16 changes: 10 additions & 6 deletions windows-release/msi-steps.yml
Expand Up @@ -67,6 +67,10 @@ steps:
Include: ''
ExportCommand: SignCommand
SigningCertificate: ${{ parameters.SigningCertificate }}
# WiX is struggling with WIF authentication and sign.exe right now,
# so we still rely on the client secret for legacy builds.
# We disable the service connection here to skip the login steps.
AzureServiceConnectionName: ''

- powershell: |
$cmd = $env:SignCommand -replace '"', '\"'
Expand All @@ -81,12 +85,12 @@ steps:
displayName: 'Build launcher installer'
env:
Platform: x86
# Only need the variable here for msi.props to detect
SigningCertificate: ${{ parameters.SigningCertificate }}
${{ if parameters.SigningCertificate }}:
AZURE_TENANT_ID: $(TrustedSigningTenantId)
AZURE_CLIENT_ID: $(TrustedSigningClientId)
AZURE_CLIENT_SECRET: $(TrustedSigningSecret)
# Only need the variable here for msi.props to detect
SigningCertificate: ${{ parameters.SigningCertificate }}
AZURE_CLIENT_SECRET: $(TrustedSigningClientSecret)

- ${{ each b in parameters.Bundles }}:
- script: |
Expand All @@ -99,12 +103,12 @@ steps:
PYTHONHOME: $(Build.SourcesDirectory)
${{ if b.TclTkArtifact }}:
TclTkLibraryDir: $(Pipeline.Workspace)\${{ b.TclTkArtifact }}
# Only need the variable here for msi.props to detect
SigningCertificate: ${{ parameters.SigningCertificate }}
${{ if parameters.SigningCertificate }}:
AZURE_TENANT_ID: $(TrustedSigningTenantId)
AZURE_CLIENT_ID: $(TrustedSigningClientId)
AZURE_CLIENT_SECRET: $(TrustedSigningSecret)
# Only need the variable here for msi.props to detect
SigningCertificate: ${{ parameters.SigningCertificate }}
AZURE_CLIENT_SECRET: $(TrustedSigningClientSecret)

- powershell: |
del $env:ResponseFile -ErrorAction Continue
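Review bot: The secret reference renamed to `$(TrustedSigningClientSecret)` in the second and third hunks (the `env:` blocks of the launcher-installer step and the per-bundle `script:` step) only resolves if the pipeline's variable group or library entry was renamed to match; Azure Pipelines leaves an undefined `$(…)` macro as literal text, so a stale definition would hand the signing tool the string `$(TrustedSigningClientSecret)` as its client secret and surface as an opaque authentication failure rather than a missing-variable error, which is worth confirming before this lands in a release build. The new comment in the first hunk explains why the client-secret path is kept but gives the reader no exit criterion; I would append `# TODO(signing): remove AZURE_CLIENT_SECRET here once the WiX build can use the federated-token login in sign-files.yml` so the legacy secret does not outlive its justification. Both step definitions, including the script bodies that receive the secret in their environment, start outside these hunks, so I cannot tell from here whether anything in them prints the environment; that deserves a glance now that the secret is mapped into a plain `script:` step.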
29 changes: 26 additions & 3 deletions windows-release/sign-files.yml
Expand Up @@ -7,10 +7,12 @@ parameters:
SigningCertificate: ''
ExportCommand: ''
ContinueOnError: false
AzureServiceConnectionName: 'Python Signing'

steps:
- ${{ if parameters.SigningCertificate }}:
- powershell: |
# Install sign tool
dotnet tool install --global --prerelease sign
$signtool = (gcm sign -EA SilentlyContinue).Source
if (-not $signtool) {
Expand All @@ -32,6 +34,30 @@ steps:
env:
EXPORT_COMMAND: ${{ parameters.ExportCommand }}

- ${{ if parameters.AzureServiceConnectionName }}:
# We sign in once with the AzureCLI task, as it uses OIDC to obtain a
# temporary token. But the task also logs out, and so we save the token and
# use it to log in persistently (for the rest of the build).
- task: AzureCLI@2
displayName: 'Authenticate signing tools (1/2)'
inputs:
azureSubscription: ${{ parameters.AzureServiceConnectionName }}
scriptType: 'ps'
scriptLocation: 'inlineScript'
inlineScript: |
"##vso[task.setvariable variable=AZURE_CLIENT_ID;issecret=true]${env:servicePrincipalId}"
"##vso[task.setvariable variable=AZURE_ID_TOKEN;issecret=true]${env:idToken}"
"##vso[task.setvariable variable=AZURE_TENANT_ID;issecret=true]${env:tenantId}"
addSpnToEnvironment: true

- powershell: >
az login --service-principal
-u $(AZURE_CLIENT_ID)
--tenant $(AZURE_TENANT_ID)
--allow-no-subscriptions
--federated-token $(AZURE_ID_TOKEN)
displayName: 'Authenticate signing tools (2/2)'

- ${{ if parameters.Include }}:
- powershell: |
if ("${{ parameters.Exclude }}") {
Expand All @@ -58,9 +84,6 @@ steps:
env:
TRUSTED_SIGNING_CMD: $(__TrustedSigningCmd)
TRUSTED_SIGNING_ARGS: $(__TrustedSigningArgs)
AZURE_TENANT_ID: $(TrustedSigningTenantId)
AZURE_CLIENT_ID: $(TrustedSigningClientId)
AZURE_CLIENT_SECRET: $(TrustedSigningSecret)
${{ if parameters.Filter }}:
FILTER: ${{ parameters.Filter }}
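Review bot: In the second hunk the `az login` step expands the federated token with macro syntax, `--federated-token $(AZURE_ID_TOKEN)`, which substitutes the secret into the script text before the step runs; the agent writes that inline script to a temporary script file on the build machine, so the token sits in plaintext on disk where the log masking that protects `issecret=true` variables does not reach. Map it through the environment instead: add `env:` with `AZURE_ID_TOKEN: $(AZURE_ID_TOKEN)` under the step and change the argument to `--federated-token $env:AZURE_ID_TOKEN` (the client and tenant ids can stay as macros, they are not secret). The three-line comment above the AzureCLI task explains the two-step login well; I would add one line stating that the saved `idToken` is short-lived and the second step must therefore stay directly after the first, since a later reorder would break the login without an obvious cause — hedged, as the token lifetime is not visible here. Whether this block sits under the `${{ if parameters.SigningCertificate }}` branch from the first hunk cannot be read from the rendered indentation; if it does not, a caller passing `SigningCertificate: ''` but leaving the default `AzureServiceConnectionName: 'Python Signing'` would still perform an Azure login, which wants either a combined condition or a comment saying that is intended.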
