.github/workflows/pr.yml

@@ -1,5 +1,8 @@
 name: Pull Request
 
+permissions:
+  contents: read
+
 on:
   pull_request:
 
@@ -13,3 +16,14 @@ jobs:
       with:
         dotnet-version: '8.0'
     - run: dotnet test
+
+  dependency-review:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v4
+      name: Checkout
+    - uses: actions/dependency-review-action@v4
+      name: Dependency Review
+      with:
+        allow-licenses: MIT, Apache-2.0, BSD-2-Clause
+        fail-on-scopes: development, runtime, unknown

Directory.Packages.props

@@ -1,11 +1,11 @@
 <Project>
   <ItemGroup>
-    <PackageVersion Include="Azure.Identity" Version="1.12.0" />
-    <PackageVersion Include="Azure.Security.KeyVault.Certificates" Version="4.6.0" />
-    <PackageVersion Include="Azure.Security.KeyVault.Keys" Version="4.6.0" />
+    <PackageVersion Include="Azure.Identity" Version="1.13.1" />
+    <PackageVersion Include="Azure.Security.KeyVault.Certificates" Version="4.7.0" />
+    <PackageVersion Include="Azure.Security.KeyVault.Keys" Version="4.7.0" />
     <PackageVersion Include="Microsoft.Extensions.FileSystemGlobbing" Version="8.0.0" />
-    <PackageVersion Include="Microsoft.Extensions.Logging" Version="8.0.0" />
-    <PackageVersion Include="Microsoft.Extensions.Logging.Console" Version="8.0.0" />
+    <PackageVersion Include="Microsoft.Extensions.Logging" Version="8.0.1" />
+    <PackageVersion Include="Microsoft.Extensions.Logging.Console" Version="8.0.1" />
 
     <PackageVersion Include="System.Net.Http" Version="4.3.4" />
     <PackageVersion Include="System.Text.Json" Version="8.0.5" />
@@ -14,8 +14,8 @@
     <PackageVersion Include="XenoAtom.CommandLine" Version="1.0.1" />
     <PackageVersion Include="MinVer" Version="6.0.0" />
 
-    <PackageVersion Include="Microsoft.NET.Test.Sdk" Version="17.11.1" />
-    <PackageVersion Include="xunit.v3" Version="0.4.0-pre.20" />
-    <PackageVersion Include="xunit.runner.visualstudio" Version="3.0.0-pre.35" />
+    <PackageVersion Include="Microsoft.NET.Test.Sdk" Version="17.12.0" />
+    <PackageVersion Include="xunit.v3" Version="1.0.0" />
+    <PackageVersion Include="xunit.runner.visualstudio" Version="3.0.0" />
   </ItemGroup>
 </Project>

README.md

@@ -1,7 +1,7 @@
 Azure Sign Tool
 ===============
 
-The below README is based on functionality in `main` which may not be the same as the latest released version of AzureSignTool. For README information about released versions, please see the README for the version's associated tag. The README for the current release can [be found here](https://github.com/vcsjones/AzureSignTool/blob/v5.0.0/README.md).
+The below README is based on functionality in `main` which may not be the same as the latest released version of AzureSignTool. For README information about released versions, please see the README for the version's associated tag. The README for the current release can [be found here](https://github.com/vcsjones/AzureSignTool/blob/v6.0.0/README.md).
 
 Azure Sign Tool is similar to `signtool` in the Windows SDK, with the major difference being that it uses
 Azure Key Vault for performing the signing process. The usage is like `signtool`, except with a limited set
@@ -27,6 +27,48 @@ The `--help` or `sign --help` option provides more detail about each parameter.
 
 [A walk-through is available](WALKTHROUGH.md) if you're interested on getting set up from scratch.
 
+## Installation
+
+AzureSignTool can be installed in a couple of ways.
+
+### NuGet Tool
+
+You can install AzureSignTool from NuGet using
+
+```powershell
+dotnet tool install --global --version 6.0.0 AzureSignTool
+AzureSignTool.exe
+```
+
+It is recommended to specify an exact version such as 6.0.0, or a latest major-minor, like 6.0.* so that major versions, which often include a breaking change, are not automatically picked up.
+
+### Single-file Download
+
+AzureSignTool provides self-contained executables on the GitHub release. For example, to download the v6.0.0 ARM64 installer:
+
+```powershell
+Invoke-WebRequest https://github.com/vcsjones/AzureSignTool/releases/download/v6.0.0/AzureSignTool-arm64.exe -OutFile AzureSignTool.exe
+.\AzureSignTool.exe
+```
+
+See [latest release](https://github.com/vcsjones/AzureSignTool/releases/latest) for available downloads.
+
+### WinGet
+
+AzureSignTool can be install with the WinGet package manager.
+
+```PowerShell
+winget install vcsjones.azuresigntool
+```
+
+The WinGet package manager installs the same binary this is available from the Single-file Download on the GitHub release. It does not require .NET to be installed.
+
+### Which to use?
+
+The NuGet tool offers smaller downloads that will install faster, however requires the .NET 8 SDK to be present on the system. The NuGet tool supports x64, x86, and ARM64.
+
+The single-file downloads do not require .NET to be installed on the system at all, only to be run on a supported version of Windows. They are entirely stand-alone binaries. This makes them useful in places that .NET is not installed at all, such as a CI pipeline that is not .NET-centric or desired. Single-file currently supports x64 and ARM64. If x86 support is needed, the NuGet tool is required.
+
 ## Parameters
 
 * `--azure-key-vault-url` [short: `-kvu`, required: yes]: A fully qualified URL of the key vault with
@@ -54,9 +96,7 @@ The `--help` or `sign --help` option provides more detail about each parameter.
 	Azure.
 
 * `--azure-key-vault-managed-identity` [short: `-kvm`, required: possibly]: Use the ambiant Managed Identity to authenticate to Azure. This
-	can be used instead of the `--azure-key-vault-accesstoken`, `--azure-key-vault-client-id` and `--azure-key-vault-client-secret` options. This is useful
-	if AzureSignTool is being used on a VM/service/CLI that is configured for managed identities to
-	Azure. Important to mention is that this option leverages the [DefaultAzureCredential](https://learn.microsoft.com/dotnet/api/azure.identity.defaultazurecredential?view=azure-dotnet) class which is trying to get a token via multiple options including Visual Studio Credentials and Interactive Browser Authentication.
+	can be used instead of the `--azure-key-vault-accesstoken`, `--azure-key-vault-client-id` and `--azure-key-vault-client-secret` options. This option uses a combination of authentication mechanisms listed under [DefaultAzureCredential Class](https://learn.microsoft.com/dotnet/api/azure.identity.defaultazurecredential?view=azure-dotnet#definition). Beside Managed Identity, this also allows you to use existing sessions in the Azure CLI or PowerShell. It also supports Visual Studio Credentials, Interactive Browser Authentication and others.
 
 * `--description` [short: `-d`, required: no]: A description of the signed content. This parameter serves the same purpose
 	as the `/d` option in the Windows SDK `signtool`. If this parameter is not supplied, the signature will not contain a

SECURITY.md

@@ -8,11 +8,11 @@ AzureSignTool and AzureSign.Core currently only support the latest version. Use
 
 ### GitHub
 
-Security issues or vulnerabilties should be reported privately using GitHub's vulnerability reporting. This option is available on the "Security" section in this repository. Additional information is available on the [GitHub Documentation](https://docs.github.com/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/privately-reporting-a-security-vulnerability#privately-reporting-a-security-vulnerability).
+Security issues or vulnerabilities should be reported privately using GitHub's vulnerability reporting. This option is available on the "Security" section in this repository. Additional information is available on the [GitHub Documentation](https://docs.github.com/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/privately-reporting-a-security-vulnerability#privately-reporting-a-security-vulnerability).
 
 ### E-mail
 
-If using GitHub reports is not preferred or you do not have a GitHub account, email at kevin@vcsjones.dev is acceptable. If neccessary, email content can be encrypted using [age](https://filippo.io/age) using the following recipient key:
+If using GitHub reports is not preferred or you do not have a GitHub account, email at kevin@vcsjones.dev is acceptable. If necessary, email content can be encrypted using [age](https://filippo.io/age) using the following recipient key:
 
 ```plain
 age1jns778dpwkxta0e6tjv3345jy6dfr8a8mq9xznge7muyz6nu0v5sg7x6wn

WALKTHROUGH.md

@@ -1,13 +1,16 @@
-# Walkthrough: Using AzureSignTool to sign files with Azure DevOps
+# Walkthroughs
 
-*Note*: Sean Killeen has an expanded version of this on his blog, [How to: Use AzureSignTool to sign files with Azure DevOps using a certificate in Azure Key Vault
-][1].
-
-A lightweight guide on how to use this tool in context.
+The following basic preparations are required for all guides:
 
 * Obtain a certificate.
 * Within your Azure subscription, create an Azure KeyVault. Note the URL of the KeyVault; this will be your input to `-kvu` later.
 * Upload your certificate into the KeyVault, giving it a name.
+
+## Using AzureSignTool to sign files with Azure DevOps
+
+*Note*: Sean Killeen has an expanded version of this on his blog, [How to: Use AzureSignTool to sign files with Azure DevOps using a certificate in Azure Key Vault
+][1].
+
 * Do you have service connection with service principal authentication(or ready to create one)?
   * Yes - Much simpler [option A](#a--using-existing-service-connection-with-service-principal-authentication) is for you
   * No - Use [option B](#b--using-custom-application-principal)
@@ -18,11 +21,11 @@ A lightweight guide on how to use this tool in context.
 * Create an access policy that applies to your connection service principal.
 * For the access policy, set the below permissions:
 
-| Area | Permissions |
-| ---- | ----------- |
-| Key | Verify, Sign, Get, List |
-| Secret | Get, List |
-| Certificate | Get, List |
+  | Area | Permissions |
+  | ---- | ----------- |
+  | Key | Verify, Sign, Get, List |
+  | Secret | Get, List |
+  | Certificate | Get, List |
 
 * In your Azure DevOps build configuration, add a step to install the global tool:
 
@@ -59,11 +62,11 @@ A lightweight guide on how to use this tool in context.
 * Create an access policy that applies to your registered application, e.g. if the app you registered in AD was called `MyApp`, this policy should apply to the `MyApp` user.
 * For the access policy, set the below permissions:
 
-| Area | Permissions |
-| ---- | ----------- |
-| Key | Verify, Sign, Get, List |
-| Secret | Get, List |
-| Certificate | Get, List |
+  | Area | Permissions |
+  | ---- | ----------- |
+  | Key | Verify, Sign, Get, List |
+  | Secret | Get, List |
+  | Certificate | Get, List |
 
 * In your Azure DevOps build configuration, add a step to install the global tool:
 
@@ -85,7 +88,81 @@ A lightweight guide on how to use this tool in context.
     script: AzureSignTool sign -du "[YOUR_URL]" -kvu "https://[VAULT_ID].vault.azure.net" -kvi "[REDACTED_APPLICATION_ID]" -kvt "[REDACTED_DIRECTORY_ID]" -kvs "[REDACTED_APPLICATION_CLIENT_SECRET]" -kvc "[REDACTED_CERT_NAME]" -v [FILES_YOU_WANT_TO_SIGN]
 ```
 
-At this point, the build should be able to run and sign the files you have listed.
+## Using AzureSignTool to sign files with GitLab CI
+
+### A) Using service principal authentication
+
+* Go to KeyVault's the `Access Policies` section.
+* Create an access policy that applies to your service principal.
+* For the access policy, set the below permissions:
+
+  | Area | Permissions |
+  | ---- | ----------- |
+  | Key | Verify, Sign, Get, List |
+  | Secret | Get, List |
+  | Certificate | Get, List |
+
+* In your GitLab build configuration, add a job to install and execute the AzureSignTool:
+
+```yml
+sign:
+  stage: deploy
+  image: mcr.microsoft.com/dotnet/sdk:8.0-windowsservercore-ltsc2019 # If docker on windows is used.
+  before_script:
+    - Invoke-WebRequest https://github.com/vcsjones/AzureSignTool/releases/latest/download/AzureSignTool-x64.exe -OutFile AzureSignTool.exe
+  script:
+    - >
+        .\AzureSignTool.exe sign 
+        --azure-key-vault-url https://example.vault.azure.net/
+        --azure-key-vault-client-id $AZURE_CLIENT_ID
+        --azure-key-vault-client-secret $AZURE_CLIENT_SECRET
+        --azure-key-vault-tenant-id $AZURE_TENANT_ID
+        --azure-key-vault-certificate example-certificate
+        --verbose 
+        example.exe
+  artifacts:
+    paths:
+      - example.exe
+```
+
+### B) Using JWT Tokens authentication (OIDC)
+
+* Configure a [federated identity for GitLab](https://docs.gitlab.com/ee/ci/cloud_services/azure/#create-azure-ad-federated-identity-credentials) in your service principal.
+* Go to KeyVault's the `Access Policies` section.
+* Create an access policy that applies to your service principal.
+* For the access policy, set the below permissions:
+
+  | Area | Permissions |
+  | ---- | ----------- |
+  | Key | Verify, Sign, Get, List |
+  | Secret | Get, List |
+  | Certificate | Get, List |
+
+
+* In your GitLab build configuration, add a step to install and execute the AzureSignTool:
+
+```yml
+sign:
+  stage: deploy
+  image: mcr.microsoft.com/dotnet/sdk:8.0-windowsservercore-ltsc2019 # If docker on windows is used.
+  id_tokens:
+    GITLAB_OIDC_TOKEN:
+      aud: 'https://gitlab.com'
+  before_script:
+    - az login --service-principal -u $AZURE_CLIENT_ID --tenant $AZURE_TENANT_ID --federated-token $GITLAB_OIDC_TOKEN
+    - Invoke-WebRequest https://github.com/vcsjones/AzureSignTool/releases/latest/download/AzureSignTool-x64.exe -OutFile AzureSignTool.exe
+  script:
+    - >
+      .\\AzureSignTool.exe sign 
+      --azure-key-vault-url https://example.vault.azure.net/
+      --azure-key-vault-managed-identity
+      --azure-key-vault-certificate example-certificate
+      --verbose 
+      example.exe
+  artifacts:
+    paths:
+      - example.exe
+```
 
 Happy signing!
 

src/AzureSignTool/AuthorityHostNames.cs

@@ -12,7 +12,9 @@ internal static class AuthorityHostNames
             StringComparer.OrdinalIgnoreCase,
             [
                 KeyValuePair.Create("gov", AzureAuthorityHosts.AzureGovernment),
+#pragma warning disable CS0618
                 KeyValuePair.Create("germany", AzureAuthorityHosts.AzureGermany),
+#pragma warning restore CS0618
                 KeyValuePair.Create("china", AzureAuthorityHosts.AzureChina),
                 KeyValuePair.Create("public", AzureAuthorityHosts.AzurePublicCloud),
             ]);

src/AzureSignTool/Program.cs

@@ -30,6 +30,12 @@ public static Task<int> Main(string[] args)
                 return Task.FromResult(E_PLATFORMNOTSUPPORTED);
             }
 
+            if (!OperatingSystem.IsWindowsVersionAtLeast(10))
+            {
+                Console.Error.WriteLine("Azure Sign Tool requires Windows 10 or later.");
+                return Task.FromResult(E_PLATFORMNOTSUPPORTED);
+            }
+
             var app = new CommandApp("azuresigntool")
             {
                 new VersionOption(version: GetVersion(), prototype: "version"),