Update to latest signing infrastructure

Fixes 7546

5 files changed, 37 insertions, 48 deletions

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 3b32174c..69d3929e 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -28,6 +28,8 @@ jobs:
   build:
     name: Build
     runs-on: windows-2022
+    permissions:
+      id-token: write
     steps:
       - name: Checkout code
         uses: actions/checkout@v3
@@ -38,6 +40,11 @@ jobs:
       #   shell: cmd
       #   run: ./src/vs_config.cmd
 
+      - name: Install sign tool
+        if: (github.ref == 'refs/heads/master')
+        shell: cmd
+        run: dotnet tool install --tool-path build\.tools sign --version 0.9.1-beta.23356.1
+
       - name: Configure automated logging and crash dumps
         shell: cmd
         run: |
@@ -50,13 +57,22 @@ jobs:
           reg add "HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\Windows Error Reporting\LocalDumps" /t REG_DWORD /v DumpCount /d 10 /f
           reg add "HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\Windows Error Reporting\LocalDumps" /t REG_DWORD /v DumpType /d 1
 
+      - name: 'Az CLI login'
+        if: (github.ref == 'refs/heads/master')
+        uses: azure/login@v1
+        with:
+          allow-no-subscriptions: true
+          client-id: ${{ secrets.WIX_SIGNING_CLIENTID }}
+          tenant-id: ${{ secrets.WIX_SIGNING_TENANTID }}
+          subscription-id: ${{ secrets.WIX_SIGNING_SUBSCRIPTIONID }}
+
       - name: Build wix4
         shell: cmd
         run: ./src/build_official.cmd
         env:
           RuntimeTestsEnabled: true
-          SigningUser:  ${{ github.ref == 'refs/heads/master' && secrets.WIX_SIGNING_USER || '' }}
-          SigningSecret:  ${{ github.ref == 'refs/heads/master' && secrets.WIX_SIGNING_SECRET || '' }}
+          SigningVaultUri:  ${{ github.ref == 'refs/heads/master' && secrets.WIX_SIGNING_VAULTURI || '' }}
+          SigningCertName:  ${{ github.ref == 'refs/heads/master' && secrets.WIX_SIGNING_CERTNAME || '' }}
 
       - name: Validate test results
         shell: cmd
diff --git a/src/Directory.Build.targets b/src/Directory.Build.targets
index 0dd56353..74a381ba 100644
--- a/src/Directory.Build.targets
+++ b/src/Directory.Build.targets
@@ -4,9 +4,9 @@
 <Project>
   <PropertyGroup>
     <SigningToolFolder>$(ToolsFolder)</SigningToolFolder>
-    <SigningToolExe>$(SigningToolFolder)\SignClient.exe</SigningToolExe>
-    <SigningFilelist>$(SigningToolFolder)\empty-filelist.txt</SigningFilelist>
-    <SigningConfiguration>$([MSBuild]::GetDirectoryNameOfFileAbove($(MSBuildProjectDirectory), signing.json))\signing.json</SigningConfiguration>
+    <SigningToolExe>$(SigningToolFolder)\sign.exe</SigningToolExe>
+    <SigningFilelist>$(MSBuildThisFileDirectory)signing-empty-file-list.txt</SigningFilelist>
+    <SigningConfiguration>--description "WiX Toolset" --description-url "https://wixtoolset.org/" --timestamp-url "http://timestamp.digicert.com" --file-list "$(SigningFilelist)" --azure-key-vault-managed-identity true --azure-key-vault-url "$(SigningVaultUri)" --azure-key-vault-certificate "$(SigningCertName)"</SigningConfiguration>
   </PropertyGroup>
 
   <PropertyGroup Condition=" '$(IsWixTestSupportProject)'=='true' ">
@@ -113,47 +113,39 @@
     </ItemGroup>
   </Target>
 
-  <Target Name="_GetSignClient"
-          Condition=" !Exists('$(SigningToolExe)') ">
-
-    <WriteLinesToFile File='$(SigningFilelist)' Lines='do-not-sign-files-in-nupkg' Overwrite='true' />
-
-    <Exec Command='dotnet.exe tool install --tool-path "$(SigningToolFolder)" SignClient' IgnoreExitCode='true' />
-  </Target>
-
-  <Target Name="SignOutput" DependsOnTargets="_GetSignClient" AfterTargets="AfterBuild"
-          Condition=" '$(SigningUser)'!='' and '$(SignOutput)'!='false' and 
+  <Target Name="SignOutput" AfterTargets="AfterBuild"
+          Condition=" '$(SigningCertName)'!='' and '$(SignOutput)'!='false' and 
                       ('$(MSBuildProjectExtension)'=='.csproj' or ('$(MSBuildProjectExtension)'=='.vcxproj' and '$(ConfigurationType)'!='StaticLibrary'))">
 
-    <Message Importance="high" Text="Signing file: $(TargetPath) using configuration from: $(SigningConfiguration)" />
+    <Message Importance="high" Text="Signing file: $(TargetPath)" />
 
-    <Exec Command='"$(SigningToolExe)" sign -i $(TargetPath) -c "$(SigningConfiguration)" -n "WiX Toolset" -d "WiX Toolset" -u https://wixtoolset.org/ -r "$(SigningUser)" -s "$(SigningSecret)"'
+    <Exec Command='"$(SigningToolExe)" code azure-key-vault $(TargetPath) $(SigningConfiguration)'
           WorkingDirectory="$(MSBuildProjectDirectory)" EchoOff="true" />
   </Target>
 
-  <Target Name="SignNupkg" DependsOnTargets="_GetSignClient" AfterTargets="Pack;PackNative"
-          Condition=" '$(SigningUser)'!='' and '@(NuGetPackOutput)'!='' and '$(SignNupkg)'!='false' ">
+  <Target Name="SignNupkg" AfterTargets="Pack;PackNative"
+          Condition=" '$(SigningCertName)'!='' and '@(NuGetPackOutput)'!='' and '$(SignNupkg)'!='false' ">
     <ItemGroup>
       <SigningNupkgs Include="@(NuGetPackOutput)" Condition=" '%(Extension)'=='.nupkg' " />
     </ItemGroup>
 
-    <Message Importance="high" Text="Signing nupkg: @(SigningNupkgs->&apos;%(Identity)&apos;) using configuration from: $(SigningConfiguration)" />
+    <Message Importance="high" Text="Signing nupkg: @(SigningNupkgs->&apos;%(Identity)&apos;)" />
 
-    <Exec Command='"$(SigningToolExe)" sign -i "@(SigningNupkgs->&apos;%(Identity)&apos;)" -c "$(SigningConfiguration)" -f "$(SigningFilelist)" -n "WiX Toolset" -d "WiX Toolset" -u https://wixtoolset.org/ -r "$(SigningUser)" -s "$(SigningSecret)"'
+    <Exec Command='"$(SigningToolExe)" code azure-key-vault "@(SigningNupkgs->&apos;%(Identity)&apos;)" $(SigningConfiguration)'
           WorkingDirectory="$(MSBuildProjectDirectory)" EchoOff="true" />
   </Target>
 
-  <Target Name="SignBundleEngine" DependsOnTargets="_GetSignClient" Condition=" '$(SigningUser)'!='' and '$(SignOutput)'!='false' ">
-    <Message Importance="high" Text="Signing bundle engine: @(SignBundleEngine->&apos;%(Identity)&apos;) using configuration from: $(SigningConfiguration)" />
+  <Target Name="SignBundleEngine" Condition=" '$(SigningCertName)'!='' and '$(SignOutput)'!='false' ">
+    <Message Importance="high" Text="Signing bundle engine: @(SignBundleEngine->&apos;%(Identity)&apos;)" />
 
-    <Exec Command='"$(SigningToolExe)" sign -i "@(SignBundleEngine->&apos;%(Identity)&apos;)" -c "$(SigningConfiguration)" -f "$(SigningFilelist)" -n "WiX Toolset" -d "WiX Toolset" -u https://wixtoolset.org/ -r "$(SigningUser)" -s "$(SigningSecret)"'
+    <Exec Command='"$(SigningToolExe)" code azure-key-vault "@(SignBundleEngine->&apos;%(Identity)&apos;)" $(SigningConfiguration)'
           WorkingDirectory="$(MSBuildProjectDirectory)" EchoOff="true" />
   </Target>
 
-  <Target Name="SignBundle" DependsOnTargets="_GetSignClient" Condition=" '$(SigningUser)'!='' and '$(SignOutput)'!='false' ">
-    <Message Importance="high" Text="Signing bundle: @(SignBundle->&apos;%(Identity)&apos;) using configuration from: $(SigningConfiguration)" />
+  <Target Name="SignBundle" Condition=" '$(SigningCertName)'!='' and '$(SignOutput)'!='false' ">
+    <Message Importance="high" Text="Signing bundle: @(SignBundle->&apos;%(Identity)&apos;)" />
 
-    <Exec Command='"$(SigningToolExe)" sign -i "@(SignBundle->&apos;%(Identity)&apos;)" -c "$(SigningConfiguration)" -f "$(SigningFilelist)" -n "WiX Toolset" -d "WiX Toolset" -u https://wixtoolset.org/ -r "$(SigningUser)" -s "$(SigningSecret)"'
+    <Exec Command='"$(SigningToolExe)" code azure-key-vault "@(SignBundle->&apos;%(Identity)&apos;)" $(SigningConfiguration)'
           WorkingDirectory="$(MSBuildProjectDirectory)" EchoOff="true" />
   </Target>
 
diff --git a/src/internal/SetBuildNumber/SetBuildNumber.proj b/src/internal/SetBuildNumber/SetBuildNumber.proj
index 5e5bf564..6f101118 100644
--- a/src/internal/SetBuildNumber/SetBuildNumber.proj
+++ b/src/internal/SetBuildNumber/SetBuildNumber.proj
@@ -22,8 +22,7 @@
       GitThisAssembly;
       SetGlobalJson;
       SetDirectoryPackagesProps;
-      SetOverallWixVersions;
-      InstallSigningClient
+      SetOverallWixVersions
     </SetBuildNumbersDependsOn>
 
     <GlobalJsonPath>$([System.IO.Path]::GetFullPath($(MSBuildThisFileDirectory)..\..\..\global.json))</GlobalJsonPath>
@@ -106,12 +105,6 @@
   </Target>
 
 
-  <Target Name="InstallSigningClient"
-          DependsOnTargets="_GetSignClient"
-          Condition=" '$(SigningUser)'!='' ">
-  </Target>
-
-
   <Target Name="SetBuildNumbers"
           DependsOnTargets="$(SetBuildNumbersDependsOn)"
           BeforeTargets="AfterBuild" />
diff --git a/src/signing-empty-file-list.txt b/src/signing-empty-file-list.txt
new file mode 100644
index 00000000..246cc9b6
--- /dev/null
+++ b/src/signing-empty-file-list.txt
@@ -0,0 +1 @@
+this-file-prevents-files-from-being-signed-in-nupkgs
\ No newline at end of file
diff --git a/src/signing.json b/src/signing.json
deleted file mode 100644
index fe1c8c9b..00000000
--- a/src/signing.json
+++ /dev/null
@@ -1,13 +0,0 @@
-{
-  "SignClient": {
-    "AzureAd": {
-      "AADInstance": "https://login.microsoftonline.com/",
-      "ClientId": "c248d68a-ba6f-4aa9-8a68-71fe872063f8",
-      "TenantId": "16076fdc-fcc1-4a15-b1ca-32c9a255900e"
-    },
-    "Service": {
-      "Url": "https://codesign.dotnetfoundation.org/",
-      "ResourceId": "https://SignService/3c30251f-36f3-490b-a955-520addb85001"
-    }
-  }
-}