Hello,
I have an authenticode certificate (.pfx) which I use to sign executables.
How can I configure Team Build so that it signs every single executable (.exe, .dll, ...) automatically while building the project?
Don't.
You do not want to automatically sign builds. Most builds don't need signing anyway; they're only used for automated tests. Some builds may be handed to your in-house testers. But only builds that you actually release outside your organization need Authenticode signatures. In that case, you should have a manual verification step after signing anyway. So, signing manually doesn't insert an extra manual step in the release process, and automating it saves very little time. In exchange, there will be far fewer signed files floating around in your organization, and you can make much stronger guarantees about the files that are.
I disagree. Since the code signing certificate must be installed on the build computer in order to perform signing, why not sign everything that is built on that computer every time it is built? The computer is "at risk" because it has the code signing certificate installed, so it will need to be protected in some fashion (physical security and system security). If it is protected, why not let it do the work it was intended to do, prepare the files for delivery, consistently, repeatably, every time?
Unfortunately, the answer "don't" also seems to be the standard Microsoft answer, since they seem to provide almost no support in MSBuild to loop over a list of file names, calling a program once for each file name in the list. I've found ways to pass a wildcard generated list of files to the Signtool.exe program, but it can only handle one file at a time.
I fear (for me) that it is back to writing a batch file which loops over its arguments and calls signtool for each argument. Writing batch files for the common task of signing a build output makes me think MSBuild really isn't as mature a build system as it should be. Either that, or signtool has the wrong interface. In either case, signing multiple files without enumerating the name of every file to sign appears to be a "no go" with MSBuild.
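As an added example (not code from either poster or from Microsoft's documentation), the following MSBuild target signs each .exe and .dll under the build output directory by running signtool once per file, using MSBuild item batching (`%(FilesToSign.FullPath)`) rather than a batch file, and then verifies every signature as a separate step. It assumes the certificate is a .pfx on the build machine as described above, that the .pfx password is supplied through the `PfxPassword` environment variable or `/p:PfxPassword=...` rather than stored in the project, and that `SignToolPath`, `PfxFile`, `TimestampUrl` and `OutDir` are set for your environment; those property names and values are assumptions, not anything from the original thread.

```xml
<!-- Added example: SignOutputs.targets, imported into a project or passed to MSBuild directly.
     Signs every .exe and .dll in $(OutDir) after the Build target, one signtool call per file. -->
<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003" DefaultTargets="Build">

  <PropertyGroup>
    <!-- Assumed locations; adjust for the build machine. -->
    <SignToolPath Condition="'$(SignToolPath)' == ''">C:\Program Files (x86)\Windows Kits\10\bin\x64\signtool.exe</SignToolPath>
    <PfxFile Condition="'$(PfxFile)' == ''">C:\BuildCerts\authenticode.pfx</PfxFile>
    <!-- RFC 3161 timestamp server (placeholder URL); a timestamp keeps the signature valid after the certificate expires. -->
    <TimestampUrl Condition="'$(TimestampUrl)' == ''">http://timestamp.example.invalid</TimestampUrl>
    <!-- Opt-in switch so ordinary CI builds stay unsigned; enable with /p:SignOutputs=true. -->
    <SignOutputs Condition="'$(SignOutputs)' == ''">false</SignOutputs>
  </PropertyGroup>

  <Target Name="SignOutputs" AfterTargets="Build" Condition="'$(SignOutputs)' == 'true'">
    <!-- Fail early if the password was not provided instead of handing signtool an empty /p. -->
    <Error Condition="'$(PfxPassword)' == ''"
           Text="PfxPassword is not set; pass /p:PfxPassword=... or set the environment variable." />

    <!-- The item list is declared inside the target so it is evaluated after Build has produced the files. -->
    <ItemGroup>
      <FilesToSign Include="$(OutDir)**\*.exe;$(OutDir)**\*.dll" />
    </ItemGroup>

    <!-- %(FilesToSign.FullPath) batches the Exec task: it runs once per item, so no loop syntax is needed. -->
    <Exec Command="&quot;$(SignToolPath)&quot; sign /f &quot;$(PfxFile)&quot; /p &quot;$(PfxPassword)&quot; /fd SHA256 /tr &quot;$(TimestampUrl)&quot; /td SHA256 &quot;%(FilesToSign.FullPath)&quot;"
          EchoOff="true" />
  </Target>

  <!-- Separate verification step: checks each file's signature chain and fails the build if any file is unsigned or invalid. -->
  <Target Name="VerifySignatures" AfterTargets="SignOutputs" Condition="'$(SignOutputs)' == 'true'">
    <ItemGroup>
      <FilesToVerify Include="$(OutDir)**\*.exe;$(OutDir)**\*.dll" />
    </ItemGroup>
    <Exec Command="&quot;$(SignToolPath)&quot; verify /pa /v &quot;%(FilesToVerify.FullPath)&quot;" />
  </Target>

</Project>
```

Invoked as `msbuild MyProject.csproj /p:SignOutputs=true /p:PfxPassword=%PFX_PASSWORD%` (or by putting the same arguments in the Team Build definition's MSBuild arguments), this signs only when explicitly requested, which keeps the number of signed binaries in circulation down as the first reply recommends, while still making the release signing repeatable as the second reply wants. `EchoOff` on the signing `Exec` keeps the password out of the build log, and the `verify` target gives the build the post-signing check rather than relying on someone remembering to run it by hand.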