{"id":51061154,"url":"https://github.com/continuous-delphi/delphi-codesign-azure","last_synced_at":"2026-06-23T02:01:54.069Z","repository":{"id":363712597,"uuid":"1264560061","full_name":"continuous-delphi/delphi-codesign-azure","owner":"continuous-delphi","description":"Azure artifact signing orchestration for Delphi (or likely any) binaries","archived":false,"fork":false,"pushed_at":"2026-06-10T03:50:37.000Z","size":80,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-06-10T04:21:01.372Z","etag":null,"topics":["azure","azure-artifact-signing","continuous-delphi","delphi","powershell","pwsh","tooling"],"latest_commit_sha":null,"homepage":"https://github.com/continuous-delphi","language":"PowerShell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/continuous-delphi.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-06-10T01:51:36.000Z","updated_at":"2026-06-10T03:55:56.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/continuous-delphi/delphi-codesign-azure","commit_stats":null,"previous_names":["continuous-delphi/delphi-codesign-azure"],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/continuous-delphi/delphi-codesign-azure","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/continuous-delphi%2Fdelphi-codesign-azure","tags_url":"https://repos.ecosyst
e.ms/api/v1/hosts/GitHub/repositories/continuous-delphi%2Fdelphi-codesign-azure/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/continuous-delphi%2Fdelphi-codesign-azure/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/continuous-delphi%2Fdelphi-codesign-azure/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/continuous-delphi","download_url":"https://codeload.github.com/continuous-delphi/delphi-codesign-azure/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/continuous-delphi%2Fdelphi-codesign-azure/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":34672250,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-23T02:00:07.161Z","response_time":65,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["azure","azure-artifact-signing","continuous-delphi","delphi","powershell","pwsh","tooling"],"created_at":"2026-06-23T02:01:53.194Z","updated_at":"2026-06-23T02:01:54.064Z","avatar_url":"https://github.com/continuous-delphi.png","language":"PowerShell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# delphi-codesign-azure\n\n![delphi-codesign-azure 
logo](https://continuous-delphi.github.io/assets/logos/delphi-codesign-azure-480x270.png)\n\n[![Delphi](https://img.shields.io/badge/delphi-red)](https://www.embarcadero.com/products/delphi)\n[![CI](https://github.com/continuous-delphi/delphi-codesign-azure/actions/workflows/ci.yml/badge.svg)](https://github.com/continuous-delphi/delphi-codesign-azure/actions/workflows/ci.yml)\n[![GitHub Release](https://img.shields.io/github/v/release/continuous-delphi/delphi-codesign-azure?display_name=release)](https://github.com/continuous-delphi/delphi-codesign-azure/releases)\n[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)\n[![Ask DeepWiki](https://deepwiki.com/badge.svg)](https://deepwiki.com/continuous-delphi/delphi-codesign-azure)\n[![Continuous Delphi](https://img.shields.io/badge/org-continuous--delphi-red)](https://github.com/continuous-delphi)\n\n\nA PowerShell utility for Authenticode code signing and verification\nusing [Azure Artifact Signing](https://learn.microsoft.com/en-us/azure/artifact-signing/) and `signtool.exe`.\n\n---\n\n## Quick Start\n\n```powershell\n# Sign an executable\npwsh -File source/delphi-codesign-azure.ps1 -Sign -Files app.exe -EnvFile .env -Format text\n\n# Sign multiple files\npwsh -File source/delphi-codesign-azure.ps1 -Sign -Files app.exe,lib.bpl -EnvFile .env -Format text\n\n# Verify a signed executable\npwsh -File source/delphi-codesign-azure.ps1 -Verify -FilePath app.exe -Format text\n\n# Version info\npwsh -File source/delphi-codesign-azure.ps1 -Version -Format text\n```\n\n---\n\n## Commands\n\n### `-Sign`\n\nSigns one or more files using Azure Trusted Signing via\n`signtool.exe sign` with SHA256 digest and RFC 3161 timestamping.\n\n| Parameter | Type | Required | Description |\n|-----------|------|----------|-------------|\n| `-Sign` | switch | yes | Select the sign command |\n| `-Files` | string[] | yes | One or more file paths to sign |\n| `-SignToolPath` | string | no | 
Explicit path to `signtool.exe`. Auto-discovered from the Windows SDK if omitted |\n| `-DlibPath` | string | no | Path to `Azure.CodeSigning.Dlib.dll`. Defaults to `%LOCALAPPDATA%\\Microsoft\\MicrosoftTrustedSigningClientTools\\` |\n| `-MetadataPath` | string | no | Path to `metadata.json`. Defaults to the `source/` directory |\n| `-EnvFile` | string | no | `.env` file with Azure credentials (see Prerequisites) |\n| `-Format` | string | no | Output format: `object` (default), `text`, `json` |\n\n**Prerequisites:**\n\n- `signtool.exe` from the Windows SDK\n- `Azure.CodeSigning.Dlib.dll` -- install via `winget install -e --id Microsoft.Azure.TrustedSigningClientTools`\n- `metadata.json` with Azure Trusted Signing endpoint, account name, and certificate profile\n- Azure credentials: `AZURE_TENANT_ID`, `AZURE_CLIENT_ID`, `AZURE_CLIENT_SECRET` (via environment or `-EnvFile`)\n\nSee [docs/machine_setup.md](docs/machine_setup.md) for first-time setup instructions.\n\n**Exit codes:**\n\n| Code | Meaning |\n|------|---------|\n| 0 | All files signed successfully |\n| 2 | Partial failure (some files failed) |\n| 3 | Fatal error (prerequisites missing, no files signed) |\n\n**Examples:**\n\n```powershell\n# Sign a single file\npwsh -File source/delphi-codesign-azure.ps1 -Sign -Files app.exe -EnvFile .env -Format text\n\n# Sign multiple files\npwsh -File source/delphi-codesign-azure.ps1 -Sign -Files app.exe,lib.bpl -EnvFile .env -Format text\n\n# JSON output for CI\npwsh -File source/delphi-codesign-azure.ps1 -Sign -Files app.exe -EnvFile .env -Format json\n\n# Pipeline use\n$result = \u0026 source/delphi-codesign-azure.ps1 -Sign -Files app.exe -EnvFile .env\n$result.ok              # $true if all signed\n$result.result.signed   # count of signed files\n$result.result.failed   # count of failed files\n```\n\n### `-Verify`\n\nVerifies the Authenticode signature on a file using `signtool.exe verify /pa /v`.\n\n| Parameter | Type | Required | Description 
|\n|-----------|------|----------|-------------|\n| `-Verify` | switch | yes | Select the verify command |\n| `-FilePath` | string | yes | Path to the file to verify |\n| `-SignToolPath` | string | no | Explicit path to `signtool.exe`. Auto-discovered from the Windows SDK if omitted |\n| `-Format` | string | no | Output format: `object` (default), `text`, `json` |\n\n**Exit codes:**\n\n| Code | Meaning |\n|------|---------|\n| 0 | Signature is valid |\n| 1 | Signature is invalid or file is not signed |\n| 3 | Fatal error (file not found, signtool not found) |\n\n**Examples:**\n\n```powershell\n# Verify a signed executable (text output)\npwsh -File source/delphi-codesign-azure.ps1 -Verify -FilePath app.exe -Format text\n\n# JSON output for CI consumption\npwsh -File source/delphi-codesign-azure.ps1 -Verify -FilePath app.exe -Format json\n\n# Pipeline use (object output, default)\n$result = \u0026 source/delphi-codesign-azure.ps1 -Verify -FilePath app.exe\n$result.ok            # $true if signed\n$result.result.signed # $true if signed\n\n# Explicit signtool path\npwsh -File source/delphi-codesign-azure.ps1 -Verify -FilePath app.exe -SignToolPath \"C:\\path\\to\\signtool.exe\"\n```\n\n**signtool.exe discovery:**\n\nWhen `-SignToolPath` is not specified, the tool searches\n`C:\\Program Files (x86)\\Windows Kits\\10\\bin` for the latest x64\nversion of `signtool.exe`. 
Install the Windows SDK if it is not found:\nhttps://developer.microsoft.com/en-us/windows/downloads/windows-sdk/\n\n### `-Version`\n\nDisplays tool name and version.\n\n| Parameter | Type | Required | Description |\n|-----------|------|----------|-------------|\n| `-Version` | switch | yes | Select the version command |\n| `-Format` | string | no | Output format: `object` (default), `text`, `json` |\n\n**Examples:**\n\n```powershell\n# Text format\npwsh -File source/delphi-codesign-azure.ps1 -Version -Format text\n# =\u003e delphi-codesign-azure 0.1.0\n\n# JSON format\npwsh -File source/delphi-codesign-azure.ps1 -Version -Format json\n# =\u003e {\"ok\":true,\"command\":\"version\",\"tool\":{\"name\":\"delphi-codesign-azure\",\"version\":\"0.1.0\"}}\n```\n\n---\n\n## metadata.json\n\nThe `-Sign` command requires a `metadata.json` file that tells Azure\nTrusted Signing which endpoint, account, and certificate profile to use.\n\n```json\n{\n  \"Endpoint\": \"https://eus.codesigning.azure.net/\",\n  \"CodeSigningAccountName\": \"yourAccountName\",\n  \"CertificateProfileName\": \"yourCertificateProfileName\"\n}\n```\n\nSee [docs/metadata.json](docs/metadata.json) for an example.\n\n### Fields\n\n| Field | Description |\n|-------|-------------|\n| `Endpoint` | Azure Trusted Signing regional endpoint URL. Use `eus` (East US), `wus` (West US), `neu` (North Europe), or `weu` (West Europe) |\n| `CodeSigningAccountName` | Name of the Trusted Signing account in the Azure portal |\n| `CertificateProfileName` | Name of the certificate profile under the signing account |\n\n### Location\n\nBy default the tool looks for `metadata.json` in the same directory as\nthe script (`source/`). Override with `-MetadataPath`:\n\n```powershell\npwsh -File source/delphi-codesign-azure.ps1 -Sign -Files app.exe -MetadataPath path/to/metadata.json\n```\n\n### Obtaining the values\n\n1. **Endpoint**: Azure portal \u003e Trusted Signing account \u003e Overview \u003e Account URI\n2. 
**CodeSigningAccountName**: Azure portal \u003e Trusted Signing account \u003e Overview \u003e Name\n3. **CertificateProfileName**: Azure portal \u003e Trusted Signing account \u003e Certificate profiles \u003e Profile name\n\n---\n\n## Azure Credentials\n\nThe `-Sign` command requires three Azure environment variables for\nauthentication with Azure Trusted Signing:\n\n| Variable | Description |\n|----------|-------------|\n| `AZURE_TENANT_ID` | Entra ID tenant ID |\n| `AZURE_CLIENT_ID` | Application (client) ID of the app registration |\n| `AZURE_CLIENT_SECRET` | Client secret value (not the secret ID) |\n\n### Setting credentials in the shell\n\nPowerShell:\n\n```powershell\n$env:AZURE_TENANT_ID = 'your-tenant-id'\n$env:AZURE_CLIENT_ID = 'your-client-id'\n$env:AZURE_CLIENT_SECRET = 'your-client-secret'\n```\n\nBatch:\n\n```batch\nset AZURE_TENANT_ID=your-tenant-id\nset AZURE_CLIENT_ID=your-client-id\nset AZURE_CLIENT_SECRET=your-client-secret\n```\n\n### Using a .env file\n\nFor local development, credentials can be stored in a `.env` file and\nloaded via the `-EnvFile` parameter:\n\n```powershell\npwsh -File source/delphi-codesign-azure.ps1 -Sign -Files app.exe -EnvFile .env -Format text\n```\n\nSee [docs/.env.example](docs/.env.example) for the file format.\n\n**Format rules:**\n\n- One `KEY=VALUE` pair per line\n- Lines starting with `#` are comments\n- Blank lines are ignored\n- Existing environment variables are **not** overwritten -- the `.env`\n  file only fills in values that are not already set\n\n**Security:** The `.env` file contains secrets and should not be\ncommitted. Add it to `.gitignore`.\n\n### Obtaining credentials from Azure\n\n1. **AZURE_TENANT_ID**: Azure portal \u003e Entra ID \u003e Overview \u003e Tenant ID\n2. **AZURE_CLIENT_ID**: Azure portal \u003e Entra ID \u003e App registrations \u003e your app \u003e Application (client) ID\n3. 
**AZURE_CLIENT_SECRET**: Azure portal \u003e Entra ID \u003e App registrations \u003e your app \u003e Certificates \u0026 secrets \u003e New client secret \u003e copy the **Value** (not the Secret ID)\n\nIf the client secret has expired, create a new one in the portal.\n\n---\n\n## Output Formats\n\nThe `-Format` parameter controls output across all commands:\n\n| Format | Description |\n|--------|-------------|\n| `object` | Default. Returns a `PSCustomObject` for pipeline use |\n| `text` | Human-readable text to the console |\n| `json` | Single-line compressed JSON for CI/scripting |\n\n### JSON Envelope\n\nSuccess:\n\n```json\n{\n  \"ok\": true,\n  \"command\": \"verify\",\n  \"tool\": { \"name\": \"delphi-codesign-azure\", \"version\": \"0.1.0\" },\n  \"result\": {\n    \"filePath\": \"C:/path/to/file.exe\",\n    \"signed\": true,\n    \"signtoolExitCode\": 0,\n    \"signtoolOutput\": [\"...\"]\n  }\n}\n```\n\nError:\n\n```json\n{\n  \"ok\": false,\n  \"command\": \"verify\",\n  \"tool\": { \"name\": \"delphi-codesign-azure\", \"version\": \"0.1.0\" },\n  \"error\": { \"code\": 3, \"message\": \"File not found: missing.exe\" }\n}\n```\n\n---\n\n## Running Tests\n\nRequires PowerShell 7+, Pester 5.7+, and PSScriptAnalyzer.\n\n```powershell\n./tests/run-tests.ps1\n```\n\n---\n\n## Continuous-Delphi\n\nThis tool is part of the [Continuous-Delphi](https://github.com/continuous-delphi)\necosystem, focused on strengthening Delphi's continued success.\n\n![continuous-delphi logo](https://continuous-delphi.github.io/assets/logos/continuous-delphi-480x270.png)","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcontinuous-delphi%2Fdelphi-codesign-azure","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcontinuous-delphi%2Fdelphi-codesign-azure","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcontinuous-delphi%2Fdelphi-codesign-azure/lists"}