use azuresigntool

andrewnester · andrewnester · commit ab1a63362ee5 · 2025-11-12T13:30:30.000+01:00
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -73,72 +73,22 @@ jobs:
             go.sum
             .goreleaser-windows.yaml
 
-      - name: Add signtool to PATH
+      - name: Azure Login and get Key Vault token
         shell: pwsh
         run: |
-          # Find signtool in Windows SDK
-          $signtoolPath = Get-ChildItem -Path "C:\Program Files (x86)\Windows Kits\10\bin" -Recurse -Filter "signtool.exe" -ErrorAction SilentlyContinue |
-            Where-Object { $_.FullName -match "x64" } |
-            Select-Object -First 1 -ExpandProperty DirectoryName
-
-          if ($signtoolPath) {
-            Write-Host "Found signtool at: $signtoolPath"
-            echo "$signtoolPath" | Out-File -FilePath $env:GITHUB_PATH -Encoding utf8 -Append
-          } else {
-            Write-Error "signtool not found"
-            exit 1
-          }
-
-      - name: Install Azure Code Signing tools
-        shell: pwsh
-        run: |
-          # Download and install Azure Code Signing tools
-          Invoke-WebRequest -Uri "https://www.nuget.org/api/v2/package/Microsoft.Trusted.Signing.Client" -OutFile "$env:TEMP\TrustedSigning.zip"
-          Expand-Archive -Path "$env:TEMP\TrustedSigning.zip" -DestinationPath "$env:TEMP\TrustedSigning" -Force
-
-          # Add to PATH so signtool can find the dlib
-          $dllPath = (Get-ChildItem -Path "$env:TEMP\TrustedSigning" -Recurse -Filter "Azure.CodeSigning.Dlib.dll" | Select-Object -First 1).DirectoryName
-          echo "$dllPath" | Out-File -FilePath $env:GITHUB_PATH -Encoding utf8 -Append
-
-      - name: Azure Login
-        shell: pwsh
-        run: |
-          # Login to public Azure (not Germany) for Code Signing service
           az login --service-principal `
             -u ${{ secrets.DECO_SIGN_AZURE_CLIENT_ID }} `
             -p ${{ secrets.DECO_SIGN_AZURE_CLIENT_SECRET }} `
             --tenant ${{ secrets.DECO_SIGN_AZURE_TENANT_ID }}
 
-      - name: Create Azure Code Signing metadata
-        shell: pwsh
-        run: |
-          $metadata = @{
-            "Endpoint" = "https://eus.codesigning.azure.net/"
-            "CodeSigningAccountName" = "deco-sign"
-            "CertificateProfileName" = "deco-sign"
-          }
-          $metadata | ConvertTo-Json | Out-File -FilePath "metadata.json" -Encoding utf8
-
-      - name: Create signing script
+          $accessToken = az account get-access-token --resource https://vault.azure.net --query accessToken -o tsv
+          echo "::add-mask::$accessToken"
+          echo "AZURE_VAULT_TOKEN=$accessToken" >> $env:GITHUB_ENV
+
+      - name: Install AzureSignTool
         shell: pwsh
         run: |
-          $script = @'
-          $env:AZURE_TENANT_ID = "${{ secrets.DECO_SIGN_AZURE_TENANT_ID }}"
-          $env:AZURE_CLIENT_ID = "${{ secrets.DECO_SIGN_AZURE_CLIENT_ID }}"
-          $env:AZURE_CLIENT_SECRET = "${{ secrets.DECO_SIGN_AZURE_CLIENT_SECRET }}"
-
-          $filePath = $args[0]
-          Write-Host "Signing: $filePath"
-
-          & signtool sign /fd SHA256 /tr http://timestamp.digicert.com /td SHA256 /dlib Azure.CodeSigning.Dlib.dll /dmdf metadata.json "$filePath"
-
-          if ($LASTEXITCODE -ne 0) {
-            Write-Error "Signing failed with exit code $LASTEXITCODE"
-            exit $LASTEXITCODE
-          }
-          '@
-
-          $script | Out-File -FilePath "sign.ps1" -Encoding utf8
+          dotnet tool install --global AzureSignTool
 
       - name: Run GoReleaser for Windows
         uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0
diff --git a/.goreleaser-windows.yaml b/.goreleaser-windows.yaml
@@ -41,7 +41,7 @@ builds:
 
     hooks:
       post:
-        - pwsh -File sign.ps1 "{{ .Path }}"
+        - azuresigntool sign --azure-key-vault-url "https://deco-sign.vault.microsoftazure.de/" --azure-key-vault-client-id "{{ .Env.AZURE_CLIENT_ID }}" --azure-key-vault-client-secret "{{ .Env.AZURE_CLIENT_SECRET }}" --azure-key-vault-tenant-id "{{ .Env.AZURE_TENANT_ID }}" --azure-key-vault-certificate "deco-sign" --file-digest sha256 --timestamp-rfc3161 http://timestamp.digicert.com --timestamp-digest sha256 "{{ .Path }}"
 
 archives:
   - formats: ["zip"]
