I wanted to sign my binaries while deploying to Azure App Service through github (using Kudu underneath). I understand I can run a custom script for building the project. Maybe I could use this method to sign the binaries during the build process and deploy the signed bits? I suppose I can place my certificate in Azure Key Vault. How can I access this without checking in any secrets into github?
Anybody have experience with this?
You're on the right track here. A custom deployment script should do it:
http://blog.amitapple.com/post/38417491924/azurewebsitecustomdeploymentpart1
https://github.com/projectkudu/kudu/wiki/Custom-Deployment-Script
In Kudu you won't have Azure PowerShell installed, so you'll have to pull your certificate from Key Vault over REST.
UPDATE: Azure Functions do have the Azure RM cmdlets installed. You could write a Function App in PowerShell that pulls the cert from Key Vault. Use a Service Principal to Login-AzureRmAccount
unattended.
The secrets needed to accomplish that should be kept in Application Settings. They are exposed to you in Kudu as Environment Variables: https://azure.microsoft.com/en-gb/documentation/articles/web-sites-configure/
App settings
This section contains name/value pairs that you web app will load on start up. For .NET apps, these settings are injected into your .NET configuration AppSettings at runtime, overriding existing settings.
PHP, Python, Java and Node applications can access these settings as environment variables at runtime. For each app setting, two environment variables are created; one with the name specified by the app setting entry, and another with a prefix of APPSETTING_. Both contain the same value.
Alternatively, you could pull the certificate from App Service store (the "My" store). Here's how:
From https://azure.microsoft.com/en-us/blog/using-certificates-in-azure-websites-applications/:
Adding an app setting named WEBSITE_LOAD_CERTIFICATES with its value set to the thumbprint of the certificate will make it accessible to your web application. You can have multiple comma-separated thumbprint values or can set this value to * in which case all your certificates will be loaded to your web applications personal certificate store.
using System;
using System.Security.Cryptography.X509Certificates;
namespace UseCertificateInAzureWebsiteApp
{
class Program
{
static void Main(string[] args)
{
X509Store certStore = new X509Store(StoreName.My, StoreLocation.CurrentUser);
certStore.Open(OpenFlags.ReadOnly);
X509Certificate2Collection certCollection = certStore.Certificates.Find(
X509FindType.FindByThumbprint,
// Replace below with your cert's thumbprint
“E661583E8FABEF4C0BEF694CBC41C28FB81CD870”,
false);
// Get the first cert with the thumbprint
if (certCollection.Count > 0)
{
X509Certificate2 cert = certCollection[0];
// Use certificate
Console.WriteLine(cert.FriendlyName);
}
certStore.Close();
}
}
}
No certificate validation is being done for you. You need to implement that yourself, by comparing to values stored in App Settings or Key Vault.