现在,GlobalSign最近开始推广Azure Key Vault作为密钥存储选项,并且他们非常乐意向我们出售此服务,但我不确定如何将其与我们的构建管道实际集成(或者是否可能)。
有人真正做到了吗?
我一直在努力使用Azure Key Vault和Azure Pipelines对我们的代码进行签名,并成功了。以下是我的发现。
关键是,用于代码签名的扩展验证(EV)证书与“普通”的SSL证书非常不同。标准证书可以随意导出,这意味着您可以将其上传到Azure Pipelines并使用标准的Microsoft Sign Tool。
但是,一旦将EV证书放入Azure Key Vault中,就无法以任何通常的方式取出。您必须使用Anodyne above发现的优秀的Azure Sign Tool从Pipelines调用它。
将证书放入Key Vault中。您可以使用任何证书颁发机构来生成证书,只要他们知道您需要一张EV证书,而且至关重要的是,需要一个硬件安全模块(HSM),而不是一个带有物理USB密钥的证书。任何像Key Vault这样的云系统都需要HSM版本。
要获取访问此证书的权限,请follow this page,但要注意它漏掉了一步。因此,首先阅读该文档,然后按照以下摘要步骤设置Key Vault:
Azure Active Directory
区域创建一个 应用程序注册
:输入易记名称,忽略 重定向 URI
,并保存。密钥保管库
,然后进入 访问控制(IAM)
,再选择 添加角色分配
。在 选择
输入框中输入刚刚创建的应用程序名称。还需要选择一个 角色
,建议选择 读取者
,然后保存。访问策略
菜单项。单击 添加访问策略
并添加你的应用程序。需要在 证书权限
中选中 获取
。尽管你在此保管库中可能没有任何密钥,但是 密钥权限
也需要选中 获取
和 签名
。你可能认为这两个会在证书权限中...证书和密码
,然后选择上传证书(专门用于远程访问密钥保管库)或创建 客户端密码
。如果选择后者,请记下密码,否则你将无法再看到它!概述
部分中,会显示 应用程序(客户端)ID
。这个和密码或证书是接下来在管道任务中传递给 Azure 签名工具的内容。从Azure处理实际的代码签名需要多个步骤。以下内容适用于Microsoft托管代理,尽管类似的问题也会影响您拥有的任何私有代理。
The Azure Sign Tool needs the .NET Core SDK to be installed, but a version that's at least version 2.x, and since the latest .NET Core SDK is always used, this means as long as the version of Windows is current enough, you don't need to install it yourself. And you can see which version of the SDK is shipped with which Windows agent.
The current Hosted
OS version in Azure Pipelines, also called Default Hosted
, is, at the time of writing, Windows Server 2012 R2. Which isn't up to date enough. Installing a newer .NET Core SDK to overcome this is a time drag on every build, and although the installation works, calling the Azure Sign Tool may not work. It seems to be finding only older versions of the SDK, and throws this error: Unable to find an entry point named 'SignerSignEx3' in DLL 'mssign32'.
So the easiest thing to do is change your build to use a later OS image. Windows 2019 works like a charm. And there is no need to install any version of .NET Core.
Then create a command line task to install the Azure Sign Tool. You can use a .NET Core CLI task as well, but there is no need. In the task, type this:
set DOTNET_SKIP_FIRST_TIME_EXPERIENCE=true
dotnet tool install --global AzureSignTool --version 2.0.17
Naturally using whichever version that you want.
The DOTNET_SKIP_FIRST_TIME_EXPERIENCE environment variable isn't strictly necessary, but setting it speeds things up quite a bit (see here for an explanation).
Finally, create another command line task and type in the Azure Sign Tool command that you wish to run with. On Windows this would be something like below, note with ^
not /
as a line continuation marker. Naturally, see here for more parameter information:
AzureSignTool.exe sign -du "MY-URL" ^
-kvu https://MY-VAULT-NAME.vault.azure.net ^
-kvi CLIENT-ID-BIG-GUID ^
-kvs CLIENT-PASSWORD ^
-kvc MY-CERTIFICATE-NAME ^
-tr http://timestamp.digicert.com ^
-v ^
$(System.DefaultWorkingDirectory)/Path/To/My/Setup/Exe
理论上,您应该会成功!签名工具的输出相当不错,通常可以找到问题所在。
如果您需要重新颁发证书,情况就很不同了。
在Azure中,进入证书并点击它,打开显示该证书版本的页面,包括当前版本和旧版本。-----BEGIN CERTIFICATE REQUEST-----
开头)到GlobalSign中。提交它。