Taming TFS - Digitally signing assemblies

By eidias on (tags: tfs, categories: infrastructure)

Signing is a bit more tricky than strong naming. I didn’t want to use delay signing, because that requires additional configuration on development stations, so just like with strong naming – plain old simple build on the development machine and the fancy stuff on the build server.

I already have a certificate for signing but that needs to be in the build users private cert store. That can be achieved by following these steps:

  1. Log in as the user that is used to run the build
  2. Win+r and type in mmc and press “Ok”
  3. Press ctrl+m to add a snap in
  4. Select the certificates snap-in and press “Add”
  5. In the dialog that popped up, select “My user account” and press “Finish”
  6. Press “Ok” on the “Add or remove snap-ins” window
  7. Expand the tree on the left and right click on “Personal” node
  8. Select “All tasks” and then “Import…”
  9. Follow the steps on the wizard. When prompted to select a cert store, select the option stating “Automatically select the certificate store based on the type of the certificate”
  10. Press next, then finish

The certificate is now in the store and can be used to sign files.

Here is the flow I used


I decided to create a template argument that holds a list of files to sign. With the variety of projects, it could get tricky to determine which files to sign, so I went for the manual configuration.

The key activity here is the one called “Sign”. It’s of type InvokeProcess and has the following parameters specified

Param Value
Arguments String.Format("sign /sha1 ""{0}"" /tr ""{1}"" ""{2}""", Thumbprint, TimestampingServer, file)
FileName "signtool.exe"
WorkingDirectory outputDirectory

The rest is left blank.

Note that the user under which the build service is running needs to have a path to signtool in it’s environment variables, or if you’re not happy with that, you can either put a fixed path in it, or parameterize it wit a template argument.
That should be enough to sign files. If you want to check if that went ok, you can run the following command:

   1: signtool verify /a <assembly>

There is a caveat here – only assemblies can be signed with this configuration. If for some reason you’d like to sign something else, you need to adjust this template to suit your requirements.