Code Signing in 2024

Introduction

Coding and publishing CentralQ Chat to AppSource was a fantastic experience that taught me many new things. However, this journey also presented its challenges, particularly when it came to app signing with a code signing certificate. This task, which once seemed straightforward, has evolved with new rules introduced in 2023. This blog post is my adventure in navigating these changes and finding the best solution for signing AppSource apps in 2024.

The Challenge of Code Signing in 2024

My old certificate turned out to be unusable because I had lost the private key (lesson learned). So, I needed to get a new one. But when I started looking into it, I quickly realized that things had changed in 2023. The updated rules meant that I couldn’t just buy a new certificate and easily export it as a PFX file for signing my app.

The options available were:

  1. HSM Code Signing Certificate: This physical USB drive option was secure but not suitable for my needs.
  2. Cloud Solutions from Sectigo and DigitalCert: These companies offered cloud storage of the certificate and a script for CI/CD scenarios – connect to their cloud and sign remotely. However, they were expensive and limited to 1000 signs per year.

Neither option was appealing, and it seemed like a dead end until I discovered another pathway through Azure Key Vault, thanks to Steven Endow‘s suggestion.

The Ideal Solution: Azure Key Vault

After extensive research, I found that ordering a new code signing certificate from GlobalSign and implementing it with Azure Key Vault was the most efficient and cost-effective method. Here’s a step-by-step guide on how I did it

1. Ordering the Certificate

I ordered a new code signing certificate from GlobalSign. Their online support was helpful, and their documentation was clear and straightforward. Importantly, their prices were significantly lower than DigitalCert.

Here is their full article on the process, just make sure you purchase “HSM Implementation” with Azure KeyVault option.

2. Verification Process

I was quite worried that the verification phase would turn into a long and difficult process. The last time I went through verification with Sectigo, it stretched out for an exhausting four months! But to my surprise, this time it was different.

The verification with GlobalSign was swift and efficient, completed within just a 1 day! through a simple phone call. 

3. Generating CSR from Azure Vault HSM

When it came to generating a CSR (Certificate Signing Request) from Azure Vault HSM, I found that the guidelines from GlobalSign were a bit outdated. They didn’t take into account the new rules that had come into play. So, to help you navigate this with the latest information, here are the updated steps:

  • Create a premium Azure Vault: This is the first step. Setting up a premium vault ensures that you have access to all the necessary features.
  • Create a new certificate and set advanced properties: This is a crucial step. You need to make sure that ‘Exportable Private Key’ is set to ‘No’, and select ‘RSA-HSM’ as the Key Type. This aligns with the new requirements and ensures your setup is compliant.
  • Download CSR: Once you have your certificate settings in place, the next step is to download the CSR. This will be used in the certificate generation process.

You need to see this screen with the notification. Don’t close it! Click on the notification.

Download CSR from Certificate Operation

Open the CSR file with text editor, copy full text and paste it into the GlobalSign page (you will receive the instructions and link by verified email).

  • Once the Certificate is issued, click the Merge Signed Request button.
  • Then, select the Certificate you downloaded from the GlobalSign Certificate Center (GCC) portal
  • Now, your Certificate is stored in your Key Vault and ready for use..

4. Using the Certificate in CI/CD

With the certificate in place, I integrated it into my CI/CD process. I use GitHub AL-Go. Thanks to Freddy I was able to figure out how to make it.

The latest version of Al-Go supports new certificates in the Sign step.

5. Updating AL-Go for Code Signing

If you’re using AL-Go for your CI/CD pipeline, it’s important to ensure that it’s up-to-date, especially to accommodate the new code signing process.

Following this guide you will make sure that AL-Go files are updated.

In the GitHub Repo (Your App Repo), go to Actions and run Update AL-Go System Files 

6. Setting Up Azure Key Vault for AL-GO

For AL-GO to run its app signing script and sign apps with the certificate stored in Azure Key Vault, specific setup steps are needed. Here’s how to configure Azure Key Vault for this purpose:

  • Register an Azure AAD Application: First, you need to register an application in Azure Active Directory (AAD). This application will interact with Azure Key Vault to access and use the certificate.
  • Add a Client Secret: After registering the application, create and save a client secret. This secret acts as a password that allows your application to authenticate with Azure AAD securely.
  • Configure Azure Key Vault Access:

    • Go to your Azure Key Vault in the Azure portal.
    • Set the ‘Permission model’ to ‘Vault access policy’.
    • Assign ‘Get’ and ‘Sign’ permissions for the certificate. This allows the registered application to retrieve the certificate and use it to sign applications.
  • Create an Access Policy:

    • In the Azure Key Vault, create a new access policy.
    • Assign the access policy to the registered Azure AAD application.

This step grants the application the necessary permissions to get and sign with the certificate stored in the Key Vault.

7. Adding ALGoOrgSettings to GitHub Variables

To ensure that your app can be signed during the AL-Go build process, you need to configure GitHub Variables appropriately.

  • Access Your GitHub Organization/Repository: Navigate to the organization/repository where your project is hosted on GitHub, depending on how global the configuration should be.

  • Go to Organization/Repository Settings: Find the ‘Settings’ tab in your organization/repository.

  • Locate ‘Secrets and Variables’ Section: Within settings, find the section named ‘Secrets and variables’ > Actions. This is where you can add secret keys that your GitHub Actions workflows can use.

  • Create a New Variable: Click on New Organization Variable or New Repository Variable. Name this variable ALGoOrgSettings.

  • Configure Variable: The value of this secret should be a JSON object that contains the necessary details for AL-Go to connect with Azure Key Vault. Here is a format of what the value might look like:

				
					{
  "keyVaultCodesignCertificateName": "YourCertificateName",
  "keyVaultName": "YourKeyVaultName"
}

				
			
  • keyVaultCodesignCertificateName is the name of the certificate in Azure Key Vault.
  • keyVaultName is the name of your Azure Key Vault.

8. Adding Azure_Credentials to GitHub Secrets

To establish a connection between GitHub and Azure, you need to configure GitHub Secrets.

  • Create a New Secret: Click on New Organization Secret or New Repository Secret. Name this secret Azure_Credentials.

  • Configure Secret Value: The value of this secret should be a compressed JSON that contains the necessary details for AL-Go to connect with Azure Application.  Here is format of what the value looks like:

				
					{"clientId":"YourAzureAADAplicationId","clientSecret":"YourAzureAADApplicationSecretValue","subscriptionId":"YourAzureSubscriptionId","tenantId":"YourAzureTenantId"}

				
			

tenantId, clientId, clientSecret and subscriptionId are the details from your Azure AAD application. This allows GitHub to authenticate and interact with your Azure resources.

9. Rerunning Your Build Action

  • Trigger a New Build: Go back to the main page of your GitHub repository and trigger a new build action. This can typically be done by pushing a new commit or manually triggering the workflow in the ‘Actions’ tab.

  • Monitor the Build Process: Watch the build process to ensure it progresses without any issues. Pay special attention to the step where AL-Go signs the app.

  • Verify Successful Signing: If everything is set up correctly, your build action should now successfully sign your app with the new certificate from Azure Key Vault.

Conclusion

The journey to get and use a code signing certificate for AppSource apps in 2024 turned out to be quite different from what it used to be in the past years. It felt like uncharted territory at first, with all the new rules and steps to follow. But, by using Azure Key Vault and getting my certificate from GlobalSign, I found a way through. It was a bit like piecing together a puzzle – challenging, but satisfying when everything clicked into place. 

Once again, thanks Freddy and Steve for pointing me to the right directions.

Share Post:

Leave a Reply

About Me

DMITRY KATSON

A Microsoft MVP, Business Central architect and a project manager, blogger and a speaker, husband and a twice a father. With more than 15 years in business, I went from developer to company owner. Having a great team, still love to put my hands on code and create AI powered Business Central Apps that just works.

Follow Me

Recent Posts

Tags