Announcement: AzureSignTool 6.0.0-beta1 #271

@vcsjones

Greetings!

This is to announce AzureSignTool's first-ever beta release, and to explain why there is a beta. The short of the reason for the beta is that AzureSignTool v6.0 probably has a breaking change in it for some folks, but I did my best to minimize the potential breaks. If it "just works" for you, great! If not, please file a new issue and let me know about it.

There were a couple of breaking changes for AzureSignTool v6.0:

  • Provide fully self-contained binaries. Just a plain .exe that works.
  • Allow globs for the input path.
  • Concurrency

Self-contained

AzureSignTool has historically been distributed as a global tool provided by NuGet. That is not changing in v6, but as an additional option, I have had several folks wish for a fully-contained .NET application. That required some amount of work. Not exhaustively:

  1. A new command-line parser was needed. The one that was in use is, more or less, in maintenance mode. It relied heavily on reflection and convention-based members for names. This makes for some pleasant to read code and leaves out a lot of boilerplate. On the downside, this means that it is not Native AoT friendly.

    This release switches the command line parsing to XenoAtom.CommandLine. It has a lot of overlap with handling inputs similar to the old command line arguments, but you may need to adjust the way that you invoke AzureSignTool.

    Overall I am pleased with XenoAtom, as it is simple, and if need be, simple enough that it can be forked.

  2. Getting the size to be manageable. .NET native AoT can produce some small executables in the right circumstances. Originally, AzureSignTool as a stand-alone EXE was nearly 30 MB. I was not particularly pleased with this, so it needed to be trimmed down a bit with a combination of settings and removing dependencies. This should not be noticeable to folks, but I may have overlooked something. All of these changes combined got the executable size down to 12-13MB. A tad larger than I was hoping for, but manageable.

Globbing

A lot of folks have asked to be able to do something like this:

azuresigntool -blah1 -blah2 C:\foo\**\*.dll

So they can sign multiple files at once. This is present in 6.0. It, however, may very well introduce some breaking changes around some of the paths people are providing as inputs.

Concurrency

By far, the issue that gets reported the most is failures from excessive concurrency. There are two parts that can result in failures from throttling. The first is Azure. Azure limits the number of operations a KeyVault can perform in a given period. The second is timestamping from a Certificate Authority.

There are two changes in this release to help with this.

  1. The --max-degree-of-parallelism (-mdop) now defaults to 4, meaning no more than 4 sign operations will happen concurrently. To revert back to the previous behavior, set --max-degree-of-parallelism to 0, or a higher number if you still want some limit on concurrent operations.
  2. The signing operation will now retry failed signing operations if the failure was the result of Azure performing throttling.
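
The two concurrency changes above, modelled as an added illustration (not AzureSignTool's code, and not from the announcement's author): a cap on in-flight sign operations plus retry when the service throttles. `FakeVault`, its capacity of 4, and the exponential backoff are assumptions made for the simulation; the announcement does not describe the tool's actual retry policy or Azure's real limits.

```python
import asyncio

class Throttled(Exception):
    """Constructed stand-in for a throttling rejection from the signing service."""

class FakeVault:
    """Simulated service: rejects a call when `capacity` calls are already in flight."""
    def __init__(self, capacity):
        self.capacity, self.in_flight, self.rejected = capacity, 0, 0

    async def sign(self, path):
        if self.in_flight >= self.capacity:
            self.rejected += 1
            raise Throttled(path)
        self.in_flight += 1
        try:
            await asyncio.sleep(0.01)          # pretend network round trip
            return f"signed:{path}"
        finally:
            self.in_flight -= 1

async def sign_all(vault, paths, mdop=4, retries=5, backoff=0.02):
    """Sign every path; mdop=0 means no cap, mirroring the option described above."""
    gate = asyncio.Semaphore(mdop) if mdop > 0 else None

    async def attempt(path):
        if gate is None:
            return await vault.sign(path)
        async with gate:                       # at most `mdop` calls in flight
            return await vault.sign(path)

    async def sign_one(path):
        for n in range(retries + 1):
            try:
                return await attempt(path)
            except Throttled:
                if n == retries:
                    raise                      # give up: surface the failure
                await asyncio.sleep(backoff * 2 ** n)   # assumed backoff policy

    return await asyncio.gather(*(sign_one(p) for p in paths))

def run(mdop, files=12, capacity=4):
    """Return (files signed, throttling rejections) for one simulated batch."""
    vault = FakeVault(capacity)
    paths = [f"lib{i}.dll" for i in range(files)]       # constructed file names
    results = asyncio.run(sign_all(vault, paths, mdop=mdop))
    return len(results), vault.rejected

if __name__ == "__main__":
    print("mdop=4:", run(4))
    print("mdop=0:", run(0))
```

In the simulation, a cap at or below what the service tolerates produces no throttling rejections at all, while an uncapped batch still completes but only because the rejected operations are retried.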
