microsoft · freddydk · Oct 28, 2024 · Oct 28, 2024 · Oct 28, 2024 · Oct 28, 2024
@@ -658,6 +658,11 @@ function ReadSettings {
             "defaultReleaseMD"                          = "## Release reference documentation\n\nThis is the generated reference documentation for [{REPOSITORY}](https://github.com/{REPOSITORY}).\n\nYou can use the navigation bar at the top and the table of contents to the left to navigate your documentation.\n\nYou can change this content by creating/editing the **{INDEXTEMPLATERELATIVEPATH}** file in your repository or use the alDoc:defaultReleaseMD setting in your repository settings file (.github/AL-Go-Settings.json)\n\n{RELEASENOTES}"
         }
         "trustMicrosoftNuGetFeeds"                      = $true
+        "trustedSigning"                                = [ordered]@{
+            "SigningEndpoint"                           = "https://weu.codesigning.azure.net"
+            "SigningAccount"                            = ""
+            "SigningCertificateProfile"                 = ""
+        }
     }
 
     # Read settings from files and merge them into the settings object

@@ -28,23 +28,35 @@
 # Get parameters for signing
 $AzureCredentials = ConvertFrom-Json ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($AzureCredentialsJson)))
 $settings = $env:Settings | ConvertFrom-Json
-if ($settings.keyVaultName) {
-    $AzureKeyVaultName = $settings.keyVaultName
-}
-elseif ($AzureCredentials.PSobject.Properties.name -eq "keyVaultName") {
-    $AzureKeyVaultName = $AzureCredentials.keyVaultName
-}
-else {
-    throw "KeyVaultName is not specified in AzureCredentials nor in settings. Please specify it in one of them."
-}
 
-$AzureCredentialParams = @{
-    "ClientId" = $AzureCredentials.clientId
-    "TenantId" = $AzureCredentials.tenantId
+if ($settings.TrustedSigning.SigningEndpoint -and $settings.TrustedSigning.SigningAccount -and $settings.TrustedSigning.SigningCertificateProfile) {
+    $SigningParams = @{
+        "SigningEndpoint" = $settings.TrustedSigning.Endpoint
+        "SigningAccount" = $settings.TrustedSigning.Account
+        "SigningCertificateProfile" = $settings.TrustedSigning.CertificateProfile
+    }
 }
-if ($AzureCredentials.PSobject.Properties.name -eq "clientSecret") {
-    $AzureCredentialParams += @{
-        "ClientSecret" = $AzureCredentials.clientSecret
+else {
+    if ($settings.keyVaultName) {
+        $AzureKeyVaultName = $settings.keyVaultName
+    }
+    elseif ($AzureCredentials.PSobject.Properties.name -eq "keyVaultName") {
+        $AzureKeyVaultName = $AzureCredentials.keyVaultName
+    }
+    else {
+        throw "KeyVaultName is not specified in AzureCredentials nor in settings. Please specify it in one of them."
+    }
+
+    $SigningParams = @{
+        "ClientId" = $AzureCredentials.clientId
+        "TenantId" = $AzureCredentials.tenantId
+        "KeyVaultName" = $AzureKeyVaultName
+        "CertificateName" = $settings.keyVaultCodesignCertificateName
+    }
+    if ($AzureCredentials.PSobject.Properties.name -eq "clientSecret") {
+        $SigningParams += @{
+            "ClientSecret" = $AzureCredentials.clientSecret
+        }
     }
 }
 InstallAzModuleIfNeeded -name 'Az.Accounts'
@@ -54,8 +66,7 @@
 $descriptionUrl = "$ENV:GITHUB_SERVER_URL/$ENV:GITHUB_REPOSITORY"
 
 Write-Host "::group::Signing files"
-Invoke-SigningTool @AzureCredentialParams -KeyVaultName $AzureKeyVaultName `
-    -CertificateName $settings.keyVaultCodesignCertificateName `
+Invoke-SigningTool @SigningParams  `
     -FilesToSign $PathToFiles `
     -Description $description `
     -DescriptionUrl $descriptionUrl `

@@ -78,16 +78,22 @@
 #>
 function Invoke-SigningTool() {
     param(
-        [Parameter(Mandatory = $true)]
+        [Parameter(Mandatory = $true, ParameterSetName="KeyVaultSigning")]
         [string] $KeyVaultName,
-        [Parameter(Mandatory = $true)]
+        [Parameter(Mandatory = $true, ParameterSetName="KeyVaultSigning")]
         [string] $CertificateName,
-        [Parameter(Mandatory = $false)]
+        [Parameter(Mandatory = $false, ParameterSetName="KeyVaultSigning")]
         [string] $ClientId,
-        [Parameter(Mandatory = $false)]
+        [Parameter(Mandatory = $false, ParameterSetName="KeyVaultSigning")]
         [string] $ClientSecret,
-        [Parameter(Mandatory = $false)]
+        [Parameter(Mandatory = $false, ParameterSetName="KeyVaultSigning")]
         [string] $TenantId,
+        [Parameter(Mandatory = $true, ParameterSetName="TrustedSigning")]
+        [string] $SigningEndpoint,
+        [Parameter(Mandatory = $true, ParameterSetName="TrustedSigning")]
+        [string] $SigningAccount,
+        [Parameter(Mandatory = $true, ParameterSetName="TrustedSigning")]
+        [string] $SigningCertificateProfile,
         [Parameter(Mandatory = $true)]
         [string] $FilesToSign,
         [Parameter(Mandatory = $true)]
@@ -105,14 +111,12 @@
     $signingToolExe = Install-SigningTool
 
     # Sign files
-    if ($ClientId -and $ClientSecret -and $TenantId) {
-        Write-Host "Invoking signing tool using clientId/clientSecret"
-        . $signingToolExe code azure-key-vault `
-            --azure-key-vault-url "https://$KeyVaultName.vault.azure.net/" `
-            --azure-key-vault-certificate $CertificateName `
-            --azure-key-vault-client-id $ClientId `
-            --azure-key-vault-client-secret $ClientSecret `
-            --azure-key-vault-tenant-id $TenantId `
+    if ($PsCmdlet.ParameterSetName -eq "TrustedSigning") {
+        Write-Host "Invoking signing tool using trusted signing"
+        . $signingToolExe code trusted-signing `
+            --trusted-signing-endpoint $SigningEndpoint `
+            --trusted-signing-account $SigningAccount `
+            --trusted-signing-certificate-profile $SigningCertificateProfile `
             --description $Description `
             --description-url $DescriptionUrl `
             --file-digest $DigestAlgorithm `
@@ -122,19 +126,45 @@
             $FilesToSign
     }
     else {
-        Write-Host "Invoking signing tool using managed identity"
-        . $signingToolExe code azure-key-vault `
-            --azure-key-vault-url "https://$KeyVaultName.vault.azure.net/" `
-            --azure-key-vault-certificate $CertificateName `
-            --azure-key-vault-managed-identity $true `
-            --description $Description `
-            --description-url $DescriptionUrl `
-            --file-digest $DigestAlgorithm `
-            --timestamp-digest $DigestAlgorithm `
-            --timestamp-url $TimestampService `
-            --verbosity $Verbosity `
-            $FilesToSign
+        if ($ClientId -and $ClientSecret -and $TenantId) {
+            Write-Host "Invoking signing tool using clientId/clientSecret"
+            . $signingToolExe code azure-key-vault `
+                --azure-key-vault-url "https://$KeyVaultName.vault.azure.net/" `
+                --azure-key-vault-certificate $CertificateName `
+                --azure-key-vault-client-id $ClientId `
+                --azure-key-vault-client-secret $ClientSecret `
+                --azure-key-vault-tenant-id $TenantId `
+                --description $Description `
+                --description-url $DescriptionUrl `
+                --file-digest $DigestAlgorithm `
+                --timestamp-digest $DigestAlgorithm `
+                --timestamp-url $TimestampService `
+                --verbosity $Verbosity `
+                $FilesToSign
+        }
+        else {
+            Write-Host "Invoking signing tool using managed identity"
+            . $signingToolExe code azure-key-vault `
+                --azure-key-vault-url "https://$KeyVaultName.vault.azure.net/" `
+                --azure-key-vault-certificate $CertificateName `
+                --azure-key-vault-managed-identity $true `
+                --description $Description `
+                --description-url $DescriptionUrl `
+                --file-digest $DigestAlgorithm `
+                --timestamp-digest $DigestAlgorithm `
+                --timestamp-url $TimestampService `
+                --verbosity $Verbosity `
+                $FilesToSign
+        }
     }
 }
 
+
+sign code trusted-signing
+ --trusted-signing-endpoint https://weu.codesigning.azure.net 
+ --trusted-signing-account <signing-account-name> 
+ --trusted-signing-certificate-profile <profile-name>
+ 'c:/fullpath/to/my.app'
+
+
 Export-ModuleMember -Function Invoke-SigningTool