patternMinor
Storing Code Signing Certificate
Viewed 0 times
codecertificatesigningstoring
Problem
I own a public and open-source Windows Forms/C# application in a Github repo that I want to start code signing with my certificate through Azure Pipelines CI. I have set up my pipeline and it is building fine, the next step is to integrate automatic code signing, which until this point I have been doing manually. I have taken the following steps:
After adding a task, the YML generating is:
So, saving this, it is obviously going to update my azure-pipelines.yml in my repository. Is it possible to perform code signing in Azure Pipelines without exposing any information in the repository? Is this considered best practice for code-signing in Azure Pipelines?
- Certificate has been added to Secure File storage
- Code Signing Extension Installed https://marketplace.visualstudio.com/items?itemName=stefankert.codesigning
- Task variables have been created and marked as secret
After adding a task, the YML generating is:
- task: codesigning@2
inputs:
secureFileId: '$(certName)'
signCertPassword: '$(certPass)'
files: '**/*.exe'
timeServer: 'http://timestamp.digicert.com'
hashingAlgorithm: 'SHA256'So, saving this, it is obviously going to update my azure-pipelines.yml in my repository. Is it possible to perform code signing in Azure Pipelines without exposing any information in the repository? Is this considered best practice for code-signing in Azure Pipelines?
Solution
From what I can see you have done everything correctly, you have stored both the certificate material (i.e. the PFX) and the password for the PFX in a secure location that presumably no one else can access. Assuming you don't give anyone else permissions on your Azure tenant and you don't blindly accept pull requests that change
If you are feeling paranoid, then you could create a second pipeline using a private repository that is triggered when the previous pipeline completes successfully. However, IMHO, I would carefully consider the risk you are exposing yourself to against the complexity and fragility of trying to tie two pipelines together.
azure-pipelines.yml then you are in a good place.If you are feeling paranoid, then you could create a second pipeline using a private repository that is triggered when the previous pipeline completes successfully. However, IMHO, I would carefully consider the risk you are exposing yourself to against the complexity and fragility of trying to tie two pipelines together.
Context
StackExchange DevOps Q#8768, answer score: 2
Revisions (0)
No revisions yet.