KX-18441 Fix code signing #100
Conversation
There was a problem hiding this comment.
Pull request overview
This PR restores accidentally deleted code signing functionality by reintroducing the AzureSignTool execution command and updates the authentication mechanism from client secrets to Azure managed authentication tokens.
Changes:
- Restored the missing
Execcommand that performs assembly signing with AzureSignTool - Changed signing condition from opt-out (
!= 'false') to opt-in (== 'true') for explicit control - Updated Azure DevOps pipeline to use GetAzureAuthToken task instead of client secrets for improved security
- Fixed whitespace consistency (tabs to spaces) in Directory.build.targets
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| Directory.build.targets | Reintroduced the missing AzureSignTool signing command, updated signing condition to require explicit opt-in, and fixed whitespace consistency |
| .azuredevops/pipelines/build-and-release.yml | Added GetAzureAuthToken task to acquire Azure Key Vault access token and updated build task to use the token instead of client secret |
| <AssemblyToSign Include="$(XmlSerializersTargetPath)" Condition="Exists('$(XmlSerializersTargetPath)')" /> | ||
| </ItemGroup> | ||
|
|
||
| <Exec Command="dotnet AzureSignTool sign --azure-key-vault-url $(AuthenticodeKeyVaultUrl) --azure-key-vault-accesstoken $(AuthenticodeAccessToken) --azure-key-vault-certificate $(AuthenticodeCertificateName) --timestamp-rfc3161 $(TimestampServerUrl) --skip-signed %(AssemblyToSign.Identity)" /> |
There was a problem hiding this comment.
The Exec command passes the Key Vault access token in cleartext via the --azure-key-vault-accesstoken $(AuthenticodeAccessToken) argument, which is likely to be echoed in MSBuild logs and visible in process listings, exposing a reusable secret to anyone with build log or host access. An attacker with access to this token could impersonate the build system to use the signing certificate (or other Key Vault secrets), enabling unauthorized code signing or broader secret compromise. Use a mechanism that does not log or expose the token in the command line (for example, a secure environment variable or built-in credential mechanism supported by AzureSignTool).
| <Exec Command="dotnet AzureSignTool sign --azure-key-vault-url $(AuthenticodeKeyVaultUrl) --azure-key-vault-accesstoken $(AuthenticodeAccessToken) --azure-key-vault-certificate $(AuthenticodeCertificateName) --timestamp-rfc3161 $(TimestampServerUrl) --skip-signed %(AssemblyToSign.Identity)" /> | |
| <Exec | |
| Command="dotnet AzureSignTool sign --azure-key-vault-url $(AuthenticodeKeyVaultUrl) --azure-key-vault-certificate $(AuthenticodeCertificateName) --timestamp-rfc3161 $(TimestampServerUrl) --skip-signed %(AssemblyToSign.Identity)" | |
| EnvironmentVariables="AZURE_KEY_VAULT_ACCESSTOKEN=$(AuthenticodeAccessToken)" /> |
radekpetruska
force-pushed
the
feature/KX-18441_new_code_signing
branch
from
01533b3 to
d2f3dca
Compare
radekpetruska
force-pushed
the
feature/KX-18441_new_code_signing
branch
from
d2f3dca to
90a8f84
Compare
Someone deleted the code vital for code signing. This PR reintroduces it.