如何从 powershell 使用在构建管道上使用的 *.pfx 证书和下载安全文件任务 [英] How to use from a powershell a *.pfx certificate used on build pipeline with the download secure file task

问题描述

我遇到了这个问题:我需要从构建管道上使用的 powershell 脚本连接到 azure 订阅，但出于安全要求，我无法在代码上写入用户和密码，因此我有一个带有凭据的 pfx 证书.现在我正在使用名为下载安全文件的任务，将证书放在构建中.然后我试图从 powershell 代码访问证书.

我已经在我的机器上测试了代码，但是当我尝试在构建管道上使用它时，我无法使用此访问证书

我遇到了这样的错误

正在登录...D:a1sScriptsfileName.ps1:脚本不起作用:术语cert.secureFilePath"不被识别作为 cmdlet、函数、脚本文件或可运行程序的名称.检查名称的拼写，或者路径是否为包括，请验证路径是否正确，然后重试.

$tenantId = "xxxxxxxxxxx"$appId = "zzzzz"$cert = %DOWNLOADSECUREFILE_SECUREFILEPATH%$certThumbprint = $cert.Thumbprint写主机登录...";登录-AzureRmAccount `-ServicePrincipal`-TenantId $tenantId `-ApplicationId $appId `-CertificateThumbprint $certThumbprint

<块引用>

您访问链接变量组中变量的值的方式与您在管道本身中定义的变量完全相同.例如，要访问链接到管道的变量组中名为 customer 的变量的值，请在任务参数或脚本中使用 $(customer).但是，不能在脚本中直接访问秘密变量(加密变量和密钥库变量) - 而是必须将它们作为参数传递给任务

如果我在库中添加一个名为 sSecStrPassword 的变量.然后代码可以更改如下:

function GetThumbprintPFX {param([string] $CertificatePath, [string]$Password)$certificateObject = 新对象 System.Security.Cryptography.X509Certificates.X509Certificate2$certificateObject.Import($CertificatePath, $Password, [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet)$thumbprint = $certificateObject.Thumbprint返回 $thumbprint}$thumbprint = GetThumbprintPFX -CertificatePath $env:DOWNLOADSECUREFILE_SECUREFILEPATH -Password '$(sSecStrPassword)'写主机$thumbprint"

测试结果:

有关变量组的更多信息，请参阅此

3. 创建一个变量组并添加一个名为sSecStrPassword
的变量

4. 将变量链接到构建

5. 添加 powershell 脚本任务并在其中添加以下脚本.

# 在此处编写您的 powershell 命令.写主机 $env:DOWNLOADSECUREFILE_SECUREFILEPATH函数 GetThumbprintPFX {param([string] $CertificatePath, [string]$Password)$certificateObject = 新对象 System.Security.Cryptography.X509Certificates.X509Certificate2$certificateObject.Import($CertificatePath, $Password, [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet)$thumbprint = $certificateObject.Thumbprint返回 $thumbprint}$thumbprint = GetThumbprintPFX -CertificatePath $env:DOWNLOADSECUREFILE_SECUREFILEPATH -Password '$(sSecStrPassword)'写主机$thumbprint"

6. 将构建排入队列并检查结果.

I got this problem: I need to connect to an azure subscrition from a powershell script used on a build pipeline, but for security requirements i can't write user and password on the code, so i have a pfx certificate with the credentials. Right now i'm using the task named dowload secure file, to put the certificate on the build. Then i'm trying to access the certificate from the powershell code.

I already test the code on my machine, but when i'm trying to use it on the build pipeline i cannot access the certificate with this

and i got an error like this

Logging in... D:a1sScriptsfileName.ps1 : The Script does not work :The term 'cert.secureFilePath' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.

$tenantId  = "xxxxxxxxxxx"
$appId = "zzzzz"
$cert = %DOWNLOADSECUREFILE_SECUREFILEPATH% 
$certThumbprint = $cert.Thumbprint

Write-Host "Logging in...";

Login-AzureRmAccount `
-ServicePrincipal `
-TenantId $tenantId `
-ApplicationId $appId `
-CertificateThumbprint $certThumbprint

Tasks used on the build pipeline

解决方案

The full path of the downloaded Secure file is stored to the $env:DOWNLOADSECUREFILE_SECUREFILEPATH environment variable. For more information about Download Secure File task please refer to this document.

We could get the certThumbprint with following code

$CertificatePath = "$env:DOWNLOADSECUREFILE_SECUREFILEPATH"
$sSecStrPassword = "xxxxx"
$certificateObject = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
$certificateObject.Import($CertificatePath, $sSecStrPassword, [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet)
$thumbprint = $certificateObject.Thumbprint 

If we don't want to use to user and password in the code directly. We could use the Azure Pipeline library. And we could reference it in the code.

If you want to encrypt and securely store the value, choose the "lock" icon at the end of the row. When you're finished adding variables, choose Save

You access the value of the variables in a linked variable group in exactly the same way as variables you define within the pipeline itself. For example, to access the value of a variable named customer in a variable group linked to the pipeline, use $(customer) in a task parameter or a script. However, secret variables (encrypted variables and key vault variables) cannot be accessed directly in scripts - instead they must be passed as arguments to a task

If I add a Variable named sSecStrPassword in the library. Then the code could be changed as following:

function GetThumbprintPFX {
 param([string] $CertificatePath, [string]$Password)
 $certificateObject = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
 $certificateObject.Import($CertificatePath, $Password, [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet)
 $thumbprint = $certificateObject.Thumbprint
 return $thumbprint  
}


$thumbprint = GetThumbprintPFX -CertificatePath $env:DOWNLOADSECUREFILE_SECUREFILEPATH -Password '$(sSecStrPassword)'
Write-Host "$thumbprint"

Test Result:

For more information about Variable groups, please refer to this link. And Azure Key Vault is another choice for security requirements.

Update:

The following is the detail steps to use the pfx file in the Azure Devops pipeline.

1. prepare a .pfx file.
2. Add a download secure file task and upload the pfx file.

3. create a variable group and add a variable named sSecStrPassword

4. link the variable to the build

5. Add powershell script task and add the following script in it.

# Write your powershell commands here.

Write-Host $env:DOWNLOADSECUREFILE_SECUREFILEPATH

function GetThumbprintPFX {
 param([string] $CertificatePath, [string]$Password)
 $certificateObject = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
 $certificateObject.Import($CertificatePath, $Password, [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet)
 $thumbprint = $certificateObject.Thumbprint
 return $thumbprint  
}

$thumbprint = GetThumbprintPFX -CertificatePath $env:DOWNLOADSECUREFILE_SECUREFILEPATH -Password '$(sSecStrPassword)'
Write-Host "$thumbprint"

6. queue the build and check the result.

这篇关于如何从 powershell 使用在构建管道上使用的 *.pfx 证书和下载安全文件任务的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！