cd: using AzureSignTool and NuGetSignTool to sign

mee-ironsoftware · mee-ironsoftware · commit 0e6400da05fe · 2025-07-16T17:12:38.000+07:00
diff --git a/CI/azure-pipelines-build.yml b/CI/azure-pipelines-build.yml
@@ -17,6 +17,13 @@ parameters:
     displayName: NuGet-Version
     type: string
     default: '0'
+
+# Required Pipeline Variables for Code Signing:
+# - AZURE_KEY_VAULT_URL: Azure Key Vault URL (e.g., https://your-vault.vault.azure.net/)
+# - AZURE_KEY_VAULT_APPLICATION_ID: Azure AD Application Client ID
+# - AZURE_KEY_VAULT_CLIENT_SECRET: Azure AD Application Client Secret (Pipeline Secret Variable)
+# - AZURE_KEY_VAULT_TENANT_ID: Azure AD Tenant ID
+# - AZURE_KEY_VAULT_CERTIFICATE_NAME: Name of the certificate in Key Vault
 variables:
   - group: IronDrawingVersions
   
@@ -36,6 +43,9 @@ variables:
         value: ${{ parameters.inputNuGetVersion }}-prerelease
       ${{ if eq(parameters.preRelease, false) }}:
         value: ${{ parameters.inputNuGetVersion }}
+
+  - name: TimestampUrl
+    value: http://timestamp.digicert.com
 # Build Trigger
 trigger:
     branches:
diff --git a/CI/job_templates/deploy_drawing_libraries.yml b/CI/job_templates/deploy_drawing_libraries.yml
@@ -7,11 +7,6 @@ jobs:
   - job: DeployDrawingLibraries
     steps:
     - checkout: none
-    - task: DownloadSecureFile@1
-      displayName: Download IronBarCode Code-Signing Cert
-      name: DownloadSigningCert
-      inputs:
-        secureFile: 'ironcert.pfx'
     - task: DownloadPipelineArtifact@2
       inputs:
         buildType: 'current'
@@ -35,14 +30,28 @@ jobs:
         buildProperties: 'version=${{ parameters.NuGetVersion }};IncludeSymbols=true;SymbolPackageFormat=snupkg'
         includeSymbols: true
     # Sign NuGet Packages
-    - task: NuGetCommand@2
-      displayName: Sign IronDrawing NuGet Package
+    - task: DotNetCoreCLI@2
+      displayName: INSTALL NuGetKeyVaultSignTool
       inputs:
-        command: 'custom'
-        arguments: >-
-          sign $(Build.ArtifactStagingDirectory)\IronSoftware.System.Drawing.${{ parameters.NuGetVersion }}.symbols.nupkg
-          -CertificatePath $(Agent.TempDirectory)\ironcert.pfx
-          -Timestamper http://timestamp.digicert.com -NonInteractive -CertificatePassword $(CertificatePassword)
+        command: custom
+        custom: tool
+        arguments: install --global NuGetKeyVaultSignTool
+    - task: PowerShell@2
+      displayName: Sign IronDrawing NuGet Package with NuGetKeyVaultSignTool
+      inputs:
+        targetType: 'inline'
+        script: |
+          NuGetKeyVaultSignTool sign "$(Build.ArtifactStagingDirectory)\IronSoftware.System.Drawing.${{ parameters.NuGetVersion }}.symbols.nupkg" `
+            --azure-key-vault-url "$(AZURE_KEY_VAULT_URL)" `
+            --azure-key-vault-client-id "$(AZURE_KEY_VAULT_APPLICATION_ID)" `
+            --azure-key-vault-client-secret "$(AZURE_KEY_VAULT_CLIENT_SECRET)" `
+            --azure-key-vault-tenant-id "$(AZURE_KEY_VAULT_TENANT_ID)" `
+            --azure-key-vault-certificate "$(AZURE_KEY_VAULT_CERTIFICATE_NAME)" `
+            --timestamp-rfc3161 "$(TimestampUrl)" `
+            --timestamp-digest sha256 `
+            --file-digest sha256 `
+            --verbose 
+            
     - task: NuGetCommand@2
       inputs:
         command: 'push'
diff --git a/CI/step_templates/sign_drawing_libraries_dll.yml b/CI/step_templates/sign_drawing_libraries_dll.yml
@@ -1,17 +1,47 @@
 steps:
-- task: CmdLine@2
+# Install .NET 8 SDK for AzureSignTool
+- task: UseDotNet@2
+  displayName: INSTALL .NET 8 SDK
+  inputs:
+    packageType: sdk
+    version: 8.x
+- task: DotNetCoreCLI@2
+  displayName: INSTALL AzureSignTool
+  inputs:
+    command: custom
+    custom: tool
+    arguments: install --global AzureSignTool
+- task: PowerShell@2
   displayName: 'Sign IronSoftware.Drawing.Common.dll .NET6'
   inputs:
       workingDirectory: 'bin\$(Configuration)\netstandard2.0'
-      script: >-
-        $(Build.SourcesDirectory)\NuGet\signtool.exe sign
-        /v /d IronDrawing /f $(Agent.TempDirectory)/ironcert.pfx /p $(CertificatePassword)
-        /t http://timestamp.digicert.com /fd SHA256 "IronSoftware.Drawing.Common.dll"
-- task: CmdLine@2
+      targetType: 'inline'
+      script: |
+        azuresigntool sign `
+          --azure-key-vault-url "$(AZURE_KEY_VAULT_URL)" `
+          --azure-key-vault-client-id "$(AZURE_KEY_VAULT_APPLICATION_ID)" `
+          --azure-key-vault-client-secret "$(AZURE_KEY_VAULT_CLIENT_SECRET)" `
+          --azure-key-vault-tenant-id "$(AZURE_KEY_VAULT_TENANT_ID)" `
+          --azure-key-vault-certificate "$(AZURE_KEY_VAULT_CERTIFICATE_NAME)" `
+          --timestamp-rfc3161 "$(TimestampUrl)" `
+          --timestamp-digest sha256 `
+          --file-digest sha256 `
+          --verbose `
+          "IronSoftware.Drawing.Common.dll"
+- task: PowerShell@2
   displayName: 'Sign IronSoftware.Drawing.Common.dll .NET6'
   inputs:
       workingDirectory: 'bin\$(Configuration)\net60'
-      script: >-
-        $(Build.SourcesDirectory)\NuGet\signtool.exe sign
-        /v /d IronDrawing /f $(Agent.TempDirectory)/ironcert.pfx /p $(CertificatePassword)
-        /t http://timestamp.digicert.com /fd SHA256 "IronSoftware.Drawing.Common.dll"
+      targetType: 'inline'
+      script: |
+        azuresigntool sign `
+          --azure-key-vault-url "$(AZURE_KEY_VAULT_URL)" `
+          --azure-key-vault-client-id "$(AZURE_KEY_VAULT_APPLICATION_ID)" `
+          --azure-key-vault-client-secret "$(AZURE_KEY_VAULT_CLIENT_SECRET)" `
+          --azure-key-vault-tenant-id "$(AZURE_KEY_VAULT_TENANT_ID)" `
+          --azure-key-vault-certificate "$(AZURE_KEY_VAULT_CERTIFICATE_NAME)" `
+          --timestamp-rfc3161 "$(TimestampUrl)" `
+          --timestamp-digest sha256 `
+          --file-digest sha256 `
+          --verbose `
+          "IronSoftware.Drawing.Common.dll"
