Skip to content

Latest commit

 

History

History
169 lines (136 loc) · 6.55 KB

WALKTHROUGH.md

File metadata and controls

169 lines (136 loc) · 6.55 KB

Walkthroughs

The following basic preparations are required for all guides:

  • Obtain a certificate.
  • Within your Azure subscription, create an Azure KeyVault. Note the URL of the KeyVault; this will be your input to -kvu later.
  • Upload your certificate into the KeyVault, giving it a name.

Using AzureSignTool to sign files with Azure DevOps

Note: Sean Killeen has an expanded version of this on his blog, How to: Use AzureSignTool to sign files with Azure DevOps using a certificate in Azure Key Vault .

  • Do you have service connection with service principal authentication(or ready to create one)?

A) Using existing service connection with service principal authentication

  • Go to KeyVault's the Access Policies section.

  • Create an access policy that applies to your connection service principal.

  • For the access policy, set the below permissions:

    Area Permissions
    Key Verify, Sign, Get, List
    Secret Get, List
    Certificate Get, List
  • In your Azure DevOps build configuration, add a step to install the global tool:

- task: DotNetCoreCLI@2
  inputs:
    command: 'custom'
    custom: 'tool'
    arguments: 'install --global azuresigntool'
  displayName: Install AzureSignTool
  • In your Azure DevOps build configuration, add a step to use the tool, with the values we captured earlier in the bracketed placeholders:
- task: AzureCLI@2
  displayName: 'Sign outputted .exe with global AzureSignTool'
  inputs:
    scriptType: ps
    scriptLocation: inlineScript
    azureSubscription: '[YOUR_CONNECTION_NAME]'
    addSpnToEnvironment: true
    inlineScript: |
      AzureSignTool sign -du "[YOUR_URL]" -kvu "https://[VAULT_ID].vault.azure.net -kvi $Env:servicePrincipalId -kvt $Env:tenantId -kvs $Env:servicePrincipalKey -kvc "[REDACTED_CERT_NAME]" -v [FILES_YOU_WANT_TO_SIGN]

B) Using custom Application Principal

  • Within your Azure AD, register an application with a name (no need to worry about the redirect URL).

  • In the overview screen for the application, note the Application ID -- this will be the client ID input into the -kvi parameter later.

  • Also note the Directory ID -- this will be the tenant ID input into the -kvt parameter later.

  • Create a client secret for the application and give it a description (e.g. "Access to KeyVault certificate for signing"). Be sure to copy the secret somewhere temporarily, as you won't be able to see it after initially creating it. This secret will be passed into the -kvs parameter later.

  • Return to your KeyVault's settings, and go to the Access Policies section.

  • Create an access policy that applies to your registered application, e.g. if the app you registered in AD was called MyApp, this policy should apply to the MyApp user.

  • For the access policy, set the below permissions:

    Area Permissions
    Key Verify, Sign, Get, List
    Secret Get, List
    Certificate Get, List
  • In your Azure DevOps build configuration, add a step to install the global tool:

- task: DotNetCoreCLI@2
  inputs:
    command: 'custom'
    custom: 'tool'
    arguments: 'install --global azuresigntool'
  displayName: Install AzureSignTool
  • In your Azure DevOps build configuration, add a step to use the tool, with the values we captured earlier in the bracketed placeholders:
- task: CmdLine@2
  displayName: 'Sign outputted .exe with global AzureSignTool'
  inputs:
    script: AzureSignTool sign -du "[YOUR_URL]" -kvu "https://[VAULT_ID].vault.azure.net" -kvi "[REDACTED_APPLICATION_ID]" -kvt "[REDACTED_DIRECTORY_ID]" -kvs "[REDACTED_APPLICATION_CLIENT_SECRET]" -kvc "[REDACTED_CERT_NAME]" -v [FILES_YOU_WANT_TO_SIGN]

Using AzureSignTool to sign files with GitLab CI

A) Using service principal authentication

  • Go to KeyVault's the Access Policies section.

  • Create an access policy that applies to your service principal.

  • For the access policy, set the below permissions:

    Area Permissions
    Key Verify, Sign, Get, List
    Secret Get, List
    Certificate Get, List
  • In your GitLab build configuration, add a job to install and execute the AzureSignTool:

sign:
  stage: deploy
  image: mcr.microsoft.com/dotnet/sdk:8.0-windowsservercore-ltsc2019 # If docker on windows is used.
  before_script:
    - Invoke-WebRequest https://github.com/vcsjones/AzureSignTool/releases/latest/download/AzureSignTool-x64.exe -OutFile AzureSignTool.exe
  script:
    - >
        .\AzureSignTool.exe sign 
        --azure-key-vault-url https://example.vault.azure.net/
        --azure-key-vault-client-id $AZURE_CLIENT_ID
        --azure-key-vault-client-secret $AZURE_CLIENT_SECRET
        --azure-key-vault-tenant-id $AZURE_TENANT_ID
        --azure-key-vault-certificate example-certificate
        --verbose 
        example.exe
  artifacts:
    paths:
      - example.exe

B) Using JWT Tokens authentication (OIDC)

  • Configure a federated identity for GitLab in your service principal.

  • Go to KeyVault's the Access Policies section.

  • Create an access policy that applies to your service principal.

  • For the access policy, set the below permissions:

    Area Permissions
    Key Verify, Sign, Get, List
    Secret Get, List
    Certificate Get, List
  • In your GitLab build configuration, add a step to install and execute the AzureSignTool:

sign:
  stage: deploy
  image: mcr.microsoft.com/dotnet/sdk:8.0-windowsservercore-ltsc2019 # If docker on windows is used.
  id_tokens:
    GITLAB_OIDC_TOKEN:
      aud: 'https://gitlab.com'
  before_script:
    - az login --service-principal -u $AZURE_CLIENT_ID --tenant $AZURE_TENANT_ID --federated-token $GITLAB_OIDC_TOKEN
    - Invoke-WebRequest https://github.com/vcsjones/AzureSignTool/releases/latest/download/AzureSignTool-x64.exe -OutFile AzureSignTool.exe
  script:
    - >
      .\\AzureSignTool.exe sign 
      --azure-key-vault-url https://example.vault.azure.net/
      --azure-key-vault-managed-identity
      --azure-key-vault-certificate example-certificate
      --verbose 
      example.exe
  artifacts:
    paths:
      - example.exe

Happy signing!