AdditionalPropertiesForBuildTarget? How to add code signing to TeamBuild?

  • Question

  • Is AdditionalPropertiesForBuildTarget implemented in 2008? If not, a) it should be and b) how would I add signing to the TB, instead of the individual projects?

    Also, what's the best way to do this ... by specifying the SNK file? Is that the only option? No way to use a thumbprint to an imported cert, as with ClickOnce manifests?

    Thanks

    Wednesday, May 27, 2009 5:54 PM

All replies

  • Strangely, I found "CustomPropertiesForBuild", which seems to work.

    This still leaves the question of whether it's possible to sign with an imported (personal store of the build agent account) key, instead of a physical file. It feels odd that I have to tuck a copy of a file somewhere and work hard to make sure nobody has rights to get at it. I could easily be misguided here, though.

    <CustomPropertiesForBuild>SignAssembly=true;DelaySign=false;AssemblyOriginatorKeyFile=c:\builds\DataopsAssemblySigning.snk</CustomPropertiesForBuild>
    Wednesday, May 27, 2009 7:00 PM
  • Hi Todd

    Please take a look at "Strong Name your assemblies with Team Build using a private key". It introduces a way to use a password protected key during a team build. Does it fulfill your expectation?
    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    Send us any feedback you have about the help from MSFT at fbmsdn@microsoft.com.
    • Proposed as answer by Bill.Wang Wednesday, June 3, 2009 10:33 AM
    • Unproposed as answer by Bill.Wang Thursday, June 4, 2009 2:09 AM
    Thursday, May 28, 2009 6:44 AM
  • SNK files are actually used to do strong-naming not code signing (this is an important difference). Strong-names can only be stored in files and can't be imported into the certificate store since they're not actually certificates. Grant's post (which Bill refers to) is your best bet to secure the SNK.
    Regards,
    William Bartholomew
    Team System MVP
    Co-author of Inside the Microsoft Build Engine: Using MSBuild and Team Foundation Build (Microsoft Press, 2009)
    www.bartholomew.id.au | www.teamsystemnotes.com | www.tfsbuild.com
    • Proposed as answer by Bill.Wang Wednesday, June 3, 2009 10:33 AM
    • Marked as answer by Todd Beaulieu Wednesday, June 3, 2009 10:50 AM
    Thursday, May 28, 2009 9:44 AM
  • So, as usual, I was going about this the wrong way. ugh. In my opinion, it doesn't help when the properties tag uses the term "sign the assembly" for strong naming, as well as "delayed signing", if it's not actually signing the assembly, but just applying a strong name to it. In other words, if there's an "important difference" between the two, it ought to be painfully clear and I just don't find it so. Heck, it even appears to me that the same csproj property is used for both purposes.

    Ok...

    I changed all my assemblies over to use delayed signing with the SNK file. I added the SNK to TFS in a common location and just branched it into the root of each project. I'm not sure if this is the best way to accomplish this. I'm still experimenting. If you have any thoughts on this, please feel free to inject them!

    Now I'm ready to add the code signing to the Team Build. I'm still a bit confused on this topic. I read the article mentioned, but what I don't get is why I'm able to reference a THUMBPRINT for ClickOnce manifest generation, yet I'm forced to reference a file system object for code signing. I like the thumbprint deal because it allows an administrator to install the password-protected PFX under the build agent's service account's Personal Store. Then I use that thumbprint as a key to locate the certificate. My ClickOnce build process is already in place using one paradigm, but now I have to use a different paradigm for code signing (with a physical file)?

    Seriously, the last thing I want is to have to request someone do a build interactively on the build server. That's just wrong.

    There's no other property that would let me specify the thumbprint, instead of the AssemblyOriginatorKeyFile? I've tried drilling down into the build task, but hit a dead end at "BuildProjectFilesInParallel" method. Not sure how to poke deeper to see what properties are being used internally. This technique is how I got the deployment manifest working.

    Thank you!
    Thursday, May 28, 2009 1:01 PM
  • Hi Todd

    The "certificate" used by SN.exe is just a public/private key pair, while Mage.exe uses real X.509 certificates. The Sn.exe command doesn't support referencing a certificate by providing a thumbprint. Feel free to let us know if you have further questions.
    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    Send us any feedback you have about the help from MSFT at fbmsdn@microsoft.com.
    • Edited by Bill.Wang Monday, June 1, 2009 11:22 AM Refine the reply.
    • Marked as answer by Todd Beaulieu Wednesday, June 3, 2009 10:50 AM
    Monday, June 1, 2009 11:21 AM
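Pulling the thread's two conclusions together in working form: strong naming is sn.exe plus an RSA key pair (no certificate, no store, no thumbprint), while Authenticode code signing is signtool.exe plus an X.509 certificate, which *can* be selected by thumbprint from the build service account's Personal store. The MSBuild targets file below does both inside a team build, using the same CustomPropertiesForBuild mechanism Todd found. It is an added example written for this page, not code from the thread, from Grant's post, or from the book mentioned above. The key paths, the thumbprint, the timestamp URL, the property names RunSigning / StrongNameKeyFile / CodeSignThumbprint / SnExe / SignToolExe, and the assumption that sn.exe and signtool.exe are on the build agent's PATH are all placeholders or assumptions.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!--
  Signing.targets  (added example, not from the thread)

  Import at the end of each .csproj, after Microsoft.CSharp.targets:
      <Import Project="$(SolutionDir)Signing.targets" />

  In TFSBuild.proj, turn signing on and hand over the locations of the secrets
  (assumed property names; the values are placeholders):
      <CustomPropertiesForBuild>RunSigning=true;StrongNameKeyFile=C:\Keys\Dataops.snk;CodeSignThumbprint=0123456789abcdef0123456789abcdef01234567</CustomPropertiesForBuild>

  Two different things happen here, with two different tools:
    * strong naming = sn.exe + RSA key pair (.snk). Not a certificate; cannot be
                      imported into a certificate store or addressed by thumbprint.
    * code signing  = signtool.exe + X.509 certificate, picked from the build
                      service account's Personal store by SHA-1 thumbprint (/sha1),
                      so no PFX file has to sit on the build agent's disk.
-->
<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">

  <!-- 1. Strong naming, delay-signed. Compile against the PUBLIC key only, so the
          .snk checked into source control carries nothing secret. Extract it once
          from the full key pair:   sn -p Dataops.snk DataopsPublic.snk -->
  <PropertyGroup>
    <SignAssembly>true</SignAssembly>
    <DelaySign>true</DelaySign>
    <AssemblyOriginatorKeyFile>$(SolutionDir)keys\DataopsPublic.snk</AssemblyOriginatorKeyFile>
  </PropertyGroup>

  <!-- Defaults for the build-agent-only values (all assumptions). StrongNameKeyFile
       points OUTSIDE the workspace; only the build service account should be able
       to read it. Tools are assumed to be on PATH; override SnExe/SignToolExe if not. -->
  <PropertyGroup>
    <RunSigning Condition="'$(RunSigning)' == ''">false</RunSigning>
    <StrongNameKeyFile Condition="'$(StrongNameKeyFile)' == ''">C:\Keys\Dataops.snk</StrongNameKeyFile>
    <CodeSignThumbprint Condition="'$(CodeSignThumbprint)' == ''">0123456789abcdef0123456789abcdef01234567</CodeSignThumbprint>
    <TimestampUrl Condition="'$(TimestampUrl)' == ''">http://timestamp.example.invalid/authenticode</TimestampUrl>
    <SnExe Condition="'$(SnExe)' == ''">sn.exe</SnExe>
    <SignToolExe Condition="'$(SignToolExe)' == ''">signtool.exe</SignToolExe>
  </PropertyGroup>

  <!-- Hook both steps into the standard csproj extension point (if the project already
       defines AfterBuild, add these two targets to its DependsOnTargets instead).
       Order matters: sn -R rewrites the assembly, so it must run BEFORE signtool;
       running it afterwards would invalidate the Authenticode signature. -->
  <Target Name="AfterBuild" DependsOnTargets="StrongNameResign;AuthenticodeSign" />

  <!-- 2. Finish the strong name with the full key pair (sn -R). Runs only when the
          team build asks for it. Developer machines keep a delay-signed assembly and
          register the token once (as admin) so the loader skips verification:
              sn -Vr *,<publicKeyToken>      (sn -T file.dll prints the token; sn -Vu undoes it)
          $(TargetPath) is the bin\ copy; the obj\ copy stays delay-signed. -->
  <Target Name="StrongNameResign" Condition="'$(RunSigning)' == 'true'">
    <Error Condition="!Exists('$(StrongNameKeyFile)')"
           Text="Strong-name key '$(StrongNameKeyFile)' not found on the build agent." />
    <Exec Command="&quot;$(SnExe)&quot; -q -R &quot;$(TargetPath)&quot; &quot;$(StrongNameKeyFile)&quot;" />
    <!-- sn -v exits non-zero (and so fails the build) if the strong name does not verify -->
    <Exec Command="&quot;$(SnExe)&quot; -q -v &quot;$(TargetPath)&quot;" />
  </Target>

  <!-- 3. Authenticode. /sha1 selects the certificate by thumbprint from the current
          user's store, which is the build service account's store when Team Build runs
          this; /t adds an Authenticode timestamp so the signature outlives the cert. -->
  <Target Name="AuthenticodeSign" Condition="'$(RunSigning)' == 'true'">
    <Exec Command="&quot;$(SignToolExe)&quot; sign /sha1 $(CodeSignThumbprint) /t $(TimestampUrl) /v &quot;$(TargetPath)&quot;" />
    <!-- verify against the default Authenticode policy; a self-signed test cert fails here -->
    <Exec Command="&quot;$(SignToolExe)&quot; verify /pa /v &quot;$(TargetPath)&quot;" />
  </Target>

</Project>
```

The thumbprint lookup only works if the PFX was imported under the account the build service runs as, not under whoever logged on to the agent; importing it non-interactively as that account (for example with certutil -user -p <password> -importpfx <file>.pfx, run in the service account's context) avoids the interactive build Todd wants to rule out. If you instead point AssemblyOriginatorKeyFile at a password-protected .pfx, the compiler looks for the key in a CSP key container rather than a file, and that container has to be installed for the build service account (sn -i), which, as I understand it, is the approach Grant's post walks through.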