I'm trying to use an Azure Trusted Signing account to sign my files (MSI, DLL, EXE, etc.) but I haven't been able to make it work. What I want is a custom signer that runs my own signing command on every file. My current signing process does not work if I sign externally (after the MSI and EXE build has finished). For example:
Is it possible to do this?
Found the solution. I created a class named MSCustomSigner:
using System;
using WixSharp;
namespace MyNameSpace;
internal class MSCustomSigner : DigitalSignature
{
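public override int Apply(string fileToSign)
{
    // Hands the file to the external Sign-File.ps1 script and reports the script's exit code
    // back to WixSharp. Throws InvalidOperationException when the script exits non-zero or
    // does not finish within the timeout.
    Console.WriteLine("Signing: " + fileToSign);

    using (var process = new System.Diagnostics.Process())
    {
        process.StartInfo.FileName = "powershell.exe";
        // The target path is quoted; Windows file names cannot contain '"', so no further escaping
        // is needed for it. -ExecutionPolicy Bypass only affects this PowerShell process.
        // NOTE(review): "../../scripts" is resolved against the build's working directory, not the
        // assembly location, so this only works when the build is started from the expected folder.
        process.StartInfo.Arguments = $"-ExecutionPolicy Bypass -File ../../scripts/Sign-File.ps1 -Target \"{fileToSign}\"";
        process.StartInfo.UseShellExecute = false;
        process.StartInfo.RedirectStandardOutput = true;
        process.StartInfo.RedirectStandardError = true;
        process.StartInfo.CreateNoWindow = true;
        process.OutputDataReceived += (sender, args) => { if (args.Data != null) Console.WriteLine(args.Data); };
        process.ErrorDataReceived += (sender, args) => { if (args.Data != null) Console.WriteLine(args.Data); };

        process.Start();
        // Both redirected streams must be drained: a script that writes more than the pipe buffer
        // would otherwise block on a full pipe and WaitForExit would never return. The event
        // handlers above only fire once these two calls are made.
        process.BeginOutputReadLine();
        process.BeginErrorReadLine();

        if (!process.WaitForExit(30000))
        {
            // ExitCode cannot be read from a still-running process; stop it and report the timeout
            // instead of letting the build hang on an orphaned signer.
            try { process.Kill(); }
            catch (InvalidOperationException) { /* exited between the check and the kill */ }
            catch (System.ComponentModel.Win32Exception) { /* could not be terminated; nothing more to do */ }
            throw new InvalidOperationException($"Signing timed out after 30000 ms for {fileToSign}");
        }
        // An untimed WaitForExit after a timed one flushes the asynchronous output handlers.
        process.WaitForExit();

        Console.WriteLine($"Signing completed with exit code: {process.ExitCode}");
        if (process.ExitCode != 0) throw new InvalidOperationException($"Signing failed for {fileToSign}");

        // The script signals success with exit 0 and failure with exit 1 (see Sign-File.ps1), and
        // non-zero has already thrown, so the value returned here is 0. Returning the exit code
        // matches the later revision of this class, which also returns process.ExitCode rather
        // than a fixed 1.
        return process.ExitCode;
    }
}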
} I have passed the class to the project and bootstrapper.
var bootstrapper = new Bundle(PackageHelper.DisplayName)
{
DigitalSignature = new MSCustomSigner()
};
// ... my other codes
var project = new ManagedProject(productName)
{
SignAllFiles = true,
DigitalSignature = new MSCustomSigner()
}; |
I also want to share how I sign files with Azure Trusted Signing (which many people have asked about in different repos, including this one). I'm using the PowerShell module TrustedSigning (https://www.powershellgallery.com/packages/TrustedSigning). My C# class for invoking the PowerShell scripts Sign-File.ps1 and Sign-Engine.ps1 (MSCustomSigner.cs) is included below:
using System;
using WixSharp;
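internal class MSCustomSigner : DigitalSignature
{
    /// <summary>
    /// When true, runs Sign-Engine.ps1 (detach / sign / reattach the Burn engine) instead of
    /// Sign-File.ps1. Set this on the signer given to the bootstrapper Bundle.
    /// </summary>
    public bool IsEngine { get; set; }

    /// <summary>
    /// Maximum time to wait for the signing script. Trusted Signing calls go over the network
    /// and a cold agent may also Install-Module first, so 30 s can be tight on CI; raise it if needed.
    /// </summary>
    public int TimeoutMs { get; set; } = 30000;

    /// <summary>
    /// Signs <paramref name="fileToSign"/> by invoking the PowerShell signing script with pwsh.
    /// </summary>
    /// <param name="fileToSign">Path of the file WixSharp wants signed.</param>
    /// <returns>The script's exit code (0 on success). A DEBUG build skips signing and returns 0.</returns>
    /// <exception cref="InvalidOperationException">
    /// The script exited non-zero or did not exit within <see cref="TimeoutMs"/>.
    /// </exception>
    public override int Apply(string fileToSign)
    {
#if DEBUG
        // Development builds are not signed; say so instead of silently reporting success.
        Console.WriteLine("Skipping signing (DEBUG build): " + fileToSign);
        return 0;
#else
        var signerPowershellFile = IsEngine ? "Sign-Engine.ps1" : "Sign-File.ps1";
        Console.WriteLine("Signing" + (IsEngine ? "[Engine]" : string.Empty) + " : " + fileToSign);

        using (var process = new System.Diagnostics.Process())
        {
            process.StartInfo.FileName = "pwsh";
            // The target path is quoted; Windows file names cannot contain '"', so no further
            // escaping is needed for it. -ExecutionPolicy Bypass only affects this pwsh process.
            // NOTE(review): "../../scripts" is resolved against the build's working directory,
            // not the assembly location, so this only works when the build starts from the expected folder.
            process.StartInfo.Arguments = $"-ExecutionPolicy Bypass -File \"../../scripts/{signerPowershellFile}\" -Target \"{fileToSign}\"";
            process.StartInfo.UseShellExecute = false;
            process.StartInfo.RedirectStandardOutput = true;
            process.StartInfo.RedirectStandardError = true;
            process.StartInfo.CreateNoWindow = true;
            process.OutputDataReceived += (sender, args) => { if (args.Data != null) Console.WriteLine(args.Data); };
            process.ErrorDataReceived += (sender, args) => { if (args.Data != null) Console.WriteLine(args.Data); };

            process.Start();
            // Drain both redirected pipes asynchronously; a chatty script would otherwise block
            // on a full pipe that nobody reads.
            process.BeginOutputReadLine();
            process.BeginErrorReadLine();

            if (!process.WaitForExit(TimeoutMs))
            {
                // ExitCode cannot be read from a still-running process; stop it and report the
                // timeout instead of leaving an orphaned signer behind.
                try { process.Kill(); }
                catch (InvalidOperationException) { /* exited between the check and the kill */ }
                catch (System.ComponentModel.Win32Exception) { /* could not be terminated; nothing more to do */ }
                throw new InvalidOperationException($"Signing timed out after {TimeoutMs} ms for {fileToSign}");
            }
            // An untimed WaitForExit after a timed one flushes the asynchronous output handlers.
            process.WaitForExit();

            if (process.ExitCode != 0) throw new InvalidOperationException($"Signing failed for {fileToSign}");
            Console.WriteLine($"Signed: {fileToSign}");
            return process.ExitCode;
        }
#endif
    }
}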
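param(
    [string]$Target = $(throw "Please provide a path to sign")
)

# Sign-File.ps1 — signs a single file with Azure Trusted Signing.
# Exit code contract (the C# MSCustomSigner relies on it): 0 = signed or already signed, 1 = failure.

# Fail the script (and therefore the build) on any error. Without this a failed
# Invoke-TrustedSigning is only printed and the script still reaches "exit 0".
$ErrorActionPreference = 'Stop'

# Check existence BEFORE resolving: Resolve-Path itself throws on a missing path,
# so with the original order the "File not found" branch was unreachable.
if (-not (Test-Path -LiteralPath $Target)) {
    Write-Host "File not found: $Target"
    exit 1
}
# Get the exact path from a relative one
$Target = (Resolve-Path -LiteralPath $Target).ProviderPath

# Skip files that already carry a valid Authenticode signature.
# NOTE(review): "Valid" means signed by *any* publisher trusted on this machine, not
# necessarily by our Trusted Signing certificate. That is fine for skipping vendored
# third-party binaries; if everything must be signed by us, compare
# .SignerCertificate against the expected certificate here instead.
if ((Get-AuthenticodeSignature -FilePath $Target).Status -eq "Valid") {
    Write-Host "File is already signed: $Target"
    exit 0
}

# Make sure the TrustedSigning module is available; install it if it is not.
# Supply-chain note: this pulls unpinned code from the PowerShell Gallery onto the
# signing agent with -Force (no prompts). Prefer pre-installing the module in the build
# image, or at least pin -RequiredVersion to a reviewed release.
if (-not (Get-Module -Name TrustedSigning -ListAvailable)) {
    Write-Host "TrustedSigning Module is not installed. Installing..."
    # Install-Module -Scope accepts CurrentUser or AllUsers; 'Local' is rejected.
    Install-Module -Name TrustedSigning -Scope CurrentUser -Force
}

# Signing parameters. The RFC 3161 timestamp token is signed by the TSA, so the plain-http
# Microsoft timestamp endpoint is acceptable here.
$signingParams = @{
    Endpoint               = 'https://weu.codesigning.azure.net'
    CertificateProfileName = 'Signing-Certificate'
    CodeSigningAccountName = 'Your-Code-Signing-Account-Name-from-Azure-Portal'
    FileDigest             = 'SHA256'
    TimestampRfc3161       = 'http://timestamp.acs.microsoft.com'
    TimestampDigest        = 'SHA256'
}

Write-Host "Signing $Target"
Invoke-TrustedSigning @signingParams -Files $Target

# Confirm the signature actually landed before reporting success to the caller.
$signature = Get-AuthenticodeSignature -FilePath $Target
if ($signature.Status -ne "Valid") {
    Write-Host "Signature check failed for $Target ($($signature.Status))"
    exit 1
}
Write-Host "Signed $Target"
exit 0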
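param(
    [string]$Target = $(throw "Please provide a path to sign")
)

# Sign-Engine.ps1 — signs a WiX Burn bundle (bootstrapper EXE): detach the engine,
# sign it, reattach it, then sign the resulting bundle.
# Exit code contract (the C# MSCustomSigner relies on it): 0 = success, 1 = failure.

# Fail the script (and therefore the build) on any PowerShell error. Native commands
# (wix) do not throw, so their $LASTEXITCODE is checked explicitly below.
$ErrorActionPreference = 'Stop'

# Check existence BEFORE resolving: Resolve-Path itself throws on a missing path,
# so with the original order the "File not found" branch was unreachable.
if (-not (Test-Path -LiteralPath $Target)) {
    Write-Host "File not found: $Target"
    exit 1
}
# Get the exact path from a relative one
$Target = (Resolve-Path -LiteralPath $Target).ProviderPath

# Make sure the TrustedSigning module is available; install it if it is not.
# Supply-chain note: this pulls unpinned code from the PowerShell Gallery onto the
# signing agent with -Force (no prompts). Prefer pre-installing the module in the build
# image, or at least pin -RequiredVersion to a reviewed release.
if (-not (Get-Module -Name TrustedSigning -ListAvailable)) {
    Write-Host "TrustedSigning Module is not installed. Installing..."
    # Install-Module -Scope accepts CurrentUser or AllUsers; 'Local' is rejected.
    Install-Module -Name TrustedSigning -Scope CurrentUser -Force
}

# One set of signing parameters so the engine and bundle calls cannot drift apart.
$signingParams = @{
    Endpoint               = 'https://weu.codesigning.azure.net'
    CertificateProfileName = 'Signing-Certificate'
    CodeSigningAccountName = 'Your-Code-Signing-Account-Name-from-Azure-Portal'
    FileDigest             = 'SHA256'
    TimestampRfc3161       = 'http://timestamp.acs.microsoft.com'
    TimestampDigest        = 'SHA256'
}

# Derive the intermediate file names next to the bundle.
$Directory = Split-Path $Target
$FileNameWithoutExtension = [System.IO.Path]::GetFileNameWithoutExtension($Target)
$Engine = Join-Path -Path $Directory -ChildPath "$FileNameWithoutExtension-engine.exe"
$Signed = Join-Path -Path $Directory -ChildPath "$FileNameWithoutExtension-signed.exe"

# 1. Detach the Burn engine from the bundle.
wix burn detach $Target -engine $Engine
if ($LASTEXITCODE -ne 0) {
    Write-Host "wix burn detach failed for $Target (exit code $LASTEXITCODE)"
    exit 1
}

# 2. Sign the bare engine and verify the signature before building on it.
Invoke-TrustedSigning @signingParams -Files $Engine
if ((Get-AuthenticodeSignature -FilePath $Engine).Status -ne "Valid") {
    Write-Host "Signature check failed for engine $Engine"
    exit 1
}

# 3. Reattach the signed engine, producing the new bundle at $Signed.
wix burn reattach $Target -engine $Engine -o $Signed
if ($LASTEXITCODE -ne 0) {
    Write-Host "wix burn reattach failed for $Target (exit code $LASTEXITCODE)"
    exit 1
}

# 4. Sign the reattached bundle and verify.
Invoke-TrustedSigning @signingParams -Files $Signed
if ((Get-AuthenticodeSignature -FilePath $Signed).Status -ne "Valid") {
    Write-Host "Signature check failed for bundle $Signed"
    exit 1
}

# NOTE(review): the signed bundle is written to "<name>-signed.exe"; $Target itself is left
# unsigned and the detached "<name>-engine.exe" stays next to it. Confirm the build picks up
# the -signed file (or copy it over $Target) and that the leftover engine file is not shipped.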
Exit 0
You may wonder why there is a separate signing process for the engine (for bootstrapper/bundle EXE files). Signing the whole bundle EXE in one pass breaks the file and causes cache errors (I don't know why). So we first detach the engine, sign it, reattach it, and then sign the resulting EXE again — this detach/sign/reattach/sign sequence is the standard WiX procedure for signing bundles, and it fixes the process. I won't go into detail about how to create an Azure account and a Trusted Signing account, but you can find the details here: https://learn.microsoft.com/en-us/azure/trusted-signing/how-to-signing-integrations When your account has been approved, you will see the following screen in your portal. Maybe we can create a guide or blog post for it, @oleg-shilo? I don't know.
I also want to share how I sign files with Azure Trusted Signing (which many people have asked about in different repos, including this one).
I'm using a PowerShell module named TrustedSigning, which is here: https://www.powershellgallery.com/packages/TrustedSigning. My C# class for invoking the PowerShell scripts Sign-File.ps1 and Sign-Engine.ps1 is included below: MSCustomSigner.cs