5 files changed, 38 insertions, 48 deletions
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 47297ac5..4d10017e 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -24,6 +24,9 @@ jobs:
  build:
    name: Build
    runs-on: windows-2022
+    permissions:
+      packages: write
+      id-token: write
    steps:
      - name: Checkout code
        uses: actions/checkout@v3
@@ -34,6 +37,11 @@ jobs:
      #   shell: cmd
      #   run: ./src/vs_config.cmd
+      - name: Install sign tool
+        if: (github.ref == 'refs/heads/master')
+        shell: cmd
+        run: dotnet tool install --tool-path build\.tools sign --version 0.9.1-beta.23356.1
      - name: Configure automated logging and crash dumps
        shell: cmd
        run: |
@@ -46,13 +54,22 @@ jobs:
          reg add "HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\Windows Error Reporting\LocalDumps" /t REG_DWORD /v DumpCount /d 10 /f
          reg add "HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\Windows Error Reporting\LocalDumps" /t REG_DWORD /v DumpType /d 1
+      - name: 'Az CLI login'
+        if: (github.ref == 'refs/heads/master')
+        uses: azure/login@v1
+        with:
+          allow-no-subscriptions: true
+          client-id: ${{ secrets.WIX_SIGNING_CLIENTID }}
+          tenant-id: ${{ secrets.WIX_SIGNING_TENANTID }}
+          subscription-id: ${{ secrets.WIX_SIGNING_SUBSCRIPTIONID }}
      - name: Build wix4
        shell: cmd
        run: ./src/build_official.cmd
        env:
          RuntimeTestsEnabled: true
-          SigningUser:  ${{ github.ref == 'refs/heads/master' && secrets.WIX_SIGNING_USER || '' }}
+          SigningVaultUri:  ${{ github.ref == 'refs/heads/master' && secrets.WIX_SIGNING_VAULTURI || '' }}
-          SigningSecret:  ${{ github.ref == 'refs/heads/master' && secrets.WIX_SIGNING_SECRET || '' }}
+          SigningCertName:  ${{ github.ref == 'refs/heads/master' && secrets.WIX_SIGNING_CERTNAME || '' }}
      - name: Validate test results
        shell: cmd
diff --git a/src/Directory.Build.targets b/src/Directory.Build.targets
index 0dd56353..74a381ba 100644
--- a/src/Directory.Build.targets
+++ b/src/Directory.Build.targets
@@ -4,9 +4,9 @@
 <Project>
  <PropertyGroup>
    <SigningToolFolder>$(ToolsFolder)</SigningToolFolder>
-    <SigningToolExe>$(SigningToolFolder)\SignClient.exe</SigningToolExe>
+    <SigningToolExe>$(SigningToolFolder)\sign.exe</SigningToolExe>
-    <SigningFilelist>$(SigningToolFolder)\empty-filelist.txt</SigningFilelist>
+    <SigningFilelist>$(MSBuildThisFileDirectory)signing-empty-file-list.txt</SigningFilelist>
-    <SigningConfiguration>$([MSBuild]::GetDirectoryNameOfFileAbove($(MSBuildProjectDirectory), signing.json))\signing.json</SigningConfiguration>
+    <SigningConfiguration>--description "WiX Toolset" --description-url "https://wixtoolset.org/" --timestamp-url "http://timestamp.digicert.com" --file-list "$(SigningFilelist)" --azure-key-vault-managed-identity true --azure-key-vault-url "$(SigningVaultUri)" --azure-key-vault-certificate "$(SigningCertName)"</SigningConfiguration>
  </PropertyGroup>
  <PropertyGroup Condition=" '$(IsWixTestSupportProject)'=='true' ">
@@ -113,47 +113,39 @@
    </ItemGroup>
  </Target>
-  <Target Name="_GetSignClient"
+  <Target Name="SignOutput" AfterTargets="AfterBuild"
-          Condition=" !Exists('$(SigningToolExe)') ">
+          Condition=" '$(SigningCertName)'!='' and '$(SignOutput)'!='false' and 
-    <WriteLinesToFile File='$(SigningFilelist)' Lines='do-not-sign-files-in-nupkg' Overwrite='true' />
-    <Exec Command='dotnet.exe tool install --tool-path "$(SigningToolFolder)" SignClient' IgnoreExitCode='true' />
-  </Target>
-  <Target Name="SignOutput" DependsOnTargets="_GetSignClient" AfterTargets="AfterBuild"
-          Condition=" '$(SigningUser)'!='' and '$(SignOutput)'!='false' and 
                      ('$(MSBuildProjectExtension)'=='.csproj' or ('$(MSBuildProjectExtension)'=='.vcxproj' and '$(ConfigurationType)'!='StaticLibrary'))">
-    <Message Importance="high" Text="Signing file: $(TargetPath) using configuration from: $(SigningConfiguration)" />
+    <Message Importance="high" Text="Signing file: $(TargetPath)" />
-    <Exec Command='"$(SigningToolExe)" sign -i $(TargetPath) -c "$(SigningConfiguration)" -n "WiX Toolset" -d "WiX Toolset" -u https://wixtoolset.org/ -r "$(SigningUser)" -s "$(SigningSecret)"'
+    <Exec Command='"$(SigningToolExe)" code azure-key-vault $(TargetPath) $(SigningConfiguration)'
          WorkingDirectory="$(MSBuildProjectDirectory)" EchoOff="true" />
  </Target>
-  <Target Name="SignNupkg" DependsOnTargets="_GetSignClient" AfterTargets="Pack;PackNative"
+  <Target Name="SignNupkg" AfterTargets="Pack;PackNative"
-          Condition=" '$(SigningUser)'!='' and '@(NuGetPackOutput)'!='' and '$(SignNupkg)'!='false' ">
+          Condition=" '$(SigningCertName)'!='' and '@(NuGetPackOutput)'!='' and '$(SignNupkg)'!='false' ">
    <ItemGroup>
      <SigningNupkgs Include="@(NuGetPackOutput)" Condition=" '%(Extension)'=='.nupkg' " />
    </ItemGroup>
-    <Message Importance="high" Text="Signing nupkg: @(SigningNupkgs->&apos;%(Identity)&apos;) using configuration from: $(SigningConfiguration)" />
+    <Message Importance="high" Text="Signing nupkg: @(SigningNupkgs->&apos;%(Identity)&apos;)" />
-    <Exec Command='"$(SigningToolExe)" sign -i "@(SigningNupkgs->&apos;%(Identity)&apos;)" -c "$(SigningConfiguration)" -f "$(SigningFilelist)" -n "WiX Toolset" -d "WiX Toolset" -u https://wixtoolset.org/ -r "$(SigningUser)" -s "$(SigningSecret)"'
+    <Exec Command='"$(SigningToolExe)" code azure-key-vault "@(SigningNupkgs->&apos;%(Identity)&apos;)" $(SigningConfiguration)'
          WorkingDirectory="$(MSBuildProjectDirectory)" EchoOff="true" />
  </Target>
-  <Target Name="SignBundleEngine" DependsOnTargets="_GetSignClient" Condition=" '$(SigningUser)'!='' and '$(SignOutput)'!='false' ">
+  <Target Name="SignBundleEngine" Condition=" '$(SigningCertName)'!='' and '$(SignOutput)'!='false' ">
-    <Message Importance="high" Text="Signing bundle engine: @(SignBundleEngine->&apos;%(Identity)&apos;) using configuration from: $(SigningConfiguration)" />
+    <Message Importance="high" Text="Signing bundle engine: @(SignBundleEngine->&apos;%(Identity)&apos;)" />
-    <Exec Command='"$(SigningToolExe)" sign -i "@(SignBundleEngine->&apos;%(Identity)&apos;)" -c "$(SigningConfiguration)" -f "$(SigningFilelist)" -n "WiX Toolset" -d "WiX Toolset" -u https://wixtoolset.org/ -r "$(SigningUser)" -s "$(SigningSecret)"'
+    <Exec Command='"$(SigningToolExe)" code azure-key-vault "@(SignBundleEngine->&apos;%(Identity)&apos;)" $(SigningConfiguration)'
          WorkingDirectory="$(MSBuildProjectDirectory)" EchoOff="true" />
  </Target>
-  <Target Name="SignBundle" DependsOnTargets="_GetSignClient" Condition=" '$(SigningUser)'!='' and '$(SignOutput)'!='false' ">
+  <Target Name="SignBundle" Condition=" '$(SigningCertName)'!='' and '$(SignOutput)'!='false' ">
-    <Message Importance="high" Text="Signing bundle: @(SignBundle->&apos;%(Identity)&apos;) using configuration from: $(SigningConfiguration)" />
+    <Message Importance="high" Text="Signing bundle: @(SignBundle->&apos;%(Identity)&apos;)" />
-    <Exec Command='"$(SigningToolExe)" sign -i "@(SignBundle->&apos;%(Identity)&apos;)" -c "$(SigningConfiguration)" -f "$(SigningFilelist)" -n "WiX Toolset" -d "WiX Toolset" -u https://wixtoolset.org/ -r "$(SigningUser)" -s "$(SigningSecret)"'
+    <Exec Command='"$(SigningToolExe)" code azure-key-vault "@(SignBundle->&apos;%(Identity)&apos;)" $(SigningConfiguration)'
          WorkingDirectory="$(MSBuildProjectDirectory)" EchoOff="true" />
  </Target>
diff --git a/src/internal/SetBuildNumber/SetBuildNumber.proj b/src/internal/SetBuildNumber/SetBuildNumber.proj
index cf98234e..9ff4e7c3 100644
--- a/src/internal/SetBuildNumber/SetBuildNumber.proj
+++ b/src/internal/SetBuildNumber/SetBuildNumber.proj
@@ -22,8 +22,7 @@
      GitThisAssembly;
      SetGlobalJson;
      SetDirectoryPackagesProps;
-      SetOverallWixVersions;
+      SetOverallWixVersions
-      InstallSigningClient
    </SetBuildNumbersDependsOn>
    <GlobalJsonPath>$([System.IO.Path]::GetFullPath($(MSBuildThisFileDirectory)..\..\..\global.json))</GlobalJsonPath>
@@ -106,12 +105,6 @@
  </Target>
-  <Target Name="InstallSigningClient"
-          DependsOnTargets="_GetSignClient"
-          Condition=" '$(SigningUser)'!='' ">
-  </Target>
  <Target Name="SetBuildNumbers"
          DependsOnTargets="$(SetBuildNumbersDependsOn)"
          BeforeTargets="AfterBuild" />
diff --git a/src/signing-empty-file-list.txt b/src/signing-empty-file-list.txt
new file mode 100644
index 00000000..246cc9b6
--- /dev/null
+++ b/src/signing-empty-file-list.txt
@@ -0,0 +1 @@
+this-file-prevents-files-from-being-signed-in-nupkgs
+\ No newline at end of file
diff --git a/src/signing.json b/src/signing.json
deleted file mode 100644
index fe1c8c9b..00000000
--- a/src/signing.json
+++ /dev/null
@@ -1,13 +0,0 @@
-{
-  "SignClient": {
-    "AzureAd": {
-      "AADInstance": "https://login.microsoftonline.com/",
-      "ClientId": "c248d68a-ba6f-4aa9-8a68-71fe872063f8",
-      "TenantId": "16076fdc-fcc1-4a15-b1ca-32c9a255900e"
-    },
-    "Service": {
-      "Url": "https://codesign.dotnetfoundation.org/",
-      "ResourceId": "https://SignService/3c30251f-36f3-490b-a955-520addb85001"
-    }
-  }
-}