From 52fe5c099b4f97fa43e0e683d704310712adcc2b Mon Sep 17 00:00:00 2001
From: Rob Mensching
Date: Thu, 5 Feb 2026 14:52:18 -0800
Subject: Update to latest sign tool and sign command-line requirements
---
 .github/workflows/build.yml | 19 +++++++++++++++----
 1 file changed, 15 insertions(+), 4 deletions(-)
(limited to '.github/workflows')
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 554d3c17..2c611356 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -41,7 +41,7 @@ jobs:
 - name: Install sign tool
 if: ${{ env.SignBuild == 'true' }}
 shell: cmd
- run: dotnet tool install --tool-path build\.tools sign --version 0.9.1-beta.24170.3
+ run: dotnet tool install --tool-path build\.tools sign --version 0.9.1-beta.25330.2
 - name: Configure automated logging and crash dumps
 shell: cmd
@@ -63,15 +63,26 @@ jobs:
 # client-id: ${{ secrets.WIX_SIGNING_CLIENTID }}
 # tenant-id: ${{ secrets.WIX_SIGNING_TENANTID }}
+ - name: Dump GitHub OIDC claims (diagnostic)
+ shell: pwsh
+ run: |
+ $token = Invoke-RestMethod `
+ -Headers @{ Authorization = "Bearer $env:ACTIONS_ID_TOKEN_REQUEST_TOKEN" } `
+ -Uri "$env:ACTIONS_ID_TOKEN_REQUEST_URL&audience=api://AzureADTokenExchange"
+ $parts = $token.value.Split('.')
+ $claims = [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($parts[1] + '=='))
+ Write-Host $claims
+
+
 - name: Build wix7
 shell: cmd
 run: ./src/build_official.cmd
 env:
 RuntimeTestsEnabled: true
+ AZURE_CLIENT_ID: ${{ env.SignBuild == 'true' && secrets.WIX_SIGNING_CLIENTID || '' }}
+ AZURE_TENANT_ID: ${{ env.SignBuild == 'true' && secrets.WIX_SIGNING_TENANTID || '' }}
+ AZURE_IDENTITY_LOGGING_ENABLED: true
 SigningKeyVaultUri: ${{ env.SignBuild == 'true' && secrets.WIX_SIGNING_VAULTURI || '' }}
- SigningTenantId: ${{ env.SignBuild == 'true' && secrets.WIX_SIGNING_TENANTID || '' }}
- SigningClientId: ${{ env.SignBuild == 'true' && secrets.WIX_SIGNING_CLIENTID || '' }}
- SigningClientSecret: ${{ env.SignBuild == 'true' && secrets.WIX_SIGNING_SECRET || '' }}
 SigningCertName: ${{ env.SignBuild == 'true' && secrets.WIX_SIGNING_CERTNAME || '' }}
 - name: Validate test results
-- cgit v1.2.3-55-g6feb
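Review bot: The new `Dump GitHub OIDC claims (diagnostic)` step has no `if:` guard, so it runs on every build, including ones where `env.SignBuild` is not 'true'; if the job has no `id-token: write` permission (the permissions block is not visible in this hunk), `ACTIONS_ID_TOKEN_REQUEST_URL` would be empty and the request would presumably fail the job. I would gate it like the sign-tool install step with `if: ${{ env.SignBuild == 'true' }}` and remove it once the federated-credential subject has been confirmed, since it writes the token's claims to the build log of a signing pipeline. The decode is also fragile: JWT segments are base64url without padding, so `FromBase64String($parts[1] + '==')` throws whenever the payload length is not 2 mod 4 or the payload contains `-` or `_`. `AZURE_IDENTITY_LOGGING_ENABLED: true` is likewise set unconditionally, unlike the neighbouring signing variables, and could be tied to the same `SignBuild` condition so that identity logging is only on for signing builds.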