base

Author: brown9804

.gitignore

@@ -1,5 +1,14 @@
 # Local .terraform directories
 .terraform/
+*src/.env
+app-logs.zip
+LogFiles
+deploy.log
+__pycache__
+*.log 
+*agents_state.json
+.env.example
+.env_automation
 
 # .tfstate files
 *.tfstate
@@ -13,7 +22,6 @@ crash.*.log
 # password, private keys, and other secrets. These should not be part of version 
 # control as they are data points which are potentially sensitive and subject 
 # to change depending on the environment.
-*.tfvars
 *.tfvars.json
 
 # Ignore override files as they are usually used to override resources locally and so
@@ -35,3 +43,11 @@ override.tf.json
 # Ignore CLI configuration files
 .terraformrc
 terraform.rc
+
+# .NET build output
+**/bin/
+**/obj/
+
+# Visual Studio / VS Code
+.vs/
+.vscode/

README.md

@@ -0,0 +1,130 @@
+# Azure Artifact Signing (Azure DevOps + Terraform)
+
+This repo is a minimal, demo-friendly setup for:
+- Provisioning Azure Artifact Signing (Trusted Signing) resources with Terraform.
+- Building a small Windows .NET executable.
+- Signing it in Azure DevOps using **SignTool + Artifact Signing dlib** (private key stays in Microsoft-managed HSMs).
+
+## What Terraform creates
+
+- Resource group
+- Artifact Signing account (`Microsoft.CodeSigning/codeSigningAccounts`)
+- (Optional, Terraform-deployed) Certificate profile (`.../certificateProfiles`) once you provide an **Identity validation Id**
+- (Optional, Terraform-deployed) Microsoft Entra app registration + service principal for an Azure DevOps **Workload Identity Federation** service connection
+- (Optional, Terraform-deployed) Azure DevOps resources (when `ado_enabled = true`):
+   - Project
+   - Git repo
+   - YAML pipeline
+   - AzureRM service connection (Workload Identity Federation)
+   - Pipeline authorizations for the service connection + variable group
+- (Optional, Terraform-deployed) RBAC assignment: `Artifact Signing Certificate Profile Signer` at the certificate profile scope
+
+Notes:
+- **Identity validation** itself is **portal-only** (service requirement). Terraform can’t complete that workflow; you paste the resulting `identity_validation_id` into `terraform.tfvars`.
+- If Terraform creates the Azure DevOps service connection (`ado_enabled = true`), it can also read the generated WIF **Issuer** and **Subject** and create the Entra **federated credential** automatically (no copy/paste).
+
+## Prereqs
+
+- Azure CLI installed and logged in (`az login`)
+- Terraform installed
+- Permission to register resource providers + create resources in your subscription
+
+One-time provider registration (per subscription):
+
+```pwsh
+az provider register --namespace Microsoft.CodeSigning
+```
+
+## Deploy with Terraform
+
+Terraform files live in `terraform-infrastructure/`.
+
+1) Edit `terraform-infrastructure/terraform.tfvars` and set a globally-unique account name.
+
+2) Run Terraform:
+
+```pwsh
+cd terraform-infrastructure
+terraform init
+terraform validate
+terraform apply -auto-approve
+```
+
+3) In Azure portal, open the Artifact Signing account and complete **Identity validation** (portal-only).
+
+4) Copy the **Identity validation Id** from the portal and add it to `terraform-infrastructure/terraform.tfvars`:
+
+```hcl
+identity_validation_id = "00000000-0000-0000-0000-000000000000"
+certificate_profile_name = "demo-code-signing"
+certificate_profile_type = "PublicTrustTest"
+```
+
+5) Apply again to create the certificate profile:
+
+```pwsh
+cd terraform-infrastructure
+terraform validate
+terraform apply -auto-approve
+```
+
+## Azure DevOps (Terraform-managed)
+
+This repo can also create the Azure DevOps project/repo/pipeline/service-connection using the Terraform `azuredevops` provider.
+
+1) Create a PAT in Azure DevOps with permissions to manage projects/repos/pipelines/service connections.
+
+2) Set env vars (PowerShell):
+
+```pwsh
+$env:AZDO_ORG_SERVICE_URL = "https://dev.azure.com/<your-org>"
+$env:AZDO_PERSONAL_ACCESS_TOKEN = "<your-pat>"
+```
+
+3) In `terraform-infrastructure/terraform.tfvars`, set:
+
+```hcl
+ado_enabled = true
+ado_org_service_url = "https://dev.azure.com/<your-org>"
+```
+
+4) Apply. Terraform will:
+- create the Azure DevOps project + repo + YAML pipeline
+- create the AzureRM service connection using Workload Identity Federation (WIF)
+- read the generated WIF Issuer/Subject and create the Entra federated credential
+
+Notes:
+- The `WorkloadIdentityFederation` auth scheme requires your org feature to be enabled. If your org can’t use it yet, set `ado_service_endpoint_authentication_scheme = "ServicePrincipal"` and also set `TF_VAR_ado_service_principal_client_secret` for the service principal secret.
+- Terraform creates an empty repo. You still need to push this repo’s code into the Azure DevOps repo (Terraform will output the clone URL).
+
+## Pipeline
+
+- [azure-pipelines.yml](azure-pipelines.yml) builds `SigningDemo.exe`, installs the required signing components via NuGet extraction, then signs using the official SignTool + `/dlib` flow.
+- Configure pipeline variables:
+  - `artifactSigningEndpoint` (Terraform output `artifact_signing_endpoint`)
+  - `artifactSigningAccountName` (Terraform output `artifact_signing_account_name`)
+  - `artifactSigningCertificateProfileName` (your profile name)
+  - Service connection name in YAML: update `azureSubscription` if you didn't name it `sc-artifact-signing`.
+
+### Optional: use Azure Key Vault for pipeline variables
+
+If you enable Key Vault (`keyvault_enabled=true`) Terraform will:
+- create an RBAC-enabled Key Vault
+- grant your current identity **Key Vault Secrets Officer** (so you can set secrets)
+- grant the Azure DevOps service principal **Key Vault Secrets User** (so the pipeline can read secrets)
+
+Then create secrets in Key Vault with these names:
+- `artifactSigningEndpoint`
+- `artifactSigningAccountName`
+- `artifactSigningCertificateProfileName`
+
+The pipeline will automatically load them (it runs `AzureKeyVault@2` when `keyVaultName` is non-empty).
+
+If signing fails with 403, validate:
+- Endpoint matches region
+- Service connection identity has `Artifact Signing Certificate Profile Signer` at the certificate profile scope
+
+## Azure Portal link
+
+After `terraform apply`, open the resource group:
+https://portal.azure.com/#view/HubsExtension/BrowseResourceGroups

SigningDemo/Program.cs

@@ -0,0 +1,3 @@
+using System;
+
+Console.WriteLine("Hello from SigningDemo at " + DateTimeOffset.UtcNow.ToString("u"));

SigningDemo/SigningDemo.csproj

@@ -0,0 +1,10 @@
+<Project Sdk="Microsoft.NET.Sdk">
+
+  <PropertyGroup>
+    <OutputType>Exe</OutputType>
+    <TargetFramework>net8.0</TargetFramework>
+    <ImplicitUsings>enable</ImplicitUsings>
+    <Nullable>enable</Nullable>
+  </PropertyGroup>
+
+</Project>

azure-pipelines.yml

@@ -0,0 +1,111 @@
+trigger:
+- main
+
+pool:
+  vmImage: 'windows-latest'
+
+variables:
+  buildConfiguration: 'Release'
+  runtimeIdentifier: 'win-x64'
+
+  # Update if your service connection name differs.
+  azureServiceConnection: 'sc-artifact-signing'
+
+  # Set these as pipeline variables or in a variable group.
+  # If you set keyVaultName (or Terraform provides it via variable group),
+  # the AzureKeyVault@2 task below will populate the artifactSigning* variables.
+  keyVaultName: ''
+  artifactSigningEndpoint: ''
+  artifactSigningAccountName: ''
+  artifactSigningCertificateProfileName: ''
+
+steps:
+- task: DotNetCoreCLI@2
+  displayName: Publish (unsigned)
+  inputs:
+    command: publish
+    projects: '**/SigningDemo.csproj'
+    arguments: '-c $(buildConfiguration) -r $(runtimeIdentifier) --self-contained false'
+
+- task: AzureKeyVault@2
+  displayName: Load signing variables from Key Vault
+  condition: and(succeeded(), ne(variables['keyVaultName'], ''))
+  inputs:
+    azureSubscription: '$(azureServiceConnection)'
+    KeyVaultName: '$(keyVaultName)'
+    SecretsFilter: 'artifactSigningEndpoint,artifactSigningAccountName,artifactSigningCertificateProfileName'
+    RunAsPreJob: false
+
+- task: AzureCLI@2
+  displayName: Sign with Azure Artifact Signing (SignTool + dlib)
+  inputs:
+    azureSubscription: '$(azureServiceConnection)'
+    scriptType: ps
+    scriptLocation: inlineScript
+    inlineScript: |
+      $ErrorActionPreference = 'Stop'
+
+      if ([string]::IsNullOrWhiteSpace("$(artifactSigningEndpoint)")) { throw "Missing variable: artifactSigningEndpoint" }
+      if ([string]::IsNullOrWhiteSpace("$(artifactSigningAccountName)")) { throw "Missing variable: artifactSigningAccountName" }
+      if ([string]::IsNullOrWhiteSpace("$(artifactSigningCertificateProfileName)")) { throw "Missing variable: artifactSigningCertificateProfileName" }
+
+      az account show --output table
+
+      $tempRoot = Join-Path "$(Agent.TempDirectory)" "artifact-signing"
+      New-Item -ItemType Directory -Force -Path $tempRoot | Out-Null
+
+      $nugetExe = Join-Path $tempRoot "nuget.exe"
+      Invoke-WebRequest -Uri https://dist.nuget.org/win-x86-commandline/latest/nuget.exe -OutFile $nugetExe
+
+      $sdkOut = Join-Path $tempRoot "sdk"
+      & $nugetExe install Microsoft.Windows.SDK.BuildTools -x -OutputDirectory $sdkOut | Out-Host
+
+      $signtool = Get-ChildItem -Path $sdkOut -Recurse -Filter signtool.exe | Where-Object { $_.FullName -match "\\x64\\signtool\\.exe$" } | Select-Object -First 1
+      if (-not $signtool) {
+        $signtool = Get-ChildItem -Path $sdkOut -Recurse -Filter signtool.exe | Where-Object { $_.FullName -match "\\x64\\signtool\\.exe" } | Select-Object -First 1
+      }
+      if (-not $signtool) { throw "signtool.exe not found after extracting Microsoft.Windows.SDK.BuildTools" }
+
+      $dlibOut = Join-Path $tempRoot "dlib"
+      & $nugetExe install Microsoft.ArtifactSigning.Client -x -OutputDirectory $dlibOut | Out-Host
+
+      $dlib = Get-ChildItem -Path $dlibOut -Recurse -Filter Azure.CodeSigning.Dlib.dll | Where-Object { $_.FullName -match "\\x64\\Azure\\.CodeSigning\\.Dlib\\.dll$" } | Select-Object -First 1
+      if (-not $dlib) {
+        $dlib = Get-ChildItem -Path $dlibOut -Recurse -Filter Azure.CodeSigning.Dlib.dll | Select-Object -First 1
+      }
+      if (-not $dlib) { throw "Azure.CodeSigning.Dlib.dll not found after extracting Microsoft.ArtifactSigning.Client" }
+
+      $metadataPath = Join-Path $tempRoot "metadata.json"
+      $metadata = @{
+        Endpoint               = "$(artifactSigningEndpoint)"
+        CodeSigningAccountName = "$(artifactSigningAccountName)"
+        CertificateProfileName = "$(artifactSigningCertificateProfileName)"
+        CorrelationId          = "build-$(Build.BuildId)"
+      } | ConvertTo-Json -Depth 4
+
+      $metadata | Out-File -FilePath $metadataPath -Encoding utf8
+
+      $unsigned = "$(Build.SourcesDirectory)\SigningDemo\bin\$(buildConfiguration)\net8.0\$(runtimeIdentifier)\publish\SigningDemo.exe"
+      if (-not (Test-Path $unsigned)) { throw "Unsigned binary not found at $unsigned" }
+
+      $signedDir = "$(Build.ArtifactStagingDirectory)"
+      New-Item -ItemType Directory -Force -Path $signedDir | Out-Null
+      $signed = Join-Path $signedDir "SigningDemo.signed.exe"
+      Copy-Item $unsigned $signed -Force
+
+      Write-Host "Using signtool: $($signtool.FullName)"
+      Write-Host "Using dlib: $($dlib.FullName)"
+
+      & $signtool.FullName sign /v /debug /fd SHA256 /tr "http://timestamp.acs.microsoft.com" /td SHA256 /dlib "$($dlib.FullName)" /dmdf "$metadataPath" "$signed"
+
+- powershell: |
+    $ErrorActionPreference = 'Stop'
+    $signed = "$(Build.ArtifactStagingDirectory)\SigningDemo.signed.exe"
+    Get-AuthenticodeSignature $signed | Format-List
+  displayName: Verify signature
+
+- task: PublishBuildArtifacts@1
+  displayName: Publish signed artifact
+  inputs:
+    pathToPublish: '$(Build.ArtifactStagingDirectory)'
+    artifactName: 'signed-drop'