Code Signing with Azure DevOps

This tutorial gives an introduction to code signing with Azure DevOps, using a certificate stored in Azure Key Vault. To follow these instructions you will need:

SSL.com’s eSigner cloud code signing service now enables easy integration with popular CI/CD tools, including Azure DevOps, for automated code signing. eSigner lets you conveniently add globally trusted digital signatures and timestamps to your code from anywhere, with no need for USB tokens, HSMs, or other special hardware.

Head over to this article for a guide on how to integrate eSigner with Azure DevOps: Azure DevOps Cloud Signing Integration Guide.

Register an Azure Application

First, you’ll need to register a new Azure application so you can connect to your Key Vault for signing.

  1. Sign into the Azure portal.
  2. Navigate to Azure Active Directory. (Click More services if the Azure Active Directory icon isn’t visible.)
  3. Click App registrations in the left column.
  4. Click New registration.
  5. Give your application a Name and click the Register button. Leave the other settings at their default values.
  6. Your new application is now registered. Copy and save the value shown for Application (client) ID; you will need it later.

Create a Client Secret

Next, generate a client secret, which will serve as a credential when signing.

  1. Click Certificates & secrets in the left-hand menu.
  2. Click New client secret.
  3. Give your client secret a Description, set the expiry as desired, and click the Add button.
  4. Copy the Value of your new client secret immediately and save it in a safe place. Once the page is refreshed this value is masked and cannot be retrieved again.

Enable Access in Key Vault

Now, you’ll need to enable access for your application in Azure Key Vault.

  1. Navigate to the Key Vault containing the certificate you want to use for signing and click the Access policies link.
  2. Click Add Access Policy.
  3. Under Key permissions, enable Verify, Sign, Get, and List.
  4. Under Secret permissions, enable Get and List.
  5. Under Certificate permissions, enable Get and List.
  6. Click the None selected link under Select principal, then use the search field to locate and select the application you created in the previous section.
  7. Click the Select button.
  8. Click the Add button.
  9. Click Save.
  10. Your access policy is now set.

Configure DevOps Build

Now you can configure your build. Open your project in Azure DevOps.


Store Application Credentials as Variables

You could include your application ID and client secret directly in your YAML pipeline file, but it is more secure to store them as secret variables in a DevOps variable group, so they never appear in source control or in build logs.

  1. Click Pipelines.
  2. Click Library.
  3. Click + Variable group.
  4. Give your variable group a name.
  5. Click Add.
  6. Enter a variable name for your application ID, then paste in the value. Click the lock to encrypt the variable when you are finished.
  7. Repeat the process to add a variable for your client secret.
  8. Click Save.
  9. Link the variable group in your pipeline. (Replace VARIABLE-GROUP with the name of your variable group.)
    variables:
      - group: 'VARIABLE-GROUP'

Add Pipeline Step to Install Azure Sign Tool

AzureSignTool is an open-source utility that offers SignTool-style Authenticode signing for certificates and keys stored in Azure Key Vault; the private key never leaves the vault, since the tool only sends digests to Key Vault for signing. Add the following step to your pipeline to install it as a .NET global tool:

- task: DotNetCoreCLI@2
  inputs:
    command: 'custom'
    custom: 'tool'
    arguments: 'install --global azuresigntool'
  displayName: Install AzureSignTool

Add Azure Sign Tool Command to Pipeline

  1. Now you can add a task to the pipeline that signs your code. You will need the following information:
    • Your Key Vault URI (available in the Azure portal)
    • The friendly name of your certificate in Key Vault
    • The names of your Application ID and Client Secret variables
  2. Add the AzureSignTool call to your pipeline. Replace the values shown in ALL-CAPS with your actual values:
    - task: CmdLine@2
      inputs:
        script: AzureSignTool sign -kvu "KEY-VAULT-URI" -kvi "$(APPLICATION-ID-VAR)" -kvs "$(CLIENT-SECRET-VAR)" -kvc CERTIFICATE-NAME -tr "http://ts.ssl.com" -td sha256 "FILE-TO-SIGN"
      displayName: Sign Code
  3. You should see output like this if signing is successful:
    info: AzureSignTool.Program[0]
          => File: D:\a\1\s\x64\Debug\HelloWorld.exe
          Signing file D:\a\1\s\x64\Debug\HelloWorld.exe
    info: AzureSignTool.Program[0]
          => File: D:\a\1\s\x64\Debug\HelloWorld.exe
          Signing completed successfully for file D:\a\1\s\x64\Debug\HelloWorld.exe.
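Putting the steps together, here is a complete azure-pipelines.yml that links the variable group, installs AzureSignTool, signs a build output and then checks the resulting Authenticode signature before the job is allowed to succeed. This is an added example, not part of the original tutorial or of the AzureSignTool project: the variable group name, the vault URI, the certificate name and the path of the file to sign are placeholders to replace with your own values, and the TENANT-ID-VAR variable is an assumption covering newer AzureSignTool releases, which require the Azure AD tenant ID (-kvt) alongside the client ID and secret.

```yaml
# Added example pipeline (not from the original tutorial). All ALL-CAPS
# names are placeholders; the tenant-ID variable is assumed to exist in
# the same variable group as the application ID and client secret.
trigger:
  - main

pool:
  vmImage: 'windows-latest'

variables:
  # Variable group holding APPLICATION-ID-VAR, CLIENT-SECRET-VAR and
  # TENANT-ID-VAR, each marked with the lock so the value is masked in logs.
  - group: 'VARIABLE-GROUP'
  - name: keyVaultUri
    value: 'https://KEY-VAULT-NAME.vault.azure.net'   # placeholder vault URI
  - name: certificateName
    value: 'CERTIFICATE-NAME'                          # friendly name in Key Vault
  - name: fileToSign
    # placeholder path; on a hosted Windows agent Build.SourcesDirectory is D:\a\1\s
    value: '$(Build.SourcesDirectory)\x64\Debug\HelloWorld.exe'

steps:
  # Install AzureSignTool as a .NET global tool, as in the tutorial.
  - task: DotNetCoreCLI@2
    displayName: Install AzureSignTool
    inputs:
      command: 'custom'
      custom: 'tool'
      arguments: 'install --global azuresigntool'

  # Sign with the Key Vault-held key. The private key stays in the vault;
  # only the file digest is sent for signing. -kvt is required by newer
  # AzureSignTool releases when authenticating with a client ID and secret.
  - task: CmdLine@2
    displayName: Sign Code
    inputs:
      script: >-
        AzureSignTool sign
        -kvu "$(keyVaultUri)"
        -kvi "$(APPLICATION-ID-VAR)"
        -kvt "$(TENANT-ID-VAR)"
        -kvs "$(CLIENT-SECRET-VAR)"
        -kvc "$(certificateName)"
        -tr "http://ts.ssl.com"
        -td sha256
        "$(fileToSign)"

  # Fail the build if the artifact does not carry a valid signature, so an
  # unsigned or badly signed binary is never published by mistake.
  - task: PowerShell@2
    displayName: Verify Signature
    inputs:
      targetType: 'inline'
      script: |
        $sig = Get-AuthenticodeSignature -FilePath "$(fileToSign)"
        if ($sig.Status -ne 'Valid') {
          Write-Host "##vso[task.logissue type=error]Signature check failed: $($sig.Status)"
          exit 1
        }
        Write-Host "Signed by: $($sig.SignerCertificate.Subject)"
        Write-Host "Thumbprint: $($sig.SignerCertificate.Thumbprint)"
```

Because the three credential values live in a locked variable group, Azure DevOps substitutes them into the command line at run time and masks them in the job log, so neither the YAML in source control nor the build output exposes the client secret. The verification step relies on PowerShell's built-in Get-AuthenticodeSignature rather than on signtool.exe, whose path differs between Windows SDK versions on hosted agents; if you need to enforce a specific signing certificate, compare the logged thumbprint against the expected one in the same step.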

SSL.com’s EV Code Signing certificates help protect your code from unauthorized tampering and compromise with the highest level of validation, and are available for as little as $249 per year. You can also use your EV Code Signing certificate at scale in the cloud using eSigner. With its automated option, eSigner is suitable for enterprise code signing.
