The Sign action digitally signs Business Central app (.app) files using certificates stored in Azure Key Vault.

Usage

- uses: microsoft/AL-Go/Actions/Sign@main
  with:
    azureCredentialsJson: ${{ secrets.AZURE_CREDENTIALS }}
    pathToFiles: 'output/*.app'

Inputs

azureCredentialsJson (string, required)
Azure credentials secret (Base64 encoded) containing the service principal credentials with access to Azure Key Vault.

pathToFiles (string, required)
The path to the files to be signed. Supports wildcards (e.g., output/*.app).

timestampService (string, default: "http://timestamp.digicert.com")
The URI of the timestamp server used to timestamp the signature.

digestAlgorithm (string, default: "SHA256")
The digest algorithm to use for signing and timestamping. Common values:
  • SHA256 (recommended)
  • SHA384
  • SHA512

shell (string, default: "powershell")
Shell in which you want to run the action. Options: powershell or pwsh.

Example

Sign apps after building:
name: Build and Sign
on:
  push:
    branches: [ main ]

jobs:
  build-and-sign:
    runs-on: windows-latest
    steps:
      - uses: actions/checkout@v4
      
      - name: Build Apps
        run: |
          # Your build steps
      
      - name: Sign Apps
        uses: microsoft/AL-Go/Actions/Sign@main
        with:
          azureCredentialsJson: ${{ secrets.AZURE_CREDENTIALS }}
          pathToFiles: 'output/*.app'
          timestampService: 'http://timestamp.digicert.com'
          digestAlgorithm: 'SHA256'

Azure Credentials Setup

The azureCredentialsJson input should contain Base64-encoded JSON with the following structure:
{
  "clientId": "<service-principal-client-id>",
  "clientSecret": "<service-principal-secret>",
  "tenantId": "<azure-tenant-id>",
  "subscriptionId": "<azure-subscription-id>",
  "keyVaultName": "<key-vault-name>",
  "certificateName": "<certificate-name>"
}
Code signing helps ensure the authenticity and integrity of your Business Central apps, which is especially important for AppSource apps and enterprise deployments.
Keep your Azure credentials secure by storing them as GitHub encrypted secrets. Never commit credentials directly in your workflow files or repository.
Ensure the service principal has the necessary permissions to access the certificate in Azure Key Vault (typically Key Vault Secrets User and Key Vault Certificates User roles).
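
A pre-flight check for the secret described above, as an added example that is not part of the AL-Go project: it builds the Base64-encoded JSON from the six fields and validates a candidate value while reporting only field names, never values. The function names, the UTF-8 encoding of the JSON, and the sample values are assumptions of this example.

```powershell
# Added example: field names come from the structure shown above; the function
# names and the UTF-8 encoding of the JSON are assumptions of this sketch.
$RequiredKeys = 'clientId','clientSecret','tenantId','subscriptionId','keyVaultName','certificateName'

function ConvertTo-SignCredentialSecret {
    param([Parameter(Mandatory)][hashtable] $Credentials)
    foreach ($key in $RequiredKeys) {
        $value = [string]$Credentials[$key]
        if ([string]::IsNullOrWhiteSpace($value)) { throw "Missing or empty field: $key" }
        if ($value -match '^<.*>$') { throw "Field still holds a placeholder: $key" }
    }
    $json = $Credentials | ConvertTo-Json -Compress
    [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($json))
}

function Test-SignCredentialSecret {
    param([Parameter(Mandatory)][string] $Secret)
    try {
        $json = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($Secret))
        $parsed = $json | ConvertFrom-Json -ErrorAction Stop
    } catch {
        return 'Value is not Base64-encoded JSON'
    }
    # Emit one line per problem, naming the field only, so output is safe in CI logs.
    foreach ($key in $RequiredKeys) {
        $value = [string]$parsed.$key
        if ([string]::IsNullOrWhiteSpace($value)) { "missing: $key" }
        elseif ($value -match '^<.*>$') { "placeholder: $key" }
    }
}

# Constructed sample values, not real credentials.
$sample = @{
    clientId        = '00000000-0000-0000-0000-000000000001'
    clientSecret    = 'constructed-sample-secret'
    tenantId        = '00000000-0000-0000-0000-000000000002'
    subscriptionId  = '00000000-0000-0000-0000-000000000003'
    keyVaultName    = 'sample-vault'
    certificateName = 'sample-cert'
}
$secret = ConvertTo-SignCredentialSecret -Credentials $sample
$issues = @(Test-SignCredentialSecret -Secret $secret)
"Problems found: $($issues.Count)"
```

Run the check locally before storing the value as a GitHub encrypted secret, and avoid writing the encoded string to the console or to a file that could be committed.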
