Trusted Signing
Hi @freddydk, Are there any plans to add Azure Trusted Signing to sign app files? We are now using this service for our app store submissions, and it's one of the missing things I found when assessing whether we can move in the future to AL-Go from our custom solution CI/CD.
AL-Go for GitHub is using dotnet sign for signing apps. Very recently, dotnet sign got support for trusted signing, so I am guessing that we just need to wire some pieces together. It does however require that we can try this out, find somebody who can use azure trusted signing (which I cannot setup with my Microsoft account) or that we setup a side subscription where we can try this.
If you already have set up azure trusted signing, then maybe we can work together on this after my vacation?
Trusted Signing is now supported in AL-Go for GitHub. Currently in preview.
@freddydk Any documentation on how to utilize this?
You can read more about the service here: https://azure.microsoft.com/en-us/products/trusted-signing and here: https://learn.microsoft.com/en-us/azure/trusted-signing/ - and you can use https://aka.ms/algosettings#trustedsigning for how to set it up in AL-Go for GitHub.
Thank you kindly, @freddydk. I already have trusted signing set up, I was just looking for that last link you provided!
Good day @freddydk ,
I realize this is not customer support and understand that you might not have the chance to clarify this. However, the documentation is a little sparse, and I ran into errors in the Sign workflow (triggered from CI/CD):
Error: Unexpected error when running action. Error Message: Error trying to authenticate to Azure. Error was ClientAssertionCredential authentication failed: Could not find tenant id for provided tenant domain '9485gggg-4feb-1111-b000-b2d0d2f6b000'. , StackTrace: at ConnectAz, D:\a\_actions\microsoft\AL-Go-Actions\v6.4\AL-Go-Helper.ps1: line 2552 <- at <ScriptBlock>, D:\a\_actions\microsoft\AL-Go-Actions\v6.4\Sign\Sign.ps1: line 63 <- at <ScriptBlock>, D:\a\_temp\32e4d874-b3ef-44ac-97ce-f9c4ba1cd558.ps1: line 3 <- at <ScriptBlock>, D:\a\_actions\microsoft\AL-Go-Actions\v6.4\Invoke-AlGoAction.ps1: line 17 <- at <ScriptBlock>, D:\a\_temp\32e4d874-b3ef-44ac-97ce-f9c4ba1cd558.ps1: line 2 <- at <ScriptBlock>, <No file>: line 1
Error: Process completed with exit code 1.
(Guid randomized).
I created a new AZURE_CREDENTIALS secret for the organization, using
New-BcAuthContext -includeDeviceLogin | New-ALGoAuthContext | set-Clipboard
In settings.json I set up
"trustedSigning": {
"Account": "SigningAccount",
"Endpoint": "https://neu.codesigning.azure.net/",
"CertificateProfile": "AppSourceProfile"
},
This failed, so I wondered if there is a specific way to set up AZURE_CREDENTIALS. Looks like the code is expecting a domain, but the secret has a guid (?).
Then I created AZURE_CREDENTIALS in the format given here: https://learn.microsoft.com/en-us/azure/developer/github/connect-from-azure-secret which first failed
[CI/CD](https://github.com/dev/dev/actions/runs/13962996927/workflow)
GitHub Actions has encountered an internal error when running your job.
but then I set the secret in this format, with no whitespace:
{"clientId": "<Client ID>","clientSecret": "<Client Secret>","subscriptionId": "<Subscription ID>","tenantId": "<Tenant ID>"}
This failed again, but the error is a little different.
Error: Unexpected error when running action. Error Message: Error trying to authenticate to Azure. Error was ClientSecretCredential authentication failed: Could not find tenant id for provided tenant domain '9485gggg-4feb-1111-b000-b2d0d2f6b000'. Please ensure that the provided service principal '***' is found in the provided tenant domain., StackTrace:
The settings in trustedSigning and the clientId, clientSecret, subscriptionId and tenantId are the exact environment variable values from my Trusted Signing Account, which I use in PowerShell to sign the .app files. So the Trusted Signing itself is working fine.
signtool.exe" sign /v /debug /fd SHA256 /tr "http://timestamp.acs.microsoft.com" /td SHA256 /dlib $ACS_DLIB /dmdf $ACS_JSON $_.FullName
Did you obfuscate the tenant id 9485gggg-4feb-1111-b000-b2d0d2f6b000? Could you email me the actual log?
Good morning @freddydk , yeah, that was the "Guid randomized."-part. :) Emailed!
Ok, we got this working.
- make sure the signing-app registration has the roles Key Vault Crypto User + Key Vault Certificate User, even though these are not needed when you Trusted Sign from PowerShell locally.
- make sure you use the client secret in the AZURE_CREDENTIALS json and it is of the following format: {"clientId": "<Client ID>","clientSecret": "<Client Secret>","subscriptionId": "<Subscription ID>","tenantId": "<Tenant ID>"}