When you want to use our Azure Trusted Signing support to sign your setup projects, you will notice that there are two requirements you need to fulfill:
A. The .NET 6.0 Runtime must be installed on the machine where your Advanced Installer setup project is built
B. Your Azure account login that hosts the Trusted Signing certificate has to be cached/saved on the machine where your Advanced Installer setup project is built
The prompt to log in with your Azure account is interactive (the Microsoft login web page is opened in your default web browser). Thus, if the setup project build runs as part of an unattended build (e.g. an automated build task running under the System account, or a build pipeline running in an Azure cloud VM), the login operation cannot be completed.
In this case the solution is to make sure that your Azure account is already logged in and cached on your build server machine.
There are multiple methods to save and cache your Azure account login on the machine where your Advanced Installer setup project is built:
1. you can install Visual Studio and log in with your Azure account credentials in Visual Studio
2. or you can install Azure CLI and log in to Azure CLI with your credentials
3. or you can simply open your web browser and log into your Microsoft account using your Azure account credentials
Note: The Azure account login must be saved and cached under the same Windows user account as the one used by your automated build process.
However, all of the above login operations are UI-interactive. If the Windows user account under which your automated build process runs has no UI session (e.g. the System account), the solution is to save your Azure account login IDs in per-user environment variables for that Windows user account.
4. To save and cache your Azure account login IDs in environment variables you can proceed like this:
a. on any machine in your network, install Azure CLI
b. log in to Azure CLI with your Azure account credentials using the az login command
c. once logged in to Azure CLI, create a Service Principal using the following command:
az ad sp create-for-rbac --name "YOUR_PRINCIPAL_NAME" --role contributor --scopes <YOUR_SUBSCRIPTION_ID> --sdk-auth
To get the string value of <YOUR_SUBSCRIPTION_ID>, log into your Azure account, select your Trusted Signing Account and click on the "JSON View" hyperlink. Then simply copy the value of the "id" property.
After the Service Principal is created, you will receive a JSON output with the login private info; you will need the clientId, clientSecret and tenantId values.
d. In Microsoft Azure, go to the Code Signing resource and then to Access control (IAM), and add the Trusted Signing Certificate Profile Signer role for the newly created Service Principal.
e. now the last step is to save the login private info (the clientId, clientSecret and tenantId) into per-user environment variables created for the Windows user account under which your automated build process runs on your build server machine
For instance, if your automated build process runs under the System account, you can proceed like this:
i. open a command prompt window under the System account using the PsExec tool; to do so, run PsExec from an elevated (Run as administrator) command prompt window with the following command:
PSexec -i -s cmd.exe
ii. now create the following per-user environment variables: AZURE_CLIENT_ID, AZURE_CLIENT_SECRET and AZURE_TENANT_ID, and populate them with the login private info values (clientId, clientSecret and tenantId)
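As an added example (not part of the original post or of Advanced Installer's own tooling), the following PowerShell script performs steps i and ii in one go: it is meant to be started from the "PSexec -i -s cmd.exe" window (run powershell.exe -ExecutionPolicy Bypass -File there), checks that it really runs as SYSTEM so the variables land in the right profile, reads the JSON that "az ad sp create-for-rbac ... --sdk-auth" printed in step c (assumed to have been saved to C:\temp\sp-auth.json, a path chosen for this example), writes the three per-user variables, and reads them back from the user scope to verify they were persisted. The JSON file contains a live client secret, so the script deletes it at the end.

```powershell
# Added example, not from the original post. Run inside the PSExec -i -s session.
# Assumption: the --sdk-auth JSON output from step c was saved to this path.
$jsonPath = 'C:\temp\sp-auth.json'

# Per-user variables are stored under the profile of the account that writes
# them, so make sure we are the account the build actually runs under.
$who = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
if ($who -ne 'NT AUTHORITY\SYSTEM') {
    throw "Running as '$who', not SYSTEM; the variables would land in the wrong user profile."
}

if (-not (Test-Path -Path $jsonPath)) {
    throw "Service Principal JSON not found at $jsonPath (save the step c output there first)."
}
$sp = Get-Content -Raw -Path $jsonPath | ConvertFrom-Json

# Map the --sdk-auth JSON properties to the variable names named in the post.
$vars = [ordered]@{
    AZURE_CLIENT_ID     = $sp.clientId
    AZURE_CLIENT_SECRET = $sp.clientSecret
    AZURE_TENANT_ID     = $sp.tenantId
}

foreach ($name in $vars.Keys) {
    if ([string]::IsNullOrWhiteSpace($vars[$name])) {
        throw "Property for $name is missing from $jsonPath."
    }
    # 'User' scope writes HKCU\Environment of the current account; under
    # PSExec -s that is the SYSTEM profile, which is what the post needs.
    [Environment]::SetEnvironmentVariable($name, $vars[$name], 'User')
}

# SetEnvironmentVariable with 'User' scope does not update the current process,
# so verify by reading the persisted user-scope value rather than $env:NAME.
foreach ($name in $vars.Keys) {
    $stored = [Environment]::GetEnvironmentVariable($name, 'User')
    if ($stored -ne $vars[$name]) {
        throw "$name was not persisted to the user environment."
    }
    Write-Output "$name persisted for $who (value not shown)."
}

# The secret now lives only in the SYSTEM user environment; remove the plaintext copy.
Remove-Item -Path $jsonPath -Force
```

The values are deliberately never echoed; the clientSecret is a credential that authorizes signing with your certificate profile, so keep the JSON file and the build machine's SYSTEM profile as tightly controlled as the certificate itself. New processes started under the System account after this point (including your unattended build) will see the three variables.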
This way the Azure Service Principal login private info is saved and cached in per-user environment variables, and when using this approach you will no longer be prompted to enter your Azure account credentials during the signing operation. This is because Microsoft's SignTool automatically detects and uses them from the per-user environment variables.
Now, the last step to use the Trusted Signing feature (with no prompt for Azure login) in your setup project is simply to configure your Trusted Signing certificate info in the "Digital Signatures" view in Advanced Installer.
That was all!
All the best,
Daniel