azure - Azure 构建管道：是否可以使用存储在 Key Vault 中的代码签名证书在 VSBuild 任务中对 MSIX 进行签名？

I was able to solve this by installing the MSIX Packaging extension to my Azure subscription, as referenced here: https://docs.microsoft.com/en-us/windows/msix/desktop/msix-packaging-extension?tabs=yaml

This extension is extremely useful because, much like the Azure Sign Tool (AST), which seems to be the only alternative to this method, it handles the converting of the code signing certificate string to base64 and then signing the package. Obviously, there is a lot going on under the hood. You will need to configure your build pipeline to have access to the key vault. However, unlike the AST, this extension is far easier to use because it does not require all of the configurations that the AST requires. This is because the AST handles the task of retrieving the code signing certificate from the key vault whereas in my implementation I just use the Azure Key Vault task to pull the file into my build pipeline, which is also fairly easy to setup and implement. From my perspective, AST is too complicated to be useful.

Below is the full implementation that I use, which also parameterizes the Key Vaults that store the various code signing certificates by our subscriptions/environments.

trigger:
  branches:
    include:
    - refs/heads/main
    - refs/heads/demo
    - refs/heads/develop
# The following is for testing purposes only. For now we disable automatically building for commits to feature branches in develop.
#    - refs/heads/feature*

pool:
  vmImage: 'windows-latest'

# Variable Declaration(s)
# Note: We must use the name/value combination because we are (dynamically) mixing in variable groups.
variables:
- name: buildPlatform
  value: 'x64'
- name: buildConfiguration
  value: 'Release'
- name: major
  value: 1
- name: minor
  value: 0
- name: build
  value: 0
- name: revision
  value: $[counter('rev', 0)]
# Set conditional variable group based off of the trigger branch (see trigger section above).
# Note: If we use SourceBranch then it will append `refs/heads/` to the SourceBranchName.
- ${{ if eq(variables['build.SourceBranch'], 'refs/heads/main') }}:
  - group: PROD
- ${{ if eq(variables['build.SourceBranch'], 'refs/heads/qa') }}:
  - group: QA
- ${{ if eq(variables['build.SourceBranch'], 'refs/heads/develop') }}:
  - group: DEV
# The following is for testing purposes only.
# Note: If you want to run for a feature branch in develop then you must uncomment this line. Otherwise, you will get an error that the pipeline is not valid.
#       "Step AzureKeyVault input ConnectedServiceName references service connection $(azureSubscription) which could not be found."
- ${{ if contains(variables['Build.SourceBranch'], 'refs/heads/feature') }}:
  - group: DEV

steps: 
# Update the AppXManifest file's major, minor, build, and revision parameters with the current values.
# Note: We use the day's build counter to determine the revision number.
#       By rule, this counter is limited to 255 values per day and will start over at 1!
- powershell: |
   [Reflection.Assembly]::LoadWithPartialName("System.Xml.Linq")
   $path = "SomeAppName.MsixInstaller/Package.appxmanifest";
   $doc = [System.Xml.Linq.XDocument]::Load($path);
   $xName = [System.Xml.Linq.XName]::Get("{http://schemas.microsoft.com/appx/manifest/foundation/windows10}Identity");
   $doc.Root.Element($xName).Attribute("Version").Value = "$(major).$(minor).$(build).$(revision)";
   $doc.Save($path);
  displayName: 'Version the Package Manifest'
  
# Retrieve the code signing certificate from the Key Vault.
# Note: 20211008 - Ignore the errors because the values are correct.
- task: AzureKeyVault@2
  displayName: 'Azure Key Vault: Retrieve Variable(s)'
  inputs:
    azureSubscription: '$(azureSubscription)'
    KeyVaultName: '$(keyVaultName)'
    SecretsFilter: 'SomeCertName'
    RunAsPreJob: false

# Specify the minimum version of NuGet that we want to use to restore the solution's NuGet packages.
- task: NuGetToolInstaller@1
  displayName: 'NuGet: Use v5.11.0'
  inputs:
    versionSpec: 5.11.0
    checkLatest: true

# Run NuGet restore to download the NuGet packages before building the solution.
- task: NuGetCommand@2
  displayName: 'NuGet: Run restore'
  inputs:
    command: 'restore'
    restoreSolution: '**/*.sln'

# Build the MSIX package.
# Note: Set AppxPackageSigningEnabled=false to avoid a build error (i.e., missing thumbprint). We will sign the package in a subsequent step.
- task: VSBuild@1
  displayName: 'VSBuild: Build the MSIX package'
  inputs:
    clean: true
    configuration: '$(buildConfiguration)'
    platform: '$(buildPlatform)'
    restoreNugetPackages: false  #adding this because we're doing an explicit restore above, lets skip the implicit restore.
    solution: '**/*.sln'
    msbuildArgs: '
      /p:AppInstallerUri="$(appServiceUri)"
      /p:AppxPackageDir="$(Build.ArtifactStagingDirectory)/" 
      /p:AppxBundle=Never 
      /p:AppxBundlePlatforms="$(buildPlatform)" 
      /p:UapAppxPackageBuildMode=SideLoadOnly 
      /p:GenerateAppInstallerFile=true
      /p:AppxPackageSigningEnabled=false
      '

# Sign the MSIX package with the code signing certificate from the Key Vault.
- task: MsixSigning@1
  displayName: 'Code Sign MSIX Package'
  inputs:
    package: '$(Build.ArtifactStagingDirectory)\**\*.msix'
    certificateType: 'base64'
    encodedCertificate: '$(DeveloperCodeSigningCertFile)'
    continueOnError: true

# Publish the MSIX package in preparation for deployment. This will be consumed by the Release Pipeline.
- task: PublishBuildArtifacts@1
  displayName: 'Publish ArtifactName: drop'
  inputs:
    PathtoPublish: '$(Build.ArtifactStagingDirectory)'
    ArtifactName: 'drop'
    publishLocation: 'Container'
    
# Run tests (if any).
# Note: This tests sources that are found matching the given filter '**\*test*.dll,!**\*TestAdapter.dll,!**\obj\**
- task: VSTest@2
  displayName: 'VSTest: Run Tests (if any)'
  inputs:
    platform: '$(buildPlatform)'
    configuration: '$(buildConfiguration)'