I have an Authenticode certificate (.pfx) which I use to sign executables.
How can I configure Team Build so that it signs every single executable (.exe, .dll, …) automatically while building the project?
Best Answer
Here's the method we use:
Unload the WiX project and select Edit
Scroll to the bottom, where you can find
<Import Project="$(WixTargetsPath)" />
Add a new line immediately above it:
<Import Project="ProjectName.custom.targets" />
We use the naming convention "ProjectName.custom.targets", but the file can be named anything you want.
Create a new XML file named ProjectName.custom.Targets and place the following code into it:
Create a test Authenticode certificate (we named ours AuthenticodeTest.pfx) and place it in source control - the path to it is set in the AuthenticodeCertFile property. To test it out, run msbuild at the command line and change the OutDir property, i.e. msbuild Test.sln /p:OutDir=C:\Test
Some customizations will be needed if:
To run your final build select "Queue New Build" in TFS. Click "Parameters" and expand "Advanced". Under "MSBuild Arguments" add:
/p:AuthenticodeCertFile=ProductionCertFile.pfx /p:AuthenticodePassword=Secret
Note that this may not be entirely secure - it could be tricky to have the build agent find the PFX file without checking it in, and the password could be logged in the build output. Alternately you could create a special locked down build agent for this, or run the build locally at the command line - but obviously that wouldn't be a "clean room" environment. It may be worth creating a special locked down "clean" server specifically for that purpose.
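The logging concern raised in the answer can be checked mechanically. The script below is an added example, not part of the original answer: it scans build output for the `AuthenticodePassword` property and for a PFX password handed to `signtool`, reports the affected lines and redacts the value. The sample log, the `SignOutput` target name and the assumption that signing goes through `signtool sign /f ... /p ...` are constructed for illustration.

```python
import re

# Constructed sample of build output (not from a real build). The property
# names and values are the ones used in the answer; the signtool line assumes
# the targets file passes the PFX password through signtool's /f and /p switches.
SAMPLE_LOG = """\
Build started.
Command line: msbuild Test.sln /p:AuthenticodeCertFile=ProductionCertFile.pfx /p:AuthenticodePassword=Secret
Target SignOutput:
  signtool.exe sign /f ProductionCertFile.pfx /p Secret C:\\Test\\Product.exe
  Successfully signed: C:\\Test\\Product.exe
Build succeeded.
"""

VALUE = r'("[^"]*"|[^\s;"]+)'
PATTERNS = [
    # MSBuild property switch: /p:, -p:, /property: (case-insensitive)
    ("msbuild-property",
     re.compile(r'([/-]p(?:roperty)?:AuthenticodePassword=)' + VALUE, re.I)),
    # signtool sign ... /p <password>; the \s after /p keeps /ph and /p7 out
    ("signtool-argument",
     re.compile(r'(signtool(?:\.exe)?"?\s+sign\b.*?\s/p\s+)' + VALUE, re.I)),
]


def scan_log(text):
    """Return (findings, redacted_text); findings are (line_no, kind) pairs."""
    findings, secrets, lines = [], set(), text.splitlines()
    for no, line in enumerate(lines, 1):
        for kind, rx in PATTERNS:
            for m in rx.finditer(line):
                findings.append((no, kind))
                secrets.add(m.group(2).strip('"'))
    # Redact every occurrence of a leaked value, longest first, so copies
    # echoed elsewhere in the log are covered as well.
    redacted = text
    for s in sorted(filter(None, secrets), key=len, reverse=True):
        redacted = redacted.replace(s, "***")
    return findings, redacted


if __name__ == "__main__":
    found, clean = scan_log(SAMPLE_LOG)
    for no, kind in found:
        print(f"line {no}: signing password exposed ({kind})")
    print(clean)
    raise SystemExit(1 if found else 0)
```

Run as a post-build step, a non-zero exit marks a log that needs redaction before it is retained or shared.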