Migrate Windows code signing to Azure Trusted Signing#2910
Merged
The Azure Key Vault code-signing cert previously used by jsign expired, breaking the Windows binary signing step. Switch to Azure Trusted Signing (Microsoft-managed short-lived certs) so we stop having to rotate certs.

- Bump jsign 6.0 -> 7.4.
- Swap `--storetype AZUREKEYVAULT` for `TRUSTEDSIGNING`.
- Use the `https://codesigning.azure.net` token audience.
- Derive the keystore host from `AZURE_SIGNING_ACCOUNT_ENDPOINT` and pass account/profile via `--alias`.
- Replace `AZURE_SIGNING_KEY_VAULT_URI` with `AZURE_SIGNING_ACCOUNT_ENDPOINT`, `AZURE_SIGNING_ACCOUNT_NAME`, and `AZURE_SIGNING_CERT_PROFILE_NAME` in the Makefile guard and in the release/prerelease/build workflow env passthrough.

The ESC environment already exposes the new variables and the signing service principal has the "Artifact Signing Certificate Profile Signer" role on pulumi-code-signing/pulumi-code-signing. Companion to pulumi/ci-mgmt#2126.
Contributor
Does the PR have any schema changes? Looking good! No breaking changes found.
Contributor
Code Review: Migrate Windows code signing to Azure Trusted Signing

The migration from `AZUREKEYVAULT` to `TRUSTEDSIGNING` looks correct. I verified all four files that previously referenced `AZURE_SIGNING_KEY_VAULT_URI` on the base branch and all are updated in this PR.

What I checked

Makefile logic:

- Token audience correctly changed to `https://codesigning.azure.net`
- Endpoint host stripping (`${ENDPOINT_HOST#https://}` etc.) is robust — handles `https://`, (redacted) and trailing slash correctly before passing to `--keystore`
- `--alias "${AZURE_SIGNING_ACCOUNT_NAME}/${AZURE_SIGNING_CERT_PROFILE_NAME}"` matches the jsign 7.x `TRUSTEDSIGNING` format
- `SKIP_SIGNING` guard in the Makefile (the `||` pattern) still correctly catches partial configurations and fails CI fast

GitHub Actions workflows (build/prerelease/release):

- Three new env vars replace the single old one consistently across all three workflows
- `SKIP_SIGNING` expression: `&&` across all six vars (all empty → skip) is correct semantics — if any signing var is present but others are absent, `SKIP_SIGNING=false` and the Makefile guard catches the misconfiguration and exits 1 in CI

Scope check:

- `build_provider.yml` referenced in the PR description doesn't exist in this repo; all four files that contained the old var have been updated
- `scripts/crossbuild.mk` also doesn't exist here (those changes live in the companion repos)

Minor observations (non-blocking)

- The downloaded jsign JAR (`wget`) has no hash verification — same as the previous jsign 6.0 target, so not a regression introduced here
- `az account get-access-token` doesn't pass `--output none` (unlike `az login`), but the output is piped to `jq` so it has no impact on correctness
Reviewed by Internal Trusted PR Reviewer
To install this agentic workflow, run
gh aw add pulumi-labs/gh-aw-internal/.github/workflows/gh-aw-pr-review.md@99a309bf18258dbae98c8176ea10657e0b08deca
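The Makefile logic the review walks through, as an added shell example that is not the project's Makefile or workflow code: it derives the bare keystore host from `AZURE_SIGNING_ACCOUNT_ENDPOINT`, classifies the signing variables the way the workflow's `&&` expression and the Makefile's `||` guard do between them (all empty skips, all set signs, anything in between fails the build), assembles the jsign 7.x `TRUSTEDSIGNING` invocation, and adds the SHA-256 pin the reviewer notes the `wget` step lacks. The endpoint host, the placeholder token, the binary name and the digest used in the test are constructed values; the page names only three of the six signing variables, so the guard takes its six inputs as positional arguments rather than naming the rest.

```shell
#!/bin/sh
# Added example, not the Pulumi Makefile: the signing-guard and keystore
# logic discussed in the review, as POSIX sh functions.

# jsign's TRUSTEDSIGNING keystore is a bare host (for example
# weu.codesigning.azure.net, a constructed value), but the ESC environment
# hands us a URL in AZURE_SIGNING_ACCOUNT_ENDPOINT. Strip the scheme and
# any trailing slash, the way the Makefile's ${ENDPOINT_HOST#https://} does.
keystore_host() {
    host=$1
    host=${host#https://}
    host=${host#http://}
    host=${host%/}
    printf '%s\n' "$host"
}

# Combine the two guards from the PR into one decision over the six signing
# variables (the PR names AZURE_SIGNING_ACCOUNT_ENDPOINT, _ACCOUNT_NAME and
# _CERT_PROFILE_NAME; the others are simply passed positionally here):
#   all empty -> "skip"    (the workflow's && expression sets SKIP_SIGNING=true)
#   all set   -> "sign"
#   otherwise -> "partial" (the Makefile's || guard exits 1)
signing_state() {
    set_count=0
    for v in "$@"; do
        [ -n "$v" ] && set_count=$((set_count + 1))
    done
    if [ "$set_count" -eq 0 ]; then
        echo skip
    elif [ "$set_count" -eq $# ]; then
        echo sign
    else
        echo partial
    fi
}

# Assemble the jsign 7.x command line. The token is whatever the caller got
# from: az account get-access-token --resource https://codesigning.azure.net
#       --query accessToken -o tsv
# It is passed through unchanged here; never log the assembled line in CI.
jsign_cmd() {
    endpoint=$1; account=$2; profile=$3; token=$4; binary=$5
    printf 'java -jar jsign.jar --storetype TRUSTEDSIGNING --keystore %s --storepass %s --alias %s/%s %s\n' \
        "$(keystore_host "$endpoint")" "$token" "$account" "$profile" "$binary"
}

# Pin the downloaded JAR to a known SHA-256 (the reviewer's non-blocking note:
# the wget target has no hash check). Take the expected digest from the jsign
# release you actually download; the digest used in the test is constructed.
verify_jar() {
    jar=$1; expected=$2
    if command -v sha256sum >/dev/null 2>&1; then
        actual=$(sha256sum "$jar" | cut -d' ' -f1)
    else
        actual=$(shasum -a 256 "$jar" | cut -d' ' -f1)
    fi
    [ "$actual" = "$expected" ]
}

# Fail-fast wrapper in the shape of the Makefile guard: skip cleanly when no
# signing config is present, refuse to continue on a partial one.
sign_or_skip() {
    state=$(signing_state "$@")
    case $state in
        skip)    echo "SKIP_SIGNING=true: no signing configuration present" ;;
        partial) echo "error: partial Azure signing configuration; set all variables or none" >&2; return 1 ;;
        sign)    echo "signing with TRUSTEDSIGNING" ;;
    esac
}
```

The split between `signing_state` and `sign_or_skip` mirrors the PR: the workflow only decides whether to skip, and the Makefile is the place that turns a partial configuration into a hard failure, so a half-populated ESC environment cannot produce an unsigned release binary that looks like a deliberate skip.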
zacdirect
approved these changes
Apr 9, 2026
Codecov Report

✅ All modified and coverable lines are covered by tests.

Additional details and impacted files

```
@@           Coverage Diff           @@
##           master    #2910   +/-   ##
=======================================
  Coverage   53.99%   53.99%
=======================================
  Files          52       52
  Lines        6439     6439
=======================================
  Hits         3477     3477
  Misses       2674     2674
  Partials      288      288
```

☔ View full report in Codecov by Sentry.
Summary

Migrates Windows binary signing from Azure Key Vault (`jsign --storetype AZUREKEYVAULT`) to Azure Trusted Signing. The previous AKV code-signing cert expired, breaking the release pipeline. Trusted Signing issues short-lived Microsoft-managed certs so there's nothing to rotate.

- `Makefile` / `scripts/crossbuild.mk`: bump `jsign` 6.0 → 7.4, switch `--storetype` to `TRUSTEDSIGNING`, use the `https://codesigning.azure.net` token audience, derive the keystore host from `AZURE_SIGNING_ACCOUNT_ENDPOINT`, pass account/profile via `--alias`, update the `SKIP_SIGNING` guard and error message.
- `.github/workflows/{build,release,prerelease,build_provider}.yml`: replace the `AZURE_SIGNING_KEY_VAULT_URI` env passthrough with the three new `AZURE_SIGNING_ACCOUNT_*` outputs and update the `SKIP_SIGNING` expression.

Companion to pulumi/ci-mgmt#2126, pulumi/pulumi-command#1200, and pulumi/pulumi-provider-boilerplate#1236. The ESC environment already exposes the new variables and the signing SP has the `Artifact Signing Certificate Profile Signer` role on the `pulumi-code-signing/pulumi-code-signing` profile. Verified end-to-end against pulumi-command, pulumi-random, and pulumi-provider-boilerplate.

Test plan