mcseforsale
Posts: 45
Joined: Wed Mar 27, 2013 10:53 pm

Azure DevOps and Signing

Thu Sep 19, 2019 7:51 pm

We are trying to sign our installation using a certificate that's in a keyvault, instead of using a certificate that's checked in with the repo. We've not had any luck passing the cert as a variable to the compiler at the command line. Is there a way to do this short of having a licence key checked into a repo, or having to build out a VM to compile the installers?

jjardina
Posts: 10
Joined: Wed Mar 13, 2019 5:35 pm

Re: Azure DevOps and Signing

Thu Sep 19, 2019 10:44 pm

I am working with OP on this issue.

It appears that /SetDigitalCertificateFile switch is not supported with the Azure Advanced Installer extension. I attached a list of valid AI switches that we received in the logfile for our Azure pipeline job. We have a security need to keep our certificate out of the repository. We keep our certificate in Azure Key Vault, which is accessed during build step to pull the cert from the vault and add it into a build variable.

However, it appears there is no way to shove the build variable into the aip build step. This is very strange since running advancedinstaller.com on a non-cloud build machines allows you to use the /SetDigitalCertificateFile switch on the command line. https://www.advancedinstaller.com/user- ... section268

What is the recommended way to use advanced installer Azure Plugin with digital certificates that are kept in Azure Key Vault?
Attachments
ai_switches.txt
(1.82 KiB) Downloaded 394 times

Catalin
Posts: 4423
Joined: Wed Jun 13, 2018 7:49 am

Re: Azure DevOps and Signing

Wed Sep 25, 2019 8:42 am

Hello guys,

Indeed, you are right, we do not currently support the /SetDigitalCertificateFile for our Azure Extension.

However, we already have the integration of Advanced Installer with Azure Key Vault on our TODO list. Hopefully, this will be added in a future version of Advanced Installer as I have now increased its priority.

As for this moment, in what regards your question, I am afraid I'm not aware of any way to use the Advanced Installer Azure Extension with certificates that are stored in Azure Key Vault.

Thank you for your understanding.

Best regards,
Catalin
Catalin Gheorghe - Advanced Installer Team
Follow us: Twitter - Facebook - YouTube

mcseforsale
Posts: 45
Joined: Wed Mar 27, 2013 10:53 pm

Re: Azure DevOps and Signing

Mon Dec 09, 2019 9:22 pm

Has there been any movement on this issue? We are looking to begin building Azure pipelines containing signed installer building ASAP.

Thanks!
Andy G.

Catalin
Posts: 4423
Joined: Wed Jun 13, 2018 7:49 am

Re: Azure DevOps and Signing

Tue Dec 10, 2019 10:06 am

Hello Andy,

Unfortunately, as for this moment, this has not yet been implemented.

The main reason behind this was the fact that the tool we are using to sign (SignTool.exe) was not compatible with Azure Key Vault.

However, now I have made some research and I could notice some improvements have been made on this matter. I have forwarded it to our development team and hopefully this will be implemented in a future version of Advanced Installer.

Best regards,
Catalin
Catalin Gheorghe - Advanced Installer Team
Follow us: Twitter - Facebook - YouTube

jjardina
Posts: 10
Joined: Wed Mar 13, 2019 5:35 pm

Re: Azure DevOps and Signing

Wed Jan 15, 2020 11:45 pm

Just bumping this to ask if anything has been done about this issue? We are at a critical stage of our pipelining in Azure and do not have a workaround for this issue. Thank you.

Catalin
Posts: 4423
Joined: Wed Jun 13, 2018 7:49 am

Re: Azure DevOps and Signing

Thu Jan 16, 2020 8:28 am

Hello,

Unfortunately, this has not yet been implemented in Advanced Installer.

I have forwarded your feedback to our developer team and hopefully this will be implemented in a future version of Advanced Installer.

I will let you know when this will be implemented by updating this thread.

Best regards,
Catalin
Catalin Gheorghe - Advanced Installer Team
Follow us: Twitter - Facebook - YouTube

jjardina
Posts: 10
Joined: Wed Mar 13, 2019 5:35 pm

Re: Azure DevOps and Signing

Tue Feb 25, 2020 8:08 pm

Just bumping this to ask if anything has been done about this issue? Thank you.

Catalin
Posts: 4423
Joined: Wed Jun 13, 2018 7:49 am

Re: Azure DevOps and Signing

Wed Feb 26, 2020 3:58 pm

Hello,

Unfortunately, this improvement has not yet been implemented.

The developer in charge of this was and is still working on something with a higher priority.

Due to this, I have discussed about this and assigned the improvement to another developer. Hopefully, we will start investigating this subject soon.

I will update this thread with any news I will get.

Best regards,
Catalin
Catalin Gheorghe - Advanced Installer Team
Follow us: Twitter - Facebook - YouTube

mcseforsale
Posts: 45
Joined: Wed Mar 27, 2013 10:53 pm

Re: Azure DevOps and Signing

Fri Apr 10, 2020 7:42 pm

Bump for attention. :D

Catalin
Posts: 4423
Joined: Wed Jun 13, 2018 7:49 am

Re: Azure DevOps and Signing

Mon Apr 13, 2020 1:52 pm

Hello guys,

Unfortunately, this has not yet been implemented in Advanced Installer.

However, I have highlighted your request once again in today's status meeting and we will be starting our investigations & research soon on this matter.

As I am not experienced with Azure Key Vault, I will need your guys' feedback, so we can try to smooth this process as much as possible and also to be sure you guys will get what you need.

So far, from my research, what I found about Azure Key Vault is that it is basically a place where you can store your certificates in the cloud (please correct me if I'm wrong).

If possible, could you please elaborate a bit on the authentication method? How would you like Advanced Installer to be able to authenticate into the key vault?

Also, as you guys may know, we are currently using the signtool.exe tool that comes with the Windows SDK. Unfortunately, this tool does not support signing with a certificate from a key vault.

After further research, I have found out that there actually exists a tool capable of signing a resource using a certificate from a key vault, named AzureSignTool.exe.

One of our main focuses right now is enabling the Device Guard signging.

As I am not very familiar with these, this looks similar to what you guys have requested. If possible, could you please have a look on the above article and let me know if this would help you in any way?

Looking forward to hearing from you!

Best regards,
Catalin
Catalin Gheorghe - Advanced Installer Team
Follow us: Twitter - Facebook - YouTube

rafw86
Posts: 11
Joined: Tue May 19, 2020 9:43 am

Re: Azure DevOps and Signing

Tue May 19, 2020 9:47 am

Hi, any progress in this matter? I would like to build an installer and sign in the files with certificate from Azure KeyVault within my pipelines as well.

Catalin
Posts: 4423
Joined: Wed Jun 13, 2018 7:49 am

Re: Azure DevOps and Signing

Tue May 19, 2020 11:14 am

Hello and welcome to Advanced Installer forums,

This is currently still under our investigation.

I will update this thread as soon as I'll have any news from the development team.

Best regards,
Catalin
Catalin Gheorghe - Advanced Installer Team
Follow us: Twitter - Facebook - YouTube

jjardina
Posts: 10
Joined: Wed Mar 13, 2019 5:35 pm

Re: Azure DevOps and Signing

Thu May 28, 2020 6:48 pm

Catalin wrote:
Mon Apr 13, 2020 1:52 pm
If possible, could you please elaborate a bit on the authentication method? How would you like Advanced Installer to be able to authenticate into the key vault?
@Catalin
You shouldn't worry about AI authenticating against the key vault. We grab the cert using built-in key vault tools in Azure pipelines and assign the certificate to a build variable. What you should be able to do is accept the variable that contains the certificate into AI Azure extension. Similar to how from the command line on legacy build machines we can use "advancedinstaller.com /SetDigitalCertificateFile=" command line option. Except in this case, we would point to the build variable that contains the certificate.

Just adding that option would simplify your Azure extension development, because AI would not worry about querying the key vault, it would just accept a certificate that is stored in a variable.

Hope this clarifies the situation. Our only workaround at this point is to store the certificate in another repo and then pull the cert repo into a dedicated folder in the code repo at build time. Our .aip is configured to look in this folder for the certificate. This work-around is terrible as it makes our pipelines more difficult to maintain and exposes our certificate to people who should not have access to it.

Catalin
Posts: 4423
Joined: Wed Jun 13, 2018 7:49 am

Re: Azure DevOps and Signing

Tue Jun 02, 2020 10:53 am

Hello,

Thank you for your followup on this!

I have forwarded it to the development team.

I will keep you guys updated with the information I receive from the development team.

Best regards,
Catalin
Catalin Gheorghe - Advanced Installer Team
Follow us: Twitter - Facebook - YouTube

Return to “Building Installers”