
Storing Code Signing Certificate

Submitted by: @import:stackexchange-devops
Tags: code, certificate, signing, storing

Problem

I own a public and open-source Windows Forms/C# application in a GitHub repo that I want to start code signing with my certificate through Azure Pipelines CI. I have set up my pipeline and it is building fine; the next step is to integrate automatic code signing, which until this point I have been doing manually. I have taken the following steps:

  • Certificate has been added to Secure File storage
  • Code Signing Extension installed: https://marketplace.visualstudio.com/items?itemName=stefankert.codesigning
  • Task variables have been created and marked as secret

After adding a task, the generated YAML is:

- task: codesigning@2
  inputs:
    secureFileId: '$(certName)'
    signCertPassword: '$(certPass)'
    files: '**/*.exe'
    timeServer: 'http://timestamp.digicert.com'
    hashingAlgorithm: 'SHA256'


So, saving this, it is obviously going to update my azure-pipelines.yml in my repository. Is it possible to perform code signing in Azure Pipelines without exposing any information in the repository? Is this considered best practice for code-signing in Azure Pipelines?

Solution

From what I can see you have done everything correctly: you have stored both the certificate material (i.e. the PFX) and the password for the PFX in a secure location that presumably no one else can access. Assuming you don't give anyone else permissions on your Azure tenant and you don't blindly accept pull requests that change azure-pipelines.yml, then you are in a good place.

If you are feeling paranoid, then you could create a second pipeline using a private repository that is triggered when the previous pipeline completes successfully. However, IMHO, I would carefully consider the risk you are exposing yourself to against the complexity and fragility of trying to tie two pipelines together.

Context

StackExchange DevOps Q#8768, answer score: 2
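The pattern the answer endorses, carried through to a complete sign-and-verify job, as an added example that is not code from the question, the answer, or the codesigning extension. It assumes the same two secret pipeline variables the question names (certName holding the Secure File name, certPass holding the PFX password), an assumed step name signingCert for the download task, and that signtool.exe is present under the Windows 10 SDK directory on a Microsoft-hosted Windows agent; the project's own build steps are left as a placeholder comment. Nothing below is a secret: the repository only ever sees variable references.

```yaml
# Added example (not from the original question or answer).
# Assumed names: certName (Secure File name), certPass (PFX password) are
# secret pipeline variables or live in a variable group; signingCert is the
# assumed reference name of the download step. The signtool lookup is an
# assumption about Microsoft-hosted Windows agents.
trigger:
  - main

pool:
  vmImage: windows-latest

steps:
  # ... the project's existing build steps go here ...

  # Pull the PFX from Secure Files onto the agent. Only the file's name
  # ($(certName)) is referenced; the certificate bytes never touch the repo.
  - task: DownloadSecureFile@1
    name: signingCert
    displayName: Download code-signing certificate
    inputs:
      secureFile: '$(certName)'

  - task: PowerShell@2
    displayName: Sign and verify release binaries
    env:
      # Secret variables are not exported to scripts automatically; map the
      # password explicitly instead of pasting $(certPass) into the script body.
      CERT_PASSWORD: $(certPass)
    inputs:
      targetType: inline
      script: |
        $signtool = Get-ChildItem "${env:ProgramFiles(x86)}\Windows Kits\10\bin" -Recurse -Filter signtool.exe |
          Where-Object { $_.FullName -like '*\x64\*' } | Sort-Object FullName | Select-Object -Last 1
        if (-not $signtool) { throw 'signtool.exe not found on this agent' }

        $pfx = "$(signingCert.secureFilePath)"
        $files = Get-ChildItem -Path "$(Build.SourcesDirectory)" -Recurse -Include *.exe |
          Where-Object { $_.FullName -like '*\bin\Release\*' }
        if (-not $files) { throw 'No release binaries found to sign' }

        foreach ($f in $files) {
          # SHA-256 file digest plus an RFC 3161 timestamp so the signature
          # stays valid after the certificate expires.
          & $signtool.FullName sign /f $pfx /p $env:CERT_PASSWORD /fd SHA256 `
              /tr http://timestamp.digicert.com /td SHA256 $f.FullName
          if ($LASTEXITCODE -ne 0) { throw "Signing failed for $($f.FullName)" }

          # Fail the build if the result does not verify under the default
          # Authenticode policy (chains to a trusted root on the agent).
          & $signtool.FullName verify /pa /v $f.FullName
          if ($LASTEXITCODE -ne 0) { throw "Signature verification failed for $($f.FullName)" }
        }
```

Two points worth checking in your own pipeline: secret variables are masked in the job log and, for GitHub-hosted repositories, are by default not made available to builds triggered from forks, which is what keeps a pull request from signing its own binaries with your key; and the verify step will reject a self-signed test certificate, so it only passes once the real, publicly trusted certificate is in Secure Files.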
