We have a .NET application that is being built with TeamCity; it outputs a regular NuGet package to the feed, which Octo picks up.
Octopus deploys the files to the target server, then I run a script:
$root = "#{InstallDirectory}"
$url = $OctopusParameters["Url"]
$certPassword = $OctopusParameters["CertificatePassword"]
$certFile = "C:\Tools\Certificate.pfx"
$magePath = "C:\Tools\mage.exe"
$providerUrl = "https://" + $url + ".site.ca/Installers/App.application"
$appPath = "$root\App.application"
Write-Output "Root: $root"
Write-Output "Application path: $appPath"
# Read the deployment manifest to find the versioned "Application Files" folder
$xml = [xml](Get-Content $appPath)
$codebase = $xml.assembly.dependency.dependentAssembly.codebase
# codebase looks like "Application Files\App_1_0_0_0\App.exe.manifest"; split on a single backslash
$applicationWithVersion = $codebase.Split('\')[1]
$manifestPath = "$root\Application Files\" + $applicationWithVersion + "\" + "App.exe.manifest"
Write-Output "Manifest path: $manifestPath"
& $magePath -Update "$appPath" -TimestampUri "http://timestamp.comodoca.com"
# Sign the application manifest with the PFX
& $magePath -Sign "$manifestPath" -CertFile $certFile -Password $certPassword
Write-Output "Update ProviderUrl to $providerUrl"
& $magePath -Update "$appPath" -AppManifest "$manifestPath" -ProviderURL "$providerUrl" -TimestampUri "http://timestamp.comodoca.com"
# Sign the deployment manifest; mage needs the certificate for this step as well
& $magePath -Sign "$appPath" -CertFile $certFile -Password $certPassword
What this does is update the manifest file to set the correct URL, then it signs the application.
But it does all of this on the target server. The issue is that code-signing certificates are now only allowed to be stored on hardware tokens (or a cloud HSM). This means that we can really only use a cert on the Octo server.
What would be the correct way to perform these steps not on the deployment target, but on the CI/Octopus server?
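As an added example (not code from the original post), the same mage.exe update/sign steps rewritten to run on the Octopus server or a worker where the hardware token is attached, before the files are pushed to the target. It assumes the package has already been extracted to a path supplied in a hypothetical Octopus variable "PackageRoot", and that the signing certificate sits in a Personal certificate store with its thumbprint in a hypothetical variable "CertificateThumbprint", so no PFX or password is handled at all.

```powershell
# Assumed Octopus variables (hypothetical names): PackageRoot, CertificateThumbprint, Url
$packageRoot  = $OctopusParameters["PackageRoot"]
$thumbprint   = $OctopusParameters["CertificateThumbprint"]
$providerUrl  = "https://" + $OctopusParameters["Url"] + ".site.ca/Installers/App.application"
$magePath     = "C:\Tools\mage.exe"
$timestampUri = "http://timestamp.comodoca.com"

# Fail early if the certificate is missing or its private key is not reachable
# (for a token-backed key, HasPrivateKey is false when the token is not attached)
$cert = Get-ChildItem Cert:\CurrentUser\My, Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $thumbprint } | Select-Object -First 1
if (-not $cert) { throw "Certificate $thumbprint not found in a Personal store" }
if (-not $cert.HasPrivateKey) { throw "Certificate $thumbprint has no usable private key" }

# Run mage.exe and stop the step on any non-zero exit code instead of silently continuing
function Invoke-Mage {
    param([string[]]$MageArgs)
    & $magePath @MageArgs
    if ($LASTEXITCODE -ne 0) {
        throw "mage.exe failed ($LASTEXITCODE): $($MageArgs -join ' ')"
    }
}

# Locate the application manifest through the deployment manifest's codebase,
# e.g. "Application Files\App_1_0_0_0\App.exe.manifest", instead of rebuilding the path by hand
$appPath      = Join-Path $packageRoot "App.application"
$xml          = [xml](Get-Content $appPath)
$manifestPath = Join-Path $packageRoot $xml.assembly.dependency.dependentAssembly.codebase

# -CertHash signs with the store certificate, so the token's CSP/KSP performs the signature
# and the private key never leaves the hardware. Sign the application manifest first,
# then point the deployment manifest at it, set the provider URL and sign it in one call.
Invoke-Mage @("-Sign", $manifestPath, "-CertHash", $thumbprint, "-TimestampUri", $timestampUri)
Invoke-Mage @("-Update", $appPath, "-AppManifest", $manifestPath, "-ProviderUrl", $providerUrl,
              "-CertHash", $thumbprint, "-TimestampUri", $timestampUri)
```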