how-to-sign-ci-policy.md

File metadata and controls

80 lines (56 loc) · 3.44 KB
---
title: Sign a CI policy
description: Learn how to sign new CI policies by using Trusted Signing.
author: microsoftshawarma
ms.author: rakiasegev
ms.service: trusted-signing
ms.topic: how-to
ms.date: 06/03/2024
ms.custom: template-how-to-pattern, devx-track-azurepowershell
---

Sign a CI policy by using Trusted Signing

This article shows you how to sign new code integrity (CI) policies by using the Trusted Signing service.

Prerequisites

To complete the steps in this article, you need:

  • A Trusted Signing account, identity validation, and certificate profile.
  • Individual or group assignment of the Trusted Signing Certificate Profile Signer role.
  • Azure PowerShell in Windows installed.
  • Az.CodeSigning module downloaded.

Sign a CI policy

  1. Open PowerShell 7.

  2. Optionally, create a metadata.json file like the following example. The "Endpoint" URI value must be a URI that aligns with the region where you created your Trusted Signing account and certificate profile when you set up these resources.

    {
    "Endpoint":"https://xxx.codesigning.azure.net/",
    "CodeSigningAccountName":"<Trusted Signing Account Name>",
    "CertificateProfileName":"<Certificate Profile Name>"
    }
  3. Get the root certificate that you want to add to the trust store:

    Get-AzCodeSigningRootCert -AccountName TestAccount -ProfileName TestCertProfile -EndpointUrl https://xxx.codesigning.azure.net/ -Destination c:\temp\root.cer

    If you're using a metadata.json file, run this command instead:

    Get-AzCodeSigningRootCert -MetadataFilePath C:\temp\metadata.json -Destination c:\temp\root.cer
  4. To get the Extended Key Usage (EKU) to insert into your policy:

    Get-AzCodeSigningCustomerEku -AccountName TestAccount -ProfileName TestCertProfile -EndpointUrl https://xxx.codesigning.azure.net/ 

    If you're using a metadata.json file, run this command instead:

    Get-AzCodeSigningCustomerEku -MetadataFilePath C:\temp\metadata.json 
  5. To sign your policy, run the invoke command:

    Invoke-AzCodeSigningCIPolicySigning -AccountName TestAccount -ProfileName TestCertProfile -EndpointUrl "https://xxx.codesigning.azure.net/" -Path C:\Temp\defaultpolicy.bin -Destination C:\Temp\defaultpolicy_signed.bin -TimeStamperUrl http://timestamp.acs.microsoft.com

    If you're using a metadata.json file, run this command instead:

    Invoke-AzCodeSigningCIPolicySigning -MetadataFilePath C:\temp\metadata.json -Path C:\Temp\defaultpolicy.bin -Destination C:\Temp\defaultpolicy_signed.bin -TimeStamperUrl http://timestamp.acs.microsoft.com
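The following script is an added example, not part of the original article or the Az.CodeSigning module, that runs steps 2 through 5 from a metadata.json file and adds the checks a practitioner would want: it validates the metadata file, pins the fetched root certificate to an expected thumbprint before it goes anywhere near a trust store, and sanity-checks the signed output. The paths, the `$ExpectedRootThumbprint` placeholder and the treatment of the EKU cmdlet's output as text are assumptions.

```powershell
# Added example (not from the original article): wrapper for steps 2-5.
# Assumes the metadata.json from step 2 exists at $MetadataPath and that
# $ExpectedRootThumbprint, when given, was obtained out of band (placeholder).
param(
    [string]$MetadataPath   = 'C:\temp\metadata.json',
    [string]$PolicyPath     = 'C:\Temp\defaultpolicy.bin',
    [string]$SignedPath     = 'C:\Temp\defaultpolicy_signed.bin',
    [string]$RootCertPath   = 'C:\temp\root.cer',
    [string]$TimeStamperUrl = 'http://timestamp.acs.microsoft.com',
    [string]$ExpectedRootThumbprint = ''   # e.g. '<ROOT-THUMBPRINT-PLACEHOLDER>'
)
$ErrorActionPreference = 'Stop'
Import-Module Az.CodeSigning

# Step 2 check: all three keys present and the Endpoint is an https Trusted Signing URI.
$meta = Get-Content -Raw -Path $MetadataPath | ConvertFrom-Json
foreach ($key in 'Endpoint', 'CodeSigningAccountName', 'CertificateProfileName') {
    if ([string]::IsNullOrWhiteSpace($meta.$key)) { throw "metadata.json is missing '$key'" }
}
if ($meta.Endpoint -notmatch '^https://[^/]+\.codesigning\.azure\.net/?$') {
    throw "Unexpected Endpoint '$($meta.Endpoint)' in metadata.json"
}

# Step 3: fetch the root certificate, then inspect and pin it before trusting it.
Get-AzCodeSigningRootCert -MetadataFilePath $MetadataPath -Destination $RootCertPath
$root = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($RootCertPath)
Write-Host "Root subject:    $($root.Subject)"
Write-Host "Root thumbprint: $($root.Thumbprint) (valid until $($root.NotAfter))"
if ($ExpectedRootThumbprint) {
    if ($root.Thumbprint -ne $ExpectedRootThumbprint) {
        throw 'Root certificate thumbprint does not match the expected value; do not add it to the trust store'
    }
} else {
    Write-Warning 'No expected thumbprint supplied; confirm the thumbprint above before importing root.cer'
}

# Step 4: the EKU the CI policy's signer rule must reference (output treated as text; assumption).
$eku = (Get-AzCodeSigningCustomerEku -MetadataFilePath $MetadataPath | Out-String).Trim()
Write-Host "Customer EKU: $eku"

# Step 5: sign with a timestamp so the signature remains valid after the signing cert expires.
Invoke-AzCodeSigningCIPolicySigning -MetadataFilePath $MetadataPath -Path $PolicyPath `
    -Destination $SignedPath -TimeStamperUrl $TimeStamperUrl

# Sanity check: the signed blob exists and is larger than the input (a signature envelope was added).
$inLen  = (Get-Item $PolicyPath).Length
$outLen = (Get-Item $SignedPath).Length
if ($outLen -le $inLen) { throw "Signed policy ($outLen bytes) is not larger than the input ($inLen bytes)" }
Write-Host "Signed policy written to $SignedPath ($outLen bytes)"
```

Run it from PowerShell 7 after signing in to Azure with an identity that holds the Trusted Signing Certificate Profile Signer role.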

Create and deploy a CI policy

For steps to create and deploy your CI policy, see these articles: