From 8866be8f98743cca92ece6858d2de404d221499f Mon Sep 17 00:00:00 2001
From: Zdenek Strach <ZdenekS@kentico.com>
Date: Thu, 29 Feb 2024 13:43:40 +0100
Subject: [PATCH 1/6] KX-11391 - SignFile replaced with AzureSignTool

---
 .azuredevops/pipelines/build-and-release.yaml | 25 +++++++++++++++++--
 Directory.Build.props                         |  1 +
 Directory.build.targets                       |  4 +--
 3 files changed, 26 insertions(+), 4 deletions(-)

diff --git a/.azuredevops/pipelines/build-and-release.yaml b/.azuredevops/pipelines/build-and-release.yaml
index 050daaf..0900683 100644
--- a/.azuredevops/pipelines/build-and-release.yaml
+++ b/.azuredevops/pipelines/build-and-release.yaml
@@ -16,7 +16,7 @@ parameters:
 
 variables:
   - name: SIGN_FILE
-    value: true
+    value: false
 
 stages:
   - stage: Build
@@ -31,7 +31,19 @@ stages:
               - Agent.Name -equals ${{ parameters.AgentName }}
 
         variables:
-          - group: 14.0 Authenticode signature parameters
+          - group: Code Sign KV Auth
+
+          - name: AuthenticodeKeyVaultUrl
+            value: https://kxdevopsvstsagents.vault.azure.net/
+
+          - name: AuthenticodeTenantId
+            value: e4fb6bec-b1f4-46dc-9ab8-c67549adc56d
+
+          - name: AuthenticodeCertificateName
+            value: code-signing
+
+          - name: AuthenticodeClientId
+            value: 783c0e5e-5065-4afe-a128-2d91f7a8d3f8
 
           - name: Configuration
             value: Release
@@ -43,6 +55,13 @@ stages:
             value: src/Kentico.Xperience.Algolia/Kentico.Xperience.Algolia.csproj
 
         steps:
+          - task: DotNetCoreCLI@2
+            displayName: Install AzureSignTool
+            inputs:
+              command: custom
+              custom: tool
+              arguments: install --global azuresigntool
+
           - task: PowerShell@2
             displayName: Set Node.js version from package.json
             inputs:
@@ -82,6 +101,8 @@ stages:
               projects: ${{ variables.ProjectFilePath }}
               configuration: ${{ variables.Configuration }}
               arguments: --no-restore
+            env:
+              AuthenticodeClientSecret: $(AuthenticodeClientSecret)
 
           - task: DotNetCoreCLI@2
             displayName: Create NuGet package
diff --git a/Directory.Build.props b/Directory.Build.props
index 16b0953..33e3c7d 100644
--- a/Directory.Build.props
+++ b/Directory.Build.props
@@ -31,6 +31,7 @@
     <CopyDebugSymbolFilesFromPackages>true</CopyDebugSymbolFilesFromPackages>
     <NoWarn>$(NoWarn);1591;S3267</NoWarn>
     <EnableDefaultEmbeddedResourceItems>false</EnableDefaultEmbeddedResourceItems>
+    <TimestampServerUrl>http://timestamp.digicert.com</TimestampServerUrl>
   </PropertyGroup>
 
   <PropertyGroup Condition=" $(Configuration) == 'Release' ">
diff --git a/Directory.build.targets b/Directory.build.targets
index e42ebd6..94efefa 100644
--- a/Directory.build.targets
+++ b/Directory.build.targets
@@ -8,7 +8,7 @@
             <AssemblyToSign Include="$(TargetPath)" />
             <AssemblyToSign Include="$(XmlSerializersTargetPath)" Condition="Exists('$(XmlSerializersTargetPath)')" />
         </ItemGroup>
-
-        <!--<SignFile CertificateThumbprint="$(AuthenticodeCertificateThumbprint)" TimestampUrl="http://time.certum.pl" SigningTarget="%(AssemblyToSign.Identity)" />-->
+        
+        <Exec Command="AzureSignTool sign --azure-key-vault-url $(AuthenticodeKeyVaultUrl) --azure-key-vault-tenant-id $(AuthenticodeTenantId) --azure-key-vault-client-id $(AuthenticodeClientId) --azure-key-vault-client-secret $(AuthenticodeClientSecret) --azure-key-vault-certificate $(AuthenticodeCertificateName) --timestamp-rfc3161 $(TimestampServerUrl) --skip-signed %(AssemblyToSign.Identity)" />
     </Target>
 </Project>
\ No newline at end of file

From 59d8797d461b57faed8c27260a1e04938b839f04 Mon Sep 17 00:00:00 2001
From: Zdenek Strach <ZdenekS@kentico.com>
Date: Thu, 29 Feb 2024 13:50:16 +0100
Subject: [PATCH 2/6] KX-11391 - AzureSignTool task moved in pipeline

---
 .azuredevops/pipelines/build-and-release.yaml | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/.azuredevops/pipelines/build-and-release.yaml b/.azuredevops/pipelines/build-and-release.yaml
index 0900683..265fdf7 100644
--- a/.azuredevops/pipelines/build-and-release.yaml
+++ b/.azuredevops/pipelines/build-and-release.yaml
@@ -55,13 +55,6 @@ stages:
             value: src/Kentico.Xperience.Algolia/Kentico.Xperience.Algolia.csproj
 
         steps:
-          - task: DotNetCoreCLI@2
-            displayName: Install AzureSignTool
-            inputs:
-              command: custom
-              custom: tool
-              arguments: install --global azuresigntool
-
           - task: PowerShell@2
             displayName: Set Node.js version from package.json
             inputs:
@@ -86,6 +79,13 @@ stages:
               packageType: sdk
               useGlobalJson: true
 
+          - task: DotNetCoreCLI@2
+            displayName: Install AzureSignTool
+            inputs:
+              command: custom
+              custom: tool
+              arguments: install --global azuresigntool
+
           - task: DotNetCoreCLI@2
             displayName: Restore dependencies
             inputs:

From ab953fef6f598d03cdbfba3079d55e803ef63ee8 Mon Sep 17 00:00:00 2001
From: Zdenek Strach <ZdenekS@kentico.com>
Date: Thu, 29 Feb 2024 14:25:12 +0100
Subject: [PATCH 3/6] KX-11391 - AzureSignTool installed via dotnet tools

---
 .azuredevops/pipelines/build-and-release.yaml |  5 +++--
 .config/dotnet-tools.json                     | 12 ++++++++++++
 2 files changed, 15 insertions(+), 2 deletions(-)
 create mode 100644 .config/dotnet-tools.json

diff --git a/.azuredevops/pipelines/build-and-release.yaml b/.azuredevops/pipelines/build-and-release.yaml
index 265fdf7..4f82893 100644
--- a/.azuredevops/pipelines/build-and-release.yaml
+++ b/.azuredevops/pipelines/build-and-release.yaml
@@ -80,11 +80,12 @@ stages:
               useGlobalJson: true
 
           - task: DotNetCoreCLI@2
-            displayName: Install AzureSignTool
+            displayName: Restore dotnet tools
             inputs:
               command: custom
               custom: tool
-              arguments: install --global azuresigntool
+              arguments: restore
+              workingDirectory: $(System.DefaultWorkingDirectory)
 
           - task: DotNetCoreCLI@2
             displayName: Restore dependencies
diff --git a/.config/dotnet-tools.json b/.config/dotnet-tools.json
new file mode 100644
index 0000000..708a45c
--- /dev/null
+++ b/.config/dotnet-tools.json
@@ -0,0 +1,12 @@
+{
+  "version": 1,
+  "isRoot": true,
+  "tools": {
+    "azuresigntool": {
+      "version": "4.0.1",
+      "commands": [
+        "azuresigntool"
+      ]
+    }
+  }
+}
\ No newline at end of file

From 2e4fc2cddc40554cb4b14744e8d26d31ef9c7efc Mon Sep 17 00:00:00 2001
From: Zdenek Strach <ZdenekS@kentico.com>
Date: Mon, 4 Mar 2024 21:58:32 +0100
Subject: [PATCH 4/6] KX-11391 - Sign config simplified

---
 .azuredevops/pipelines/build-and-release.yaml | 12 ------------
 1 file changed, 12 deletions(-)

diff --git a/.azuredevops/pipelines/build-and-release.yaml b/.azuredevops/pipelines/build-and-release.yaml
index 4f82893..c32178b 100644
--- a/.azuredevops/pipelines/build-and-release.yaml
+++ b/.azuredevops/pipelines/build-and-release.yaml
@@ -33,18 +33,6 @@ stages:
         variables:
           - group: Code Sign KV Auth
 
-          - name: AuthenticodeKeyVaultUrl
-            value: https://kxdevopsvstsagents.vault.azure.net/
-
-          - name: AuthenticodeTenantId
-            value: e4fb6bec-b1f4-46dc-9ab8-c67549adc56d
-
-          - name: AuthenticodeCertificateName
-            value: code-signing
-
-          - name: AuthenticodeClientId
-            value: 783c0e5e-5065-4afe-a128-2d91f7a8d3f8
-
           - name: Configuration
             value: Release
 

From c625d2603944790cdf5ab2c0dd876ea47208c5d0 Mon Sep 17 00:00:00 2001
From: Zdenek Strach <ZdenekS@kentico.com>
Date: Tue, 5 Mar 2024 12:10:21 +0100
Subject: [PATCH 5/6] KX-11391 - Signing enabled

---
 .azuredevops/pipelines/build-and-release.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.azuredevops/pipelines/build-and-release.yaml b/.azuredevops/pipelines/build-and-release.yaml
index c32178b..0c7a7f0 100644
--- a/.azuredevops/pipelines/build-and-release.yaml
+++ b/.azuredevops/pipelines/build-and-release.yaml
@@ -16,7 +16,7 @@ parameters:
 
 variables:
   - name: SIGN_FILE
-    value: false
+    value: true
 
 stages:
   - stage: Build

From 792db6376d37ea999c672766d1ea6e9fbfc69d9e Mon Sep 17 00:00:00 2001
From: Zdenek Strach <zdenek.strach@gmail.com>
Date: Wed, 6 Mar 2024 09:33:27 +0100
Subject: [PATCH 6/6] KX-11391 - Update Directory.build.targets

---
 Directory.build.targets | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/Directory.build.targets b/Directory.build.targets
index 94efefa..fec5935 100644
--- a/Directory.build.targets
+++ b/Directory.build.targets
@@ -9,6 +9,6 @@
             <AssemblyToSign Include="$(XmlSerializersTargetPath)" Condition="Exists('$(XmlSerializersTargetPath)')" />
         </ItemGroup>
         
-        <Exec Command="AzureSignTool sign --azure-key-vault-url $(AuthenticodeKeyVaultUrl) --azure-key-vault-tenant-id $(AuthenticodeTenantId) --azure-key-vault-client-id $(AuthenticodeClientId) --azure-key-vault-client-secret $(AuthenticodeClientSecret) --azure-key-vault-certificate $(AuthenticodeCertificateName) --timestamp-rfc3161 $(TimestampServerUrl) --skip-signed %(AssemblyToSign.Identity)" />
+        <Exec Command="dotnet AzureSignTool sign --azure-key-vault-url $(AuthenticodeKeyVaultUrl) --azure-key-vault-tenant-id $(AuthenticodeTenantId) --azure-key-vault-client-id $(AuthenticodeClientId) --azure-key-vault-client-secret $(AuthenticodeClientSecret) --azure-key-vault-certificate $(AuthenticodeCertificateName) --timestamp-rfc3161 $(TimestampServerUrl) --skip-signed %(AssemblyToSign.Identity)" />
     </Target>
-</Project>
\ No newline at end of file
+</Project>