Sign packages with Azure Key Vault

In Visual Studio 2019 version 16.6 Preview 3 and later versions, you can sign UWP and desktop app packages with a certificate stored in Azure Key Vault for development and test scenarios. This tool extracts your public and private keys from your Azure Key Vault and loads them in the certificate store on your development computer in order to sign your package with SignTool.exe.

Important

The process described in this article is intended for development and test scenarios only. This process is not considered best practice for your private keys used for distribution. To ensure best security practices, your private keys for distribution should be handled only by the tooling recommended by your Continuous Integration and Continuous Deployment (CI/CD) platform.

Prerequisites

  • An Azure account. If you do not already have an Azure account, start here.
  • An Azure Key Vault. For more info, see Create a Key Vault.
  • A valid package signing certificate imported into Azure Key Vault. The default certificate generated by Azure Key Vault will not work for code signing. For details on how to create a package signing certificate, see Create a certificate for package signing.

Import a certificate to your Key Vault

Adding a certificate to your Key Vault is very simple. In this example, we add a valid UWP code signing certificate called UwpSigningCert.pfx.

  1. On the Key Vault properties pages, select Certificates.
  2. Click on Generate/Import.
  3. On the Create a certificate screen, choose the following values:
    • Method of Certificate Creation: Import
    • Certificate Name: UwpSigningCert
    • Upload Certificate File: UwpSigningCert.pfx
    • Decrypt Certificate: If your certificate is password-protected, provide it in the Password field.
  4. Click Create.

Note

This self-signed certificate will not be trusted by Windows unless it has been imported and trusted by an administrator. Keep all of your certificates secure, including self-signed certificates.

Configure the access policies for your Key Vault

You can control who has access to the contents of your Key Vault by using access policies. Key Vault access policies grant permissions separately to keys, secrets, and certificates. You can grant a user access only to keys and not to secrets. Access permissions for keys, secrets, and certificates are managed at the vault level. For more information, see Azure Key Vault security.

Note

When you create a Key Vault in an Azure subscription, it is automatically associated with the Azure Active Directory tenant of the subscription. Anyone trying to manage or retrieve content from a Key Vault must be authenticated by Azure AD.

  1. On the Key Vault properties pages, select Access policies.
  2. Select + Add Access Policy.
  3. Click on the Key permissions dropdown and check the boxes for Get and List under Key Management Operations.
  4. Click on Select principal, search for the user you are granting access to, and click Select.
  5. Click Add.
  6. Make sure to save your changes by clicking Save.

Note

Giving users direct access to a key vault is discouraged. Ideally, users should be added to an Azure AD group, which is in turn given access to the key vault.
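The same certificate import and access-policy setup, done with the Az PowerShell module instead of the portal. This is an added example and is not part of the original article. The vault name, the Azure AD group name and the local path to the .pfx are placeholders you must replace; the certificate name UwpSigningCert and the Get and List permissions on keys are the values the article uses, and the access is granted to a group rather than to a user, as the note above recommends.

```powershell
# Added example (not from the article): vault-side setup equivalent to the portal steps.
# Placeholders, not values from the article:
$VaultName = 'kv-uwp-signing-example'   # your Key Vault name
$GroupName = 'UWP-Package-Signers'      # Azure AD group that holds the dev/test signers
$PfxPath   = '.\UwpSigningCert.pfx'     # local path to the certificate named in the article

Connect-AzAccount | Out-Null

# 1. Import the .pfx as a certificate object named UwpSigningCert.
#    The PFX password is read as a SecureString so it is not left in shell history.
$PfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
Import-AzKeyVaultCertificate -VaultName $VaultName -Name 'UwpSigningCert' `
    -FilePath $PfxPath -Password $PfxPassword | Out-Null

# 2. Grant Get and List on keys (the permissions the article selects) to the group,
#    not to individual users.
$Group = Get-AzADGroup -DisplayName $GroupName
Set-AzKeyVaultAccessPolicy -VaultName $VaultName -ObjectId $Group.Id `
    -PermissionsToKeys get,list

# 3. Check: the certificate is listed and the policy is attached to the group only.
Get-AzKeyVaultCertificate -VaultName $VaultName |
    Select-Object Name, Enabled, Expires
(Get-AzKeyVault -VaultName $VaultName).AccessPolicies |
    Where-Object ObjectId -eq $Group.Id |
    Select-Object DisplayName, PermissionsToKeys
```

The final two commands are the check a practitioner wants before handing the vault URI to developers: the certificate appears under the expected name, and the only policy entry for the group carries exactly the key permissions you intended.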

Select a certificate from your Key Vault in Visual Studio

The Create App Packages wizard in Visual Studio enables you to choose the certificate that will be used to sign your app package. You can choose the package signing certificate via Azure Key Vault. You must provide the URI of the Key Vault that contains the certificate, and your Microsoft account authenticated in Visual Studio must have the correct permissions to access it.

  1. Open your UWP application project or desktop Windows application packaging project in Visual Studio.
  2. Select Publish -> Package -> Create app packages... to open the Create App Packages wizard.
  3. On the Select distribution method page, select Sideloading.
  4. On the Select signing method page, click Select from Azure Key Vault....
  5. After the Select a certificate from Azure Key Vault dialog appears, use the account picker to choose the account for which you have configured an access policy.
  6. Enter the URI of the Key Vault. The URI can be found on the Overview page of the Key Vault and is identified by DNS Name.
  7. Click the View Metadata button.
  8. After the certificates have finished loading, select the one you want from the list (for example, UwpSigningCert).
  9. Click OK.

Note

The certificate will be imported to your local certificate store, where it will be used for package signing.

Decrypt your certificate with a password from Azure Key Vault

If you are using a local password-protected certificate (.pfx) to sign your app package, it can be difficult to manage the password used to decrypt it. When you are importing the certificate in the Create App Packages wizard, you will be prompted to manually enter the password. Alternatively, there is an option to choose the password from Azure Key Vault.

  1. Open your UWP application project or desktop Windows application packaging project in Visual Studio.
  2. Select Publish -> Package -> Create app packages... to open the Create App Packages wizard.
  3. On the Select distribution method page, select Sideloading.
  4. On the Select signing method page, click Select From File....
  5. After the Certificate is password protected dialog appears, click Select Password From Key Vault.
  6. After the Select a password from Azure Key Vault dialog appears, use the account picker to choose the account for which you have configured an access policy.
  7. Enter the URI of the Key Vault. The URI can be found on the Overview page of the Key Vault and is identified by DNS Name.
  8. Click the View Metadata button.
  9. After the passwords have finished loading, select the one you want from the list (for example, UwpSigningCertPassword).
  10. Click OK.
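The wizard above lists secrets from the vault, so the .pfx password has to exist there as a secret first. The following is an added example, not part of the original article, that stores the password under the name the article uses (UwpSigningCertPassword) and grants the signers group read access to secrets. The vault and group names are placeholders, and it is an assumption on my part that Get and List on secrets, a permission class separate from the key permissions granted earlier, are what the wizard needs here.

```powershell
# Added example (not from the article): store the .pfx password as a Key Vault secret
# and let the signers group read secrets. Placeholders, not values from the article:
$VaultName = 'kv-uwp-signing-example'
$GroupName = 'UWP-Package-Signers'

Connect-AzAccount | Out-Null

# Prompt for the password as a SecureString; the secret name matches the article's example.
$PfxPassword = Read-Host -Prompt 'PFX password to store' -AsSecureString
Set-AzKeyVaultSecret -VaultName $VaultName -Name 'UwpSigningCertPassword' `
    -SecretValue $PfxPassword -ContentType 'text/plain' | Out-Null

# Secrets are a separate permission class from keys; grant Get and List on secrets
# to the group (assumption: these are the permissions the wizard needs).
$Group = Get-AzADGroup -DisplayName $GroupName
Set-AzKeyVaultAccessPolicy -VaultName $VaultName -ObjectId $Group.Id `
    -PermissionsToSecrets get,list

# Check that the secret exists, without printing its value.
Get-AzKeyVaultSecret -VaultName $VaultName -Name 'UwpSigningCertPassword' |
    Select-Object Name, Enabled, Updated
```

Keeping the password in the vault rather than in a build script means the developer account only ever reads it through an authenticated Key Vault call, and the vault's own logging records each retrieval.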