This script signs your ClickOnce application with SignTool and then signs the manifest with Mage, using a provided PFX certificate or the thumbprint of one already installed into the user's certificate store.
To code sign the ClickOnce application and the manifest, you need to use both SignTool and Mage.
SignTool doesn't like SHA1, Mage doesn't like SHA2. What are we to do?
Thanks to the lovely guidance from: StackOverFlow and combining that with another blerb
Built on the work of Joe Pitt.
- SignTool - used to code sign the application executable and setup executables
- Mage - used to sign the application manifest and click once .application file
- OpenSSL - used to roundtrip PFX file before importing, based on this, to convert to a suitable 'CryptoAPI' version
- CertUtil - imports the certificate into the Cert://CurrentUser/My store
- Administrator
-
Either PMXPath and PMXPassword OR SHA256CertThumbprint are required for successful signing.
-
If using PMXPath and PMXPassword, the certificate file will be installed and used. If you are using a Hosted Agent, this is the best option.
-
If using SHA256CertThumbprint, the certificate must already be installed at Cert://CurrentUser/My. If you are self-hosting a build agent, then the build agent account is where this needs to live.
-
You can leverage Secure Files in Azure Dev Ops to supply the PMX file to the script, thus keeping it out of the repository.
- Disable signing the ClickOnce manifest in your project files
- Verify build agent is running as Administrator
- Add SignClickOnceApp.ps1 to your repository or place in your build system at a known location.
- Add PMX Certificate to Secure Files in your DevOps project
- Add Download Secure File Task to your pipeline and configure to download certificate
- Add Powershell Task
- Call SignClickOnceApp with -PMXPath $(DOWNLOADSECUREFILE.SECUREFILEPATH) and other parameters, see script documentation TODO add example invocations
- Profit