如何使用 Azure Key Vault 中的证书/密钥对使用 Azure Pipelines 构建的代码进行签名? [英] How to sign code built using Azure Pipelines using a certificate/key in Azure Key Vault?

问题描述

我们正在从本地构建服务器迁移到 Azure Pipelines.我们生产收缩包装"桌面软件，因此很明显，我们需要在发布之前对所有二进制文件进行签名.我们当前的构建基础架构使用 GlobalSign 的 USB 硬件令牌来完成此操作，但很明显，当我们进行云构建时，这将不起作用 - 遗憾的是，云没有配备 USB 端口:D

We're in the process of moving from on-premise build servers to Azure Pipelines. We produce "shrink-wrap" desktop software so clearly we need to sign all our binaries before releasing. Our current build infrastructure does this using a USB hardware token from GlobalSign, but clearly that isn't going to work when we're doing cloud builds - sadly, clouds are not equipped with USB ports :D

现在，GlobalSign 最近开始广告 Azure Key Vault 作为密钥存储选项，他们非常乐意将其出售给我们，但我不确定我们实际上如何将其与我们的构建管道集成(或者甚至是否可能).

Now, GlobalSign has recently started advertising Azure Key Vault as a key storage option, and they're perfectly happy to sell this to us, but I'm not sure how we'd actually integrate that with our build pipelines (or indeed whether that's even possible).

有人真的做过这个吗?

推荐答案

代码签名

我一直在与 Azure Key Vault 和 Azure Pipelines 进行斗争，以对我们的代码进行签名，并取得了成功.所以这就是我发现的.

Code Signing

I've been battling with Azure Key Vault and Azure Pipelines to get our code signed, and succeeded. So here's what I found out.

至关重要的是，用于代码签名的扩展验证 (EV) 证书与普通"SSL 证书截然不同.标准的可以随心所欲地导出，这意味着您可以将其上传到 Azure Pipelines 并与标准的 Microsoft 签名工具一起使用.

Critically, Extended Validation (EV) certificates used for code signing are very different animals to 'normal' SSL certificates. The standard ones can be exported as much as you like, which means you can upload it to Azure Pipelines and use it with the standard Microsoft Sign Tool.

但是，一旦 EV 证书在 Azure Key Vault 中，它就不会以任何通常的方式出现.您必须使用 以上止痛药

However, once an EV certificate is in Azure Key Vault, it isn't coming out in any usual fashion. You must call it from Pipelines using the excellent Azure Sign Tool as discovered by Anodyne above

将您的证书放入 Key Vault.您可以使用您喜欢的任何证书颁发机构来生成证书，只要他们知道您需要一个 EV 证书，并且重要的是具有硬件安全模块 (HSM) 和 不是 一个带有物理 USB 密钥的.Key Vault 等任何基于云的系统都需要 HSM 版本.

Get your certificate into Key Vault. You can use any certificate authority you like to generate the certificate, as long as they understand that you'll need an EV certificate, and critically one that has a hardware security module (HSM), and not one with a physical USB key. Any cloud based system like Key Vault will need an HSM version.

要获得外部访问此证书的权限，您可以关注此页面 但注意它错过了一步.因此，请先阅读该文档，然后再阅读这些总结步骤，以设置 Key Vault:

To get the permissions to access this certificate externally you can follow this page but beware it misses a step. So read that document first, then these summarised steps, to get the Key Vault set up:

1. 打开 Azure 门户，转到 Azure Active Directory 区域，然后创建一个 App 注册:输入一个容易记住的名称，忽略 Redirect URI，然后保存.
2. 转到您的特定 Key Vault，然后是 Access control (IAM)，然后是 Add role assignment.在 select 输入框中输入您刚刚创建的应用程序的名称.还要选择一个Role，我建议Reader然后保存.
3. 缺失的部分:仍然在 Key Vault 中，单击访问策略菜单项.单击 Add Access Policy 并添加您的应用程序.Certificate Permissions 需要勾选 Get.而 Key Permissions，尽管您在这个保管库中可能根本没有任何钥匙，但需要有 Get 和 Sign.您会认为这两个会在证书权限中...
4. 返回到您刚刚创建的应用程序.选择 Certificates &秘密，然后选择上传证书(一个纯粹用于远程访问 Key Vault 的新证书)或创建一个客户端秘密.如果是后者，请保留密码的副本，您将不会再看到它！
5. 在应用程序的 Overview 部分将是 应用程序(客户端)ID.这和密码或证书将在以后的管道任务中提供给 Azure 签名工具.

1. Open the Azure portal, go to the Azure Active Directory area, and create an App registration: put in a memorable name, ignore the Redirect URI, and save it.
2. Go to your specific Key Vault, then Access control (IAM), then Add role assignment. Type the name of the app you just created into the select input box. Also choose a Role, I suggest Reader and then save.
3. The Missing Part: Still in the Key Vault, click the Access policies menu item. Click Add Access Policy and add your application. The Certificate Permissions need to have the Get ticked. And the Key Permissions, despite the fact that you may not have any keys at all in this vault, need to have Get and Sign. You would have thought these two would be in the certificate perms...
4. Go back to the application you just created. Select the Certificates & secrets, and either choose to upload a certificate (a new one purely for accessing the Key Vault remotely) or create a client secret. If the latter, keep a copy of the password, you won't see it again!
5. In the Overview section of the app will be the Application (client) ID. This, and the password or certificate, is what will be fed to the Azure Sign Tool later on in a Pipelines task.

处理来自 Azure 的实际代码签名需要多个步骤.以下内容适用于 Microsoft 托管代理，但类似问题会影响您拥有的任何私人代理.

Handling the actual code signing from Azure requires a number of steps. The following applies to Microsoft hosted agents, although similar issues will affect any private agents that you have.

1. Azure Sign Tool 需要安装 .NET Core SDK，但版本至少为 2.x，并且由于 最新 .NET Core SDK 是 一直使用，这意味着只要 Windows 的版本足够新，你不需要自己安装它.你可以看到哪个版本的 SDK 随 Windows 代理一起提供.

1. The Azure Sign Tool needs the .NET Core SDK to be installed, but a version that's at least version 2.x, and since the latest .NET Core SDK is always used, this means as long as the version of Windows is current enough, you don't need to install it yourself. And you can see which version of the SDK is shipped with which Windows agent.

Azure Pipelines 中当前的 Hosted 操作系统版本，也称为 Default Hosted，在撰写本文时为 Windows Server 2012 R2.这还不够最新.安装更新的 .NET Core SDK 来解决这个问题会拖延每次构建的时间，尽管安装可以运行，但调用 Azure 签名工具可能不起作用.它似乎只找到旧版本的 SDK，并抛出此错误:无法在 DLL 'mssign32' 中找到名为 'SignerSignEx3' 的入口点.

The current Hosted OS version in Azure Pipelines, also called Default Hosted, is, at the time of writing, Windows Server 2012 R2. Which isn't up to date enough. Installing a newer .NET Core SDK to overcome this is a time drag on every build, and although the installation works, calling the Azure Sign Tool may not work. It seems to be finding only older versions of the SDK, and throws this error: Unable to find an entry point named 'SignerSignEx3' in DLL 'mssign32'.

因此，最简单的方法是更改​​您的构建以使用更高版本的操作系统映像.Windows 2019 就像一个魅力.并且无需安装任何版本的 .NET Core.

So the easiest thing to do is change your build to use a later OS image. Windows 2019 works like a charm. And there is no need to install any version of .NET Core.

然后创建一个命令行任务来安装 Azure 签名工具.您也可以使用 .NET Core CLI 任务，但没有必要.在任务中，输入:

Then create a command line task to install the Azure Sign Tool. You can use a .NET Core CLI task as well, but there is no need. In the task, type this:

set DOTNET_SKIP_FIRST_TIME_EXPERIENCE=true
dotnet tool install --global AzureSignTool --version 2.0.17

自然使用您想要的任何版本.

Naturally using whichever version that you want.

DOTNET_SKIP_FIRST_TIME_EXPERIENCE 环境变量不是绝对必要的，但设置它可以加快速度(见这里的解释).

The DOTNET_SKIP_FIRST_TIME_EXPERIENCE environment variable isn't strictly necessary, but setting it speeds things up quite a bit (see here for an explanation).

最后，创建另一个命令行任务并输入要运行的 Azure 签名工具命令.在 Windows 上，这将类似于以下内容，请注意使用 ^ 而不是 / 作为行继续标记.当然，请参阅此处了解更多参数信息:

Finally, create another command line task and type in the Azure Sign Tool command that you wish to run with. On Windows this would be something like below, note with ^ not / as a line continuation marker. Naturally, see here for more parameter information:

 AzureSignTool.exe sign -du "MY-URL" ^
   -kvu https://MY-VAULT-NAME.vault.azure.net ^
   -kvi CLIENT-ID-BIG-GUID ^
   -kvs CLIENT-PASSWORD ^
   -kvc MY-CERTIFICATE-NAME ^
   -tr http://timestamp.digicert.com ^
   -v ^
   $(System.DefaultWorkingDirectory)/Path/To/My/Setup/Exe

理论上，您应该会成功！签名工具的输出相当不错，通常能指出问题所在.

And in theory, you should have success! The output of the sign tool is rather good, and usually nails where the problem is.

如果需要补发证书，情况就大不一样了.

If you need to re-issue a certificate, the situation is quite different.

1. 在 Azure 中，转到证书并单击它，打开一个页面，显示该证书的版本，包括当前版本和旧版本.

1. In Azure, go to the certificate and click on it, opening a page showing the versions of that certificate, both current and older versions.

点击新版本"按钮，可能接受默认设置(取决于您希望做出的选择)，然后点击创建".

Click the 'New Version' button, probably accepting the defaults (depending on the choices you wish to make) and click 'Create'.

这会将您带回版本页面，并且会出现一个消息框，指出证书 XXXX 的创建当前正在等待".单击此处(或证书操作"按钮)打开证书操作"侧页.在那里，下载 CSR(证书签名请求).

This takes you back to the Versions page, and there will be a message box stating 'The creation of certificate XXXX is currently pending'. Click there (or on the 'Certificate Operation' button) to open the 'Certificate Operation' side page. Once there, download the CSR (certificate signing request).

在 GlobalSign 中，按照他们的说明重新颁发 现有证书.重新发布后，他们将发送一封电子邮件，说明如何下载.

In GlobalSign, follow their instructions to re-issue the existing certificate. Once it has been re-issued, they will send an email describing how to download it.

再次登录GlobalSign，输入临时密码后，打开CSR并复制全文(以-----BEGIN CERTIFICATE REQUEST--开头)) 进入 GlobalSign.提交.

Log into GlobalSign again, and after entering the temporary password, open the CSR and copy the whole text (which starts with -----BEGIN CERTIFICATE REQUEST-----) into GlobalSign. Submit it.

使用安装我的证书"按钮下载.然后在 Azure 的证书操作"侧页面中 - 使用合并签名请求"按钮将 .CER 文件上传到 Azure.这将创建证书的新版本.

Download using the 'Install My Certificate' button. Then in the Azure 'Certificate Operation' side page - use the 'Merge Signed Request' button that to upload the .CER file to Azure. This creates the new version of the certificate.

禁用旧版本的证书.

这篇关于如何使用 Azure Key Vault 中的证书/密钥对使用 Azure Pipelines 构建的代码进行签名?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！