InstallAppleCertificate: Please allow installing p12 from source (read desc before you judge me!) #13913
Comments
This issue is stale because it has been open for 180 days with no activity. Remove the stale label or comment on the issue otherwise this will be closed in 5 days |
Not stale, still an issue :( |
Agreed, pulling from disk should be an option. We are trying to work around this issue by uploading to secure file during the pipeline using this hack. I am also going to look at the source for this task and see if there is an easy way to add this. |
The JavaScript is pretty annoying to reverse engineer, but this is the same process, just less convoluted. |
This issue is stale because it has been open for 180 days with no activity. Remove the stale label or comment on the issue otherwise this will be closed in 5 days |
Not stale, this is still a valid request. @dragon788, can you add a comment? My comment isn't removing the stale flag, it seems. |
Hi @toddwalstad-eaton, thanks for reporting! We are working on more prioritized issues at the moment, but will get back to this one once we are able to. This would probably require additional checks from the point of security. |
I would like to suggest this issue is actually expanded to allow the task to work with secrets from KeyVault, either directly fetching from Key Vault or using an output variable from the |
Agree with @asdaandrewhaigh. Support for certificates/identities stored in Key Vault and/or using the output of |
In order to grab it from KeyVault your AzureKeyVault task would need to set
runAsPreJob=true and you'd need to base64 decode if you stored it as a
secret.
If you stored the certificate and key and password as a secret separately
to assemble a p12 you'd need openssl or similar to create the bundle and
I'm not sure if that is supported by Apple.
I have been able to store the name of a certificate in Secure Files in a
Variable group backed by a KeyVault, but in the pipeline I had to export a
variable that tricked the variable group execution of the Get Secrets Key
Vault task to use runAsPreJob=true even though that isn't present in the
UI, the trouble was it sets that for all future references to the Get
Secrets task.
…On Tue, Jan 24, 2023, 12:09 PM Jeremy Reichman ***@***.***> wrote:
Agree with @asdaandrewhaigh <https://github.com/asdaandrewhaigh>. Support
for certificates/identities store in Key Vault and/or using the output of
AzureKeyVault task step would be logical improvements.
|
This issue is stale because it has been open for 180 days with no activity. Remove the stale label or comment on the issue otherwise this will be closed in 5 days |
Keeping this alive as I am not seeing any progress toward a resolution. |
This issue is stale because it has been open for 180 days with no activity. Remove the stale label or comment on the issue otherwise this will be closed in 5 days |
Any chance this could be worked on? |
This issue is stale because it has been open for 180 days with no activity. Remove the stale label or comment on the issue otherwise this will be closed in 5 days |
Question, Bug, or Feature?
Type: Feature
Enter Task Name: InstallAppleCertificate
Environment
Issue Description
TL;DR: The InstallAppleCertificate task only works for secure files. Please add an option to install the certificate from a local working directory instead, as part of the normal execution phase.
We use a custom bash task early in the pipeline to populate the environment variables and download/decode some secure files based on our external secrets storage service (we use doppler.com, but this could also apply to HashiCorp Vault or any other non-Azure secure file service).
When building and signing iOS .ipa files, this process falls down because the InstallAppleCertificate task will ONLY work with Azure pipeline secure files.
At the moment our temporary solve is to keep a copy of the p12 file in Azure secure files, as well as our external vault. We also have to copy the password twice too, since the InstallAppleCertificate runs pre-job-execution before our external vault script has populated any variables. So, not ideal!
Thanks in advance 👍
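
The decode-and-install step that the issue and the Key Vault comment describe, as an added example (not code from this thread or from the task's source). It assumes an earlier step has put a base64-encoded .p12 in `P12_BASE64` and its password in `P12_PASSWORD`; those names and the keychain name are hypothetical.

```bash
#!/usr/bin/env bash
# Added example. P12_BASE64 and P12_PASSWORD are assumed variable names filled
# in by an earlier secrets step; "ci-signing.keychain" is a constructed name.

# Decode base64 text ($1) into a new private file and print that file's path.
decode_p12() {
  local b64="$1" dir out
  [ -n "$b64" ] || { echo "certificate secret is empty" >&2; return 1; }
  dir="$(mktemp -d)" || return 1        # mktemp -d creates the directory 0700
  out="$dir/signing.p12"
  # umask 077 inside the subshell makes the redirect create the file as 0600.
  if ! ( umask 077; printf '%s' "$b64" | base64 --decode > "$out" ) 2>/dev/null \
     || [ ! -s "$out" ]; then
    rm -rf "$dir"
    echo "certificate secret is not valid base64" >&2
    return 1
  fi
  printf '%s\n' "$out"
}

# Import the identity into a throwaway keychain (macOS agents only).
# `security` takes passwords as arguments (-p / -P), so they are visible in
# the process list while each command runs. The last command lets codesign
# use the key without an interactive prompt.
import_p12() {
  local p12="$1" password="$2" keychain="$3" kc_pass
  kc_pass="$(openssl rand -hex 16)"     # random password for the temp keychain
  security create-keychain -p "$kc_pass" "$keychain" &&
    security unlock-keychain -p "$kc_pass" "$keychain" &&
    security import "$p12" -k "$keychain" -P "$password" -T /usr/bin/codesign &&
    security set-key-partition-list -S apple-tool:,apple: -s \
      -k "$kc_pass" "$keychain" >/dev/null
}

# Runs only when the secret is present, e.g. in a signing job.
if [ -n "${P12_BASE64:-}" ]; then
  p12="$(decode_p12 "$P12_BASE64")" || exit 1
  trap 'rm -rf "$(dirname "$p12")"' EXIT   # never leave the key on the agent
  import_p12 "$p12" "${P12_PASSWORD:?P12_PASSWORD is not set}" ci-signing.keychain
fi
```

The keychain is not added to the user's search list here, so pass it to `codesign` with `--keychain`, and remove it with `security delete-keychain` when the job ends.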