Pull request overview
This PR updates the DLL code signing process to use short-lived access tokens instead of client ID/client secret authentication. The change enhances security by replacing static credentials with temporary tokens obtained from Azure.
Changes:
- Modified signing condition from `!= 'false'` to `== 'true'` for more explicit control
- Updated AzureSignTool command to use access token authentication instead of client ID/secret
- Added GetAzureAuthToken task in the build pipeline to obtain short-lived tokens
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| Directory.build.targets | Updated signing condition and replaced client ID/secret authentication with access token authentication |
| Directory.Build.props | Removed TimestampServerUrl property definition |
| .azuredevops/pipelines/build-and-release.yml | Added GetAzureAuthToken task and updated environment variable to use the token |
| <NoWarn>$(NoWarn);1591</NoWarn> | ||
| <RootNamespace>Kentico.Xperience.Disqus</RootNamespace> | ||
|
|
||
| <EnableDefaultEmbeddedResourceItems>false</EnableDefaultEmbeddedResourceItems> |
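Review bot: this hunk removes the TimestampServerUrl definition from Directory.Build.props (per the file summary above), while the signing command in Directory.build.targets still expands `$(TimestampServerUrl)` right after `--timestamp-rfc3161`. MSBuild does not fail on an undefined property; it expands to an empty string, so the tool would be invoked as `--timestamp-rfc3161 --skip-signed ...` and either reject the arguments or emit a signature with no RFC 3161 timestamp, which stops validating as soon as the signing certificate expires. Either keep the property defined here, or guard the target with `<Error Condition="'$(TimestampServerUrl)' == ''" Text="TimestampServerUrl must be set" />` so a missing pipeline variable fails the build explicitly instead of degrading the signature.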
Copilot (AI), Jan 21, 2026:
The TimestampServerUrl property has been removed from this file, but it is still referenced in Directory.build.targets at line 12. This will cause the build to fail because the variable will be undefined. The TimestampServerUrl needs to either remain defined here or be added to the Azure DevOps variable group "Code Sign KV Auth".
| </ItemGroup> | ||
|
|
||
| <Exec Command="dotnet AzureSignTool sign --azure-key-vault-url $(AuthenticodeKeyVaultUrl) --azure-key-vault-tenant-id $(AuthenticodeTenantId) --azure-key-vault-client-id $(AuthenticodeClientId) --azure-key-vault-client-secret $(AuthenticodeClientSecret) --azure-key-vault-certificate $(AuthenticodeCertificateName) --timestamp-rfc3161 $(TimestampServerUrl) --skip-signed %(AssemblyToSign.Identity)" /> | ||
| <Exec Command="dotnet AzureSignTool sign --azure-key-vault-url $(AuthenticodeKeyVaultUrl) --azure-key-vault-accesstoken $(AuthenticodeAccessToken) --azure-key-vault-certificate $(AuthenticodeCertificateName) --timestamp-rfc3161 $(TimestampServerUrl) --skip-signed %(AssemblyToSign.Identity)" /> |
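Review bot: the access token is interpolated into the Exec command line, and Exec echoes the expanded command to the MSBuild log at normal verbosity, so the token ends up in the build log and in the agent's process table for its whole lifetime. Add `EchoOff="true"` to the Exec element so the expanded command is not logged, and make sure the pipeline variable behind `$(AuthenticodeAccessToken)` is declared as a secret so the agent masks it in any remaining output; the process-table exposure stays as long as the token is an argument, which is tolerable only on a single-tenant agent. Dropping `--azure-key-vault-tenant-id` together with the client id/secret is fine, since the token already identifies the tenant and principal; the corresponding client secret can then be retired from the variable group as well.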
Copilot (AI), Jan 21, 2026:
$(AuthenticodeAccessToken) is passed as a command-line argument to dotnet AzureSignTool, which can expose this short-lived access token via build logs and the process table to anyone with access to the build environment. An attacker who obtains this token could use it to access the Azure Key Vault certificate or sign arbitrary code during the token lifetime. Prefer passing the token via a secure channel such as an environment variable or dedicated input mechanism that does not echo the secret in logs or process listings.
| <Exec Command="dotnet AzureSignTool sign --azure-key-vault-url $(AuthenticodeKeyVaultUrl) --azure-key-vault-accesstoken $(AuthenticodeAccessToken) --azure-key-vault-certificate $(AuthenticodeCertificateName) --timestamp-rfc3161 $(TimestampServerUrl) --skip-signed %(AssemblyToSign.Identity)" /> | |
| <Exec Command="dotnet AzureSignTool sign --azure-key-vault-url $(AuthenticodeKeyVaultUrl) --azure-key-vault-certificate $(AuthenticodeCertificateName) --timestamp-rfc3161 $(TimestampServerUrl) --skip-signed %(AssemblyToSign.Identity)" EnvironmentVariables="AZURE_KEY_VAULT_ACCESS_TOKEN=$(AuthenticodeAccessToken)" /> |
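Review bot: this suggestion removes `--azure-key-vault-accesstoken` and instead sets `AZURE_KEY_VAULT_ACCESS_TOKEN` in the process environment, but nothing on this page shows AzureSignTool reading that variable and I am not aware of the tool documenting one, so as written the sign step would run with no Key Vault authentication method and fail. Verify against the AzureSignTool release in use before applying it. If the aim is to keep the token off the command line, the tool's managed-identity option (`--azure-key-vault-managed-identity`, if I recall the option set correctly) is the documented route on agents that run under an Azure identity; otherwise keep the flag from the previous hunk and add `EchoOff="true"` to the Exec element.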
Changes the way we access the code signing certificate. Instead of client id/client secret, we use short-lived access tokens.
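As an added example that is not code from this PR, the signing target rewritten to address the two review points above (the token echoed into the log, and the now-missing timestamp URL); the target name and the `SignAssemblies` property are assumptions, the other property and item names follow the diff:

```xml
<!-- Constructed example: hardened signing target; SignAssemblies is an assumed property name -->
<Target Name="SignAssemblies" AfterTargets="Build" Condition="'$(SignAssemblies)' == 'true'">
  <!-- Fail fast rather than invoking AzureSignTool with empty arguments -->
  <Error Condition="'$(AuthenticodeAccessToken)' == ''"
         Text="AuthenticodeAccessToken is empty; the GetAzureAuthToken pipeline task must export it as a secret variable." />
  <Error Condition="'$(TimestampServerUrl)' == ''"
         Text="TimestampServerUrl is empty; a signature without an RFC 3161 timestamp stops validating when the certificate expires." />
  <!-- EchoOff keeps the expanded command line, and therefore the token, out of the MSBuild log -->
  <Exec EchoOff="true"
        Command="dotnet AzureSignTool sign --azure-key-vault-url $(AuthenticodeKeyVaultUrl) --azure-key-vault-accesstoken $(AuthenticodeAccessToken) --azure-key-vault-certificate $(AuthenticodeCertificateName) --timestamp-rfc3161 $(TimestampServerUrl) --skip-signed %(AssemblyToSign.Identity)" />
</Target>
```

EchoOff only suppresses MSBuild's own echo of the command; the token is still visible in the agent's process table while the tool runs, so the pipeline variable should additionally be marked secret so the agent masks it in any tool output.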