ALOps App Sign

Sign Business Central .app files using PFX certificates or HSM (Azure Key Vault / Trusted Signing).

| Property | Value |
|---|---|
| Task name (Azure DevOps) | ALOpsAppSign@3 |
| Action name (GitHub) | alops-appsign |
| Version | 3.0.0 |
| Category | Utility |
| OS requirement | Windows |
| Preview | yes |

Sign Business Central .app files with a code-signing certificate. Supports PFX file-based signing (local or URL), Azure Key Vault HSM, and Trusted Signing. Batch signing of all compiled apps is supported via the ALOPS_COMPILE_ARTIFACT_ARRAY variable.

Inputs

signing

| Name | Type | Required | Default | Platform | Description |
|---|---|---|---|---|---|
| signmethod | PickList | yes | PFX | Both | Signing method: PFX for file-based certificate signing, HSM for hardware security module signing (Azure Key Vault or Trusted Signing). Options: PFX, HSM. |
| usedocker | Boolean | no | false | Both | Run signing inside a Docker container. The app and PFX are copied into the container, signed, and copied back. |
| fixed_tag | Text | no | (empty) | Both | Fixed container label. When set, uses this value to locate the Docker container instead of the build ID. |
| timestamp_uri | Text | no | (empty) | Both | Time-stamping authority URL. Defaults to http://timestamp.digicert.com if empty. |
| hsmmethod | PickList | no | KEYVAULT | Both | HSM signing method: KEYVAULT for Azure Key Vault, TRUSTED for Azure Trusted Signing. Options: KEYVAULT, TRUSTED. |
| hsm_description | Text | no | (empty) | Both | Description text embedded in the digital signature. |
| hsm_description_url | Text | no | (empty) | Both | URL embedded in the digital signature description. |
| hsm_digestalgorithm | Text | no | sha256 | Both | Hash algorithm for digest and timestamp. Default: sha256. |

source

| Name | Type | Required | Default | Platform | Description |
|---|---|---|---|---|---|
| batchsigncompiledapps | Boolean | no | false | Both | Sign all apps from the ALOPS_COMPILE_ARTIFACT_ARRAY variable (set by ALOpsAppCompiler). |
| artifact_path | Text | no | (empty) | Both | Path to the folder containing .app files to sign. Leave empty to scan the workspace directory. |
| nav_artifact_app_filter | Text | no | *.app | Both | Glob filter for .app files to sign. |
| publish_artifact | Boolean | no | true (alt: true) | Azure DevOps only | Upload signed .app files as build artifacts. |

pfx

| Name | Type | Required | Default | Platform | Description |
|---|---|---|---|---|---|
| pfx_path | Text | no | (empty) | Both | Path or URL to the PFX certificate file. If a URL is provided, the file is downloaded automatically. |
| pfx_password | Secret | no | (empty) | Both | Password for the PFX certificate. Store this in a pipeline secret variable. |

hsm_trusted

| Name | Type | Required | Default | Platform | Description |
|---|---|---|---|---|---|
| hsm_signing_endpoint | Text | no | (empty) | Both | Azure Trusted Signing endpoint URL. |
| hsm_signing_account | Text | no | (empty) | Both | Azure Trusted Signing account name. |
| hsm_trusted_certificateprofile | Text | no | (empty) | Both | Certificate profile name for Azure Trusted Signing. |

hsm_keyvault

| Name | Type | Required | Default | Platform | Description |
|---|---|---|---|---|---|
| hsm_keyvault_name | Text | no | (empty) | Both | Azure Key Vault name (just the name, not the full URL). |
| hsm_keyvault_certificate_name | Text | no | (empty) | Both | Certificate name in the Azure Key Vault. |
| hsm_tenantid | Text | no | (empty) | Both | Azure AD tenant ID for service principal authentication. Leave empty for managed identity. |
| hsm_clientid | Text | no | (empty) | Both | Azure AD application (client) ID for service principal authentication. Leave empty for managed identity. |
| hsm_client_secret | Secret | no | (empty) | Both | Azure AD client secret for service principal authentication. Store this in a pipeline secret variable. |

Outputs

| Name | Description |
|---|---|
| signed_artifact_path | Path to the last signed .app file. |
| signed_artifact_paths | Comma-separated list of all signed .app file paths. |
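A post-signing check a pipeline can run on the `signed_artifact_paths` output before the artifacts are published, as an added example that is not part of ALOps. The environment variable names are hypothetical (the pipeline would map the task output and the expected certificate thumbprint into them), and the script assumes the agent can read .app signatures, which it can wherever the task itself is able to sign them.

```powershell
# Added example, not part of ALOps: verify what ALOpsAppSign produced before publishing it.
# Assumptions (hypothetical names, set by the pipeline):
#   $env:SIGNED_ARTIFACT_PATHS  the task's comma-separated signed_artifact_paths output
#   $env:EXPECTED_THUMBPRINT    thumbprint of the certificate that is supposed to sign releases
# Also assumes the agent can read .app signatures (the same Business Central SIP that
# lets the task sign .app files must be registered on the agent).
param(
    [string]$Paths = $env:SIGNED_ARTIFACT_PATHS,
    [string]$ExpectedThumbprint = $env:EXPECTED_THUMBPRINT
)

$failures = @()
$files = $Paths -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
if (-not $files) { $failures += 'signed_artifact_paths is empty: nothing was signed' }

foreach ($path in $files) {
    if (-not (Test-Path -LiteralPath $path)) {
        $failures += "${path}: file not found"
        continue
    }
    $sig = Get-AuthenticodeSignature -LiteralPath $path
    # Anything other than Valid (NotSigned, HashMismatch, NotTrusted, ...) fails the build.
    if ($sig.Status -ne 'Valid') {
        $failures += "${path}: signature status $($sig.Status) ($($sig.StatusMessage))"
        continue
    }
    # A valid signature from the wrong certificate means the wrong PFX or Key Vault cert was used.
    if ($sig.SignerCertificate.Thumbprint -ne $ExpectedThumbprint) {
        $failures += "${path}: signed by unexpected certificate $($sig.SignerCertificate.Thumbprint)"
    }
    # Without a timestamp countersignature the signature stops validating once the cert expires.
    if (-not $sig.TimeStamperCertificate) {
        $failures += "${path}: no timestamp countersignature (check timestamp_uri)"
    }
}

if ($failures) {
    # ##vso[task.logissue] surfaces each problem in the Azure DevOps build summary.
    $failures | ForEach-Object { Write-Host "##vso[task.logissue type=error]$_" }
    exit 1
}
Write-Host "All $(@($files).Count) signed .app files verified against $ExpectedThumbprint"
```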

Usage

Azure DevOps (ALOpsAppSign@3):

- task: ALOpsAppSign@3
  displayName: 'ALOps App Sign'
  inputs:
    signmethod: PFX                       # Signing method: PFX for file-based certificate signing, HSM for hardware security module signing (Azure Key Vault or Trusted Signing). $(signmethod)
    usedocker: False                      # Run signing inside a Docker container. The app and PFX are copied into the container, signed, and copied back. $(usedocker)
    fixed_tag:                            # Fixed container label. When set, uses this value to locate the Docker container instead of the build ID. $(fixed_tag)
    timestamp_uri:                        # Time-stamping authority URL. Defaults to http://timestamp.digicert.com if empty. $(timestamp_uri)
    hsmmethod: KEYVAULT                   # HSM signing method: KEYVAULT for Azure Key Vault, TRUSTED for Azure Trusted Signing. $(hsmmethod)
    hsm_description:                      # Description text embedded in the digital signature. $(hsm_description)
    hsm_description_url:                  # URL embedded in the digital signature description. $(hsm_description_url)
    hsm_digestalgorithm: sha256           # Hash algorithm for digest and timestamp. Default: sha256. $(hsm_digestalgorithm)
    batchsigncompiledapps: False          # Sign all apps from the ALOPS_COMPILE_ARTIFACT_ARRAY variable (set by ALOpsAppCompiler). $(batchsigncompiledapps)
    artifact_path:                        # Path to the folder containing .app files to sign. Leave empty to scan the workspace directory. $(artifact_path)
    nav_artifact_app_filter: '*.app'      # Glob filter for .app files to sign. Quoted: an unquoted leading * is a YAML alias. $(nav_artifact_app_filter)
    publish_artifact: True                # Upload signed .app files as build artifacts. $(publish_artifact)
    pfx_path:                             # Path or URL to the PFX certificate file. If a URL is provided, the file is downloaded automatically. $(pfx_path)
    pfx_password:                         # Password for the PFX certificate. Store this in a pipeline secret variable. $(pfx_password)
    hsm_signing_endpoint:                 # Azure Trusted Signing endpoint URL. $(hsm_signing_endpoint)
    hsm_signing_account:                  # Azure Trusted Signing account name. $(hsm_signing_account)
    hsm_trusted_certificateprofile:       # Certificate profile name for Azure Trusted Signing. $(hsm_trusted_certificateprofile)
    hsm_keyvault_name:                    # Azure Key Vault name (just the name, not the full URL). $(hsm_keyvault_name)
    hsm_keyvault_certificate_name:        # Certificate name in the Azure Key Vault. $(hsm_keyvault_certificate_name)
    hsm_tenantid:                         # Azure AD tenant ID for service principal authentication. Leave empty for managed identity. $(hsm_tenantid)
    hsm_clientid:                         # Azure AD application (client) ID for service principal authentication. Leave empty for managed identity. $(hsm_clientid)
    hsm_client_secret:                    # Azure AD client secret for service principal authentication. Store this in a pipeline secret variable. $(hsm_client_secret)

GitHub (alops-appsign):

- name: ALOps App Sign
  uses: HodorNV/ALOps-V3/alops-appsign@v3   <!-- TODO: confirm action repo path -->
  with:
    signmethod: 'PFX'
    usedocker: 'false'
    fixed_tag: ''
    timestamp_uri: ''
    hsmmethod: 'KEYVAULT'
    hsm_description: ''
    hsm_description_url: ''
    hsm_digestalgorithm: 'sha256'
    batchsigncompiledapps: 'false'
    artifact_path: ''
    nav_artifact_app_filter: '*.app'
    pfx_path: ''
    pfx_password: ''
    hsm_signing_endpoint: ''
    hsm_signing_account: ''
    hsm_trusted_certificateprofile: ''
    hsm_keyvault_name: ''
    hsm_keyvault_certificate_name: ''
    hsm_tenantid: ''
    hsm_clientid: ''
    hsm_client_secret: ''