Azure SignTool in an Azure Pipeline using Federated Credentials

[Lazer91]

Since I couldn't find any other guide or document that shows how to use Federated Credentials with Azure SignTool, and since I think it's a very useful feature because it removes the need for secrets rotation, I thought to show how I did it.

Prerequisites

• An Azure DevOps Project with a YAML Pipeline;
• An Entra AppRegistration (a.k.a. Service Principal)
• A Service Connection linking the AppRegistration to the DevOps Project, using Federated Credentials --> HowTo (learn.microsoft.com)
• Of course, an Azure KeyVault with a certificate inside, where your AppRegistration has proper permissions.

YAML Pipeline snippet

This pipeline will produce an artifact with the specified myExe.exe file signed. The "trick" is to use the generic AzureCLI@2 task to run Azure SignTool, without really calling any az command:

variables:
- name: FilePath
  value: ./myExe.exe
- name: AzureKeyVaultUrl
  value: https://myVault.vault.azure.net/  # <-- replace with your KeyVault URL
- name: AzureKeyVaultCertificateName
  value: my-cert # <-- replace with your certificate name
- name: TenantId
  value: myTenant

jobs:
- job: sign_file
  displayName: Sign file

  steps:
  - task: UseDotNet@2
    inputs:
      version: 10.0.x
    
  - task: DotNetCoreCLI@2
    inputs:
      command: custom
      custom: tool
      arguments: 'install --global AzureSignTool'
  
  - task: AzureCLI@2
    displayName: "Sign with AzureSignTool and Federated Credentials"
    inputs:
      azureSubscription: <myServiceConnection> # <-- replace with your service connection name
      scriptType: ps
      scriptLocation: inlineScript
      inlineScript: |
        
        azuresigntool sign `
          -kvt $(TenantId) `
          -kvu $(AzureKeyVaultUrl) `
          -kvm `
          -kvc $(AzureKeyVaultCertificateName) `
          -tr http://timestamp.digicert.com `
          -v $(FilePath) `
          --skip-signed
  
  - publish: $(FilePath)
    artifact: signedFile

If you have any better idea to achieve the same, I'd be very interested 😊.