Tags: azure, azure-pipelines, sign, file-format

What certificate file format do I export to, so I can use the certificate in Azure Pipelines?


New to Azure Pipelines. I'm working on migrating our build/release for some of our apps into Azure Pipelines. We sign Windows apps. Currently, this is done with a certificate on our TFS build/release server. I'd like to export the certificate from our TFS server, so I can put it into Azure Pipelines' Secure Files location. In the MMC on our build/release server I've added the Certificates MMC add-on. I've found the relevant certificate I want to export. Right-clicking on the certificate, I've selected the task to export the certificate. It's asked me what file format I should use. It lists 3:

  • DER encoded binary X.509 (.CER)
  • Base-64 encoded X.509 (.CER)
  • Cryptographic Message Syntax Standard - PKCS #7 Certificates (.P7B)

The last one, if I select it, will open several other options, but I'm thinking what I want is either the first or second one.

Which should I export to, so I can put it into our Azure Pipeline's Secure File, for signing Windows applications during the Pipeline's run?


Solution

  • You can use what works best for you. In terms of Azure Pipelines there is no difference between them, they are just files.

    You can also check the Code Signing extension.


    Parameters include:

    • Secure File: The certificate that was uploaded to Secure Files to be used to sign the given files. (Using Secure Files in Azure DevOps).
    • Secure File Password: The password for the provided certificate. Use a new variable with its lock enabled on the Variables tab to encrypt this value.
    • File(s) to Sign: Relative path from the repo root to the file(s) you want to sign. You can use wildcards to specify multiple files (more information). For example, **/bin/*.dll for all .DLL files in the 'bin' subfolder.
    • Timestamp Server Url: Absolute Url of the timestamp server to use. Default: http://timestamp.digicert.com
    • Hashing Algorithm: The file digest algorithm to use for creating file signatures (e.g. SHA256 or SHA1). Default: SHA256
    • Select signtool.exe: Option to select the signtool to use for signing
      • Built-In: This is the default option. It uses the signtool.exe that comes along with the task
      • Custom Path: With this option you can define a custom path that the task will use to sign your files. IMPORTANT: the custom path has to end with signtool.exe
      • Latest version installed: This option uses the latest installed version on the current system. This only works on machines that have the Windows 10 SDK installed. The base path that is used for getting the signtool is C:\Program Files (x86)\Windows Kits\10\bin. The task grabs the latest installed version and tries to use the x64 version of the .exe. If it is not available it uses x86. If the x86 signtool is not available the task fails. If this is the case please check if the Windows 10 SDK is installed on your build agent.
    • Description: A description to add to the file being signed
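One way to produce a file the Code Signing task's Secure File and Secure File Password parameters can actually consume, as an added PowerShell example that is not from the question, the answer or the extension: the three MMC formats listed in the question (DER .CER, Base-64 .CER, .P7B) carry only the public certificate, so a signing export has to be a password-protected PFX (PKCS #12) that includes the private key. The store location, thumbprint placeholder and output path are assumptions; it expects an elevated Windows PowerShell session on the build server.

```powershell
# Added example: export a code-signing certificate WITH its private key as a
# password-protected PFX for upload to Pipelines > Library > Secure files.
# Not from the question or the answer. Assumptions: certificate lives in
# LocalMachine\My and is selected by thumbprint (placeholder below).

$Thumbprint = 'PLACEHOLDER-THUMBPRINT'
$OutFile    = Join-Path $env:TEMP 'codesign.pfx'

# -CodeSigningCert keeps only certificates with the Code Signing EKU
# (1.3.6.1.5.5.7.3.3), so an unrelated certificate cannot be picked by mistake.
$cert = Get-ChildItem -Path 'Cert:\LocalMachine\My' -CodeSigningCert |
        Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "No code-signing certificate with thumbprint $Thumbprint in LocalMachine\My." }

# DER/Base-64 .CER and .P7B exports hold the public certificate only;
# signtool needs the private key, so it must be present in this store.
if (-not $cert.HasPrivateKey) {
    throw 'Certificate has no private key here; a .CER/.P7B export would not sign anything.'
}
if ($cert.NotAfter -lt (Get-Date)) {
    throw "Certificate expired on $($cert.NotAfter); renew it before moving it to the pipeline."
}

# This password protects the private key at rest in Secure Files; store the
# same value as a locked (secret) pipeline variable for "Secure File Password".
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'

try {
    # BuildChain includes the intermediate CA certificates so signtool can
    # build a full chain on a build agent that has never seen this CA.
    Export-PfxCertificate -Cert $cert -FilePath $OutFile -Password $pfxPassword `
        -ChainOption BuildChain -ErrorAction Stop | Out-Null
}
catch {
    # Keys imported without "Mark this key as exportable", or held in a TPM/HSM,
    # cannot be exported; re-import from the original PFX or sign on a self-hosted agent.
    throw "Export failed (key not exportable?): $($_.Exception.Message)"
}

# Sanity check: reopen the PFX and confirm the private key travelled with it.
$pfx  = Get-PfxData -FilePath $OutFile -Password $pfxPassword
$leaf = $pfx.EndEntityCertificates | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $leaf -or -not $leaf.HasPrivateKey) {
    Remove-Item $OutFile -Force
    throw 'Exported PFX does not contain the private key; do not upload it.'
}

Write-Host "Upload $OutFile as a Secure File, then delete the local copy:"
Write-Host "  Remove-Item '$OutFile' -Force"
```

After the upload, the task's Secure File parameter points at this PFX and Secure File Password at the secret variable holding the password entered above.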