How to sign your package with Azure Trusted Signing while building a package with GitHub Actions?

This article will guide you step by step on how to use the Trusted Signing option to sign your package built with GitHub Actions.

Advanced Installer project and GitHub Actions

Advanced Installer offers support for automating MSI Build using GitHub Actions. A comprehensive guide on how to implement this can be found in this article: How to automate the MSI building using GitHub Actions.

Implementing Trusted Signing for your Advanced Installer project built with GitHub Actions

To run the Advanced Installer GitHub Action with Azure Trusted Signing, follow these steps:

1. Enroll in Azure Trusted Signing.

2. Install the Azure CLI from here.

3. Log in to the Azure CLI with your credentials using the az login command.

(Screenshot: Azure CLI login)

4. Once logged in to the Azure CLI, create a Service Principal using the following command:

az ad sp create-for-rbac --name "YOUR_PRINCIPAL_NAME" --role contributor --scopes /subscriptions/YOUR_SUBSCRIPTION_ID --sdk-auth

(Screenshot: Create service principal)

After the principal is created, you will receive a JSON output with the Service Principal's private information. From it you will need the clientId, clientSecret and tenantId.

Caution! Make sure to store the clientId, clientSecret and tenantId somewhere safe; you will not be able to retrieve them again!

5. In Microsoft Azure, go to the Code Signing resource, then to Access control (IAM), and assign the Trusted Signing Certificate Profile Signer role to the newly created Service Principal.

6. The next step is to go to your project's Settings page on GitHub.com and create secrets for the clientId, clientSecret and tenantId. You can name them, for example, SECRETS_TENANTID, SECRETS_CLIENTID and SECRETS_CLIENTSECRET.

(Screenshot: Configure GitHub secrets)

7. Edit your GitHub project's build.yaml file to set the AZURE_TENANT_ID, AZURE_CLIENT_ID and AZURE_CLIENT_SECRET environment variables from those secrets. With the secret names chosen above, the workflow needs:

  env:
    AZURE_TENANT_ID: ${{ secrets.SECRETS_TENANTID }}
    AZURE_CLIENT_ID: ${{ secrets.SECRETS_CLIENTID }}
    AZURE_CLIENT_SECRET: ${{ secrets.SECRETS_CLIENTSECRET }}
  ...
      # The Trusted Signing client used by Advanced Installer requires the .NET SDK
      - name: Setup .NET Core SDK
        uses: actions/setup-dotnet@v3
        with:
          dotnet-version: '8.0'
  ...
      # Build the package; the action reads the AZURE_* variables from the job environment
      - uses: caphyon/advinst-github-action@v2.0
        with:
          advinst-license: ${{ secrets.ADVINST_LICENSE_KEY }}
          aip-path: Sample\Installer\Msix\SampleProject.aip
          aip-build-name: Build_MSIX
          aip-commands: |
            SetVersion ${{ needs.version.outputs.version }}


8. The last step is to open your Advanced Installer project, go to the Digital Signature page, enable digital signing using Azure Trusted Signing, and populate End Point, Account Name and Certificate Name with the corresponding values.
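The two places where this procedure most often goes wrong are step 4 (copying the wrong fields out of the Service Principal JSON) and step 7 (pasting a credential value into the workflow instead of a secrets reference, or referencing a secret name that was never created). The following script is an added example, not code from the article or from Advanced Installer: it extracts the three required values from the JSON that az ad sp create-for-rbac --sdk-auth prints and lints the AZURE_* env lines of a workflow file against the set of secrets configured in the repository. It assumes the secret names suggested in step 6; the JSON and workflow snippets embedded in it are constructed samples with placeholder values, not real credentials.

```python
import json
import re

# Keys in the JSON printed by `az ad sp create-for-rbac --sdk-auth` (step 4),
# mapped to the GitHub secret each one is stored as (step 6). The secret names
# are the article's suggestion; any other naming works the same way.
SP_KEY_TO_SECRET = {
    "tenantId": "SECRETS_TENANTID",
    "clientId": "SECRETS_CLIENTID",
    "clientSecret": "SECRETS_CLIENTSECRET",
}

# Workflow env variables the action reads (step 7), mapped to the secret
# that is expected to feed each one.
ENV_TO_SECRET = {
    "AZURE_TENANT_ID": "SECRETS_TENANTID",
    "AZURE_CLIENT_ID": "SECRETS_CLIENTID",
    "AZURE_CLIENT_SECRET": "SECRETS_CLIENTSECRET",
}

SECRET_REF = re.compile(r"^\$\{\{\s*secrets\.([A-Za-z0-9_]+)\s*\}\}$")
ENV_LINE = re.compile(r"^\s*(AZURE_[A-Z_]+):\s*(.+?)\s*$")


def extract_sp_credentials(sdk_auth_json: str) -> dict:
    """Pick the three values step 4 says to keep from the --sdk-auth output.

    Returns {secret_name: value}. A missing key raises KeyError, so a
    truncated or unrelated JSON blob is caught before anything is stored.
    """
    data = json.loads(sdk_auth_json)
    return {secret: data[key] for key, secret in SP_KEY_TO_SECRET.items()}


def check_workflow_env(workflow_yaml: str, configured_secrets: set) -> list:
    """Lint the AZURE_* env lines of a workflow file.

    Returns a list of findings; an empty list means every AZURE_* value is a
    ${{ secrets.NAME }} expression, NAME exists in the repository, and it is
    the secret the variable is meant to carry.
    """
    findings = []
    seen = set()
    for line in workflow_yaml.splitlines():
        m = ENV_LINE.match(line)
        if not m:
            continue
        var, value = m.group(1), m.group(2)
        seen.add(var)
        ref = SECRET_REF.match(value)
        if not ref:
            # A literal here would commit the credential to git history.
            findings.append(f"{var}: value is not a secrets expression")
            continue
        name = ref.group(1)
        if name not in configured_secrets:
            findings.append(f"{var}: secret {name} is not configured in the repository")
        elif ENV_TO_SECRET.get(var) not in (None, name):
            findings.append(f"{var}: expected secrets.{ENV_TO_SECRET[var]}, found secrets.{name}")
    for var in ENV_TO_SECRET:
        if var not in seen:
            findings.append(f"{var}: not set in the workflow env block")
    return findings


# Constructed sample of the --sdk-auth output; placeholder values, not real credentials.
SAMPLE_SDK_AUTH = json.dumps({
    "clientId": "00000000-0000-0000-0000-000000000001",
    "clientSecret": "PLACEHOLDER_CLIENT_SECRET",
    "subscriptionId": "00000000-0000-0000-0000-0000000000aa",
    "tenantId": "00000000-0000-0000-0000-000000000002",
})

# Constructed env block written the way step 7 describes.
GOOD_WORKFLOW = """\
env:
  AZURE_TENANT_ID: ${{ secrets.SECRETS_TENANTID }}
  AZURE_CLIENT_ID: ${{ secrets.SECRETS_CLIENTID }}
  AZURE_CLIENT_SECRET: ${{ secrets.SECRETS_CLIENTSECRET }}
"""

# Constructed failure case: a secret name that was never created and a
# client secret pasted inline.
BAD_WORKFLOW = """\
env:
  AZURE_TENANT_ID: ${{ secrets.SECRETS_TENANTID }}
  AZURE_CLIENT_ID: ${{ secrets.CLIENT_ID }}
  AZURE_CLIENT_SECRET: PLACEHOLDER_CLIENT_SECRET
"""

if __name__ == "__main__":
    creds = extract_sp_credentials(SAMPLE_SDK_AUTH)
    print("secrets to create:", sorted(creds))
    repo_secrets = set(creds)
    print("good workflow:", check_workflow_env(GOOD_WORKFLOW, repo_secrets))
    print("bad workflow:", check_workflow_env(BAD_WORKFLOW, repo_secrets))
```

Run it locally before committing a workflow change; with the constructed input the good block produces no findings and the bad block reports the unknown secret name and the inline client secret. The line-based matcher deliberately avoids a YAML dependency, so it only inspects keys that start with AZURE_ and ignores the rest of the file.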