
Commit 17c36be

authored
Use OIDC for code signing authentication in Windows release and dependency builds. (#290)
We continue to use the secret key for MSI builds, because the OIDC auth caused them to fail.
1 parent 7e95632 commit 17c36be


2 files changed

+36
-9
lines changed

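--- a/windows-release/msi-steps.yml
+++ b/windows-release/msi-steps.yml
@@ -67,6 +67,10 @@ steps:
 Include: ''
 ExportCommand: SignCommand
 SigningCertificate: ${{ parameters.SigningCertificate }}
+# WiX is struggling with WIF authentication and sign.exe right now,
+# so we still rely on the client secret for legacy builds.
+# We disable the service connection here to skip the login steps.
+AzureServiceConnectionName: ''
 
 - powershell: |
 $cmd = $env:SignCommand -replace '"', '\"'
@@ -81,12 +85,12 @@ steps:
 displayName: 'Build launcher installer'
 env:
 Platform: x86
+# Only need the variable here for msi.props to detect
+SigningCertificate: ${{ parameters.SigningCertificate }}
 ${{ if parameters.SigningCertificate }}:
 AZURE_TENANT_ID: $(TrustedSigningTenantId)
 AZURE_CLIENT_ID: $(TrustedSigningClientId)
-AZURE_CLIENT_SECRET: $(TrustedSigningSecret)
-# Only need the variable here for msi.props to detect
-SigningCertificate: ${{ parameters.SigningCertificate }}
+AZURE_CLIENT_SECRET: $(TrustedSigningClientSecret)
 
 - ${{ each b in parameters.Bundles }}:
 - script: |
@@ -99,12 +103,12 @@ steps:
 PYTHONHOME: $(Build.SourcesDirectory)
 ${{ if b.TclTkArtifact }}:
 TclTkLibraryDir: $(Pipeline.Workspace)\${{ b.TclTkArtifact }}
+# Only need the variable here for msi.props to detect
+SigningCertificate: ${{ parameters.SigningCertificate }}
 ${{ if parameters.SigningCertificate }}:
 AZURE_TENANT_ID: $(TrustedSigningTenantId)
 AZURE_CLIENT_ID: $(TrustedSigningClientId)
-AZURE_CLIENT_SECRET: $(TrustedSigningSecret)
-# Only need the variable here for msi.props to detect
-SigningCertificate: ${{ parameters.SigningCertificate }}
+AZURE_CLIENT_SECRET: $(TrustedSigningClientSecret)
 
 - powershell: |
 del $env:ResponseFile -ErrorAction Continue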
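Review bot: The secret variable is renamed from `$(TrustedSigningSecret)` to `$(TrustedSigningClientSecret)` on the new AZURE_CLIENT_SECRET lines of the second and third hunks, and nothing in the diff shows the pipeline variable group being updated to match; if the old name is still the one defined, the macro is left unexpanded and the launcher and bundle signing steps fail at run time rather than at template parse time. With `AzureServiceConnectionName: ''` skipping the OIDC login, this template is now the only place a long-lived client secret is consumed, which the first-hunk comment explains but does not mark for follow-up; I would extend it with `# TODO: drop AZURE_CLIENT_SECRET once WiX signing works with the OIDC login` so the remaining secret dependency is tracked. The `steps:` list these hunks belong to starts before the first hunk.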

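--- a/windows-release/sign-files.yml
+++ b/windows-release/sign-files.yml
@@ -7,10 +7,12 @@ parameters:
 SigningCertificate: ''
 ExportCommand: ''
 ContinueOnError: false
+AzureServiceConnectionName: 'Python Signing'
 
 steps:
 - ${{ if parameters.SigningCertificate }}:
 - powershell: |
+# Install sign tool
 dotnet tool install --global --prerelease sign
 $signtool = (gcm sign -EA SilentlyContinue).Source
 if (-not $signtool) {
@@ -32,6 +34,30 @@ steps:
 env:
 EXPORT_COMMAND: ${{ parameters.ExportCommand }}
 
+- ${{ if parameters.AzureServiceConnectionName }}:
+# We sign in once with the AzureCLI task, as it uses OIDC to obtain a
+# temporary token. But the task also logs out, and so we save the token and
+# use it to log in persistently (for the rest of the build).
+- task: AzureCLI@2
+displayName: 'Authenticate signing tools (1/2)'
+inputs:
+azureSubscription: ${{ parameters.AzureServiceConnectionName }}
+scriptType: 'ps'
+scriptLocation: 'inlineScript'
+inlineScript: |
+"##vso[task.setvariable variable=AZURE_CLIENT_ID;issecret=true]${env:servicePrincipalId}"
+"##vso[task.setvariable variable=AZURE_ID_TOKEN;issecret=true]${env:idToken}"
+"##vso[task.setvariable variable=AZURE_TENANT_ID;issecret=true]${env:tenantId}"
+addSpnToEnvironment: true
+
+- powershell: >
+az login --service-principal
+-u $(AZURE_CLIENT_ID)
+--tenant $(AZURE_TENANT_ID)
+--allow-no-subscriptions
+--federated-token $(AZURE_ID_TOKEN)
+displayName: 'Authenticate signing tools (2/2)'
+
 - ${{ if parameters.Include }}:
 - powershell: |
 if ("${{ parameters.Exclude }}") {
@@ -58,9 +84,6 @@ steps:
 env:
 TRUSTED_SIGNING_CMD: $(__TrustedSigningCmd)
 TRUSTED_SIGNING_ARGS: $(__TrustedSigningArgs)
-AZURE_TENANT_ID: $(TrustedSigningTenantId)
-AZURE_CLIENT_ID: $(TrustedSigningClientId)
-AZURE_CLIENT_SECRET: $(TrustedSigningSecret)
 ${{ if parameters.Filter }}:
 FILTER: ${{ parameters.Filter }}
 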
