Sign packages with Azure Key Vault

In Visual Studio 2019 version 16.6 Preview 3 and later, you can sign UWP and desktop app packages with a certificate stored in Azure Key Vault for development and test scenarios. The tool extracts the certificate's public and private keys from your Azure Key Vault and loads them into the certificate store on your development computer so that SignTool.exe can sign the package with them. Because the private key leaves the vault, this flow is only appropriate where the development machine is an acceptable place for that key to exist.

Important

The process described in this article is intended for development and test scenarios only. It is not a best practice for the private keys you use for distribution: the signing key is downloaded to, and remains in, a certificate store on the developer's computer. To follow best security practice, the private keys used for distribution should be handled only by the tooling recommended by your continuous integration and continuous deployment (CI/CD) platform, where the key never needs to be exported to a workstation.

Prerequisites

  • An Azure account. If you do not already have an Azure account, start here.
  • An Azure Key Vault. For more info, see Create a Key Vault.
  • A valid package signing certificate imported into Azure Key Vault. A package signing certificate must carry the Code Signing enhanced key usage (OID 1.3.6.1.5.5.7.3.3) and have a Subject that exactly matches the Publisher attribute in your package manifest; the default certificate generated by Azure Key Vault does not meet these requirements and will not work for code signing. For details on how to create a package signing certificate, see Create a certificate for package signing.

Import a certificate to your Key Vault

Adding a certificate to your Key Vault is straightforward. In this example, we add a valid UWP code signing certificate called UwpSigningCert.pfx.

  1. On the Key Vault properties pages, select Certificates.
  2. Click Generate/Import.
  3. On the Create a certificate screen, choose the following values:
    • Method of Certificate Creation: Import
    • Certificate Name: UwpSigningCert
    • Upload Certificate File: UwpSigningCert.pfx
    • Decrypt Certificate: if your certificate is password-protected, provide the password in the Password field.
  4. Click Create.
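The same import, done from PowerShell with the Az.KeyVault module, as an added example that is not part of the original page. It first checks locally that the PFX is actually usable as a package signing certificate (Code Signing EKU, Subject equal to the manifest Publisher, not expired, private key present), because a certificate that fails these checks imports into Key Vault without complaint and only fails later in the wizard. The vault name, file path and expected Subject are assumptions for illustration.

```powershell
# Added example (not from the original page): validate a PFX before importing it into
# Key Vault, then import it with Import-AzKeyVaultCertificate (Az.KeyVault module).
# Assumed names: vault 'contoso-signing-kv', file .\UwpSigningCert.pfx, and the
# Publisher value copied from Package.appxmanifest.
$VaultName       = 'contoso-signing-kv'
$PfxPath         = '.\UwpSigningCert.pfx'
$ExpectedSubject = 'CN=Contoso Dev Signing'   # must equal the manifest's Publisher attribute

$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString

# Open the PFX locally (absolute path: the .NET constructor resolves against the process CWD).
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(
            (Resolve-Path $PfxPath).Path, $pfxPassword)

# 1) A package signing certificate must carry the Code Signing EKU (1.3.6.1.5.5.7.3.3).
$eku = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$hasCodeSigning = $eku -and ($eku.EnhancedKeyUsages | Where-Object Value -eq '1.3.6.1.5.5.7.3.3')
if (-not $hasCodeSigning) {
    throw "$PfxPath lacks the Code Signing EKU (Key Vault's default generated certificate fails this check too)"
}

# 2) The Subject must match the Publisher in the manifest exactly, or MSIX packaging rejects it.
if ($cert.Subject -ne $ExpectedSubject) {
    throw "Subject '$($cert.Subject)' does not match manifest Publisher '$ExpectedSubject'"
}

# 3) Must be within its validity period and actually include the private key.
if ((Get-Date) -gt $cert.NotAfter) { throw "Certificate expired on $($cert.NotAfter)" }
if (-not $cert.HasPrivateKey)      { throw 'PFX contains no private key' }

# Import. Key Vault stores the private key alongside the certificate; the Visual Studio
# flow on this page downloads that key later, so the imported key stays exportable
# (the default policy for imported certificates).
$kvCert = Import-AzKeyVaultCertificate -VaultName $VaultName -Name 'UwpSigningCert' `
              -FilePath $PfxPath -Password $pfxPassword

# Confirm that what landed in the vault is the certificate we just validated.
if ($kvCert.Thumbprint -ne $cert.Thumbprint) { throw 'Imported certificate thumbprint does not match the local PFX' }
"Imported $($kvCert.Name) (version $($kvCert.Version)), thumbprint $($kvCert.Thumbprint), expires $($kvCert.Expires)"
```

Run it after `Connect-AzAccount` in a session that has write access to certificates on the vault; the password is read as a SecureString so it does not end up in the command history.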

Note

If the certificate is self-signed, Windows will not trust it, or packages signed with it, until an administrator has imported it into a trusted certificate store. Keep all of your certificates secure, including self-signed ones: a leaked development certificate still signs packages that every machine trusting it will install.

Configure the access policies for your Key Vault

You control who has access to the contents of your Key Vault by using access policies. Key Vault access policies grant permissions separately for keys, secrets, and certificates, so you can grant a user access to keys but not to secrets. These permissions are managed at the vault level, not per object: a principal granted Get on secrets can read every secret in the vault, which is why signing certificates should live in a vault dedicated to that purpose. For more information, see Azure Key Vault security.

Note

When you create a Key Vault in an Azure subscription, it is automatically associated with the Azure Active Directory tenant of that subscription. Anyone trying to manage or retrieve content from the Key Vault must be authenticated by Azure AD and then authorized by an access policy.

  1. On the Key Vault properties pages, select Access policies.
  2. Select + Add Access Policy.
  3. Click the Key permissions dropdown and check the boxes for Get and List under Key Management Operations.
  4. Click Select principal, search for the user you are granting access to, and click Select.
  5. Click Add.
  6. Make sure to save your changes by clicking Save.
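An added example (not from the original page) of granting the policy from PowerShell to an Azure AD group, as the note below recommends, and then auditing every policy on the vault. One caveat the UI steps do not spell out: the three permission groups are independent, and Key Vault serves the private key of an exportable certificate through the secrets endpoint, so the PFX download the Visual Studio tool performs is released by Get on secrets, not by permissions on keys. Grant the smallest set that your Visual Studio version actually needs and test with a member of the group, not with your own owner account. The vault and group names are assumptions.

```powershell
# Added example (not from the original page): grant a Key Vault access policy to an
# Azure AD group instead of individual users, then read back every policy on the vault.
# Assumed names: vault 'contoso-signing-kv', group 'UWP Dev Signers'.
$VaultName = 'contoso-signing-kv'
$GroupName = 'UWP Dev Signers'

$group = Get-AzADGroup -DisplayName $GroupName
if (-not $group) { throw "Group '$GroupName' not found; create it and add the developers first" }

# Least privilege for a consumer of an existing certificate:
#  - certificates get/list: enumerate and read certificate metadata in the picker
#  - secrets get: Key Vault returns the exportable private key (PFX) via the secret of the
#    same name, so this is the permission that actually releases the key
# Nothing on keys, and no set/delete/purge/import anywhere.
Set-AzKeyVaultAccessPolicy -VaultName $VaultName -ObjectId $group.Id `
    -PermissionsToCertificates get,list `
    -PermissionsToSecrets get

# Audit: list all policies and flag anything that can create, change or destroy material.
$dangerous = 'all','set','delete','purge','import','update','backup','restore','create','recover'
$vault = Get-AzKeyVault -VaultName $VaultName
foreach ($p in $vault.AccessPolicies) {
    $granted = @($p.PermissionsToKeys) + @($p.PermissionsToSecrets) + @($p.PermissionsToCertificates)
    $broad   = $granted | Where-Object { $_ -in $dangerous }
    $flag    = if ($broad) { 'REVIEW' } else { 'ok' }
    '{0,-6} {1,-40} keys=[{2}] secrets=[{3}] certs=[{4}]' -f $flag, $p.DisplayName,
        ($p.PermissionsToKeys -join ','), ($p.PermissionsToSecrets -join ','), ($p.PermissionsToCertificates -join ',')
}
```

The audit loop is the part worth keeping around: because policies apply vault-wide, any entry marked REVIEW can read or replace the signing certificate itself, not just one object in the vault.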

Note

Giving users direct access to a key vault is discouraged. Ideally, users should be added to an Azure AD group, and the group is given access to the key vault; membership changes then take effect without editing the vault's policies.

Select a certificate from your Key Vault in Visual Studio

The Create App Packages wizard in Visual Studio lets you choose the certificate that will be used to sign your app package, and one of the choices is a package signing certificate in Azure Key Vault. You must provide the URI of the Key Vault that contains the certificate, and the account you are signed in to Visual Studio with must have an access policy on that vault with the permissions needed to read the certificate.

  1. Open your UWP application project or desktop Windows application packaging project in Visual Studio.
  2. Select Publish -> Package -> Create app packages... to open the Create App Packages wizard.
  3. On the Select distribution method page, select Sideloading.
  4. On the Select signing method page, click Select from Azure Key Vault....
  5. When the Select a certificate from Azure Key Vault dialog appears, use the account picker to choose the account for which you configured an access policy.
  6. Enter the URI of the Key Vault. The URI is shown on the Overview page of the Key Vault as its DNS Name (https://<vault-name>.vault.azure.net/ in the public cloud).
  7. Click the View Metadata button.
  8. After the certificates have finished loading, select the one you want from the list (for example, UwpSigningCert).
  9. Click OK.

Note

The certificate, including its private key, is imported into your local certificate store, and it is signed with from there. It remains in that store after the wizard finishes; remove it when you no longer need it.
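What a practitioner wants after the wizard has run: proof that the right key landed in the local store, a signature produced and checked against that exact certificate, and the key removed again, since this flow is for development and test only. The following is an added example, not code from the page or from Visual Studio; the vault, certificate and package names are assumptions, and SignTool.exe from the Windows SDK is assumed to be on PATH.

```powershell
# Added example (not from the original page): after the Create App Packages wizard has
# imported the Key Vault certificate, verify the local copy, sign and verify a package
# with SignTool by thumbprint, then delete the private key from the developer machine.
# Assumed names: vault 'contoso-signing-kv', certificate 'UwpSigningCert',
# package .\AppPackages\MyApp_1.0.0.0_x64.msix, signtool.exe on PATH.
$VaultName = 'contoso-signing-kv'
$CertName  = 'UwpSigningCert'
$Package   = '.\AppPackages\MyApp_1.0.0.0_x64.msix'

# The thumbprint recorded in the vault identifies exactly which local certificate the wizard imported.
$thumb = (Get-AzKeyVaultCertificate -VaultName $VaultName -Name $CertName).Thumbprint

$local = Get-ChildItem Cert:\CurrentUser\My | Where-Object Thumbprint -eq $thumb
if (-not $local)               { throw "Certificate $thumb is not in Cert:\CurrentUser\My" }
if (-not $local.HasPrivateKey) { throw 'Imported certificate has no private key; SignTool cannot use it' }

# Sign by thumbprint (/sha1) rather than by subject name so SignTool cannot silently pick
# another certificate with the same Subject from the store.
& signtool.exe sign /fd SHA256 /sha1 $thumb $Package
if ($LASTEXITCODE -ne 0) { throw "signtool failed with exit code $LASTEXITCODE" }

# Verify: the package carries a signature, and the signer is the certificate we expect.
# A self-signed certificate reports a chain/trust error here until an administrator trusts
# it (see the note on self-signed certificates above); NotSigned or HashMismatch are hard failures.
$sig = Get-AuthenticodeSignature -FilePath $Package
if ($sig.Status -in 'NotSigned','HashMismatch','NotSupportedFileFormat','Incompatible') {
    throw "Signature check failed: $($sig.Status) - $($sig.StatusMessage)"
}
if (-not $sig.SignerCertificate -or $sig.SignerCertificate.Thumbprint -ne $thumb) {
    throw 'Package was signed with an unexpected certificate'
}

# Clean up: delete the certificate and its private key from the local store.
$local | Remove-Item -DeleteKey
"Signed $Package with $thumb; private key removed from Cert:\CurrentUser\My"
```

The cleanup step is what turns "the private key is on the developer's computer" from a permanent state into a short window; if the wizard imported the certificate into a different store than CurrentUser\My on your machine, adjust the path shown by `Get-ChildItem -Recurse Cert:\ | Where-Object Thumbprint -eq $thumb`.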

Decrypt your certificate with a password from Azure Key Vault

If you sign your app package with a local password-protected certificate (.pfx), managing the password used to decrypt it can be awkward: it tends to end up in build scripts or shared notes. When you import the certificate in the Create App Packages wizard, you are prompted to enter the password manually. Alternatively, you can store the password as a secret in Azure Key Vault and have the wizard fetch it from there.

  1. Open your UWP application project or desktop Windows application packaging project in Visual Studio.
  2. Select Publish -> Package -> Create app packages... to open the Create App Packages wizard.
  3. On the Select distribution method page, select Sideloading.
  4. On the Select signing method page, click Select From File...
  5. When the Certificate is password protected dialog appears, click Select Password From Key Vault.
  6. When the Select a password from Azure Key Vault dialog appears, use the account picker to choose the account for which you configured an access policy.
  7. Enter the URI of the Key Vault. The URI is shown on the Overview page of the Key Vault as its DNS Name (https://<vault-name>.vault.azure.net/ in the public cloud).
  8. Click the View Metadata button.
  9. After the secrets have finished loading, select the password you want from the list (for example, UwpSigningCertPassword).
  10. Click OK.
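The non-interactive counterpart of this procedure, as an added example that is not part of the original page: the PFX password is stored once as a Key Vault secret with a content type and an expiry, and a signing script later retrieves it as a SecureString, opens the local PFX with it, and hands it to SignTool only at the point of use. The vault, secret, file and package names are assumptions; the secret name matches the one used in the steps above.

```powershell
# Added example (not from the original page): keep the PFX password in Key Vault as a
# secret instead of in scripts or prompts, then use it to open and sign with a local PFX.
# Assumed names: vault 'contoso-signing-kv', secret 'UwpSigningCertPassword',
# file .\UwpSigningCert.pfx, package .\AppPackages\MyApp_1.0.0.0_x64.msix.
$VaultName  = 'contoso-signing-kv'
$SecretName = 'UwpSigningCertPassword'
$PfxPath    = '.\UwpSigningCert.pfx'
$Package    = '.\AppPackages\MyApp_1.0.0.0_x64.msix'

# One-time setup: store the password. Read it interactively so it never appears in
# command history, label it, and give it an expiry so a forgotten secret is noticed.
$pw = Read-Host -Prompt 'PFX password to store' -AsSecureString
Set-AzKeyVaultSecret -VaultName $VaultName -Name $SecretName -SecretValue $pw `
    -ContentType 'pfx-password' -Expires (Get-Date).AddMonths(6) | Out-Null

# Signing time: fetch the secret as a SecureString (no -AsPlainText) and refuse expired values.
$secret = Get-AzKeyVaultSecret -VaultName $VaultName -Name $SecretName
if ($secret.Expires -and $secret.Expires -lt (Get-Date)) { throw "$SecretName expired on $($secret.Expires); rotate it" }

# Prove the password opens the PFX and that the PFX carries a private key before calling SignTool.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(
            (Resolve-Path $PfxPath).Path, $secret.SecretValue)
if (-not $cert.HasPrivateKey) { throw 'PFX opened but contains no private key' }

# SignTool takes the password as a plain-text argument (/p), which is visible in the process
# command line for the duration of the call. Decrypt as late as possible and drop it afterwards.
$plain = [System.Net.NetworkCredential]::new('', $secret.SecretValue).Password
try {
    & signtool.exe sign /fd SHA256 /f $PfxPath /p $plain $Package
    if ($LASTEXITCODE -ne 0) { throw "signtool failed with exit code $LASTEXITCODE" }
}
finally {
    $plain = $null
}
"Signed $Package with $($cert.Subject) ($($cert.Thumbprint))"
```

Access to the password is governed by the same vault-level Secret Get permission discussed earlier, so anyone who can read this secret can read every other secret in the vault; keep signing secrets in a vault of their own.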