From 1fff21a63e504da92e8826ec1fcaa2762b98239d Mon Sep 17 00:00:00 2001
From: Andy Feller
Date: Tue, 12 Dec 2023 09:48:16 -0500
Subject: [PATCH] Fixes based on actual secret names and signtool insights
---
 .github/workflows/deployment-hsm-testing.yml | 15 +++++++++++----
 script/sign-hsm.bat | 2 +-
 2 files changed, 12 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/deployment-hsm-testing.yml b/.github/workflows/deployment-hsm-testing.yml
index d88c1472a..e9080e384 100644
--- a/.github/workflows/deployment-hsm-testing.yml
+++ b/.github/workflows/deployment-hsm-testing.yml
@@ -87,9 +87,16 @@ jobs:
 # TimestampDigest
 # TimestampRfc3161
 } | ConvertTo-Json | Out-File -FilePath $Env:METADATA_PATH
+ # Azure Code Signing leverages the environment variables for secrets that complement the metadata.json
+ # file generated above (AZURE_CLIENT_ID, AZURE_CLIENT_SECRET, AZURE_TENANT_ID)
+ #
+ # For more information, see https://learn.microsoft.com/en-us/dotnet/api/azure.identity.defaultazurecredential?view=azure-dotnet
 - name: Build release binaries
 shell: bash
 env:
+ AZURE_CLIENT_ID: ${{ secrets.SPN_GITHUB_CLI_CLIENT_ID }}
+ AZURE_CLIENT_SECRET: ${{ secrets.SPN_GITHUB_CLI }}
+ AZURE_TENANT_ID: ${{ secrets.SPN_GITHUB_CLI_TENANT_ID }}
 DLIB_PATH: ${{ runner.temp }}\acs\bin\x64\Azure.CodeSigning.Dlib.dll
 METADATA_PATH: ${{ runner.temp }}\acs\metadata.json
 TAG_NAME: ${{ inputs.tag_name }}
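Review bot: The `env:` block at the end of the hunk puts `AZURE_CLIENT_SECRET` on the whole `Build release binaries` step, so every process that step launches (the build toolchain, any helper scripts) inherits the credential although only the signtool call needs it; the step's `run:` body is outside the hunk, so whether signing actually happens inside the build cannot be confirmed from here. If it does, a separate signing step that alone carries the three `AZURE_*` variables keeps the build itself credential-free and makes an accidental environment dump in build logs harmless. The secret named `SPN_GITHUB_CLI` is the only one of the three whose role is not in its name (the hunk at line 137 reuses it as `azure-client-secret`); `SPN_GITHUB_CLI_CLIENT_SECRET` would match `SPN_GITHUB_CLI_CLIENT_ID` and `SPN_GITHUB_CLI_TENANT_ID`, though renaming it means updating the repository secret as well. The added comment could also state the scoping intent, e.g. `# Keep these step-scoped: only the signing call needs the client secret, not the rest of the build.`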
@@ -130,9 +137,9 @@ jobs:
 - name: Sign .msi release binaries
 uses: azure/azure-code-signing-action@6c86237186b7eed50c9e8a3a6e42131bcc5e4601
 with:
- azure-tenant-id: ${{ secrets.SPN_SPN_AZURE_CODE_SIGNING_DEMO_TENANT_ID }}
- azure-client-id: ${{ secrets.SPN_SPN_AZURE_CODE_SIGNING_DEMO_CLIENT_ID }}
- azure-client-secret: ${{ secrets.SPN_SPN_AZURE_CODE_SIGNING_DEMO }}
+ azure-tenant-id: ${{ secrets.SPN_GITHUB_CLI_TENANT_ID }}
+ azure-client-id: ${{ secrets.SPN_GITHUB_CLI_CLIENT_ID }}
+ azure-client-secret: ${{ secrets.SPN_GITHUB_CLI }}
 endpoint: https://wus.codesigning.azure.net/
 code-signing-account-name: GitHubInc
 certificate-profile-name: GitHubInc
@@ -148,4 +155,4 @@ jobs:
 retention-days: 7
 path: |
 dist/*.zip
- dist/*.msi
\ No newline at end of file
+ dist/*.msi
diff --git a/script/sign-hsm.bat b/script/sign-hsm.bat
index 7d0347178..2a2d7d1ee 100644
--- a/script/sign-hsm.bat
+++ b/script/sign-hsm.bat
@@ -11,4 +11,4 @@ if "%METADATA_PATH%" == "" (
 )
 REM For more information on signtool, see https://learn.microsoft.com/en-us/windows/win32/seccrypto/signtool
-.\script\signtool sign /fd sha256 /td sha256 /tr http://timestamp.acs.microsoft.com /v /dlib "%DLIB_PATH%" /dmdf "%METADATA_PATH%" "%1"
\ No newline at end of file
+"C:\Program Files (x86)\Windows Kits\10\bin\10.0.22621.0\x64\signtool" sign /fd sha256 /td sha256 /tr http://timestamp.acs.microsoft.com /v /dlib "%DLIB_PATH%" /dmdf "%METADATA_PATH%" "%1"
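Review bot: An undefined or misspelled repository secret expands to an empty string in `${{ secrets.* }}`, so the very mistake this commit corrects (wrong `SPN_*` names in the `with:` inputs) would only surface as an authentication failure inside the code-signing action, after the build has already run; the same applies to the `env:` block in the hunk at line 87. A short guard step before the first step that uses them, e.g. `run: test -n "$AZURE_TENANT_ID" && test -n "$AZURE_CLIENT_ID" && test -n "$AZURE_CLIENT_SECRET"` with the three secrets in its `env:`, fails fast without printing the values. The three credentials are now also spelled out twice (here and at line 87); a comment next to this `with:` block, `# Same service principal as the build step's AZURE_* env — rotate or rename both together`, would help the next rotation.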
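Review bot: The new command pins signtool to one Windows Kit build, `10.0.22621.0`, under `C:\Program Files (x86)`, so the first runner-image refresh that ships a different SDK breaks release signing with cmd's generic "is not recognized" error, and nothing checks that the file exists before the `sign` call. Replacing the repo-relative `.\script\signtool` with the SDK copy is a sound supply-chain move, but the location belongs next to `DLIB_PATH` and `METADATA_PATH` as a variable the workflow can set, with the current path as the default and an existence check that mirrors the `METADATA_PATH` guard whose opening `if` lies above this hunk. Note that `if exist` needs the real file name, hence the `.exe` suffix in the default below.
```batch
REM ... unchanged: METADATA_PATH guard and the signtool documentation REM ...
REM Let the workflow supply the signtool location; default to the SDK on the runner image.
if "%SIGNTOOL_PATH%" == "" set "SIGNTOOL_PATH=C:\Program Files (x86)\Windows Kits\10\bin\10.0.22621.0\x64\signtool.exe"
if not exist "%SIGNTOOL_PATH%" (
    echo signtool not found at "%SIGNTOOL_PATH%"; set SIGNTOOL_PATH to the installed Windows SDK copy
    exit /b 1
)
"%SIGNTOOL_PATH%" sign /fd sha256 /td sha256 /tr http://timestamp.acs.microsoft.com /v /dlib "%DLIB_PATH%" /dmdf "%METADATA_PATH%" "%1"
```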