code signing - How do I securely store a .pfx password to use in MSBuild?

I need to add certificate signing to my build. Below is a sample of the working script I wrote, however it includes the password to the .pfx file. I can't keep the password in the build script. What are "best practices" or hacks that you would use in this type of situation?

<ItemGroup Label="SignFiles">
  <!-- collect every .exe below the output folder for signing -->
  <SignFiles Include="$(FileLocation)**\*.exe"/>
</ItemGroup>

<!-- the password is passed in clear text via /p, which is the problem -->
<Exec Command="$(SignTool) sign /v /ac C:\MSCV-VSClass3.cer /f C:\Certificate.pfx /p Password /t http://timestamp.verisign.com/scripts/timestamp.dll %(SignFiles.Identity)"/>

After googling, I read in multiple places that once you run the script the first time with the password, the .pfx is stored in the certificate store and the password won't be required in the build script after that. This works, however I want to make sure this is the best way to do it or better yet, there is a way to avoid putting the password in the script.


1 Reply


Import your .pfx-file to Windows Certificate Manager for the user account which is used when building. Then select the correct certificate using signtool's /sha1 switch, and no password is needed.

  1. Log in as the build user
  2. Run certmgr.msc
  3. Right-click Certificates - Current User / Personal / Certificates, and select All Tasks / Import...
  4. Select your .pfx file, enter the password, and click Next and Finish
  5. Double-click on the imported certificate
  6. On the Details tab, the thumbprint algorithm should be sha1
  7. Copy the thumbprint; it looks something like 12 34 56 78 90 ab cd ef 12 34 56 78 90 ab cd ef 12 34 56 78
  8. signtool sign /v /sha1 1234567890abcdef1234567890abcdef12345678 /t http://timestamp.verisign.com/scripts/timestamp.dll %(SignFiles.Identity)

And step 8 will not ask for a password.
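The eight manual steps above, automated as a PowerShell script for the build user's session. This is an added example, not code from the answer; it assumes the PKI module (Import-PfxCertificate) is available, that signtool.exe is on PATH, and the parameter names $PfxPath, $ExeGlob and $TimestampUrl are my own.

```powershell
# Added example: import the .pfx once, then sign by thumbprint so no password ever
# lands in a build script or build log. Parameter names are assumptions.
param(
    [Parameter(Mandatory)] [string] $PfxPath,
    [Parameter(Mandatory)] [string] $ExeGlob,   # e.g. 'C:\build\out\*.exe' (constructed)
    [string] $TimestampUrl = 'http://timestamp.verisign.com/scripts/timestamp.dll'
)

# Steps 1-4: import into the build user's Personal store. The password is typed once,
# interactively, as a SecureString. Without -Exportable the private key stays
# non-exportable, so a compromised build account cannot simply export the .pfx again.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
$cert = Import-PfxCertificate -FilePath $PfxPath `
    -CertStoreLocation 'Cert:\CurrentUser\My' -Password $pfxPassword
$pfxPassword = $null

# Steps 5-7: the thumbprint is the SHA-1 hash of the certificate, 40 hex digits
# (the MMC shows it with spaces; signtool /sha1 wants it without them).
$thumb = $cert.Thumbprint
if ($thumb -notmatch '^[0-9A-Fa-f]{40}$') { throw "Unexpected thumbprint: $thumb" }

# /sha1 only selects the certificate; signing still fails if the private key is missing,
# so check that before touching any binaries.
$stored = Get-ChildItem "Cert:\CurrentUser\My\$thumb"
if (-not $stored.HasPrivateKey) { throw 'Imported certificate has no private key' }

# Step 8: sign with /sha1 (no /f or /p), then verify each file against the store.
foreach ($exe in Get-ChildItem -Path $ExeGlob -File) {
    & signtool sign /v /sha1 $thumb /t $TimestampUrl $exe.FullName
    if ($LASTEXITCODE -ne 0) { throw "signtool sign failed for $($exe.FullName)" }
    & signtool verify /pa $exe.FullName
    if ($LASTEXITCODE -ne 0) { throw "signature verification failed for $($exe.FullName)" }
}

Write-Output "Signed with thumbprint $thumb; put only this value in the MSBuild Exec."
```

In the build script the Exec line then carries only the thumbprint (for example via an MSBuild property or environment variable), which is public information, while the private key stays in the store of the build account.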

