How to sign built binaries through TFS build 2013

  • Question

  • Hi,

    I am using TFS Build 2013 for my CI process.

    Now I want to sign all the binaries I build using signtool.exe and apply my certificate to them.

    I want to do this using TFS builds. Can anyone help on how I can update the XAML templates to run the Visual Studio Developer Command Prompt in order to sign the binaries?

    regards,

    Pratik


    Pratik Tayde

    • Moved by Sheethal J S Wednesday, February 22, 2017 9:51 AM More related to TFS
    Wednesday, February 22, 2017 9:00 AM

Answers

All replies

  • The query you posted has not reached the right forum. Your issue is related to Team Foundation Server. I will move this thread to the corresponding forum.

    Wednesday, February 22, 2017 9:47 AM
  • You can edit the build template, so it is possible to run some extra steps.

    See http://www.colinsalmcorner.com/post/build-script-hooks-for-tfs-2012-builds

    Wednesday, February 22, 2017 10:07 AM
  • Hi Pratik2911,

    You could write your signtool.exe commands into PowerShell or batch (.bat) script files.

    You don't need to customize the default TFVC template. You could set your command script's file path as the value of Build -> 5. Advanced -> Post-build script path.

    Best Regards

    MSDN Community Support
    Please remember to click "Mark as Answer" the responses that resolved your issue, and to click "Unmark as Answer" if not. This can be beneficial to other community members reading this thread. If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.

    Thursday, February 23, 2017 9:50 AM
  • Hi Yan,

    This seems to be a simpler option, but the problem I am facing here is that to sign a DLL using signtool.exe I need to put the commands in the Visual Studio Developer Command Prompt.

    However, when I pass the commands through PowerShell/cmd it is invoking normal commands and not the Developer command.

    Can anyone tell me the way by which I can invoke the Visual Studio Developer Command Prompt through PowerShell and pass signtool arguments to sign the required binaries?

    regards,

    Pratik


    Pratik Tayde

    Friday, February 24, 2017 9:56 AM
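As an added example (not code from the thread), the following post-build script shows what Yan's "Post-build script path" approach looks like in practice and why the Developer Command Prompt is not needed: that prompt only puts the Windows SDK bin folder on PATH, so the script locates signtool.exe itself. It assumes a Windows SDK is installed on the agent, that the certificate already lives in the build account's personal store (as Kim suggests further down the thread), and that the build definition passes `-Configuration Release -Thumbprint <hex>` in the post-build script arguments; the timestamp URL is an assumption, any RFC 3161 server will do.

```powershell
# Added example, not from the original thread: TFS 2013 post-build script that signs the
# build output with signtool.exe from a plain PowerShell host.
# Assumptions: Windows SDK on the agent; certificate already in the build account's My store;
# build definition passes "-Configuration Release -Thumbprint <hex>" as script arguments.
param(
    [Parameter(Mandatory = $true)][string]$Configuration,
    [Parameter(Mandatory = $true)][string]$Thumbprint,
    [string]$SigningConfiguration = 'Release',
    [string]$TimestampUrl = 'http://timestamp.digicert.com'   # assumption: any RFC 3161 TSA
)
$ErrorActionPreference = 'Stop'

# The Developer Command Prompt does nothing special for signtool; it only adds the SDK bin
# folder to PATH. Do that lookup here so a normal PowerShell/cmd host can call the tool.
function Find-SignTool {
    $pf = if (${env:ProgramFiles(x86)}) { ${env:ProgramFiles(x86)} } else { $env:ProgramFiles }
    $roots = @(
        (Join-Path $pf 'Windows Kits'),            # Windows SDK 8.0 and later
        (Join-Path $pf 'Microsoft SDKs\Windows')   # Windows SDK 7.x
    ) | Where-Object { Test-Path $_ }
    if (-not $roots) { throw 'No Windows SDK folder found; install the Windows SDK on the build agent.' }
    $found = Get-ChildItem -Path $roots -Filter signtool.exe -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.FullName -notmatch '\\arm' } |   # skip ARM builds of the tool
        Select-Object -First 1
    if (-not $found) { throw 'signtool.exe not found under the SDK folders.' }
    return $found.FullName
}

# Sign only the production configuration; Debug/CI builds pass through untouched.
if ($Configuration -ne $SigningConfiguration) {
    Write-Host "Configuration '$Configuration' is not '$SigningConfiguration'; skipping signing."
    exit 0
}

$signtool = Find-SignTool
$binDir   = $env:TF_BUILD_BINARIESDIRECTORY   # set by the TFS 2013 default template
if (-not $binDir) { throw 'TF_BUILD_BINARIESDIRECTORY is not set; run this as a TFS 2013 post-build script.' }

$targets = @(Get-ChildItem -Path $binDir -Recurse -Include *.dll, *.exe)
foreach ($file in $targets) {
    # /sha1 selects the certificate by thumbprint from the current user's (build account's)
    # My store, so no .pfx file and no password appear on the command line.
    # /fd SHA256 needs the Windows 8 SDK or later; /tr and /td request an RFC 3161 timestamp.
    & $signtool sign /sha1 $Thumbprint /fd SHA256 /tr $TimestampUrl /td SHA256 /v $file.FullName
    if ($LASTEXITCODE -ne 0) { throw "signtool sign failed ($LASTEXITCODE) for $($file.FullName)" }
}

# Fail the build if any output still lacks a valid Authenticode signature.
foreach ($file in $targets) {
    & $signtool verify /pa /q $file.FullName
    if ($LASTEXITCODE -ne 0) { throw "signtool verify failed for $($file.FullName)" }
}
Write-Host "Signed $($targets.Count) file(s) in $binDir"
```

Because the build service runs as the build account, `Cert:\CurrentUser\My` seen by this script is that account's store; importing the certificate while logged on as anyone else will make `/sha1` fail with "no certificates were found".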
    • Marked as answer by Pratik2911 Friday, February 24, 2017 12:01 PM
    Friday, February 24, 2017 10:06 AM
  • Hi Kim,

    Thanks for the update, I was unaware of this cmdlet.

    However, I didn't see any password parameter in this cmdlet and my certificate requires a password, so when I use this cmdlet it prompts a popup window asking for the password, and after entering the password the DLLs are signed.

    Now, as I want to integrate it in my CI flow, I want to pass the password automatically through the script to avoid any manual input.

    Is there any way or cmdlet in PowerShell to automate this?

    Thanks in advance,

    Pratik 


    Pratik Tayde

    Friday, February 24, 2017 10:52 AM
  • Hi Pratik,

    Why aren't you using a post-build step in your projects and signing the binaries from within Visual Studio?


    Please use "Mark as Answer" if my post solved your problem and use "Vote As Helpful" if a post was useful.

    Friday, February 24, 2017 11:13 AM
  • Hi Daniel,

    As per me, a post-build step in the projects won't work when you try to build the entire solution using TFS builds.

    Also, signing it through post-build will sign the DLLs for each build and I don't want to do that; I want to sign the DLLs only for my production build.

    Through PowerShell I will be able to do that.

    regards,

    Pratik


    Pratik Tayde

    Friday, February 24, 2017 11:37 AM
  • I don't think you can avoid the password prompt, and if you can, you need to have the password somewhere, which can compromise security.

    You can import the certificate to the store and prevent it from being exported, and then call it in your script.

    Friday, February 24, 2017 11:41 AM
  • As per me, a post-build step in the projects won't work when you try to build the entire solution using TFS builds.

    Also, signing it through post-build will sign the DLLs for each build and I don't want to do that; I want to sign the DLLs only for my production build.

    If you've installed VS on the build agent and select the .SLN to be built, then TFS Build behaves exactly the same as on a developer computer in the VS IDE.

    In the post-build step you can execute statements based on the configuration being built.


    Please use "Mark as Answer" if my post solved your problem and use "Vote As Helpful" if a post was useful.


    Friday, February 24, 2017 11:53 AM
  • Hi Kim,

    I am able to pass the password along with the certificate using the following code,

    Yes, as you said, it is a risk as the password is exposed.

    Thanks for the assistance.


    Pratik Tayde

    • Marked as answer by Pratik2911 Friday, February 24, 2017 12:01 PM
    Friday, February 24, 2017 12:01 PM
  • Pratik,

    Install the certificate in the certificate store of the build account and mark it non-exportable.

    You can refer to the certificate using the thumbprint, and you don't need to specify the password in the script.


    Please use "Mark as Answer" if my post solved your problem and use "Vote As Helpful" if a post was useful.

    Friday, February 24, 2017 12:17 PM
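Kim's approach worked through with the PowerShell cmdlets, as an added example that is not part of the thread: step 1 is a one-time, interactive import run while logged on as the build service account, leaving the private key in the store as non-exportable; step 2 is the unattended signing the build calls, which refers to the key only by its thumbprint, so no password exists in the build definition or the script. It assumes `Import-PfxCertificate` (PKI module, Windows 8 / Server 2012 or later) is available and that the build runs under the same account that did the import; the timestamp server URL is an assumption.

```powershell
# Added example, not from the original thread: Kim's store-resident, non-exportable key,
# referenced by thumbprint, using the PowerShell signing cmdlets.
# Assumptions: PKI module available (Import-PfxCertificate); the build runs under the
# same Windows account that performed the import.

# Step 1 (run once, interactively, as the build service account): import without -Exportable.
function Install-BuildSigningCertificate {
    param([Parameter(Mandatory = $true)][string]$PfxPath)
    # Read-Host -AsSecureString keeps the password out of the command line and the history.
    $password = Read-Host -Prompt 'PFX password' -AsSecureString
    # Without -Exportable the private key cannot be exported back out as a PFX; this account
    # can still sign with it, and no CSP password prompt is attached to the key.
    $cert = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\CurrentUser\My -Password $password
    Write-Host "Imported '$($cert.Subject)' with thumbprint $($cert.Thumbprint)"
    return $cert.Thumbprint   # goes into the build definition; a thumbprint is not a secret
}

# Step 2 (unattended): resolve the certificate by thumbprint and sign the build output.
function Get-BuildSigningCertificate {
    param([Parameter(Mandatory = $true)][string]$Thumbprint)
    $thumb = ($Thumbprint -replace '\s', '').ToUpperInvariant()   # tolerate copy-pasted spaces
    $cert = Get-ChildItem -Path Cert:\CurrentUser\My -CodeSigningCert |
        Where-Object { $_.Thumbprint -eq $thumb }
    if (-not $cert) { throw "No code-signing certificate $thumb in CurrentUser\My for $env:USERNAME" }
    if (-not $cert.HasPrivateKey) { throw "Certificate $thumb has no private key in this account's store" }
    return $cert
}

function Sign-BuildOutput {
    param(
        [Parameter(Mandatory = $true)][string]$Thumbprint,
        [string]$BinariesDirectory = $env:TF_BUILD_BINARIESDIRECTORY,   # set by the TFS 2013 template
        [string]$TimestampServer = 'http://timestamp.digicert.com'        # assumption: any Authenticode TSA
    )
    $cert  = Get-BuildSigningCertificate -Thumbprint $Thumbprint
    $files = @(Get-ChildItem -Path $BinariesDirectory -Recurse -Include *.dll, *.exe)
    foreach ($file in $files) {
        # The timestamp keeps the signature valid after the certificate itself expires.
        $result = Set-AuthenticodeSignature -FilePath $file.FullName -Certificate $cert `
            -HashAlgorithm SHA256 -TimestampServer $TimestampServer
        if ($result.Status -ne 'Valid') {
            throw "Signing failed for $($file.FullName): $($result.Status) $($result.StatusMessage)"
        }
    }
    # Independent check: re-read every signature and confirm it was made with our certificate.
    $bad = @(Get-AuthenticodeSignature -FilePath $files.FullName |
        Where-Object { $_.Status -ne 'Valid' -or $_.SignerCertificate.Thumbprint -ne $cert.Thumbprint })
    if ($bad.Count -gt 0) { throw "Unsigned or foreign-signed files: $($bad.Path -join ', ')" }
    return $files.Count
}

# Usage from a post-build script whose arguments supply $Thumbprint:
# Sign-BuildOutput -Thumbprint $Thumbprint
```

The password is typed exactly once, at import time, and never stored; the popup the thread mentions does not appear because the imported key carries no strong private key protection. If the import is done under a different account (for example an administrator's interactive session), the build account's `Cert:\CurrentUser\My` will not contain the key and `Get-BuildSigningCertificate` fails fast instead of signing nothing.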