dotnet / sign

Code Signing CLI tool supporting Authenticode, NuGet, VSIX, and ClickOnce
MIT License
448 stars 84 forks

How do I obtain the following data #591

Closed MikeWilliams-UK closed 1 year ago

MikeWilliams-UK commented 1 year ago

We (Chem4Word) have been using the Sign Client to successfully sign our deployable artifacts for several years (since 2018). I would like to transition to the new service as soon as possible.

I think I have been able to establish most of the required command line attributes so that we can continue to use the Azure Key Vault store which has been set up for us.

I am struggling to find out these required parameters.

--azure-key-vault-certificate "$(SignKeyVaultCertificate)" --azure-key-vault-url "$(SignKeyVaultUrl)"

@clairernovotny - You provided us with the credentials via a shared LastPass file/folder "shared-chem4word".

MikeWilliams-UK commented 1 year ago

Forgot to add: do the description and description-url need to be specific to our certificate in the Key Vault, or are they still free form as in the previous Sign Client?

dtivel commented 1 year ago

Hi, @MikeWilliams-UK. I can't provide specific values for you, but I can show you where to find them, provided you have access to your Azure Key Vault's web site.

The value for --azure-key-vault-certificate is the value shown in the Name column of the Azure Key Vault's Certificates page.

[screenshot: Azure Key Vault Certificates page, Name column]

The value for --azure-key-vault-url is the value shown in Azure Key Vault Essentials section:

[screenshot: Azure Key Vault Essentials section, Vault URI]

The --description and --description-url options should be the same as the previous sign client.

MikeWilliams-UK commented 1 year ago

Unfortunately the Key Vault Store is locked down, so I don't have access to this page.

I suspect that only @clairernovotny may be able to help here, as they created the keys in the tenancy codesign.dotnetfoundation.org.

dtivel commented 1 year ago

I understand. Sorry I couldn't help here.

MikeWilliams-UK commented 1 year ago

No worries, thanks for trying.

clairernovotny commented 1 year ago

@ChrisSfanos has that info

MikeWilliams-UK commented 1 year ago

@ChrisSfanos can you please send it to me via email to mike at doublewide dot co dot uk.

ChrisSfanos commented 1 year ago

Sent just now - thanks.

MikeWilliams-UK commented 1 year ago

Thanks, I will give it a try next week.

MikeWilliams-UK commented 1 year ago

After entering the details given to me by @ChrisSfanos from a CMD prompt:

sign code azure-key-vault ^
        "Setup.msi" ^
        --timestamp-url "http://timestamp.digicert.com" ^
        --publisher-name "Chem4Word" ^
        --description "Chem4Word installer" ^
        --description-url "https://www.chem4word.co.uk" ^
        --azure-key-vault-tenant-id "**********" ^
        --azure-key-vault-client-id "***********" ^
        --azure-key-vault-client-secret "********" ^
        --azure-key-vault-certificate "******" ^
        --azure-key-vault-url "https://********.vault.azure.net/"

I am getting this error message:

fail: Sign.Core.Signer[0] ClientSecretCredential authentication failed: A configuration issue is preventing authentication - check the error message from the server for details. You can modify the configuration in the application registration portal. See https://aka.ms/msal-net-invalid-client for details. Original exception: AADSTS7000215: Invalid client secret provided. Ensure the secret being sent in the request is the client secret value, not the client secret ID, for a secret added to app '*****-

Adding the user id given to me by @clairernovotny in 2018 (which still works for the old sign client):

sign code azure-key-vault ^
        "Setup.msi" ^
        --timestamp-url "http://timestamp.digicert.com" ^
        --publisher-name "Chem4Word" ^
        --description "Chem4Word installer" ^
        --description-url "https://www.chem4word.co.uk" ^
        --azure-key-vault-tenant-id "**********" ^
        --azure-key-vault-client-id "***********" ^
        --azure-key-vault-managed-identity "*******@dotnetfoundation.org" ^
        --azure-key-vault-client-secret "********" ^
        --azure-key-vault-certificate "******" ^
        --azure-key-vault-url "https://********.vault.azure.net/"

I then get this:

Unrecognized command or argument '****@dotnetfoundation.org'.

Am I doing something wrong?

Not sure if this is relevant, but when I log on to https://codesign.dotnetfoundation.org/ in a browser with the credentials given in 2018 I am asked to set up 2FA (I have skipped this).

dtivel commented 1 year ago

Make sure the client secret is correct. Unlike the tenant ID and client ID, the client secret is not a GUID. Also, you want the client secret value, not the client secret ID. If I pass the client secret ID instead of the value, I get the same error as you.

[screenshot: App registrations, Certificates & secrets page showing Secret ID and Value columns]

This screenshot is from my "App registrations" | <App Name> | "Certificates & secrets" page in Azure Portal. (The values shown here are just for the screenshot. They won't work for you or anyone else.)

Also, Sign CLI supports two methods of authenticating to Azure Key Vault:

You should use either tenant ID+client ID+client secret OR managed identity.
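The two rules in the comment above (IDs are GUIDs but the secret value is not, and secret-based auth and managed identity are mutually exclusive) can be turned into a pre-flight check that runs before the signing command, so a pasted secret ID or a mixed-up option set fails locally instead of at the token endpoint. This is an added example, not code from the dotnet/sign project or from anyone in this thread; the environment variable names (AKV_*), the function names, and the sample GUIDs are constructed for illustration, and it assumes that --azure-key-vault-managed-identity is a switch that takes no value (the "Unrecognized command or argument" error earlier in the thread is consistent with that, but verify against sign --help).

```shell
#!/bin/sh
# Added example (not dotnet/sign project code): pre-flight validation of the
# Azure Key Vault credentials passed to `sign code azure-key-vault`.

# GUID shape used by Entra tenant IDs and application (client) IDs.
GUID_RE='^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$'

is_guid() {
    printf '%s\n' "$1" | grep -Eq "$GUID_RE"
}

# check_akv_auth TENANT_ID CLIENT_ID CLIENT_SECRET USE_MANAGED_IDENTITY(0|1)
# Returns 0 when the combination is consistent with the rules in the thread,
# otherwise prints the reason to stderr and returns 1.
check_akv_auth() {
    tenant=$1; client=$2; secret=$3; mi=$4
    if [ "$mi" = "1" ]; then
        # Managed identity: no tenant/client/secret should be supplied as well.
        if [ -n "$tenant" ] || [ -n "$client" ] || [ -n "$secret" ]; then
            echo "error: managed identity selected; do not also pass tenant/client/secret" >&2
            return 1
        fi
        return 0
    fi
    is_guid "$tenant" || { echo "error: tenant ID is not a GUID" >&2; return 1; }
    is_guid "$client" || { echo "error: client ID is not a GUID" >&2; return 1; }
    [ -n "$secret" ]  || { echo "error: client secret is empty" >&2; return 1; }
    # The secret *value* is an opaque string; the secret *ID* is a GUID.
    # A GUID here is the classic cause of AADSTS7000215.
    if is_guid "$secret"; then
        echo "error: client secret looks like a GUID; this is probably the secret ID, not its value" >&2
        return 1
    fi
    return 0
}

# Sign one file with the option set from the thread, only after the checks pass.
# Credentials are read from the environment so they never appear in the script.
sign_with_akv() {
    file=$1
    use_mi=${AKV_USE_MANAGED_IDENTITY:-0}
    check_akv_auth "$AKV_TENANT_ID" "$AKV_CLIENT_ID" "$AKV_CLIENT_SECRET" "$use_mi" || return 1
    if [ "$use_mi" = "1" ]; then
        set -- --azure-key-vault-managed-identity   # assumed: switch with no value
    else
        set -- --azure-key-vault-tenant-id "$AKV_TENANT_ID" \
               --azure-key-vault-client-id "$AKV_CLIENT_ID" \
               --azure-key-vault-client-secret "$AKV_CLIENT_SECRET"
    fi
    sign code azure-key-vault "$file" \
        --timestamp-url "http://timestamp.digicert.com" \
        --publisher-name "Chem4Word" \
        --description "Chem4Word installer" \
        --description-url "https://www.chem4word.co.uk" \
        --azure-key-vault-certificate "$AKV_CERTIFICATE_NAME" \
        --azure-key-vault-url "$AKV_VAULT_URL" \
        "$@"
}

# Usage (values constructed for the example):
#   AKV_TENANT_ID=11111111-2222-3333-4444-555555555555 \
#   AKV_CLIENT_ID=aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee \
#   AKV_CLIENT_SECRET='<secret value from the Value column>' \
#   AKV_CERTIFICATE_NAME=my-cert AKV_VAULT_URL=https://example.vault.azure.net/ \
#   sh sign-akv.sh && sign_with_akv Setup.msi
```

The check deliberately treats a GUID-shaped secret as an error rather than a warning: the portal's "Certificates & secrets" page shows both columns side by side, and a GUID in that position is almost always the Secret ID rather than the Value.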

ChrisSfanos commented 1 year ago

Hi @MikeWilliams-UK - there are some steps that aren't complete for you. I'm going to work on that right now and I'll send you an email. As a note we post the client secret value in LastPass, so I will need an email to use for sharing the item from there. You can email me directly with that info - thanks

MikeWilliams-UK commented 1 year ago

@ChrisSfanos please use the same email, mike at doublewide dot co dot uk, the same one I used for the LastPass account I set up for @clairernovotny to use in 2018.

ChrisSfanos commented 1 year ago

Shared via LastPass and also emailed you the AppID.

MikeWilliams-UK commented 1 year ago

Thanks @ChrisSfanos, SignTool is now working via the CMD prompt.