Andreas Ruge | DDi
Posts: 1
Joined: Wed Jun 28, 2023 1:05 pm

Azure Key Vault signing using Client-Secret from Environment

Dear Advanced Installer Support,

Currently, Advanced Installer requires us to store client secrets in readable files, which in my opinion can pose significant security risks, even when the file is deleted immediately after the build.

To address this concern, I kindly request that the development team consider implementing a feature that enables the use of client secrets from the environment, offering a more secure approach, as the environment is only usable in the current process.

Using client-secrets from the environment allows for seamless integration with various deployment pipelines and continuous integration/continuous delivery (CI/CD) workflows. It simplifies the process of managing secrets across different environments and reduces the risk of accidentally exposing sensitive information.

Thank you for your attention and support.

Best regards,
Andreas Ruge
Catalin
Posts: 6608
Joined: Wed Jun 13, 2018 7:49 am

Re: Azure Key Vault signing using Client-Secret from Environment

Hello Andreas,

First of all, please accept my apologies for the delayed reply on this.

Perhaps I'm not understanding your request correctly here, but you can add the files as "Secure files"

How to configure digital signing in Advanced Installer Azure DevOps Task

Isn't this what you would like to achieve?

If not, please give me some more details so I can better understand this.

Best regards,
Catalin
Catalin Gheorghe - Advanced Installer Team
Follow us: Twitter - Facebook - YouTube
bill.me
Posts: 8
Joined: Thu Apr 13, 2023 7:02 pm

Re: Azure Key Vault signing using Client-Secret from Environment

It would be great to have a "Client Secret in environment variable" option for AI desktop. In some cases, we do manual builds using Advanced Installer desktop and an Azure Key Vault certificate to sign. Everything works, but it requires entering the client secret every time.
What if the certificate settings had an additional field: the name of an environment variable holding the client secret?
If it is empty, ask for the secret as now; if not, take the client secret from this variable. This will allow us to not store sensitive values in a project file and in fact increase security, because the user doesn't need to keep the client secret in his notes to copy-paste it on every manual build.
Catalin
Posts: 6608
Joined: Wed Jun 13, 2018 7:49 am

Re: Azure Key Vault signing using Client-Secret from Environment

Hello,

The reason why such an option is not available is security, so that the secret is not saved in plain text.

I will discuss this with our dev team to see whether we can approach this scenario differently and add such an option to Advanced Installer.

Thank you for bringing this to our attention!

Best regards,
Catalin
Catalin Gheorghe - Advanced Installer Team
Follow us: Twitter - Facebook - YouTube
bill.me
Posts: 8
Joined: Thu Apr 13, 2023 7:02 pm

Re: Azure Key Vault signing using Client-Secret from Environment

I understand your point and absolutely agree that the secret shouldn't be stored in a project file.

And my request is to store an environment variable name in the project settings, like the one we have in the CLI tool.
And at the build stage, take the client secret from this variable, or if it is absent or empty, ask in a dialog as now.

Thanks.
Catalin
Posts: 6608
Joined: Wed Jun 13, 2018 7:49 am

Re: Azure Key Vault signing using Client-Secret from Environment

Hello,

Thank you for your follow-up on this!

Please have a look over the following article as I think this is what you're looking for here:

Digital Signature
When using Advanced Installer from command line, you can set the Client secret using the following command: SetAzureKeyVaultSecret

Important: Due to the fact that the Client secret is not stored in the project file, SetAzureKeyVaultSecret command can be used only from a .AIC command file.

For increased security, the Client secret can be stored in an Environment variable using the -secret_is_env_var_name switch. With this switch, the command will interpret the name entered as a parameter as an environment variable.

Best regards,
Catalin
Catalin Gheorghe - Advanced Installer Team
Follow us: Twitter - Facebook - YouTube
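The command-line flow the quoted article describes, as an added PowerShell example that is not code from this thread or from Advanced Installer: the secret exists only in the build process's environment, and the .AIC file on disk carries just the variable name. The `/execute` switch, the `;aic` header line, the `Build` command and the argument order of `SetAzureKeyVaultSecret` are assumptions to verify against the current documentation.

```powershell
# Added example, not code from the thread or from Advanced Installer itself.
# Builds an .aip from the command line with the Azure Key Vault client secret held
# only in this process's environment; the .AIC command file names the variable,
# never the secret. Assumptions: AdvancedInstaller.com is on PATH and accepts
# "/execute <project> <command file>", an .AIC file starts with ";aic", and the
# argument order "SetAzureKeyVaultSecret <name> -secret_is_env_var_name" plus a
# trailing "Build" command match the quoted docs (check for your version).
param(
    [Parameter(Mandatory)] [string] $ProjectPath,
    [string] $SecretVarName = 'AI_KV_CLIENT_SECRET'   # constructed name, not a value
)

$aicPath = Join-Path $env:TEMP 'sign-build.aic'
try {
    # Prefer a value the CI agent already injected as a pipeline secret variable.
    # Only if absent, prompt once, masked; the value is never echoed or logged.
    if (-not [Environment]::GetEnvironmentVariable($SecretVarName, 'Process')) {
        $secure = Read-Host -Prompt 'Azure Key Vault client secret' -AsSecureString
        $plain  = [System.Net.NetworkCredential]::new('', $secure).Password
        [Environment]::SetEnvironmentVariable($SecretVarName, $plain, 'Process')
        $plain = $null   # drop our own copy; the child reads the env var by name
    }

    # The command file contains the variable NAME only, so it is safe on disk.
    @(
        ';aic'
        "SetAzureKeyVaultSecret $SecretVarName -secret_is_env_var_name"
        'Build'
    ) | Set-Content -Path $aicPath -Encoding ASCII

    # The child process inherits this process's environment (and thus the secret).
    & AdvancedInstaller.com /execute $ProjectPath $aicPath
    if ($LASTEXITCODE -ne 0) { throw "Advanced Installer build failed ($LASTEXITCODE)" }
}
finally {
    # Scrub: remove the secret from this process and delete the command file.
    [Environment]::SetEnvironmentVariable($SecretVarName, $null, 'Process')
    Remove-Item -Path $aicPath -ErrorAction SilentlyContinue
}
```

Because the secret is passed by environment rather than on the command line, it does not appear in process-listing or shell-history output of the build host.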