Simplified App Signing with Secure Files in Azure Devops

James Montemagno

One thing I never want to worry about when building my apps is needing to remember where I stored my provisioning profiles, certificates, and keystores. Thanks to Azure DevOps (formerly VSTS), I no longer have to when I set up a full production pipeline with the new Secure File storage feature. In previous posts, I showed how easy it is to set up Continuous Integration for iOS and Android applications in VSTS and Team Foundation Server (TFS). In the past we had to store certificates in blob storage or check it into source control. Now, we can simply upload our certificates and install them temporarily on the build machine to sign our applications. Let’s take a look at this new feature below.

Uploading Certificates

In VSTS under Build & Release is a new section called Library. You can think of this area of VSTS as a place to create shared variables between all of your build definitions. Variable groups enable you to create a full set of shared public and private variables that can be used everywhere. This is nifty when you want to secure and encrypt passwords for your certificates or other API keys. The second section is secure files, which is where we can upload any files we need for signing our applications. In this case, I’m building an iOS and Android application, so let’s upload our keystore, p12 certificate, and mobile provisioning profile.

iOS Signing

There are two new tasks that we can add to any build definition to install our certificate and our provisioning profile. These two tasks are special and will always run before any other task runs. For consistency, I added them to the top of my build definition.

We simply need to select the correct file to use and fill in the password in each task:

With these two tasks in place, we can now remove the old signing information from the Xamarin.iOS build task:

^^Leave these blank^^

Android Signing

Included in our build definition for Android is an Android Sign and ZipAlign task. We must upgrade this task to version 2.0 to use the new Secure File feature:

After that, we can select the keystore from the dropdown. That’s it! Our build is complete and our apps will continue to build without ever having to wonder where our certs are again.

Learn More

To learn more about Visual Studio Team Services and how you can start building out a full continuous integration, test, and deployment pipeline for any application, head over to For a complete overview of Secure Files, head over to the official Microsoft Documentation.

Discuss this post on the forums!


Discussion is closed.

Feedback usabilla icon