Resort to secrets again for legacy MSI build

Author: zooba

windows-release/msi-steps.yml

@@ -67,6 +67,10 @@ steps:
         Include: ''
         ExportCommand: SignCommand
         SigningCertificate: ${{ parameters.SigningCertificate }}
+        # WiX is struggling with WIF authentication and sign.exe right now,
+        # so we still rely on the client secret for legacy builds.
+        # We disable the service connection here to skip the login steps.
+        AzureServiceConnectionName: ''
 
     - powershell: |
         $cmd = $env:SignCommand -replace '"', '\"'
@@ -83,6 +87,10 @@ steps:
       Platform: x86
       # Only need the variable here for msi.props to detect
       SigningCertificate: ${{ parameters.SigningCertificate }}
+      ${{ if parameters.SigningCertificate }}:
+        AZURE_TENANT_ID: $(TrustedSigningTenantId)
+        AZURE_CLIENT_ID: $(TrustedSigningClientId)
+        AZURE_CLIENT_SECRET: $(TrustedSigningClientSecret)
 
   - ${{ each b in parameters.Bundles }}:
     - script: |
@@ -97,6 +105,10 @@ steps:
           TclTkLibraryDir: $(Pipeline.Workspace)\${{ b.TclTkArtifact }}
         # Only need the variable here for msi.props to detect
         SigningCertificate: ${{ parameters.SigningCertificate }}
+        ${{ if parameters.SigningCertificate }}:
+          AZURE_TENANT_ID: $(TrustedSigningTenantId)
+          AZURE_CLIENT_ID: $(TrustedSigningClientId)
+          AZURE_CLIENT_SECRET: $(TrustedSigningClientSecret)
 
   - powershell: |
       del $env:ResponseFile -ErrorAction Continue

windows-release/sign-files.yml

@@ -34,29 +34,30 @@ steps:
     env:
       EXPORT_COMMAND: ${{ parameters.ExportCommand }}
 
-  # We sign in once with the AzureCLI task, as it uses OIDC to obtain a
-  # temporary token. But the task also logs out, and so we save the token and
-  # use it to log in persistently (for the rest of the build).
-  - task: AzureCLI@2
-    displayName: 'Authenticate signing tools (1/2)'
-    inputs:
-      azureSubscription: ${{ parameters.AzureServiceConnectionName }}
-      scriptType: 'ps'
-      scriptLocation: 'inlineScript'
-      inlineScript: |
-        "##vso[task.setvariable variable=AZURE_CLIENT_ID;issecret=true]${env:servicePrincipalId}"
-        "##vso[task.setvariable variable=AZURE_ID_TOKEN;issecret=true]${env:idToken}"
-        "##vso[task.setvariable variable=AZURE_TENANT_ID;issecret=true]${env:tenantId}"
-        "##vso[task.setvariable variable=AZURE_TOKEN_CREDENTIALS]AzureCliCredential"
-      addSpnToEnvironment: true
+  - ${{ if parameters.AzureServiceConnectionName }}:
+    # We sign in once with the AzureCLI task, as it uses OIDC to obtain a
+    # temporary token. But the task also logs out, and so we save the token and
+    # use it to log in persistently (for the rest of the build).
+    - task: AzureCLI@2
+      displayName: 'Authenticate signing tools (1/2)'
+      inputs:
+        azureSubscription: ${{ parameters.AzureServiceConnectionName }}
+        scriptType: 'ps'
+        scriptLocation: 'inlineScript'
+        inlineScript: |
+          "##vso[task.setvariable variable=AZURE_CLIENT_ID;issecret=true]${env:servicePrincipalId}"
+          "##vso[task.setvariable variable=AZURE_ID_TOKEN;issecret=true]${env:idToken}"
+          "##vso[task.setvariable variable=AZURE_TENANT_ID;issecret=true]${env:tenantId}"
+          "##vso[task.setvariable variable=AZURE_TOKEN_CREDENTIALS]AzureCliCredential"
+        addSpnToEnvironment: true
 
-  - powershell: >
-      az login --service-principal
-      -u $(AZURE_CLIENT_ID)
-      --tenant $(AZURE_TENANT_ID)
-      --allow-no-subscriptions
-      --federated-token $(AZURE_ID_TOKEN)
-    displayName: 'Authenticate signing tools (2/2)'
+    - powershell: >
+        az login --service-principal
+        -u $(AZURE_CLIENT_ID)
+        --tenant $(AZURE_TENANT_ID)
+        --allow-no-subscriptions
+        --federated-token $(AZURE_ID_TOKEN)
+      displayName: 'Authenticate signing tools (2/2)'
 
   - ${{ if parameters.Include }}:
     - powershell: |