Tags: wpf, jenkins, clickonce, azure-keyvault

ClickOnce signing via Azure Key Vault


Got a question regarding ClickOnce signing.

I have a server with Jenkins on it, which handles building a WPF application with ClickOnce as a deployment option. I have used a set of commands for MSBuild and mage.exe to produce an application file with deployment and application manifests signed by a provided *.pfx file.

Now the decision was made that the pfx file will not be provided. Instead, all keys were moved to the Azure Key Vault.

My question is: what is the correct flow to make manifest signing for the ClickOnce application work with Azure Key Vault? I just don't understand how to execute mage -update correctly when there is no path to provide as the -certfile argument.

Thanks in advance.


Solution

  • I have used the code here:

    https://github.com/davici-code/AzureSignToolClickOnce

    to successfully sign ClickOnce applications in Azure DevOps with a certificate stored in Azure Key Vault.

    It signs all the required executables and manifest files. Internally, AzureSignTool is used to sign the executables, and the mage code signs the manifests with Authenticode.

    https://www.davici.nl/blog/clickonce-signing-from-azure-devops-via-azure-key-vault

    For Jenkins it would also work.