Daniel
Posts: 8244
Joined: Mon Apr 02, 2012 1:11 pm
Contact: Website

Handling Azure Trusted Signing in non-interactive automated build processes

Hi,

When you want to make use of our Azure Trusted Signing support to sign your setup projects you will notice that there are 2 requirements you need to fulfill:

A. .NET 6.0 Runtime must be installed on the machine where your Advanced Installer setup project is built

B. Your Azure account login that hosts the Trusted Signing certificate has to be cached/saved on the machine where your Advanced Installer setup project is built

The prompt to log in with your Azure account is interactive (the Microsoft login web page is opened in your default web browser). Thus if you are running the setup project build as part of an unattended build (e.g. automated build task running under System account or a build pipeline running in an Azure cloud VM), then the login operation cannot be accomplished.

In this case the solution is to make sure that your Azure account is already logged in and cached on your build server machine.

There are multiple methods to save and cache your Azure account login on the machine where your Advanced Installer setup project is built:

1. you can install Visual Studio and log in with your Azure account credentials in Visual Studio
2. or you can install Azure CLI and log in Azure CLI with your credentials
3. or you can simply open your web browser and log into your Microsoft account using your Azure account credentials

Note: The Azure account login must be saved and cached under the same Windows user account as the one used by your automated build process.

However, any of the above login operations are UI interactive and if the Windows user account under which your automated build process runs doesn't have UI (e.g. System) account, then the solution is to save your Azure account login IDs in per-user environment variables for the related Windows user account.

4. To save and cache your Azure account login IDs in environment variables you can proceed like this:

a. on any machine from your network install Azure CLI

b. login in Azure CLI with your Azure account credentials using az login command
screen1.jpg
screen1.jpg (77.52 KiB) Viewed 1821 times

c. once logged in Azure CLI, create a Service Principal using the following command:

Code: Select all

az ad sp create-for-rbac --name "YOUR_PRINCIPAL_NAME" --role contributor --scopes <YOUR_SUBSCRIPTION_ID> --sdk-auth

To get the string value of <YOUR_SUBSCRIPTION_ID> you should log into your Azure account, select your Trusted Signing Account and click on the "JSON View" hyperlink. Then simply copy the value of "id" property.
screen2.jpg
screen2.jpg (98.65 KiB) Viewed 1821 times
screen3.jpg
screen3.jpg (75.3 KiB) Viewed 1821 times

After the Service Principal is created, you will receive a JSON output with the login private info, you will need the clientId, clientSecret and tenantId.

d. In Microsoft Azure, go to the Code Signing resource and then to Access control (IAM), add a Trusted Signing Certificate Profile Signer role for the newly created Service Principal.
screen4.jpg
screen4.jpg (132.07 KiB) Viewed 1821 times

e. now the last step is to save the login private info (the clientId, clientSecret and tenantId) into per-user environment variables created for the Windows user account under which your automated build process runs on your build server machine

For instance, if your automated build process runs under System account you can proceed like this:

i. open a command prompt window under System account using PSExec tool; to do so run PSexec in an elevated (Run as administrator) command prompt window with the following command

Code: Select all

PSexec -i -s cmd.exe
ii. in the command prompt window opened under System account run "SystemPropertiesAdvanced.exe" command to open the "System Properties" panel
screen5.jpg
screen5.jpg (125.73 KiB) Viewed 1821 times
iii. now create the following per-user environment variables: AZURE_CLIENT_ID, AZURE_CLIENT_SECRET and AZURE_TENANT_ID and populate them with the login private info values (clientId, clientSecret and tenantId)
screen6.jpg
screen6.jpg (80.81 KiB) Viewed 1821 times

This way the Azure Service Principal login private info is saved and cached into per-user environment variables and when using this approach you will no longer be prompted to enter your Azure account credentials during signing operation. This is because Microsoft's Signtool automatically detects and uses them from the per-user environment variables.

Now, the last step to use Trusted Signing feature (with no prompt for Azure log in) into your setup project is just to configure your Trusted Signing certificate info in "Digital Signatures" view in Advanced Installer.
screen7.jpg
screen7.jpg (79.42 KiB) Viewed 1807 times

That was all!

All the best,
Daniel
Daniel Radu - Advanced Installer Team
Follow us: Twitter - Facebook - YouTube

Return to “Sample Projects”