dotnet / sign

Code Signing CLI tool supporting Authenticode, NuGet, VSIX, and ClickOnce
MIT License

What value should be provided for the Description and Description-Url parameters? #699

Open floyd-chan opened 3 weeks ago

floyd-chan commented 3 weeks ago

I am developing a Business Central app that requires code signing with Azure Key Vault as described here in Microsoft Learn:

https://learn.microsoft.com/en-us/dynamics365/business-central/dev-itpro/developer/devenv-sign-extension#steps-for-signing-your-app-file-with-azure-key-vault

I am going to be signing with a service principal, so this is the sample code provided on that page:

sign code azure-key-vault --azure-key-vault-url "https://MyKeyvault.vault.azure.net/" --azure-key-vault-certificate "NameOfMyCertificate" --azure-key-vault-client-id "ClientIdOfServicePrincipal" --azure-key-vault-client-secret "ClientSecretOfServicePrincipal" --azure-key-vault-tenant-id "MicrosoftEntraId" --description "Some Description" --description-url "" --verbosity Information "C:/Path/To/File(s)"

It is unclear to me what should be provided to the Description and Description-Url parameters; there is no clear documentation for this.

How should I proceed?

floyd-chan commented 3 weeks ago

I just read in this post that these two parameters can be set to $null:

https://github.com/dotnet/sign/issues/642#issuecomment-2148378970

I've tried this, and I get this error:

Option '-u' is required.

I am still stuck and I cannot determine what to do. Help?

dtivel commented 2 weeks ago

@floyd-chan, the values for --description and --description-url apply to Authenticode signatures. Here is signtool.exe's description for those values:

Command    Description
/d Desc    Specifies a description of the signed content.
/du URL    Specifies a URL for the expanded description of the signed content.

BTW, I recommend that you look at using a federated identity instead of a client secret when connecting with either GitHub Actions or Azure DevOps pipelines. In these cases, you'd use the --azure-key-vault-managed-identity parameter instead. Then, you wouldn't need to have a secret in your pipeline. @clairernovotny, can you link to samples for this?

clairernovotny commented 2 weeks ago

Hi @floyd-chan,

Sign CLI supports secret-less authentication using Workload Identity Federation for GitHub Actions and Azure Pipelines.

Here are a couple samples:

Docs on setting up the Workload Identity Federation are here:
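
The secret-less setup that dtivel and clairernovotny describe above, written out as a GitHub Actions workflow. This is an added example, not a sample from the dotnet/sign project or from either commenter. It assumes an app registration whose federated credential trusts this repository, with its IDs stored in the repository secrets AZURE_CLIENT_ID, AZURE_TENANT_ID and AZURE_SUBSCRIPTION_ID (names chosen here, not prescribed by the tool), that azure/login's OIDC sign-in is what --azure-key-vault-managed-identity picks up at run time, and that the Key Vault URL, certificate name, file glob, description and description URL are placeholders you replace with your own:

```yaml
# Added example (not dotnet/sign project code): sign build output with Sign CLI
# using Workload Identity Federation, so no client secret is stored in the pipeline.
# Assumed: the secrets below identify an app registration with a federated
# credential for this repository; PLACEHOLDER values are yours to fill in.
name: sign

on:
  push:
    tags: ['v*']

permissions:
  id-token: write   # lets the job request the OIDC token used for federation
  contents: read

jobs:
  sign:
    runs-on: windows-latest   # Authenticode signing with Sign CLI runs on Windows
    steps:
      - uses: actions/checkout@v4

      - name: Build
        run: dotnet build -c Release

      - name: Install Sign CLI
        run: dotnet tool install --global sign --prerelease

      # Federated sign-in: no --azure-key-vault-client-secret anywhere in the workflow.
      - name: Azure login (federated identity, no secret)
        uses: azure/login@v2
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}

      # --description / --description-url become the Authenticode /d and /du
      # values, so give them the product name and a page describing it.
      - name: Sign
        shell: pwsh
        run: >
          sign code azure-key-vault "PLACEHOLDER/path/to/**/*.app"
          --azure-key-vault-url "https://PLACEHOLDER-keyvault.vault.azure.net/"
          --azure-key-vault-certificate "PLACEHOLDER-certificate-name"
          --azure-key-vault-managed-identity
          --description "PLACEHOLDER product name"
          --description-url "https://PLACEHOLDER.example.com/product"
          --verbosity Information
```

The only credential material the job ever holds is the short-lived OIDC token exchanged by azure/login; the app registration's client ID and tenant ID are not secrets in themselves and are kept in secrets here only to keep them out of the workflow file.
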

dlemstra commented 2 days ago

The --description and --description-url options were made optional in this pull request: #718.