diff --git a/windows-release/msi-steps.yml b/windows-release/msi-steps.yml
index ce01ca13..fb096c79 100644
--- a/windows-release/msi-steps.yml
+++ b/windows-release/msi-steps.yml
@@ -67,6 +67,10 @@ steps:
     Include: ''
     ExportCommand: SignCommand
     SigningCertificate: ${{ parameters.SigningCertificate }}
+    # WiX is struggling with WIF authentication and sign.exe right now,
+    # so we still rely on the client secret for legacy builds.
+    # We disable the service connection here to skip the login steps.
+    AzureServiceConnectionName: ''
 
 - powershell: |
     $cmd = $env:SignCommand -replace '"', '\"'
@@ -81,12 +85,12 @@ steps:
   displayName: 'Build launcher installer'
   env:
     Platform: x86
+    # Only need the variable here for msi.props to detect
+    SigningCertificate: ${{ parameters.SigningCertificate }}
     ${{ if parameters.SigningCertificate }}:
       AZURE_TENANT_ID: $(TrustedSigningTenantId)
       AZURE_CLIENT_ID: $(TrustedSigningClientId)
-      AZURE_CLIENT_SECRET: $(TrustedSigningSecret)
-      # Only need the variable here for msi.props to detect
-      SigningCertificate: ${{ parameters.SigningCertificate }}
+      AZURE_CLIENT_SECRET: $(TrustedSigningClientSecret)
 
 - ${{ each b in parameters.Bundles }}:
   - script: |
@@ -99,12 +103,12 @@ steps:
       PYTHONHOME: $(Build.SourcesDirectory)
       ${{ if b.TclTkArtifact }}:
         TclTkLibraryDir: $(Pipeline.Workspace)\${{ b.TclTkArtifact }}
+      # Only need the variable here for msi.props to detect
+      SigningCertificate: ${{ parameters.SigningCertificate }}
       ${{ if parameters.SigningCertificate }}:
         AZURE_TENANT_ID: $(TrustedSigningTenantId)
         AZURE_CLIENT_ID: $(TrustedSigningClientId)
-        AZURE_CLIENT_SECRET: $(TrustedSigningSecret)
-        # Only need the variable here for msi.props to detect
-        SigningCertificate: ${{ parameters.SigningCertificate }}
+        AZURE_CLIENT_SECRET: $(TrustedSigningClientSecret)
 
 - powershell: |
     del $env:ResponseFile -ErrorAction Continue
diff --git a/windows-release/sign-files.yml b/windows-release/sign-files.yml
index 127a2e07..6809d9c9 100644
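Review bot: The new comment above `AzureServiceConnectionName: ''` says why the OIDC login is skipped but not where the credential then comes from, and this template call passes `Include: ''` with `ExportCommand: SignCommand`, so a reader cannot tell from here that signing still happens at all; the client secret is actually supplied by the `AZURE_CLIENT_SECRET: $(TrustedSigningClientSecret)` env mapping on the build steps further down the same file. Suggest a fourth comment line such as `# The exported SignCommand is run by the build steps below, which pass the client secret via env (TrustedSigningClientSecret).` Skipping the login relies on `${{ if parameters.AzureServiceConnectionName }}` in sign-files.yml treating the empty string as false, which is how template expressions evaluate it, but that coupling is worth a word here too. The enclosing `steps:` list starts before this hunk.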
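Review bot: `$(TrustedSigningSecret)` is renamed to `$(TrustedSigningClientSecret)` in this hunk and again in the bundle hunk at @@ -99, but the variable itself is defined outside this file (a variable group or pipeline variable not visible here); if that definition is not renamed in the same change, Azure Pipelines leaves the macro unexpanded and the signing command receives the literal text `$(TrustedSigningClientSecret)` as its client secret, failing with an authentication error that does not point at the missing variable. Worth confirming the definition side of the rename lands together with this, and the build step's script (outside the hunk) could fail fast on an `AZURE_CLIENT_SECRET` value that still starts with `$(`. Mapping the secret through `env:` rather than into the script body is the right pattern and should be kept.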
--- a/windows-release/sign-files.yml
+++ b/windows-release/sign-files.yml
@@ -7,10 +7,12 @@ parameters:
   SigningCertificate: ''
   ExportCommand: ''
   ContinueOnError: false
+  AzureServiceConnectionName: 'Python Signing'
 
 steps:
 - ${{ if parameters.SigningCertificate }}:
   - powershell: |
+      # Install sign tool
       dotnet tool install --global --prerelease sign
       $signtool = (gcm sign -EA SilentlyContinue).Source
       if (-not $signtool) {
@@ -32,6 +34,30 @@ steps:
     env:
       EXPORT_COMMAND: ${{ parameters.ExportCommand }}
 
+- ${{ if parameters.AzureServiceConnectionName }}:
+  # We sign in once with the AzureCLI task, as it uses OIDC to obtain a
+  # temporary token. But the task also logs out, and so we save the token and
+  # use it to log in persistently (for the rest of the build).
+  - task: AzureCLI@2
+    displayName: 'Authenticate signing tools (1/2)'
+    inputs:
+      azureSubscription: ${{ parameters.AzureServiceConnectionName }}
+      scriptType: 'ps'
+      scriptLocation: 'inlineScript'
+      inlineScript: |
+        "##vso[task.setvariable variable=AZURE_CLIENT_ID;issecret=true]${env:servicePrincipalId}"
+        "##vso[task.setvariable variable=AZURE_ID_TOKEN;issecret=true]${env:idToken}"
+        "##vso[task.setvariable variable=AZURE_TENANT_ID;issecret=true]${env:tenantId}"
+      addSpnToEnvironment: true
+
+  - powershell: >
+      az login --service-principal
+      -u $(AZURE_CLIENT_ID)
+      --tenant $(AZURE_TENANT_ID)
+      --allow-no-subscriptions
+      --federated-token $(AZURE_ID_TOKEN)
+    displayName: 'Authenticate signing tools (2/2)'
+
 - ${{ if parameters.Include }}:
   - powershell: |
       if ("${{ parameters.Exclude }}") {
@@ -58,9 +84,6 @@ steps:
     env:
       TRUSTED_SIGNING_CMD: $(__TrustedSigningCmd)
       TRUSTED_SIGNING_ARGS: $(__TrustedSigningArgs)
-      AZURE_TENANT_ID: $(TrustedSigningTenantId)
-      AZURE_CLIENT_ID: $(TrustedSigningClientId)
-      AZURE_CLIENT_SECRET: $(TrustedSigningSecret)
       ${{ if parameters.Filter }}:
         FILTER: ${{ parameters.Filter }}
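Review bot: The second login step macro-expands three secret variables straight into the inline script (`-u $(AZURE_CLIENT_ID)`, `--tenant $(AZURE_TENANT_ID)`, `--federated-token $(AZURE_ID_TOKEN)`), so the agent writes the raw OIDC assertion into the temporary .ps1 it generates for the step and into any command-line error text before log masking applies; passing them through `env:` and reading `$env:` in the script keeps the token out of the script body, which is the pattern the msi-steps.yml hunks already use for `AZURE_CLIENT_SECRET`. The saved `idToken` is a short-lived assertion, so `az login` can presumably exchange it once but not refresh with it after the resulting access token expires; if a release build runs longer than that, the signing step later in this file would fail mid-run, which is worth stating in the comment above the task. The enclosing `steps:` list starts before this hunk.
```yaml
  # … unchanged: AzureCLI@2 task that saves the identity variables …

  - powershell: >
      az login --service-principal
      -u $env:AZURE_CLIENT_ID
      --tenant $env:AZURE_TENANT_ID
      --allow-no-subscriptions
      --federated-token $env:AZURE_ID_TOKEN
    displayName: 'Authenticate signing tools (2/2)'
    env:
      AZURE_CLIENT_ID: $(AZURE_CLIENT_ID)
      AZURE_TENANT_ID: $(AZURE_TENANT_ID)
      AZURE_ID_TOKEN: $(AZURE_ID_TOKEN)
```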