Update to latest signing infrastructure

Fixes 7546

Author: robmen

.github/workflows/build.yml

@@ -24,6 +24,9 @@ jobs:
   build:
     name: Build
     runs-on: windows-2022
+    permissions:
+      packages: write
+      id-token: write
     steps:
       - name: Checkout code
         uses: actions/checkout@v3
@@ -34,6 +37,11 @@ jobs:
       #   shell: cmd
       #   run: ./src/vs_config.cmd
 
+      - name: Install sign tool
+        if: (github.ref == 'refs/heads/master')
+        shell: cmd
+        run: dotnet tool install --tool-path build\.tools sign --version 0.9.1-beta.23356.1
+
       - name: Configure automated logging and crash dumps
         shell: cmd
         run: |
@@ -46,13 +54,22 @@ jobs:
           reg add "HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\Windows Error Reporting\LocalDumps" /t REG_DWORD /v DumpCount /d 10 /f
           reg add "HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\Windows Error Reporting\LocalDumps" /t REG_DWORD /v DumpType /d 1
 
+      - name: 'Az CLI login'
+        if: (github.ref == 'refs/heads/master')
+        uses: azure/login@v1
+        with:
+          allow-no-subscriptions: true
+          client-id: ${{ secrets.WIX_SIGNING_CLIENTID }}
+          tenant-id: ${{ secrets.WIX_SIGNING_TENANTID }}
+          subscription-id: ${{ secrets.WIX_SIGNING_SUBSCRIPTIONID }}
+
       - name: Build wix4
         shell: cmd
         run: ./src/build_official.cmd
         env:
           RuntimeTestsEnabled: true
-          SigningUser:  ${{ github.ref == 'refs/heads/master' && secrets.WIX_SIGNING_USER || '' }}
-          SigningSecret:  ${{ github.ref == 'refs/heads/master' && secrets.WIX_SIGNING_SECRET || '' }}
+          SigningVaultUri:  ${{ github.ref == 'refs/heads/master' && secrets.WIX_SIGNING_VAULTURI || '' }}
+          SigningCertName:  ${{ github.ref == 'refs/heads/master' && secrets.WIX_SIGNING_CERTNAME || '' }}
 
       - name: Validate test results
         shell: cmd

src/Directory.Build.targets

@@ -4,9 +4,9 @@
 <Project>
   <PropertyGroup>
     <SigningToolFolder>$(ToolsFolder)</SigningToolFolder>
-    <SigningToolExe>$(SigningToolFolder)\SignClient.exe</SigningToolExe>
-    <SigningFilelist>$(SigningToolFolder)\empty-filelist.txt</SigningFilelist>
-    <SigningConfiguration>$([MSBuild]::GetDirectoryNameOfFileAbove($(MSBuildProjectDirectory), signing.json))\signing.json</SigningConfiguration>
+    <SigningToolExe>$(SigningToolFolder)\sign.exe</SigningToolExe>
+    <SigningFilelist>$(MSBuildThisFileDirectory)signing-empty-file-list.txt</SigningFilelist>
+    <SigningConfiguration>--description "WiX Toolset" --description-url "https://wixtoolset.org/" --timestamp-url "http://timestamp.digicert.com" --file-list "$(SigningFilelist)" --azure-key-vault-managed-identity true --azure-key-vault-url "$(SigningVaultUri)" --azure-key-vault-certificate "$(SigningCertName)"</SigningConfiguration>
   </PropertyGroup>
 
   <PropertyGroup Condition=" '$(IsWixTestSupportProject)'=='true' ">
@@ -113,47 +113,39 @@
     </ItemGroup>
   </Target>
 
-  <Target Name="_GetSignClient"
-          Condition=" !Exists('$(SigningToolExe)') ">
-
-    <WriteLinesToFile File='$(SigningFilelist)' Lines='do-not-sign-files-in-nupkg' Overwrite='true' />
-
-    <Exec Command='dotnet.exe tool install --tool-path "$(SigningToolFolder)" SignClient' IgnoreExitCode='true' />
-  </Target>
-
-  <Target Name="SignOutput" DependsOnTargets="_GetSignClient" AfterTargets="AfterBuild"
-          Condition=" '$(SigningUser)'!='' and '$(SignOutput)'!='false' and 
+  <Target Name="SignOutput" AfterTargets="AfterBuild"
+          Condition=" '$(SigningCertName)'!='' and '$(SignOutput)'!='false' and 
                       ('$(MSBuildProjectExtension)'=='.csproj' or ('$(MSBuildProjectExtension)'=='.vcxproj' and '$(ConfigurationType)'!='StaticLibrary'))">
 
-    <Message Importance="high" Text="Signing file: $(TargetPath) using configuration from: $(SigningConfiguration)" />
+    <Message Importance="high" Text="Signing file: $(TargetPath)" />
 
-    <Exec Command='"$(SigningToolExe)" sign -i $(TargetPath) -c "$(SigningConfiguration)" -n "WiX Toolset" -d "WiX Toolset" -u https://wixtoolset.org/ -r "$(SigningUser)" -s "$(SigningSecret)"'
+    <Exec Command='"$(SigningToolExe)" code azure-key-vault $(TargetPath) $(SigningConfiguration)'
           WorkingDirectory="$(MSBuildProjectDirectory)" EchoOff="true" />
   </Target>
 
-  <Target Name="SignNupkg" DependsOnTargets="_GetSignClient" AfterTargets="Pack;PackNative"
-          Condition=" '$(SigningUser)'!='' and '@(NuGetPackOutput)'!='' and '$(SignNupkg)'!='false' ">
+  <Target Name="SignNupkg" AfterTargets="Pack;PackNative"
+          Condition=" '$(SigningCertName)'!='' and '@(NuGetPackOutput)'!='' and '$(SignNupkg)'!='false' ">
     <ItemGroup>
       <SigningNupkgs Include="@(NuGetPackOutput)" Condition=" '%(Extension)'=='.nupkg' " />
     </ItemGroup>
 
-    <Message Importance="high" Text="Signing nupkg: @(SigningNupkgs->&apos;%(Identity)&apos;) using configuration from: $(SigningConfiguration)" />
+    <Message Importance="high" Text="Signing nupkg: @(SigningNupkgs->&apos;%(Identity)&apos;)" />
 
-    <Exec Command='"$(SigningToolExe)" sign -i "@(SigningNupkgs->&apos;%(Identity)&apos;)" -c "$(SigningConfiguration)" -f "$(SigningFilelist)" -n "WiX Toolset" -d "WiX Toolset" -u https://wixtoolset.org/ -r "$(SigningUser)" -s "$(SigningSecret)"'
+    <Exec Command='"$(SigningToolExe)" code azure-key-vault "@(SigningNupkgs->&apos;%(Identity)&apos;)" $(SigningConfiguration)'
           WorkingDirectory="$(MSBuildProjectDirectory)" EchoOff="true" />
   </Target>
 
-  <Target Name="SignBundleEngine" DependsOnTargets="_GetSignClient" Condition=" '$(SigningUser)'!='' and '$(SignOutput)'!='false' ">
-    <Message Importance="high" Text="Signing bundle engine: @(SignBundleEngine->&apos;%(Identity)&apos;) using configuration from: $(SigningConfiguration)" />
+  <Target Name="SignBundleEngine" Condition=" '$(SigningCertName)'!='' and '$(SignOutput)'!='false' ">
+    <Message Importance="high" Text="Signing bundle engine: @(SignBundleEngine->&apos;%(Identity)&apos;)" />
 
-    <Exec Command='"$(SigningToolExe)" sign -i "@(SignBundleEngine->&apos;%(Identity)&apos;)" -c "$(SigningConfiguration)" -f "$(SigningFilelist)" -n "WiX Toolset" -d "WiX Toolset" -u https://wixtoolset.org/ -r "$(SigningUser)" -s "$(SigningSecret)"'
+    <Exec Command='"$(SigningToolExe)" code azure-key-vault "@(SignBundleEngine->&apos;%(Identity)&apos;)" $(SigningConfiguration)'
           WorkingDirectory="$(MSBuildProjectDirectory)" EchoOff="true" />
   </Target>
 
-  <Target Name="SignBundle" DependsOnTargets="_GetSignClient" Condition=" '$(SigningUser)'!='' and '$(SignOutput)'!='false' ">
-    <Message Importance="high" Text="Signing bundle: @(SignBundle->&apos;%(Identity)&apos;) using configuration from: $(SigningConfiguration)" />
+  <Target Name="SignBundle" Condition=" '$(SigningCertName)'!='' and '$(SignOutput)'!='false' ">
+    <Message Importance="high" Text="Signing bundle: @(SignBundle->&apos;%(Identity)&apos;)" />
 
-    <Exec Command='"$(SigningToolExe)" sign -i "@(SignBundle->&apos;%(Identity)&apos;)" -c "$(SigningConfiguration)" -f "$(SigningFilelist)" -n "WiX Toolset" -d "WiX Toolset" -u https://wixtoolset.org/ -r "$(SigningUser)" -s "$(SigningSecret)"'
+    <Exec Command='"$(SigningToolExe)" code azure-key-vault "@(SignBundle->&apos;%(Identity)&apos;)" $(SigningConfiguration)'
           WorkingDirectory="$(MSBuildProjectDirectory)" EchoOff="true" />
   </Target>
 

src/internal/SetBuildNumber/SetBuildNumber.proj

@@ -22,8 +22,7 @@
       GitThisAssembly;
       SetGlobalJson;
       SetDirectoryPackagesProps;
-      SetOverallWixVersions;
-      InstallSigningClient
+      SetOverallWixVersions
     </SetBuildNumbersDependsOn>
 
     <GlobalJsonPath>$([System.IO.Path]::GetFullPath($(MSBuildThisFileDirectory)..\..\..\global.json))</GlobalJsonPath>
@@ -106,12 +105,6 @@
   </Target>
 
 
-  <Target Name="InstallSigningClient"
-          DependsOnTargets="_GetSignClient"
-          Condition=" '$(SigningUser)'!='' ">
-  </Target>
-
-
   <Target Name="SetBuildNumbers"
           DependsOnTargets="$(SetBuildNumbersDependsOn)"
           BeforeTargets="AfterBuild" />

src/signing-empty-file-list.txt

@@ -0,0 +1 @@
+this-file-prevents-files-from-being-signed-in-nupkgs