inputs.
Best Practices
Timestamping
Trusted Signing certificates are short-lived (each certificate is valid for only about 3 days), so a signature without a timestamp stops validating as soon as its certificate expires. The files must therefore be signed with timestamping enabled for the signatures to remain valid beyond that window. It is recommended to use the Trusted Signing timestamp server:
TimestampRfc3161: 'http://timestamp.acs.microsoft.com'
TimestampDigest: 'SHA256'
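Because an un-timestamped Trusted Signing signature silently expires a few days after the build, it is worth failing the pipeline when a file comes out of the signing step without a timestamp counter-signature. The following PowerShell script is an added example, not part of the TrustedSigning Task or its documentation; run it as a PowerShell@2 step after the signing step. The `$FilesFolder` and `$Filter` parameters are assumed to mirror the Task's FilesFolder and FilesFolderFilter inputs, and it assumes that Get-AuthenticodeSignature can read the file type in question (PE, MSI, PS1, and MSIX/AppX on Windows 10 or later, where the AppX SIP is installed).

```powershell
# Added example: verify that every file the TrustedSigning step should have signed
# carries a valid Authenticode signature AND an RFC 3161 timestamp counter-signature.
# Not part of the Task; intended to run as a PowerShell@2 step right after it.
# Assumption: $FilesFolder / $Filter mirror the Task's FilesFolder / FilesFolderFilter inputs.
param(
    [string]$FilesFolder = "$env:BUILD_SOURCESDIRECTORY\MauiApp1\MauiApp1\bin\Release\net6.0-windows10.0.19041.0\win10-x64\AppPackages",
    [string]$Filter      = 'msix',
    [switch]$Recurse
)

$failures = @()
$files = Get-ChildItem -Path $FilesFolder -File -Filter "*.$Filter" -Recurse:$Recurse

# An empty match usually means a wrong FilesFolder / FilesFolderFilter, i.e. nothing was signed.
if (-not $files) {
    Write-Host "##vso[task.logissue type=error]No *.$Filter files found under $FilesFolder"
    exit 1
}

foreach ($file in $files) {
    $sig = Get-AuthenticodeSignature -FilePath $file.FullName

    if ($sig.Status -ne 'Valid') {
        $failures += "$($file.Name): signature status is $($sig.Status) ($($sig.StatusMessage))"
        continue
    }

    # The signing certificate lives only a few days; a missing TimeStamperCertificate
    # means the signature will stop validating once that certificate expires.
    if ($null -eq $sig.TimeStamperCertificate) {
        $failures += "$($file.Name): signed but not timestamped (TimestampRfc3161 missing or timestamp server unreachable)"
        continue
    }

    Write-Host ("{0}: OK  signer='{1}'  certNotAfter={2:u}  tsa='{3}'" -f `
        $file.Name,
        $sig.SignerCertificate.Subject,
        $sig.SignerCertificate.NotAfter,
        $sig.TimeStamperCertificate.Subject)
}

if ($failures.Count -gt 0) {
    # ##vso logging commands surface each problem in the Azure Pipelines UI and fail the step.
    $failures | ForEach-Object { Write-Host "##vso[task.logissue type=error]$_" }
    Write-Host "##vso[task.complete result=Failed;]Signature verification failed"
    exit 1
}
```

The `certNotAfter` value printed for each file makes the short certificate lifetime visible in the build log; if it is only days away and `tsa` were empty, the artifact would be unusable shortly after release, which is exactly the case the script rejects.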
Server Selection
There is currently a known issue with the WUS region where roughly 10% of signing requests are very slow (up to 100 seconds to sign a single file). This may cause significant slowdowns and possibly timeout failures during runs. It is suggested to use the EUS region when possible:
Endpoint: 'https://eus.codesigning.azure.net/'
The Trusted Signing team is currently working with Azure to solve this problem.
Authentication
This Task performs authentication using DefaultAzureCredential which attempts a series of authentication methods in order. If one method fails, it will attempt the next one until authentication is successful.
Each authentication method can be disabled individually so that no time is wasted attempting to authenticate with methods that will never pass.
For example, when authenticating with EnvironmentCredential specifically, disable the other credentials with the following inputs:
ExcludeEnvironmentCredential: false
ExcludeManagedIdentityCredential: true
ExcludeSharedTokenCacheCredential: true
ExcludeVisualStudioCredential: true
ExcludeVisualStudioCodeCredential: true
ExcludeAzureCliCredential: true
ExcludeAzurePowershellCredential: true
ExcludeInteractiveBrowserCredential: true
This makes the Task fail faster if, for some reason, the EnvironmentCredential fails. Similarly, when using AzureCliCredential, exclude the several credential types that come before it in the chain (EnvironmentCredential, ManagedIdentityCredential, SharedTokenCacheCredential, VisualStudioCredential and VisualStudioCodeCredential) so that no time is wasted attempting them.
Support
For support, head over to Q & A.
Release Notes
0.3.16
- Update to latest version of Trusted Signing dlib and Windows SDK build tools.
0.3.1
- Remove .NET runtime installation as the 2019 and 2022 images already have the necessary .NET runtime installed.
0.2.27
- Fix an exception that occurs when filtering files without a file extension.
- Add support for new BatchSize parameter.
0.2.22
- Add default value 'None' to PKCS7Options parameter to support legacy pipelines.