Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Azure trusted signing with service connection #8803

Open
erijo opened this issue Jan 24, 2025 · 3 comments
Open

Azure trusted signing with service connection #8803

erijo opened this issue Jan 24, 2025 · 3 comments

Comments

@erijo
Copy link
Contributor

erijo commented Jan 24, 2025

The requirement to set AZURE environment variables interferes with the use of service connection to connect to the service from a devops pipeline (similar to this example).

I've gotten it to work by:

  1. First running the AzureCLI@2 task to access the service connection and export the three environment variables.
  2. Use az in a separate step to log in using the variables from step 1.
  3. Run electron-builder with the environment variables set as this:

  • AZURE_TENANT_ID=$(ARM_TENANT_ID)

  • AZURE_CLIENT_ID='dummy'

  • AZURE_CLIENT_SECRET='dummy'

    and this in azureSignOptions:

  • "ExcludeEnvironmentCredential": "-Debug"

That will use the AzureCliCredentials. If the environment variables weren't required I think I wouldn't have to give dummy values nor pass the -ExcludeEnvironmentCredential flag to Invoke-TrustedSigning.
@mmaietta
Copy link
Collaborator

Hmmm, this is very interesting. Is there a way to determine that the az login was successful and credentials are valid for Invoke-TrustedSigning?
If there is, then we can hopefully relax the current implementation to detect it instead of relying solely on Env vars. If no easy way to access that data (similar to how azureOptions.publisherName is required since it can't be preemptively fetched), then the Env vars are the only logic flow on which I can rely.

@erijo
Copy link
Contributor Author

erijo commented Jan 25, 2025

AFAIK there's no way to know that az is logged in except trying to use the credentials.

Wouldn't it be better to just mention the different ways that authentication can be done and leave it to the invoked command to try the different methods? Since the default method can use a number of different methods it's hard to check them all

@mmaietta
Copy link
Collaborator

Can you run az account show while logged in and paste the stdout here? (with all values redacted) Just need to understand the structure of the response and what keys exist to see if I can detect and leverage that for checking before env vars need to be checked/enforced.

If not logged in, the stderr I receive is this, which I can definitely detect against:

$ az account show
Please run 'az login' to setup account.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@erijo @mmaietta