5

I'm working on a pipeline migration from an old manually implemented ci/cd solution to Azure DevOps. There are some prebuilt functions/processes that I'm still reusing.

For example, how they package all of their solution as artifacts.

I'm trying to keep the code changes as minimal as possible.

The build pipeline creates a ClickOnce package .zip.

Then on the release stage, the `myapp.exe.config` in the Application Files gets transformed via XML-Document-Transform. Also the application manifest `<ApplicationName>.application` gets manually edited through PowerShell. The `<deploymentProvider codebase="http://1.1.1.1/samplefolder/myapp.application" />` gets changed on release depending on the environment/path it is going to be deployed to.

Application Manifest

```xml
<asmv1:assembly ...>
<deployment ...>
    <subscription>
      <update>
        <beforeApplicationStartup />
      </update>
    </subscription>
    <deploymentProvider codebase="http://1.1.1.1/samplefolder/myapp.application" />
</deployment>
</asmv1:assembly>
```

Now I understand that this method requires re-signing of the whole package. They have a custom .exe file to re-sign the whole package (it's not mage.exe). Unfortunately, I can't reuse the said executable to re-sign it.

All I have is their Certificate Thumbprint. But I don't know what to do with it.

Questions:

  1. What are my other options to re-sign the package?
  2. Is there a better way to do this? Do I have to make another build step for this solution?
Hexxed
  • I found this 3rd-party extension: [Packaging & Deployment Tools](https://marketplace.visualstudio.com/items?itemName=anthonyguichette-debord.AGD-Tools), which can re-sign and publish a ClickOnce package using the MAGE.EXE application. However, for the custom .exe certification file, I am sorry that I can't find a solution to this. BTW, if you need to interact with the pipeline agent to re-sign the package, you could try to use a [self-hosted agent](https://learn.microsoft.com/en-us/azure/devops/pipelines/agents/agents?view=azure-devops&tabs=browser#install) to build this solution. – Edward Han-MSFT Feb 18 '21 at 07:22
  • It's not freeware but I've used Advanced Installer before to do this sort of task. You can re-sign packages with whatever signature you want. I'm sure there's probably a freeware way of doing this too but as far as repackagers go I'm fairly happy with Advanced Installer. – TheFunk Feb 20 '21 at 14:54

1 Answer

2

I have managed to sign the ClickOnce Appmanifest (`*.application`) and `*.exe.manifest` files on release by using dotnet mage. I've done this by adding the certificate (.pfx or .p12) file in the Secure Files and the certificate password in the pipeline variables.


  1. Use the .NET Core task and specify version 5.x.
  2. Optional step: re-install via `dotnet tool update --global microsoft.dotnet.mage --version 5.0.0`
  3. Run the following in PowerShell:

     ```powershell
     ## Signing the exe.manifest file
     dotnet mage -update "<folder>/Application Files/<assembly folder name>/<assemblyname>.exe.manifest" -fd "<folder>/Application Files/<folder>" -CertFile "$(SignKey.secureFilePath)" -Password "$(SignKeyPassword)"

     ## Signing the .Application file
     dotnet mage -update "<the .Application full path>" -pu "$publisherURL" -pub "$(PublisherDetails)" -appmanifest "Application Files/<assembly folder name>/<assemblyname>.exe.manifest" -CertFile "$(SignKey.secureFilePath)" -Password "$(SignKeyPassword)"
     ```
Hexxed
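As an added example (not part of the answer above and not the original pipeline's code), the release step below re-signs both manifests in dependency order with the `dotnet mage` flags used in the answer, then fails the release unless the deployment manifest carries the requested `deploymentProvider` codebase and both manifests embed the certificate with the expected thumbprint. The parameter names and the `SIGN_KEY_PASSWORD` environment variable (the secret pipeline variable mapped into the step) are assumptions.

```powershell
# Added example. Parameter names and SIGN_KEY_PASSWORD are assumptions, not pipeline built-ins.
param(
    [string]$DeployManifest,     # full path to <ApplicationName>.application
    [string]$AppManifest,        # full path to <assemblyname>.exe.manifest
    [string]$ProviderUrl,        # deploymentProvider codebase for this environment
    [string]$CertFile,           # .pfx/.p12 downloaded from Secure Files
    [string]$ExpectedThumbprint  # thumbprint of the certificate that must sign the release
)
$ErrorActionPreference = 'Stop'

function Invoke-Mage([string[]]$MageArgs) {
    # Sign with the certificate file and fail the release on a non-zero exit code.
    dotnet mage @MageArgs -CertFile $CertFile -Password $env:SIGN_KEY_PASSWORD
    if ($LASTEXITCODE -ne 0) { throw "dotnet mage failed with exit code $LASTEXITCODE" }
}

function Get-EmbeddedThumbprints([string]$Path) {
    # Thumbprints of every X509Certificate element embedded in the manifest signature.
    $xml = New-Object System.Xml.XmlDocument
    $xml.Load($Path)
    foreach ($node in $xml.SelectNodes("//*[local-name()='X509Certificate']")) {
        $raw = [Convert]::FromBase64String($node.InnerText)
        [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($raw).Thumbprint
    }
}

# 1. The config transform changed a file the exe.manifest hashes: refresh hashes, then sign.
Invoke-Mage @('-update', $AppManifest, '-fd', (Split-Path $AppManifest -Parent))
# 2. The deployment manifest references the exe.manifest, so it is updated and signed last.
Invoke-Mage @('-update', $DeployManifest, '-pu', $ProviderUrl, '-appmanifest', $AppManifest)

# 3. Gate: the provider URL must be the one requested for this environment.
$deploy = New-Object System.Xml.XmlDocument
$deploy.Load($DeployManifest)
$provider = $deploy.SelectSingleNode("//*[local-name()='deploymentProvider']")
if (-not $provider -or $provider.GetAttribute('codebase') -ne $ProviderUrl) {
    throw "deploymentProvider codebase is not '$ProviderUrl'"
}

# 4. Gate: both manifests must embed the expected signing certificate.
#    This checks which certificate is embedded; it does not validate the signature itself.
$expected = ($ExpectedThumbprint -replace '\s', '').ToUpperInvariant()
foreach ($manifest in $AppManifest, $DeployManifest) {
    if (@(Get-EmbeddedThumbprints $manifest) -notcontains $expected) {
        throw "$manifest does not embed certificate $expected"
    }
}
```

Reading the password from an environment variable keeps the secret out of the script text; in Azure DevOps a secret variable has to be mapped into the step's environment explicitly before the script can read it.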