KX-18441 Fix code signing

radekpetruska · radekpetruska · commit 90a8f846ec3d · 2026-01-21T14:43:17.000+01:00
diff --git a/.azuredevops/pipelines/build-and-release.yml b/.azuredevops/pipelines/build-and-release.yml
@@ -68,6 +68,13 @@ stages:
               feedsToUse: select
               restoreArguments: --locked-mode
 
+          - task: GetAzureAuthToken@5
+            name: KeyVaultToken
+            displayName: Get token to code signing certificate
+            inputs:
+              ServiceConnection: Code signer
+              AccessScopes: https://vault.azure.net/.default
+
           - task: DotNetCoreCLI@2
             displayName: Build
             inputs:
@@ -76,7 +83,7 @@ stages:
               configuration: ${{ variables.Configuration }}
               arguments: --no-restore --verbosity Detailed
             env:
-              AuthenticodeClientSecret: $(AuthenticodeClientSecret)
+              AuthenticodeAccessToken: $(KeyVaultToken.AuthToken)
               # Roll-forward behavior set for AzureSignTool dotnet tool (see .config\dotnet-tools.json) which requires .Net 6.0 runtime
               DOTNET_ROLL_FORWARD: Major
 
@@ -90,6 +97,10 @@ stages:
               includesymbols: true
               nobuild: false
               versioningScheme: off
+            env:
+              AuthenticodeAccessToken: $(KeyVaultToken.AuthToken)
+              # Roll-forward behavior set for AzureSignTool dotnet tool (see .config\dotnet-tools.json) which requires .Net 6.0 runtime
+              DOTNET_ROLL_FORWARD: Major
 
           - publish: $(System.DefaultWorkingDirectory)/packages
             displayName: Publish NuGet package as artifact
diff --git a/Directory.build.targets b/Directory.build.targets
@@ -1,5 +1,5 @@
 <Project>
-    <Target Name="SignAssemblyWithAuthenticodeSignature" AfterTargets="AfterBuild" Condition="'$(MSBuildProjectFullPath.Contains(&quot;node_modules&quot;))' == 'false' And $(Configuration) == 'Release' And $(SIGN_FILE) != 'false'">
+    <Target Name="SignAssemblyWithAuthenticodeSignature" AfterTargets="AfterBuild" Condition="'$(MSBuildProjectFullPath.Contains(&quot;node_modules&quot;))' == 'false' And $(Configuration) == 'Release' And $(SIGN_FILE) == 'true'">
         <PropertyGroup>
             <XmlSerializersTargetPath>$(TargetDir)$(TargetName).XmlSerializers.dll</XmlSerializersTargetPath>
         </PropertyGroup>
@@ -8,12 +8,14 @@
             <AssemblyToSign Include="$(TargetPath)" />
             <AssemblyToSign Include="$(XmlSerializersTargetPath)" Condition="Exists('$(XmlSerializersTargetPath)')" />
         </ItemGroup>
+
+        <Exec Command="dotnet AzureSignTool sign --azure-key-vault-url $(AuthenticodeKeyVaultUrl) --azure-key-vault-accesstoken $(AuthenticodeAccessToken) --azure-key-vault-certificate $(AuthenticodeCertificateName) --timestamp-rfc3161 $(TimestampServerUrl) --skip-signed %(AssemblyToSign.Identity)" />
     </Target>
 
     <ItemGroup>
         <Content Remove="Admin/Client/*.json" />
         <Content Remove="Admin/FrontEnd/*.json" />
         <Content Remove="Admin/*.json" />
-		<Content Remove="../Kentico.Xperience.TagManager/*.json"/>
+        <Content Remove="../Kentico.Xperience.TagManager/*.json"/>
     </ItemGroup>
 </Project>
