Sign ClickOnce manifest on CI server, not on target

We have a .NET application that is being built with TeamCity, it outputs a regular nuget package to the feed which Octo picks up.

Octopus deploys the files to the target server, then I run a script:

$root = "#{InstallDirectory}"
$url = $OctopusParameters["Url"]
$certPassword = $OctopusParameters["CertificatePassword"]
$certFile = "C:\Tools\Certificate.pfx"
$magePath = "C:\Tools\mage.exe"

$providerUrl = "https://" + $url + ""

$appPath = "$root\App.application"

Write-Output "Root: $root"
Write-Output "Application path: $appPath"

$xml = [xml](Get-Content $appPath)
$manifestpath = $xml.assembly.dependency.dependentAssembly.codebase
$applicationWithVersion = $manifestpath.Split('\\')[1]
$manifestPath = "$root\Application Files\" + $applicationWithVersion + "\" + "App.exe.manifest"

Write-Output "Manifest path: $manifestPath"

& $magePath -Update "$appPath" -TimestampUri ""
& $magePath -Sign "$manifestPath" -CertFile $certFile -Password $certPassword

Write-Output "Update ProviderUrl to $providerUrl"

& $magePath -Update "$appPath" -AppManifest "$manifestPath" -ProviderURL "$providerUrl" -TimestampUri ""
& $magePath -Sign "$appPath"

What this does is update the manifest file to set the correct URL, then it signs the application.

But it all does this on the target server. Issue is that code signing certificates are now only allowed to be stored on hardware tokens (or cloud HSM). Meaning that we really can only use a cert on the Octo server.

What would be the correct way to perform these steps not the deployment target, but on the CI/Octopus server?

Hey @rogerversluis , thanks for reaching out! I’m going to take a look at this and get back to you in the next 24 hours with an update (and possibly some more questions). Thanks for your patience!

Sorry for the delay @rogerversluis, have been scratching my head trying to think through how you could get this working in Octopus.

From your note about the hardware tokens, the main thought I had was using a worker with the token installed as the target for your signing activities. Then you could reupload the package to Octopus, and handle your standard deployment from there.

I also noticed that Mage is available as a native dotnet tool, although that doesn’t help when you have to have the hardware device available.

I’m sorry we don’t have a clearer path forward at this time. I’ve raised your use case in our internal discussion channels to surface it, and please feel free to add your +1 and context to this existing UserVocie request if you’d like! ClickOnce is something that comes up every great so often, but every use case is a little bit different.

Please don’t hesitate to reach out if you have any additional questions or concerns around Octopus, we’re happy to help wherever we can.

This topic was automatically closed 31 days after the last reply. New replies are no longer allowed.