Signing binaries while deploying automatically to Azure App Service from github

I would like to sign my binaries when deploying to Azure App Service via github (which uses Kudu underneath). I know I can run a custom script to build the project. Maybe I can use that approach to sign the binaries during the build and deploy the signed bits? I guess I could put my certificate in Azure Key Vault. How do I access it without checking any secrets into github?

Does anyone have experience with this?

You are on the right track. A custom deployment script should do it:
http://blog.amitapple.com/post/38417491924/azurewebsitecustomdeploymentpart1
https://github.com/projectkudu/kudu/wiki/Custom-Deployment-Script

In Kudu you do not have Azure PowerShell installed, so you would have to pull the certificate from Key Vault via REST.

Update: Azure Functions does have the Azure RM cmdlets installed. You could write a function app in PowerShell that pulls the certificate from Key Vault. Use a Service Principal with Login-AzureRmAccount for unattended login.

The secrets needed to accomplish that task should be kept in App Settings. They are exposed to you in Kudu as environment variables: https://azure.microsoft.com/en-gb/documentation/articles/web-sites-configure/

App settings

This section contains name/value pairs that your web app will load on start up. For .NET apps, these settings are injected into your .NET configuration AppSettings at runtime, overriding existing settings.

PHP, Python, Java and Node applications can access these settings as environment variables at runtime. For each app setting, two environment variables are created; one with the name specified by the app setting entry, and another with a prefix of APPSETTING_. Both contain the same value.

Alternatively, you can pull the certificate from the App Service store (the "My" store). Here is how:

From https://azure.microsoft.com/en-us/blog/using-certificates-in-azure-websites-applications/

Adding an app setting named WEBSITE_LOAD_CERTIFICATES with its value set to the thumbprint of the certificate will make it accessible to your web application. You can have multiple comma-separated thumbprint values or can set this value to * in which case all your certificates will be loaded to your web applications personal certificate store.

using System;
using System.Security.Cryptography.X509Certificates;

namespace UseCertificateInAzureWebsiteApp
{
  class Program
  {
    static void Main(string[] args)
    {
      // App Service loads the certificates listed in WEBSITE_LOAD_CERTIFICATES
      // into the CurrentUser\My store of the sandbox the app (and Kudu) runs in.
      X509Store certStore = new X509Store(StoreName.My, StoreLocation.CurrentUser);
      certStore.Open(OpenFlags.ReadOnly);
      X509Certificate2Collection certCollection = certStore.Certificates.Find(
                                 X509FindType.FindByThumbprint,
                                 // Replace below with your cert's thumbprint
                                 "E661583E8FABEF4C0BEF694CBC41C28FB81CD870",
                                 // validOnly = false: expired/untrusted certs are returned too
                                 false);
      // Get the first cert with the thumbprint
      if (certCollection.Count > 0)
      {
        X509Certificate2 cert = certCollection[0];
        // Use certificate
        Console.WriteLine(cert.FriendlyName);
      }
      certStore.Close();
    }
  }
}

No certificate validation is done for you. You need to implement it yourself by comparing against a value stored in App Settings or in Key Vault.
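The following script is an added example, not code from the answer above or from the Kudu project. It puts the pieces of the answer together as a signing step that a Kudu custom deployment script (deploy.cmd) can call with `powershell -NoProfile -ExecutionPolicy Bypass -File sign-binaries.ps1`. It first looks for the signing certificate that App Service loaded into CurrentUser\My via WEBSITE_LOAD_CERTIFICATES; if it is not there, it pulls the PFX from Key Vault over REST using a service principal whose credentials live in App Settings (exposed to Kudu as environment variables), never in the repository. Because nothing validates the certificate for you, it pins the certificate to a thumbprint kept in App Settings before signing. The setting names (CODESIGN_THUMBPRINT, KEYVAULT_URL, CODESIGN_CERT_SECRET, AAD_TENANT_ID, AAD_CLIENT_ID, AAD_CLIENT_SECRET) are assumptions, as is the availability of signtool.exe on the PATH inside the Kudu sandbox; DEPLOYMENT_TARGET is set by Kudu itself.

```powershell
# sign-binaries.ps1 (added example, not the original answer's code).
# Called from a Kudu custom deployment script after the build step.
$ErrorActionPreference = 'Stop'

# App Settings are exposed to Kudu as environment variables. All names below are assumed.
$expectedThumbprint = $env:CODESIGN_THUMBPRINT     # hex SHA-1 thumbprint of the signing cert
$vaultUrl           = $env:KEYVAULT_URL            # e.g. https://<vault>.vault.azure.net
$secretName         = $env:CODESIGN_CERT_SECRET    # Key Vault secret that backs the certificate
$tenantId           = $env:AAD_TENANT_ID           # service principal used for unattended access
$clientId           = $env:AAD_CLIENT_ID
$clientSecret       = $env:AAD_CLIENT_SECRET
$target             = $env:DEPLOYMENT_TARGET       # set by Kudu; folder with the built output
if (-not $target) { $target = (Get-Location).Path }
if (-not $expectedThumbprint) { throw 'CODESIGN_THUMBPRINT app setting is required' }
# Normalise the pinned value: drop spaces/colons a portal copy-paste may contain.
$expectedThumbprint = ($expectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()

function Get-KeyVaultAccessToken {
    # OAuth2 client-credentials flow against Azure AD for the Key Vault audience.
    $body = @{
        grant_type    = 'client_credentials'
        client_id     = $clientId
        client_secret = $clientSecret
        resource      = 'https://vault.azure.net'
    }
    $resp = Invoke-RestMethod -Method Post -Body $body `
        -Uri "https://login.microsoftonline.com/$tenantId/oauth2/token"
    return $resp.access_token
}

function Import-CertificateFromKeyVault {
    # A certificate created in Key Vault is readable as a secret whose value is the
    # base64-encoded PFX (with an empty password). Fetch it over REST, never via the repo.
    $token  = Get-KeyVaultAccessToken
    $secret = Invoke-RestMethod -Method Get -Headers @{ Authorization = "Bearer $token" } `
        -Uri "$vaultUrl/secrets/$secretName?api-version=7.4"
    $pfx  = [Convert]::FromBase64String($secret.value)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
    # Keep the private key in the user key set; do not write the PFX to the deployment folder.
    $cert.Import($pfx, '', 'UserKeySet')
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'CurrentUser')
    $store.Open('ReadWrite'); $store.Add($cert); $store.Close()
    return $cert
}

# 1. Prefer the certificate App Service already loaded via WEBSITE_LOAD_CERTIFICATES.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'CurrentUser')
$store.Open('ReadOnly')
$cert = $store.Certificates | Where-Object { $_.Thumbprint -eq $expectedThumbprint } | Select-Object -First 1
$store.Close()

# 2. Otherwise pull it from Key Vault over REST.
if (-not $cert) { $cert = Import-CertificateFromKeyVault }

# 3. Nothing validates the certificate for you: pin it to the App Setting value and
#    refuse to sign with a certificate that has no private key or has expired.
if ($cert.Thumbprint -ne $expectedThumbprint) {
    throw "Certificate thumbprint $($cert.Thumbprint) does not match CODESIGN_THUMBPRINT"
}
if (-not $cert.HasPrivateKey) { throw 'Signing certificate has no private key' }
if ($cert.NotAfter -lt (Get-Date)) { throw 'Signing certificate has expired' }

# 4. Sign the build output. signtool selects the certificate from the user's My store by
#    thumbprint (/sha1), uses SHA-256 digests and an RFC 3161 timestamp so signatures
#    outlive the certificate. signtool.exe on the PATH is an assumption.
$binaries = Get-ChildItem -Path $target -Recurse -Include '*.dll', '*.exe'
foreach ($bin in $binaries) {
    & signtool.exe sign /sha1 $cert.Thumbprint /fd SHA256 `
        /tr http://timestamp.digicert.com /td SHA256 $bin.FullName
    if ($LASTEXITCODE -ne 0) { throw "signtool failed on $($bin.FullName)" }
    # Verify what was just written; a failure here aborts the deployment.
    & signtool.exe verify /pa /q $bin.FullName
    if ($LASTEXITCODE -ne 0) { throw "signature verification failed on $($bin.FullName)" }
}
Write-Output "Signed $($binaries.Count) binaries with $($cert.Thumbprint)"
```

Throwing on any mismatch matters more than it looks: a custom deployment script that exits non-zero makes Kudu mark the deployment as failed, so unsigned or wrongly signed bits never go live. The service principal should be granted only `get` on secrets for that one vault, and the client secret belongs in App Settings (or, where available, a Key Vault reference), not in the github repository.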