I need to add certificate signing to my build. Below is a sample of the working script I wrote, however it includes the password to the .pfx file. I can't keep the password in the build script. What are "best practices" or hacks that you would use in this type of situation?
<ItemGroup Label="SignFiles">
<SignFilesInclude="$(FileLocation)\**\*.exe"/>
</ItemGroup>
<Exec Command="$(SignTool) sign /v /ac C:\MSCV-VSClass3.cer /f C:\Certificate.pfx /p Password /t http://timestamp.verisign.com/scripts/timestamp.dll %(SignFiles.Identity)"/>
After googling, I read in multiple places that once you run the script the first time with the password, the .pfx is stored in the certificate store and the password won't be required in the build script after that. This works, however I want to make sure this is the best way to do it or better yet, there is a way to avoid putting the password in the script.
Import your .pfx-file to Windows Certificate Manager for the user account which is used when building. Then select the correct certificate using signtool's /sha1 switch, and no password is needed.
certmgr.msc12 34 56 78 90 ab cd ef 12 34 56 78 90 ab cd ef 12 34 56 78signtool sign /sha1 1234567890abcdef1234567890abcdef12345678 /t http://timestamp.verisign.com/scripts/timestamp.dll %(SignFiles.Identity)And step 8 will not ask for a password.