Merge pull request #86 from sudara/trusted-signing

Switch windows code signing to Azure trusted signing

.github/workflows/cmake_ctest.yml

@@ -198,14 +198,39 @@ jobs:
       working-directory: ${{ env.ARTIFACTS_PATH }}
       run: 7z a -tzip "${{ env.ARTIFACT_NAME }}.zip" .
 
-    - name: Generate Installer and Sign with EV cert on Azure (Windows)
+    - name: Generate Installer
       if: ${{ matrix.name == 'Windows' }}
       shell: bash
       run: |
         iscc "packaging\installer.iss"
         mv "packaging/Output/${{ env.ARTIFACT_NAME }}.exe" "${{ env.ARTIFACTS_PATH }}/"
-        dotnet tool install --global AzureSignTool 
-        AzureSignTool sign -kvu "${{ secrets.AZURE_KEY_VAULT_URI }}" -kvi "${{ secrets.AZURE_CLIENT_ID }}" -kvt "${{ secrets.AZURE_TENANT_ID }}" -kvs "${{ secrets.AZURE_CLIENT_SECRET }}" -kvc ${{ secrets.AZURE_CERT_NAME }} -tr http://timestamp.digicert.com -v "${{ env.ARTIFACTS_PATH }}/${{ env.ARTIFACT_NAME }}.exe"
+
+    - name: Codesign with Azure Trusted Signing
+      if: ${{ matrix.name == 'Windows' }}
+      uses: azure/[email protected]
+      with:
+        # The Azure Active Directory tenant (directory) ID.
+        azure-tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+
+        # The client (application) ID of an App Registration in the tenant.
+        azure-client-id: ${{ secrets.AZURE_CLIENT_ID }}
+
+        # A client secret that was generated for the App Registration.
+        azure-client-secret: ${{ secrets.AZURE_CLIENT_SECRET }}
+
+        # The Code Signing Account endpoint. The URI value must have a URI that aligns to the region your Code Signing Account and Certificate Profile you are specifying were created in during the setup of these resources.
+        endpoint: ${{ secrets.AZURE_ENDPOINT }}
+
+        # The Code Signing Account name.
+        code-signing-account-name: ${{ secrets.AZURE_CODE_SIGNING_NAME }}
+
+        # The Certificate Profile name.
+        certificate-profile-name: ${{ secrets.AZURE_CERT_PROFILE_NAME }}
+
+        # This signs all exes inside the folder
+        files-folder: ${{ env.ARTIFACTS_PATH }}
+        files-folder-filter: exe
+        file-digest: SHA256
 
     - name: Upload Exe (Windows)
       if: ${{ matrix.name == 'Windows' }}

README.md

@@ -19,7 +19,7 @@ It also has integration with GitHub Actions, specifically:
 3. Running [pluginval](http://github.com/tracktion/pluginval) 1.x against the binaries for plugin validation
 4. Config for [installing Intel IPP](https://www.intel.com/content/www/us/en/developer/tools/oneapi/ipp.html)
 5. [Code signing and notarization on macOS](https://melatonin.dev/blog/how-to-code-sign-and-notarize-macos-audio-plugins-in-ci/)
-6. [Windows EV/OV code signing via Azure Key Vault](https://melatonin.dev/blog/how-to-code-sign-windows-installers-with-an-ev-cert-on-github-actions/)
+6. [Windows code signing via Azure Trusted Signing](https://melatonin.dev/blog/code-signing-on-windows-with-azure-trusted-signing/)
 
 It also contains:
 
@@ -130,7 +130,7 @@ On Xcode, see this [plugin](https://github.com/travisjeffery/ClangFormat-Xcode)
 
 ## What's the deal with code signing and notarization?
 
-This repo code signs Windows via Azure Key Vault. [Read more about how to set it up blog](https://melatonin.dev/blog/how-to-code-sign-windows-installers-with-an-ev-cert-on-github-actions/).
+This repo code signs Windows via Azure Trusted Signing. [Read more about how to set it up on my blog](https://melatonin.dev/blog/code-signing-on-windows-with-azure-trusted-signing/).
 
 It also code signs and notarizes on macOS. Again, you can [read my article for details](https://melatonin.dev/blog/how-to-code-sign-and-notarize-macos-audio-plugins-in-ci/).