Pritorian

Reputation: 450

ClickOnce signing via Azure Key Vault

Got a question regarding click once signing.

I have a server with Jenkins on it, which handles building a WPF application with ClickOnce as a deployment option. I have used a set of commands for MSBuild and mage.exe to produce an application file with deployment and application manifests signed by a provided *.pfx file.

Now the decision was made that the pfx file will not be provided. Instead, all keys were moved to the Azure Key Vault.

My question is - what will be a correct flow to make manifest signing for the ClickOnce application work with Azure Key Vault? I just don't understand how to execute the mage -update correctly with no path to provide as -certfile argument.

Thanks in advance.

Upvotes: 1

Views: 1793

Answers (2)

Pritorian

Reputation: 450

Just to give an update on the situation in 2024/2025, when it is unlikely that IT will get you the EV codesign certificate on a build server in the cert store.

Given:

  • existing ClickOnce application signed locally
  • expired local certificate
  • new EV codesign certificate in azure key vault
  • directory (tenant?) id provided by IT
  • application id provided by IT
  • client secret provided by IT
  • certificate name provided by IT
  • rights for user in organization to sign granted by IT

In order to sign the published clickonce application having this info:

  • ensure the environment variables AZURE_CLIENT_ID AZURE_TENANT_ID AZURE_CLIENT_SECRET are set according to provided data
  • ensure this tool is installed https://github.com/dotnet/sign
  • call the command sign code azure-key-vault "{YOUR_PUBLISH_FOLDER}\{YOUR_APP_NAME}.application" --azure-key-vault-url "{YOUR_KEY_VAULT_URL}" --azure-key-vault-certificate "{YOUR_CERTIFICATE_NAME}" --application-name "{YOUR_APP_NAME}" --publisher-name "{YOUR_PUBLISHER_NAME}" --timestamp-url "http://timestamp.digicert.com/"

This worked for me surprisingly well, since it figured out what to sign automatically and there is no need to rename/sign the built DLLs now. Shame it took quite some time to figure out, since there is no example in the documentation. Also, I don't know how to make it work when all parameters are specified explicitly (without environment variables), since it brags that

The client secret options are obsolete and should no longer be specified.

Upvotes: 0
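The three steps in the answer above, wired into a Jenkins pipeline, as an added example that is not part of the answer or of the dotnet/sign project. It assumes a declarative Jenkinsfile with the Credentials Binding plugin, a Windows agent labelled `windows` on which `dotnet` and `mage.exe` are on the PATH, three "Secret text" credentials with the assumed IDs `azure-sign-client-id`, `azure-sign-tenant-id` and `azure-sign-client-secret`, and placeholder values for the vault URL, certificate name, publish folder, application name and publisher name. The `sign code azure-key-vault` options are the ones from the answer; the `dotnet tool install` line and the `mage -Verify` check are assumptions to confirm against the respective documentation.

```groovy
// Added example (not from the answer above): Jenkins declarative pipeline that
// signs a published ClickOnce application with a certificate held in Azure Key Vault.
pipeline {
    agent { label 'windows' }   // assumed label of the agent that runs MSBuild/mage

    environment {
        // Assumed placeholders; replace with the values provided by IT.
        KEY_VAULT_URL  = 'https://YOUR-VAULT-NAME.vault.azure.net/'
        CERT_NAME      = 'YOUR_CERTIFICATE_NAME'
        PUBLISH_DIR    = 'publish'
        APP_NAME       = 'YOUR_APP_NAME'
        PUBLISHER_NAME = 'YOUR_PUBLISHER_NAME'
    }

    stages {
        stage('Install sign tool') {
            steps {
                // dotnet/sign as a global dotnet tool (package id 'sign'). The --prerelease
                // flag is an assumption; check the project's README for the current command.
                bat 'dotnet tool install --global sign --prerelease || dotnet tool update --global sign --prerelease'
            }
        }

        stage('Sign ClickOnce manifests') {
            steps {
                // Bind the secrets to exactly the variable names the answer lists
                // (AZURE_CLIENT_ID, AZURE_TENANT_ID, AZURE_CLIENT_SECRET). The tool picks
                // them up from the environment, so no secret is written to disk, none is
                // interpolated into the command line, and the obsolete client-secret
                // option is never used.
                withCredentials([
                    string(credentialsId: 'azure-sign-client-id',     variable: 'AZURE_CLIENT_ID'),
                    string(credentialsId: 'azure-sign-tenant-id',     variable: 'AZURE_TENANT_ID'),
                    string(credentialsId: 'azure-sign-client-secret', variable: 'AZURE_CLIENT_SECRET')
                ]) {
                    // Options exactly as in the answer; the tool locates the application
                    // manifest and the executables from the .application file itself.
                    bat "sign code azure-key-vault \"${env.PUBLISH_DIR}\\${env.APP_NAME}.application\" --azure-key-vault-url \"${env.KEY_VAULT_URL}\" --azure-key-vault-certificate \"${env.CERT_NAME}\" --application-name \"${env.APP_NAME}\" --publisher-name \"${env.PUBLISHER_NAME}\" --timestamp-url \"http://timestamp.digicert.com/\""
                }
            }
        }

        stage('Verify deployment manifest') {
            steps {
                // Fail the build if the signed deployment manifest does not verify
                // (mage -Verify is assumed to be available, as mage.exe already is per the question).
                bat "mage -Verify \"${env.PUBLISH_DIR}\\${env.APP_NAME}.application\""
            }
        }
    }

    post {
        success {
            // Keep the signed publish output as a build artifact.
            archiveArtifacts artifacts: "${env.PUBLISH_DIR}/**", fingerprint: true
        }
    }
}
```

The point of binding the secrets with `withCredentials` rather than putting them in the `environment` block is that Jenkins then masks them in the console log and they exist only for the duration of that stage; the signing command itself carries no secret, only the vault URL and certificate name.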

Rye bread

Reputation: 1811

I have used the code here:

https://github.com/davici-code/AzureSignToolClickOnce

to successfully sign ClickOnce applications in Azure DevOps with a certificate stored in Azure Key Vault.

It signs all the required executables and manifest files. Internally AzureSignTool is used to sign the executables and the mage code signs the manifest with Authenticode.

https://www.davici.nl/blog/clickonce-signing-from-azure-devops-via-azure-key-vault

For Jenkins it would also work.

Upvotes: 1
