From cbbff59f25ef757afc64fb67e7156a29abdbc3f6 Mon Sep 17 00:00:00 2001 From: Steve Dower Date: Tue, 14 Oct 2025 19:51:23 +0100 Subject: [PATCH 1/7] Switch to OIDC for signing login. Adds the test certificate root CA to work around signing tool limitation. --- windows-release/TestCertRoot.cer | 34 ++++++++++++++++++++++++++++++++ windows-release/msi-steps.yml | 16 ++++----------- windows-release/sign-files.yml | 32 +++++++++++++++++++++++++++--- 3 files changed, 67 insertions(+), 15 deletions(-) create mode 100644 windows-release/TestCertRoot.cer diff --git a/windows-release/TestCertRoot.cer b/windows-release/TestCertRoot.cer new file mode 100644 index 00000000..66ad380a --- /dev/null +++ b/windows-release/TestCertRoot.cer 
@@ -0,0 +1,34 @@
+-----BEGIN CERTIFICATE-----
+MIIF4jCCA8qgAwIBAgIQfaIvgmtqu6hPjv+NyFOgRzANBgkqhkiG9w0BAQwFADCB
+gTELMAkGA1UEBhMCVVMxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjFS
+MFAGA1UEAxNJTWljcm9zb2Z0IElkZW50aXR5IFZlcmlmaWNhdGlvbiBURVNUIE9O
+TFkgUm9vdCBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkgMjAyMDAeFw0yMDA0MTYxODQ5
+MjRaFw00NTA0MTYxODU3NThaMIGBMQswCQYDVQQGEwJVUzEeMBwGA1UEChMVTWlj
+cm9zb2Z0IENvcnBvcmF0aW9uMVIwUAYDVQQDE0lNaWNyb3NvZnQgSWRlbnRpdHkg
+VmVyaWZpY2F0aW9uIFRFU1QgT05MWSBSb290IENlcnRpZmljYXRlIEF1dGhvcml0
+eSAyMDIwMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEApSJ41oA+1J4w
+UvgaCv15SdfRcHDKIEyO6QZG5GkBIF6lq8SmEwVeGlX7qPE1lbeZ+fus1X++Gfi9
+FYrC1q1GgZAfhpDlmj5NFonHpVjTKQsgTz3pducrDijFdA0LxZTqe5luseNdNOLc
+SkqdaEj+VzSgzS4CfBqnk36yhlUrfBLOVhSoApZLZsAxsMUq5puOGk/rXoKHjeYr
+SPa+FFaI3r4Kz26qgZ+HJsrd0AIurAUIlSy/fGAMPkcd/1NJBJ6jNPdrjSR8aUmU
+bTRRo5ImF0avOtirTwYaaYkvGf9vydMcE8fgzB8JMSwQAM52i9vjZ7b4UXv2CgM/
+C7jsp9JA2XY5OJJaSGh0Ab1UBzPJbB+HQNLnl9mUlHKqGxbM4saIV3aUkE0rl2gZ
+KkWhztvOcAv9USQLFwhYIdKBN1RjuFQ83DbvwZ8W9xLG0Qv2QgT9WAYOL6VXv/nX
+AZy2Zhefvluh4H/glANEc/AQhdwpI2cdlVYs99yA2ppjzMdcgiymZHsUS5WXy5k9
+sMVldFQ6sfT/OEXkNntVUbTIaSYRF70626q9X+5VmqrMkMH125AKapesL5ekB08j
+8zqqHQxoHihG/bv+RoLllA1+nuUmdpPCadoPg5PuFz3KTG/UVL+sOOnsA9CYHNMg
+meXh2ORvDUKxggz0aJX3l35DB0TFKHECAwEAAaNUMFIwDgYDVR0PAQH/BAQDAgGG
+MA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFINztgy61yyzu84KpaJPGrRhu00r
+MBAGCSsGAQQBgjcVAQQDAgEAMA0GCSqGSIb3DQEBDAUAA4ICAQAkizoOlkTmonOs
+H7uUWKcL+r6uEdhuD6yhu4ZERDV0xIWe3dw98Eq9RRdOsvqRkKDy28bPyvVD8XDm
+6gQqu6g1UPkgUY5PzuSrOLTFjqPX7WB7La7+nBVqjBBdEHL+hZLh77OIi2pgzuIo
+B9yn25LcU0mu1S3UphPhXfvTGUfOZyLDvHRaTHPieaCZ6im1YcpJWdVe7K+59R4h
+BHty88+hyv0TJ5ymAWRUhzqwt4iVga/yCVeaEoTZxEfJeshklRvPs74/1SEFhUJt
+/z3WqejqalUs8bxYBVdYjJeMkiDNoNc29ELjSY2Q4cQMcMsw9pQgjn7iA22ILzii
+XF7tIwNnLWGcTjiVqWL8nMDu04UV+nSNggkpeBRSbNMNX47Z1i3SOwxSvHm99hQ4
+PaxE2KAL4YuT3AKzJ4Ez+NBoyhKdQDOEhGg+5vgde0I8+5VKE6xnxj6C4ns0SqUP
+FAdS2qvJnYK2BDPHYAPWCNQOk/wRMFHTJfawuo1kFSsdIKeRFybHWAlh/TIvjWIt
+DOkLRI4mXYrK12NaEMpDOAwj8OM1kLdonLoGNIQqPDbvP6xZP8Ql/Qx5D7ZPdSxk
+vsNmjgvCFs+G0MVbeOhEJ5ttWaJ9PyakVz8kVE2TXRbrmqFXC/GQGhHbr5m7TTIP
+cyfNsdfsKFE0GOrSxQsxI86SBX82IA==
+-----END CERTIFICATE-----
diff --git a/windows-release/msi-steps.yml b/windows-release/msi-steps.yml
index ce01ca13..0bb1ba00 100644
--- a/windows-release/msi-steps.yml
+++ b/windows-release/msi-steps.yml
@@ -81,12 +81,8 @@ steps: displayName: 'Build launcher installer' env: Platform: x86 - ${{ if parameters.SigningCertificate }}: - AZURE_TENANT_ID: $(TrustedSigningTenantId) - AZURE_CLIENT_ID: $(TrustedSigningClientId) - AZURE_CLIENT_SECRET: $(TrustedSigningSecret) - # Only need the variable here for msi.props to detect - SigningCertificate: ${{ parameters.SigningCertificate }} + # Only need the variable here for msi.props to detect + SigningCertificate: ${{ parameters.SigningCertificate }} - ${{ each b in parameters.Bundles }}: - script: |
@@ -99,12 +99,8 @@ steps: PYTHONHOME: $(Build.SourcesDirectory) ${{ if b.TclTkArtifact }}: TclTkLibraryDir: $(Pipeline.Workspace)\${{ b.TclTkArtifact }} - ${{ if parameters.SigningCertificate }}: - AZURE_TENANT_ID: $(TrustedSigningTenantId) - AZURE_CLIENT_ID: $(TrustedSigningClientId) - AZURE_CLIENT_SECRET: $(TrustedSigningSecret) - # Only need the variable here for msi.props to detect - SigningCertificate: ${{ parameters.SigningCertificate }} + # Only need the variable here for msi.props to detect + SigningCertificate: ${{ parameters.SigningCertificate }} - powershell: | del $env:ResponseFile -ErrorAction Continue
diff --git a/windows-release/sign-files.yml b/windows-release/sign-files.yml
index 127a2e07..216acdc0 100644
--- a/windows-release/sign-files.yml
+++ b/windows-release/sign-files.yml
@@ -7,10 +7,16 @@ parameters: SigningCertificate: '' ExportCommand: '' ContinueOnError: false + AzureServiceConnectionName: 'Python Signing' steps: - ${{ if parameters.SigningCertificate }}: - powershell: | + # Install test root, so that signing tool can do test signing + # See https://github.com/dotnet/sign/issues/908 for underlying issue + Import-Certificate -FilePath .\TestCertRoot.cer -CertStoreLocation Cert:\LocalMachine\Root + + # Install sign tool dotnet tool install --global --prerelease sign $signtool = (gcm sign -EA SilentlyContinue).Source if (-not $signtool) { @@ -32,6 +38,29 @@ steps: env: EXPORT_COMMAND: ${{ parameters.ExportCommand }} + # We sign in once with the AzureCLI task, as it uses OIDC to obtain a + # temporary token. But the task also logs out, and so we save the token and + # use it to log in persistently (for the rest of the build). + - task: AzureCLI@2 + displayName: 'Authenticate signing tools (1/2)' + inputs: + azureSubscription: ${{ parameters.AzureServiceConnectionName }} + scriptType: 'ps' + scriptLocation: 'inlineScript' + inlineScript: | + "##vso[task.setvariable variable=AZURE_CLIENT_ID;issecret=true]${env:servicePrincipalId}" + "##vso[task.setvariable variable=AZURE_ID_TOKEN;issecret=true]${env:idToken}" + "##vso[task.setvariable variable=AZURE_TENANT_ID;issecret=true]${env:tenantId}" + addSpnToEnvironment: true + + - powershell: > + az login --service-principal + -u $(AZURE_CLIENT_ID) + --tenant $(AZURE_TENANT_ID) + --allow-no-subscriptions + --federated-token $(AZURE_ID_TOKEN) + displayName: 'Authenticate signing tools (2/2)' + - ${{ if parameters.Include }}: - powershell: | if ("${{ parameters.Exclude }}") { @@ -58,9 +87,6 @@ steps: env: TRUSTED_SIGNING_CMD: $(__TrustedSigningCmd) TRUSTED_SIGNING_ARGS: $(__TrustedSigningArgs) - AZURE_TENANT_ID: $(TrustedSigningTenantId) - AZURE_CLIENT_ID: $(TrustedSigningClientId) - AZURE_CLIENT_SECRET: $(TrustedSigningSecret) ${{ if parameters.Filter }}: FILTER: ${{ parameters.Filter }} 
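Review bot: The `az login` step in the `@@ -32,6 +38,29 @@` hunk injects the OIDC token by macro expansion (`--federated-token $(AZURE_ID_TOKEN)`), so the token becomes part of the script text the agent writes to a temporary .ps1 before running it, instead of a value read from the process environment; secret masking covers the job log but not that file or the process command line. Mapping the three variables through `env:` and reading `$env:AZURE_ID_TOKEN` in the script keeps the token out of the generated script, as below. The same lines are re-indented unchanged in PATCH 6/7 (hunk `@@ -34,29 +34,30 @@`), so the change applies there as well. Separately, the id token stored with `issecret=true` stays readable by every later step of the job, which appears to be the intent ("persistently, for the rest of the build"); a comment stating that the token's own validity window, not the task's, bounds the signed-in session would make that explicit.
```yaml
- powershell: >
    az login --service-principal
    -u $env:AZURE_CLIENT_ID
    --tenant $env:AZURE_TENANT_ID
    --allow-no-subscriptions
    --federated-token $env:AZURE_ID_TOKEN
  displayName: 'Authenticate signing tools (2/2)'
  env:
    AZURE_CLIENT_ID: $(AZURE_CLIENT_ID)
    AZURE_TENANT_ID: $(AZURE_TENANT_ID)
    AZURE_ID_TOKEN: $(AZURE_ID_TOKEN)
```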
From f8a325d706ccdf4ce54415eb45274afd23078484 Mon Sep 17 00:00:00 2001 From: Steve Dower Date: Tue, 14 Oct 2025 20:11:23 +0100 Subject: [PATCH 2/7] Store the certificate in the build file --- windows-release/TestCertRoot.cer | 34 -------------------------- windows-release/sign-files.yml | 41 ++++++++++++++++++++++++++++++++ 2 files changed, 41 insertions(+), 34 deletions(-) delete mode 100644 windows-release/TestCertRoot.cer diff --git a/windows-release/TestCertRoot.cer b/windows-release/TestCertRoot.cer deleted file mode 100644 index 66ad380a..00000000 --- a/windows-release/TestCertRoot.cer +++ /dev/null 
@@ -1,34 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIF4jCCA8qgAwIBAgIQfaIvgmtqu6hPjv+NyFOgRzANBgkqhkiG9w0BAQwFADCB
-gTELMAkGA1UEBhMCVVMxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjFS
-MFAGA1UEAxNJTWljcm9zb2Z0IElkZW50aXR5IFZlcmlmaWNhdGlvbiBURVNUIE9O
-TFkgUm9vdCBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkgMjAyMDAeFw0yMDA0MTYxODQ5
-MjRaFw00NTA0MTYxODU3NThaMIGBMQswCQYDVQQGEwJVUzEeMBwGA1UEChMVTWlj
-cm9zb2Z0IENvcnBvcmF0aW9uMVIwUAYDVQQDE0lNaWNyb3NvZnQgSWRlbnRpdHkg
-VmVyaWZpY2F0aW9uIFRFU1QgT05MWSBSb290IENlcnRpZmljYXRlIEF1dGhvcml0
-eSAyMDIwMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEApSJ41oA+1J4w
-UvgaCv15SdfRcHDKIEyO6QZG5GkBIF6lq8SmEwVeGlX7qPE1lbeZ+fus1X++Gfi9
-FYrC1q1GgZAfhpDlmj5NFonHpVjTKQsgTz3pducrDijFdA0LxZTqe5luseNdNOLc
-SkqdaEj+VzSgzS4CfBqnk36yhlUrfBLOVhSoApZLZsAxsMUq5puOGk/rXoKHjeYr
-SPa+FFaI3r4Kz26qgZ+HJsrd0AIurAUIlSy/fGAMPkcd/1NJBJ6jNPdrjSR8aUmU
-bTRRo5ImF0avOtirTwYaaYkvGf9vydMcE8fgzB8JMSwQAM52i9vjZ7b4UXv2CgM/
-C7jsp9JA2XY5OJJaSGh0Ab1UBzPJbB+HQNLnl9mUlHKqGxbM4saIV3aUkE0rl2gZ
-KkWhztvOcAv9USQLFwhYIdKBN1RjuFQ83DbvwZ8W9xLG0Qv2QgT9WAYOL6VXv/nX
-AZy2Zhefvluh4H/glANEc/AQhdwpI2cdlVYs99yA2ppjzMdcgiymZHsUS5WXy5k9
-sMVldFQ6sfT/OEXkNntVUbTIaSYRF70626q9X+5VmqrMkMH125AKapesL5ekB08j
-8zqqHQxoHihG/bv+RoLllA1+nuUmdpPCadoPg5PuFz3KTG/UVL+sOOnsA9CYHNMg
-meXh2ORvDUKxggz0aJX3l35DB0TFKHECAwEAAaNUMFIwDgYDVR0PAQH/BAQDAgGG
-MA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFINztgy61yyzu84KpaJPGrRhu00r
-MBAGCSsGAQQBgjcVAQQDAgEAMA0GCSqGSIb3DQEBDAUAA4ICAQAkizoOlkTmonOs
-H7uUWKcL+r6uEdhuD6yhu4ZERDV0xIWe3dw98Eq9RRdOsvqRkKDy28bPyvVD8XDm
-6gQqu6g1UPkgUY5PzuSrOLTFjqPX7WB7La7+nBVqjBBdEHL+hZLh77OIi2pgzuIo
-B9yn25LcU0mu1S3UphPhXfvTGUfOZyLDvHRaTHPieaCZ6im1YcpJWdVe7K+59R4h
-BHty88+hyv0TJ5ymAWRUhzqwt4iVga/yCVeaEoTZxEfJeshklRvPs74/1SEFhUJt
-/z3WqejqalUs8bxYBVdYjJeMkiDNoNc29ELjSY2Q4cQMcMsw9pQgjn7iA22ILzii
-XF7tIwNnLWGcTjiVqWL8nMDu04UV+nSNggkpeBRSbNMNX47Z1i3SOwxSvHm99hQ4
-PaxE2KAL4YuT3AKzJ4Ez+NBoyhKdQDOEhGg+5vgde0I8+5VKE6xnxj6C4ns0SqUP
-FAdS2qvJnYK2BDPHYAPWCNQOk/wRMFHTJfawuo1kFSsdIKeRFybHWAlh/TIvjWIt
-DOkLRI4mXYrK12NaEMpDOAwj8OM1kLdonLoGNIQqPDbvP6xZP8Ql/Qx5D7ZPdSxk
-vsNmjgvCFs+G0MVbeOhEJ5ttWaJ9PyakVz8kVE2TXRbrmqFXC/GQGhHbr5m7TTIP
-cyfNsdfsKFE0GOrSxQsxI86SBX82IA==
------END CERTIFICATE-----
diff --git a/windows-release/sign-files.yml b/windows-release/sign-files.yml
index 216acdc0..444e9ad7 100644
--- a/windows-release/sign-files.yml
+++ b/windows-release/sign-files.yml
@@ -8,12 +8,52 @@ parameters: ExportCommand: '' ContinueOnError: false AzureServiceConnectionName: 'Python Signing' + # To avoid complicated file handling, we just copy-paste the test root + # certificate here. This is publicly available from + # http://www.microsoft.com/pkiops/certs/Microsoft%20Identity%20Verification%20TEST%20ONLY%20Root%20Certificate%20Authority%202020.crt + TestRoot: | + -----BEGIN CERTIFICATE----- + MIIF4jCCA8qgAwIBAgIQfaIvgmtqu6hPjv+NyFOgRzANBgkqhkiG9w0BAQwFADCB + gTELMAkGA1UEBhMCVVMxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjFS + MFAGA1UEAxNJTWljcm9zb2Z0IElkZW50aXR5IFZlcmlmaWNhdGlvbiBURVNUIE9O + TFkgUm9vdCBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkgMjAyMDAeFw0yMDA0MTYxODQ5 + MjRaFw00NTA0MTYxODU3NThaMIGBMQswCQYDVQQGEwJVUzEeMBwGA1UEChMVTWlj + cm9zb2Z0IENvcnBvcmF0aW9uMVIwUAYDVQQDE0lNaWNyb3NvZnQgSWRlbnRpdHkg + VmVyaWZpY2F0aW9uIFRFU1QgT05MWSBSb290IENlcnRpZmljYXRlIEF1dGhvcml0 + eSAyMDIwMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEApSJ41oA+1J4w + UvgaCv15SdfRcHDKIEyO6QZG5GkBIF6lq8SmEwVeGlX7qPE1lbeZ+fus1X++Gfi9 + FYrC1q1GgZAfhpDlmj5NFonHpVjTKQsgTz3pducrDijFdA0LxZTqe5luseNdNOLc + SkqdaEj+VzSgzS4CfBqnk36yhlUrfBLOVhSoApZLZsAxsMUq5puOGk/rXoKHjeYr + SPa+FFaI3r4Kz26qgZ+HJsrd0AIurAUIlSy/fGAMPkcd/1NJBJ6jNPdrjSR8aUmU + bTRRo5ImF0avOtirTwYaaYkvGf9vydMcE8fgzB8JMSwQAM52i9vjZ7b4UXv2CgM/ + C7jsp9JA2XY5OJJaSGh0Ab1UBzPJbB+HQNLnl9mUlHKqGxbM4saIV3aUkE0rl2gZ + KkWhztvOcAv9USQLFwhYIdKBN1RjuFQ83DbvwZ8W9xLG0Qv2QgT9WAYOL6VXv/nX + AZy2Zhefvluh4H/glANEc/AQhdwpI2cdlVYs99yA2ppjzMdcgiymZHsUS5WXy5k9 + sMVldFQ6sfT/OEXkNntVUbTIaSYRF70626q9X+5VmqrMkMH125AKapesL5ekB08j + 8zqqHQxoHihG/bv+RoLllA1+nuUmdpPCadoPg5PuFz3KTG/UVL+sOOnsA9CYHNMg + meXh2ORvDUKxggz0aJX3l35DB0TFKHECAwEAAaNUMFIwDgYDVR0PAQH/BAQDAgGG + MA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFINztgy61yyzu84KpaJPGrRhu00r + MBAGCSsGAQQBgjcVAQQDAgEAMA0GCSqGSIb3DQEBDAUAA4ICAQAkizoOlkTmonOs + H7uUWKcL+r6uEdhuD6yhu4ZERDV0xIWe3dw98Eq9RRdOsvqRkKDy28bPyvVD8XDm + 6gQqu6g1UPkgUY5PzuSrOLTFjqPX7WB7La7+nBVqjBBdEHL+hZLh77OIi2pgzuIo + 
B9yn25LcU0mu1S3UphPhXfvTGUfOZyLDvHRaTHPieaCZ6im1YcpJWdVe7K+59R4h + BHty88+hyv0TJ5ymAWRUhzqwt4iVga/yCVeaEoTZxEfJeshklRvPs74/1SEFhUJt + /z3WqejqalUs8bxYBVdYjJeMkiDNoNc29ELjSY2Q4cQMcMsw9pQgjn7iA22ILzii + XF7tIwNnLWGcTjiVqWL8nMDu04UV+nSNggkpeBRSbNMNX47Z1i3SOwxSvHm99hQ4 + PaxE2KAL4YuT3AKzJ4Ez+NBoyhKdQDOEhGg+5vgde0I8+5VKE6xnxj6C4ns0SqUP + FAdS2qvJnYK2BDPHYAPWCNQOk/wRMFHTJfawuo1kFSsdIKeRFybHWAlh/TIvjWIt + DOkLRI4mXYrK12NaEMpDOAwj8OM1kLdonLoGNIQqPDbvP6xZP8Ql/Qx5D7ZPdSxk + vsNmjgvCFs+G0MVbeOhEJ5ttWaJ9PyakVz8kVE2TXRbrmqFXC/GQGhHbr5m7TTIP + cyfNsdfsKFE0GOrSxQsxI86SBX82IA== + -----END CERTIFICATE----- + steps: - ${{ if parameters.SigningCertificate }}: - powershell: | # Install test root, so that signing tool can do test signing # See https://github.com/dotnet/sign/issues/908 for underlying issue + $env:TEST_ROOT_CERT | Out-File .\TestCertRoot.cer -Encoding ascii Import-Certificate -FilePath .\TestCertRoot.cer -CertStoreLocation Cert:\LocalMachine\Root # Install sign tool @@ -37,6 +77,7 @@ steps: displayName: 'Install Trusted Signing tools' env: EXPORT_COMMAND: ${{ parameters.ExportCommand }} + TEST_ROOT_CERT: ${{ parameters.TestRoot }} # We sign in once with the AzureCLI task, as it uses OIDC to obtain a # temporary token. But the task also logs out, and so we save the token and From 2bf9740507ab04b218cf7ab0200ff920227fb0bf Mon Sep 17 00:00:00 2001 From: Steve Dower Date: Tue, 14 Oct 2025 20:13:10 +0100 Subject: [PATCH 3/7] Satisfy linter --- windows-release/sign-files.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows-release/sign-files.yml b/windows-release/sign-files.yml index 444e9ad7..d3d92be4 100644 --- a/windows-release/sign-files.yml +++ b/windows-release/sign-files.yml 
@@ -89,7 +89,7 @@ steps: scriptType: 'ps' scriptLocation: 'inlineScript' inlineScript: | - "##vso[task.setvariable variable=AZURE_CLIENT_ID;issecret=true]${env:servicePrincipalId}" + "##vso[task.setvariable variable=AZURE_CLIENT_ID;issecret=true]${env:servicePrincipalId}" "##vso[task.setvariable variable=AZURE_ID_TOKEN;issecret=true]${env:idToken}" "##vso[task.setvariable variable=AZURE_TENANT_ID;issecret=true]${env:tenantId}" addSpnToEnvironment: true From aee82e1c82e0d865b14edbd591bfb1847b9f1bf3 Mon Sep 17 00:00:00 2001 From: Steve Dower Date: Tue, 14 Oct 2025 21:13:05 +0100 Subject: [PATCH 4/7] Remove attempted fix for test signing --- windows-release/sign-files.yml | 45 ---------------------------------- 1 file changed, 45 deletions(-) diff --git a/windows-release/sign-files.yml b/windows-release/sign-files.yml index d3d92be4..2211bb92 100644 --- a/windows-release/sign-files.yml +++ b/windows-release/sign-files.yml 
@@ -8,54 +8,10 @@ parameters: ExportCommand: '' ContinueOnError: false AzureServiceConnectionName: 'Python Signing' - # To avoid complicated file handling, we just copy-paste the test root - # certificate here. This is publicly available from - # http://www.microsoft.com/pkiops/certs/Microsoft%20Identity%20Verification%20TEST%20ONLY%20Root%20Certificate%20Authority%202020.crt - TestRoot: | - -----BEGIN CERTIFICATE----- - MIIF4jCCA8qgAwIBAgIQfaIvgmtqu6hPjv+NyFOgRzANBgkqhkiG9w0BAQwFADCB - gTELMAkGA1UEBhMCVVMxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjFS - MFAGA1UEAxNJTWljcm9zb2Z0IElkZW50aXR5IFZlcmlmaWNhdGlvbiBURVNUIE9O - TFkgUm9vdCBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkgMjAyMDAeFw0yMDA0MTYxODQ5 - MjRaFw00NTA0MTYxODU3NThaMIGBMQswCQYDVQQGEwJVUzEeMBwGA1UEChMVTWlj - cm9zb2Z0IENvcnBvcmF0aW9uMVIwUAYDVQQDE0lNaWNyb3NvZnQgSWRlbnRpdHkg - VmVyaWZpY2F0aW9uIFRFU1QgT05MWSBSb290IENlcnRpZmljYXRlIEF1dGhvcml0 - eSAyMDIwMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEApSJ41oA+1J4w - UvgaCv15SdfRcHDKIEyO6QZG5GkBIF6lq8SmEwVeGlX7qPE1lbeZ+fus1X++Gfi9 - FYrC1q1GgZAfhpDlmj5NFonHpVjTKQsgTz3pducrDijFdA0LxZTqe5luseNdNOLc - SkqdaEj+VzSgzS4CfBqnk36yhlUrfBLOVhSoApZLZsAxsMUq5puOGk/rXoKHjeYr - SPa+FFaI3r4Kz26qgZ+HJsrd0AIurAUIlSy/fGAMPkcd/1NJBJ6jNPdrjSR8aUmU - bTRRo5ImF0avOtirTwYaaYkvGf9vydMcE8fgzB8JMSwQAM52i9vjZ7b4UXv2CgM/ - C7jsp9JA2XY5OJJaSGh0Ab1UBzPJbB+HQNLnl9mUlHKqGxbM4saIV3aUkE0rl2gZ - KkWhztvOcAv9USQLFwhYIdKBN1RjuFQ83DbvwZ8W9xLG0Qv2QgT9WAYOL6VXv/nX - AZy2Zhefvluh4H/glANEc/AQhdwpI2cdlVYs99yA2ppjzMdcgiymZHsUS5WXy5k9 - sMVldFQ6sfT/OEXkNntVUbTIaSYRF70626q9X+5VmqrMkMH125AKapesL5ekB08j - 8zqqHQxoHihG/bv+RoLllA1+nuUmdpPCadoPg5PuFz3KTG/UVL+sOOnsA9CYHNMg - meXh2ORvDUKxggz0aJX3l35DB0TFKHECAwEAAaNUMFIwDgYDVR0PAQH/BAQDAgGG - MA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFINztgy61yyzu84KpaJPGrRhu00r - MBAGCSsGAQQBgjcVAQQDAgEAMA0GCSqGSIb3DQEBDAUAA4ICAQAkizoOlkTmonOs - H7uUWKcL+r6uEdhuD6yhu4ZERDV0xIWe3dw98Eq9RRdOsvqRkKDy28bPyvVD8XDm - 6gQqu6g1UPkgUY5PzuSrOLTFjqPX7WB7La7+nBVqjBBdEHL+hZLh77OIi2pgzuIo - 
B9yn25LcU0mu1S3UphPhXfvTGUfOZyLDvHRaTHPieaCZ6im1YcpJWdVe7K+59R4h - BHty88+hyv0TJ5ymAWRUhzqwt4iVga/yCVeaEoTZxEfJeshklRvPs74/1SEFhUJt - /z3WqejqalUs8bxYBVdYjJeMkiDNoNc29ELjSY2Q4cQMcMsw9pQgjn7iA22ILzii - XF7tIwNnLWGcTjiVqWL8nMDu04UV+nSNggkpeBRSbNMNX47Z1i3SOwxSvHm99hQ4 - PaxE2KAL4YuT3AKzJ4Ez+NBoyhKdQDOEhGg+5vgde0I8+5VKE6xnxj6C4ns0SqUP - FAdS2qvJnYK2BDPHYAPWCNQOk/wRMFHTJfawuo1kFSsdIKeRFybHWAlh/TIvjWIt - DOkLRI4mXYrK12NaEMpDOAwj8OM1kLdonLoGNIQqPDbvP6xZP8Ql/Qx5D7ZPdSxk - vsNmjgvCFs+G0MVbeOhEJ5ttWaJ9PyakVz8kVE2TXRbrmqFXC/GQGhHbr5m7TTIP - cyfNsdfsKFE0GOrSxQsxI86SBX82IA== - -----END CERTIFICATE----- - steps: - ${{ if parameters.SigningCertificate }}: - powershell: | - # Install test root, so that signing tool can do test signing - # See https://github.com/dotnet/sign/issues/908 for underlying issue - $env:TEST_ROOT_CERT | Out-File .\TestCertRoot.cer -Encoding ascii - Import-Certificate -FilePath .\TestCertRoot.cer -CertStoreLocation Cert:\LocalMachine\Root - # Install sign tool dotnet tool install --global --prerelease sign $signtool = (gcm sign -EA SilentlyContinue).Source @@ -77,7 +33,6 @@ steps: displayName: 'Install Trusted Signing tools' env: EXPORT_COMMAND: ${{ parameters.ExportCommand }} - TEST_ROOT_CERT: ${{ parameters.TestRoot }} # We sign in once with the AzureCLI task, as it uses OIDC to obtain a # temporary token. But the task also logs out, and so we save the token and From 543ff51ac71b75f48896251ab745abb3d7e8173e Mon Sep 17 00:00:00 2001 From: Steve Dower Date: Tue, 14 Oct 2025 23:21:56 +0100 Subject: [PATCH 5/7] Always use CLI credentials --- windows-release/sign-files.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/windows-release/sign-files.yml b/windows-release/sign-files.yml index 2211bb92..604bdc77 100644 --- a/windows-release/sign-files.yml +++ b/windows-release/sign-files.yml 
@@ -47,6 +47,7 @@ steps: "##vso[task.setvariable variable=AZURE_CLIENT_ID;issecret=true]${env:servicePrincipalId}" "##vso[task.setvariable variable=AZURE_ID_TOKEN;issecret=true]${env:idToken}" "##vso[task.setvariable variable=AZURE_TENANT_ID;issecret=true]${env:tenantId}" + "##vso[task.setvariable variable=AZURE_TOKEN_CREDENTIALS]AzureCliCredential" addSpnToEnvironment: true - powershell: > From 76b46533475a62001d11e7201d724a76910a86ec Mon Sep 17 00:00:00 2001 From: Steve Dower Date: Tue, 14 Oct 2025 23:56:53 +0100 Subject: [PATCH 6/7] Resort to secrets again for legacy MSI build --- windows-release/msi-steps.yml | 12 +++++++++ windows-release/sign-files.yml | 45 +++++++++++++++++----------------- 2 files changed, 35 insertions(+), 22 deletions(-) diff --git a/windows-release/msi-steps.yml b/windows-release/msi-steps.yml index 0bb1ba00..fb096c79 100644 --- a/windows-release/msi-steps.yml +++ b/windows-release/msi-steps.yml @@ -67,6 +67,10 @@ steps: Include: '' ExportCommand: SignCommand SigningCertificate: ${{ parameters.SigningCertificate }} + # WiX is struggling with WIF authentication and sign.exe right now, + # so we still rely on the client secret for legacy builds. + # We disable the service connection here to skip the login steps. + AzureServiceConnectionName: '' - powershell: | $cmd = $env:SignCommand -replace '"', '\"' @@ -83,6 +87,10 @@ steps: Platform: x86 # Only need the variable here for msi.props to detect SigningCertificate: ${{ parameters.SigningCertificate }} + ${{ if parameters.SigningCertificate }}: + AZURE_TENANT_ID: $(TrustedSigningTenantId) + AZURE_CLIENT_ID: $(TrustedSigningClientId) + AZURE_CLIENT_SECRET: $(TrustedSigningClientSecret) - ${{ each b in parameters.Bundles }}: - script: | 
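Review bot: The secret restored in the `@@ -83,6 +87,10 @@` hunk is `$(TrustedSigningClientSecret)`, whereas the line PATCH 1/7 removed from this same env block read `$(TrustedSigningSecret)`; the `@@ -97,6 +105,10 @@` hunk on the next line carries the same change. If the rename is unintended, or the pipeline library still defines only the old name, the macro stays unexpanded and the literal text is handed to the build as AZURE_CLIENT_SECRET, which surfaces only as an authentication failure inside the WiX build rather than as a missing-variable error. Either confirm that the variable name matches what the pipeline library defines, or add a comment above the block naming its source, e.g. `# Secret-based fallback; TrustedSigning* variables come from <variable group name>` with the real group name filled in. The enclosing build step continues outside the hunk.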
@@ -97,6 +105,10 @@ steps: TclTkLibraryDir: $(Pipeline.Workspace)\${{ b.TclTkArtifact }} # Only need the variable here for msi.props to detect SigningCertificate: ${{ parameters.SigningCertificate }} + ${{ if parameters.SigningCertificate }}: + AZURE_TENANT_ID: $(TrustedSigningTenantId) + AZURE_CLIENT_ID: $(TrustedSigningClientId) + AZURE_CLIENT_SECRET: $(TrustedSigningClientSecret) - powershell: | del $env:ResponseFile -ErrorAction Continue diff --git a/windows-release/sign-files.yml b/windows-release/sign-files.yml index 604bdc77..ae615d33 100644 --- a/windows-release/sign-files.yml +++ b/windows-release/sign-files.yml 
@@ -34,29 +34,30 @@ steps: env: EXPORT_COMMAND: ${{ parameters.ExportCommand }} - # We sign in once with the AzureCLI task, as it uses OIDC to obtain a - # temporary token. But the task also logs out, and so we save the token and - # use it to log in persistently (for the rest of the build). - - task: AzureCLI@2 - displayName: 'Authenticate signing tools (1/2)' - inputs: - azureSubscription: ${{ parameters.AzureServiceConnectionName }} - scriptType: 'ps' - scriptLocation: 'inlineScript' - inlineScript: | - "##vso[task.setvariable variable=AZURE_CLIENT_ID;issecret=true]${env:servicePrincipalId}" - "##vso[task.setvariable variable=AZURE_ID_TOKEN;issecret=true]${env:idToken}" - "##vso[task.setvariable variable=AZURE_TENANT_ID;issecret=true]${env:tenantId}" - "##vso[task.setvariable variable=AZURE_TOKEN_CREDENTIALS]AzureCliCredential" - addSpnToEnvironment: true + - ${{ if parameters.AzureServiceConnectionName }}: + # We sign in once with the AzureCLI task, as it uses OIDC to obtain a + # temporary token. But the task also logs out, and so we save the token and + # use it to log in persistently (for the rest of the build). 
+ - task: AzureCLI@2 + displayName: 'Authenticate signing tools (1/2)' + inputs: + azureSubscription: ${{ parameters.AzureServiceConnectionName }} + scriptType: 'ps' + scriptLocation: 'inlineScript' + inlineScript: | + "##vso[task.setvariable variable=AZURE_CLIENT_ID;issecret=true]${env:servicePrincipalId}" + "##vso[task.setvariable variable=AZURE_ID_TOKEN;issecret=true]${env:idToken}" + "##vso[task.setvariable variable=AZURE_TENANT_ID;issecret=true]${env:tenantId}" + "##vso[task.setvariable variable=AZURE_TOKEN_CREDENTIALS]AzureCliCredential" + addSpnToEnvironment: true - - powershell: > - az login --service-principal - -u $(AZURE_CLIENT_ID) - --tenant $(AZURE_TENANT_ID) - --allow-no-subscriptions - --federated-token $(AZURE_ID_TOKEN) - displayName: 'Authenticate signing tools (2/2)' + - powershell: > + az login --service-principal + -u $(AZURE_CLIENT_ID) + --tenant $(AZURE_TENANT_ID) + --allow-no-subscriptions + --federated-token $(AZURE_ID_TOKEN) + displayName: 'Authenticate signing tools (2/2)' - ${{ if parameters.Include }}: - powershell: | From ab519316360de71520b9873b7bc5148fcde31c08 Mon Sep 17 00:00:00 2001 From: Steve Dower Date: Wed, 15 Oct 2025 00:07:41 +0100 Subject: [PATCH 7/7] Remove environment variable I thought I got last commit --- windows-release/sign-files.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/windows-release/sign-files.yml b/windows-release/sign-files.yml index ae615d33..6809d9c9 100644 --- a/windows-release/sign-files.yml +++ b/windows-release/sign-files.yml @@ -48,7 +48,6 @@ steps: "##vso[task.setvariable variable=AZURE_CLIENT_ID;issecret=true]${env:servicePrincipalId}" "##vso[task.setvariable variable=AZURE_ID_TOKEN;issecret=true]${env:idToken}" "##vso[task.setvariable variable=AZURE_TENANT_ID;issecret=true]${env:tenantId}" - "##vso[task.setvariable variable=AZURE_TOKEN_CREDENTIALS]AzureCliCredential" addSpnToEnvironment: true - powershell: >
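Review bot: Gating only the two login steps on `parameters.AzureServiceConnectionName` in the `@@ -34,29 +34,30 @@` hunk leaves the `${{ if parameters.Include }}` signing step below unconditional, and since PATCH 1/7 (hunk `@@ -58,9 +87,6 @@`) that step's env no longer carries the AZURE_* secrets; a caller that passes `Include` together with an empty connection name therefore reaches `sign` with no credentials at all and fails only at signing time. The one caller visible on this page, msi-steps.yml, passes `Include: ''` alongside the empty connection name, so this is latent rather than broken today. Making the contract explicit on the parameter would prevent the combination from being introduced later, e.g. `# Empty skips the OIDC login; only valid when Include is also empty (legacy MSI build signs via client secret)`. The steps list continues outside the hunk.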