Switch to OIDC for signing login.

Adds the test certificate root CA to work around signing tool limitation.

Author: zooba

windows-release/TestCertRoot.cer

@@ -0,0 +1,34 @@
+-----BEGIN CERTIFICATE-----
+MIIF4jCCA8qgAwIBAgIQfaIvgmtqu6hPjv+NyFOgRzANBgkqhkiG9w0BAQwFADCB
+gTELMAkGA1UEBhMCVVMxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjFS
+MFAGA1UEAxNJTWljcm9zb2Z0IElkZW50aXR5IFZlcmlmaWNhdGlvbiBURVNUIE9O
+TFkgUm9vdCBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkgMjAyMDAeFw0yMDA0MTYxODQ5
+MjRaFw00NTA0MTYxODU3NThaMIGBMQswCQYDVQQGEwJVUzEeMBwGA1UEChMVTWlj
+cm9zb2Z0IENvcnBvcmF0aW9uMVIwUAYDVQQDE0lNaWNyb3NvZnQgSWRlbnRpdHkg
+VmVyaWZpY2F0aW9uIFRFU1QgT05MWSBSb290IENlcnRpZmljYXRlIEF1dGhvcml0
+eSAyMDIwMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEApSJ41oA+1J4w
+UvgaCv15SdfRcHDKIEyO6QZG5GkBIF6lq8SmEwVeGlX7qPE1lbeZ+fus1X++Gfi9
+FYrC1q1GgZAfhpDlmj5NFonHpVjTKQsgTz3pducrDijFdA0LxZTqe5luseNdNOLc
+SkqdaEj+VzSgzS4CfBqnk36yhlUrfBLOVhSoApZLZsAxsMUq5puOGk/rXoKHjeYr
+SPa+FFaI3r4Kz26qgZ+HJsrd0AIurAUIlSy/fGAMPkcd/1NJBJ6jNPdrjSR8aUmU
+bTRRo5ImF0avOtirTwYaaYkvGf9vydMcE8fgzB8JMSwQAM52i9vjZ7b4UXv2CgM/
+C7jsp9JA2XY5OJJaSGh0Ab1UBzPJbB+HQNLnl9mUlHKqGxbM4saIV3aUkE0rl2gZ
+KkWhztvOcAv9USQLFwhYIdKBN1RjuFQ83DbvwZ8W9xLG0Qv2QgT9WAYOL6VXv/nX
+AZy2Zhefvluh4H/glANEc/AQhdwpI2cdlVYs99yA2ppjzMdcgiymZHsUS5WXy5k9
+sMVldFQ6sfT/OEXkNntVUbTIaSYRF70626q9X+5VmqrMkMH125AKapesL5ekB08j
+8zqqHQxoHihG/bv+RoLllA1+nuUmdpPCadoPg5PuFz3KTG/UVL+sOOnsA9CYHNMg
+meXh2ORvDUKxggz0aJX3l35DB0TFKHECAwEAAaNUMFIwDgYDVR0PAQH/BAQDAgGG
+MA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFINztgy61yyzu84KpaJPGrRhu00r
+MBAGCSsGAQQBgjcVAQQDAgEAMA0GCSqGSIb3DQEBDAUAA4ICAQAkizoOlkTmonOs
+H7uUWKcL+r6uEdhuD6yhu4ZERDV0xIWe3dw98Eq9RRdOsvqRkKDy28bPyvVD8XDm
+6gQqu6g1UPkgUY5PzuSrOLTFjqPX7WB7La7+nBVqjBBdEHL+hZLh77OIi2pgzuIo
+B9yn25LcU0mu1S3UphPhXfvTGUfOZyLDvHRaTHPieaCZ6im1YcpJWdVe7K+59R4h
+BHty88+hyv0TJ5ymAWRUhzqwt4iVga/yCVeaEoTZxEfJeshklRvPs74/1SEFhUJt
+/z3WqejqalUs8bxYBVdYjJeMkiDNoNc29ELjSY2Q4cQMcMsw9pQgjn7iA22ILzii
+XF7tIwNnLWGcTjiVqWL8nMDu04UV+nSNggkpeBRSbNMNX47Z1i3SOwxSvHm99hQ4
+PaxE2KAL4YuT3AKzJ4Ez+NBoyhKdQDOEhGg+5vgde0I8+5VKE6xnxj6C4ns0SqUP
+FAdS2qvJnYK2BDPHYAPWCNQOk/wRMFHTJfawuo1kFSsdIKeRFybHWAlh/TIvjWIt
+DOkLRI4mXYrK12NaEMpDOAwj8OM1kLdonLoGNIQqPDbvP6xZP8Ql/Qx5D7ZPdSxk
+vsNmjgvCFs+G0MVbeOhEJ5ttWaJ9PyakVz8kVE2TXRbrmqFXC/GQGhHbr5m7TTIP
+cyfNsdfsKFE0GOrSxQsxI86SBX82IA==
+-----END CERTIFICATE-----

windows-release/msi-steps.yml

@@ -81,12 +81,8 @@ steps:
     displayName: 'Build launcher installer'
     env:
       Platform: x86
-      ${{ if parameters.SigningCertificate }}:
-        AZURE_TENANT_ID: $(TrustedSigningTenantId)
-        AZURE_CLIENT_ID: $(TrustedSigningClientId)
-        AZURE_CLIENT_SECRET: $(TrustedSigningSecret)
-        # Only need the variable here for msi.props to detect
-        SigningCertificate: ${{ parameters.SigningCertificate }}
+      # Only need the variable here for msi.props to detect
+      SigningCertificate: ${{ parameters.SigningCertificate }}
 
   - ${{ each b in parameters.Bundles }}:
     - script: |
@@ -99,12 +95,8 @@ steps:
         PYTHONHOME: $(Build.SourcesDirectory)
         ${{ if b.TclTkArtifact }}:
           TclTkLibraryDir: $(Pipeline.Workspace)\${{ b.TclTkArtifact }}
-        ${{ if parameters.SigningCertificate }}:
-          AZURE_TENANT_ID: $(TrustedSigningTenantId)
-          AZURE_CLIENT_ID: $(TrustedSigningClientId)
-          AZURE_CLIENT_SECRET: $(TrustedSigningSecret)
-          # Only need the variable here for msi.props to detect
-          SigningCertificate: ${{ parameters.SigningCertificate }}
+        # Only need the variable here for msi.props to detect
+        SigningCertificate: ${{ parameters.SigningCertificate }}
 
   - powershell: |
       del $env:ResponseFile -ErrorAction Continue

windows-release/sign-files.yml

@@ -7,10 +7,16 @@ parameters:
   SigningCertificate: ''
   ExportCommand: ''
   ContinueOnError: false
+  AzureServiceConnectionName: 'Python Signing'
 
 steps:
 - ${{ if parameters.SigningCertificate }}:
   - powershell: |
+      # Install test root, so that signing tool can do test signing
+      # See https://github.com/dotnet/sign/issues/908 for underlying issue
+      Import-Certificate -FilePath .\TestCertRoot.cer -CertStoreLocation Cert:\LocalMachine\Root
+
+      # Install sign tool
       dotnet tool install --global --prerelease sign
       $signtool = (gcm sign -EA SilentlyContinue).Source
       if (-not $signtool) {
@@ -32,6 +38,29 @@ steps:
     env:
       EXPORT_COMMAND: ${{ parameters.ExportCommand }}
 
+  # We sign in once with the AzureCLI task, as it uses OIDC to obtain a
+  # temporary token. But the task also logs out, and so we save the token and
+  # use it to log in persistently (for the rest of the build).
+  - task: AzureCLI@2
+    displayName: 'Authenticate signing tools (1/2)'
+    inputs:
+      azureSubscription: ${{ parameters.AzureServiceConnectionName }}
+      scriptType: 'ps'
+      scriptLocation: 'inlineScript'
+      inlineScript: |
+        "##vso[task.setvariable variable=AZURE_CLIENT_ID;issecret=true]${env:servicePrincipalId}" 
+        "##vso[task.setvariable variable=AZURE_ID_TOKEN;issecret=true]${env:idToken}"
+        "##vso[task.setvariable variable=AZURE_TENANT_ID;issecret=true]${env:tenantId}"
+      addSpnToEnvironment: true
+
+  - powershell: >
+      az login --service-principal
+      -u $(AZURE_CLIENT_ID)
+      --tenant $(AZURE_TENANT_ID)
+      --allow-no-subscriptions
+      --federated-token $(AZURE_ID_TOKEN)
+    displayName: 'Authenticate signing tools (2/2)'
+
   - ${{ if parameters.Include }}:
     - powershell: |
         if ("${{ parameters.Exclude }}") {
@@ -58,9 +87,6 @@ steps:
       env:
         TRUSTED_SIGNING_CMD: $(__TrustedSigningCmd)
         TRUSTED_SIGNING_ARGS: $(__TrustedSigningArgs)
-        AZURE_TENANT_ID: $(TrustedSigningTenantId)
-        AZURE_CLIENT_ID: $(TrustedSigningClientId)
-        AZURE_CLIENT_SECRET: $(TrustedSigningSecret)
         ${{ if parameters.Filter }}:
           FILTER: ${{ parameters.Filter }}