hthomas
Posts: 15
Joined: Tue Sep 08, 2020 12:22 pm

Re: Azure DevOps and Signing

Fri Sep 11, 2020 11:22 am

Hello Catalin,

I tried this locally:

;aic
SetVersion 1.2.3.4
SetAzureKeyVaultSecret -asdf-
Build
There are '-' characters in the secret and it seems they cause the problem. If I remove them, the build starts (but I'll get an invalid secret key error of course). I had the same locally and in Azure Pipelines.

mcseforsale
Posts: 57
Joined: Wed Mar 27, 2013 10:53 pm

Re: Azure DevOps and Signing

Tue Sep 15, 2020 6:24 am

A significant problem of running as prescribed is that our Azure DevOps secret is shown in the DevOps pipeline output. Can you add a command to hide the output of the aipExtraCommands? We're seeing this in our output. We've already had to figure out how to wind our way around getting the DevOps key for signing.

SetAzureKeyVaultSecret ~93yourmama.


If we can hide the output of the aipExtraCommands that would be great! Thanks!

AJ

hthomas
Posts: 15
Joined: Tue Sep 08, 2020 12:22 pm

Re: Azure DevOps and Signing

Tue Sep 15, 2020 12:23 pm

I see *** instead of the secret in the output when I add my SetAzureKeyVaultSecret as a command line argument in the Azure task.

But that problem with the '-' in the secret string... is that a bug in AI? Or does something need to be done differently?

mcseforsale
Posts: 57
Joined: Wed Mar 27, 2013 10:53 pm

Re: Azure DevOps and Signing

Tue Sep 15, 2020 2:48 pm

We are passing the key in as a variable. So our command string is SetAzureKeyVaultSecret %ourvariable%, which is exposing it to the pipeline output.

AJ
hthomas wrote:
Tue Sep 15, 2020 12:23 pm
I see *** instead of the secret in the output when I add my SetAzureKeyVaultSecret as a command line argument in the Azure task.

But that problem with the '-' in the secret string... is that a bug in AI? Or does something need to be done differently?

hthomas
Posts: 15
Joined: Tue Sep 08, 2020 12:22 pm

Re: Azure DevOps and Signing

Wed Sep 16, 2020 2:37 pm

I tried to circumvent the '-' issue by using

SetAzureKeyVaultSecret SecretEnvVarName -secret_is_env_var_name
but so far I only get an error: 'Unable to get Azure Sign token. AADSTS7000216: 'client_assertion', 'client_secret' or 'request' is required for the 'client_credentials' grant type.'

Update: signing locally using the secret_is_env_var_name option worked with the secret containing hyphens. But when I tried to set this up in Azure Pipelines, I always got AADSTS7000216. The environment variable seems to be set fine and works between tasks (prints *** in the output but I assume the value is correct).

Catalin
Posts: 6542
Joined: Wed Jun 13, 2018 7:49 am

Re: Azure DevOps and Signing

Thu Sep 17, 2020 5:51 pm

Hello Thomas, AJ,

@AJ,
We are passing the key in as a variable. So our command string is SetAzureKeyVaultSecret %ourvariable%, which is exposing it to the pipeline output.
Are you guys passing the -secret_is_env_var_name switch? This way, the password should not be shown in the log.

@Thomas,
There are '-' characters in the secret and it seems they cause the problem. If I remove them, the build starts (but I'll get an invalid secret key error of course). I had the same locally and in Azure Pipelines.
Could you please try to change the encoding of your .AIC file to UCS-2 LE BOM and let me know if that works?


Best regards,
Catalin
Catalin Gheorghe - Advanced Installer Team
Follow us: Twitter - Facebook - YouTube

hthomas
Posts: 15
Joined: Tue Sep 08, 2020 12:22 pm

Re: Azure DevOps and Signing

Fri Sep 18, 2020 11:30 am

Hello Catalin, unfortunately not.

SetAzureKeyVaultSecret ENVVAR -secret_is_env_var_name
This works locally but gives AADSTS7000216 in Azure Pipelines.

SetAzureKeyVaultSecret -secret-with-hyphen-
This does not work, either locally or in Azure. In Azure I get an error "A required argument is missing: <azure_key_vault_app_client_secret>.".

Catalin
Posts: 6542
Joined: Wed Jun 13, 2018 7:49 am

Re: Azure DevOps and Signing

Tue Sep 22, 2020 11:51 am

Hello Thomas,

It looks like the dash character already has a meaning in Azure, therefore it might need to be escaped. Could you please try to encapsulate the secret between quotes and let me know if that helps?

SetAzureKeyVaultSecret "-secret-with-hyphen-"
Best regards,
Catalin
Catalin Gheorghe - Advanced Installer Team
Follow us: Twitter - Facebook - YouTube

hthomas
Posts: 15
Joined: Tue Sep 08, 2020 12:22 pm

Re: Azure DevOps and Signing

Tue Sep 22, 2020 2:54 pm

Hello Catalin,
I tried it and unfortunately it doesn't work.
I still get "A required argument is missing: <azure_key_vault_app_client_secret>."
I tried this with AI 17.5.

hthomas
Posts: 15
Joined: Tue Sep 08, 2020 12:22 pm

Re: Azure DevOps and Signing

Thu Sep 24, 2020 3:18 pm

Hi Catalin,
could you confirm if this is a bug in AI or in AI-Azure integration or if we do something wrong? If it is a bug, then do you think we could expect a fix soon?
I'd like to set up our release pipeline in Azure with signing from the Key Vault and this is the only thing which blocks us.

Catalin
Posts: 6542
Joined: Wed Jun 13, 2018 7:49 am

Re: Azure DevOps and Signing

Fri Sep 25, 2020 1:21 pm

Hello Thomas,

I have done some tests together with our developer and it looks like this may indeed be an issue in what regards our command line parser.

I have forwarded this to our development team with maximum priority. Hopefully, a fix will be available soon.

I will keep you updated if we find anything that might prove to be useful for you.

Best regards,
Catalin
Catalin Gheorghe - Advanced Installer Team
Follow us: Twitter - Facebook - YouTube
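The parser problem discussed above, as an added example that is not Advanced Installer's own code: a constructed Python model of the SetAzureKeyVaultSecret command line showing why a naive switch detector rejects a secret that begins with '-', a strict parser that only recognises the known -secret_is_env_var_name switch (so quoted and unquoted hyphenated secrets both survive), and a resolver that logs *** or the variable name instead of the secret. The tokenizer, the switch set and the empty-variable check are assumptions, not the product's behaviour.

```python
import re

# Constructed model of "SetAzureKeyVaultSecret <value> [-secret_is_env_var_name]".
# This is NOT Advanced Installer's parser; it only reproduces the failure mode
# from the thread and shows a parser that does not have it.
KNOWN_SWITCHES = {"-secret_is_env_var_name"}
MISSING_ARG = "A required argument is missing: <azure_key_vault_app_client_secret>."


def tokenize(line: str) -> list:
    """Split on whitespace, keeping a double-quoted token as one value (quotes stripped)."""
    return [quoted if quoted else bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', line)]


def parse_naive(line: str) -> dict:
    """Failure mode seen in the thread: every token beginning with '-' is taken
    to be a switch, so a secret like '-secret-with-hyphen-' is never the argument."""
    cmd, *args = tokenize(line)
    switches = [a for a in args if a.startswith("-")]
    values = [a for a in args if not a.startswith("-")]
    if not values:
        raise ValueError(MISSING_ARG)
    return {"command": cmd, "value": values[0], "switches": switches}


def parse_strict(line: str) -> dict:
    """Only an exact match against KNOWN_SWITCHES is a switch; any other token,
    hyphens or not, is the positional secret argument (exactly one is required)."""
    cmd, *args = tokenize(line)
    switches = [a for a in args if a in KNOWN_SWITCHES]
    values = [a for a in args if a not in KNOWN_SWITCHES]
    if len(values) != 1:
        raise ValueError(MISSING_ARG)
    return {"command": cmd, "value": values[0], "switches": switches}


def resolve_secret(line: str, env: dict) -> tuple:
    """Return (secret, loggable_line). With -secret_is_env_var_name the value names
    an environment variable (env is passed in so the function is testable); the
    loggable line never contains the secret, only '***' or the variable name."""
    parsed = parse_strict(line)
    if "-secret_is_env_var_name" in parsed["switches"]:
        name = parsed["value"]
        if not env.get(name):  # unset or empty variable: fail here, not at the token endpoint
            raise KeyError(f"environment variable {name} is not set or is empty")
        secret, shown = env[name], f"${name}"
    else:
        secret, shown = parsed["value"], "***"
    return secret, f"{parsed['command']} {shown}"
```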

hthomas
Posts: 15
Joined: Tue Sep 08, 2020 12:22 pm

Re: Azure DevOps and Signing

Fri Sep 25, 2020 2:05 pm

Hello Catalin, thank you for the update!

Catalin
Posts: 6542
Joined: Wed Jun 13, 2018 7:49 am

Re: Azure DevOps and Signing

Tue Sep 29, 2020 3:23 pm

You are always welcome, Thomas!

Best regards,
Catalin
Catalin Gheorghe - Advanced Installer Team
Follow us: Twitter - Facebook - YouTube

hve
Posts: 10
Joined: Tue Aug 04, 2020 4:35 pm

Re: Azure DevOps and Signing

Mon Oct 26, 2020 5:25 pm

Hi Catalin,

I've looked into the way you've implemented support for the Azure key vault Certificate signing.
It works great on my PC. :)

Is it correct that to use this feature in an Azure pipeline you need to:
  • a) create a customized .aic file
  as well as:
  • b) configure a special build command step
I think that it would be much easier to understand - and configure - if we had an option to specify a password environment variable name inside the Software Publisher Certificate Azure Key Vault section.

Then the signing process could use this value (if set) instead of prompting the user.

Or - alternatively - support a predefined environment variable - such as ADVANCED_INSTALLER_AZURE_KEY_VAULT_CERTIFICATE_PASSWORD

Please let me know what you think of that idea.
And if a fix to the bug in the current implementation is on its way?

TIA.

hthomas
Posts: 15
Joined: Tue Sep 08, 2020 12:22 pm

Re: Azure DevOps and Signing

Mon Oct 26, 2020 5:59 pm

Hello,

You can use the Build Advanced Installer package task in Azure; you don't have to create an aic file manually. The task also has a command line arguments section where you can set the SetAzureKeyVaultSecret command:

SetAzureKeyVaultSecret SecretEnvVarName -secret_is_env_var_name
or

SetAzureKeyVaultSecret SecretValue
In the second case SecretValue should probably be a variable in Azure and its value is set via an Azure Key Vault task. That way the secret is not exposed.

Also, I see the hyphen issue has been fixed in the latest release. Cool!
