SSL.com

Code Signing with Azure DevOps

This tutorial gives an introduction to code signing with Azure DevOps, using a certificate stored in Azure Key Vault. To follow these instructions you will need:

SSL.com’s eSigner cloud code signing service now enables easy integration with popular CI/CD tools, including Azure DevOps, for automated code signing. eSigner lets you conveniently add globally trusted digital signatures and timestamps to your code from anywhere, with no need for USB tokens, HSMs, or other special hardware.

Head over to this article for a guide on how to integrate eSigner with Azure DevOps: Azure DevOps Cloud Signing Integration Guide.

Register an Azure Application

First, you’ll need to register a new Azure application so you can connect to your Key Vault for signing.

  1. Sign into the Azure portal.
  2. Navigate to Azure Active Directory. (Click More services if the Azure Active Directory icon isn’t visible.)
  3. Click App Registrations, in the left column.
  4. Click New Registration.
  5. Give your application a Name and click the Register button. Leave the other settings at their default values.
  6. Your new application has been registered. Copy and save the value shown for Application (client) ID, because you’ll be needing it later.

Create a Client Secret

Next, generate a client secret, which will serve as a credential when signing.

  1. Click Certificates & secrets in the left-hand menu.
  2. Click New client secret.
  3. Give your client secret a Description, set expiry as desired, and click the Add button.
  4. Copy the Value of your new client secret immediately and save it in a safe place. The next time the page is refreshed this value will be masked and irretrievable.

Enable Access in Key Vault

Now, you’ll need to enable access for your application in Azure Key Vault.

  1. Navigate to the Key Vault containing the certificate you want to use for signing and click the Access policies link.
  2. Click Add Access Policy.
  3. Under Key permissions, enable Verify, Sign, Get, and List.
  4. Under Secret permissions, enable Get and List.
  5. Under Certificate permissions, enable Get and List.
  6. Click the None selected link, under Select principal, then use the search field to locate and select the application you created in the previous section.
  7. Click the Select button.
  8. Click the Add button.
  9. Click Save.
  10. Your access policy is set.

Configure DevOps Build

Now you can configure your build. Open your project in Azure DevOps.

Store Application Credentials as Variables

You could include your application ID and client secret directly in your YAML pipeline file, but it’s more secure to store them as secret variables in a DevOps variable group, so they never appear in your repository or build logs.

  1. Click Pipelines.
  2. Click Library.
  3. Click + Variable group.
  4. Give your variable group a name.
  5. Click Add.
  6. Enter a variable name for your application ID, then paste in the value. Click the lock to encrypt the variable when you are finished.
  7. Repeat the process to add a variable for your client secret.
  8. Click Save.
  9. Link the variable group in your pipeline. (Replace VARIABLE-GROUP with the name of your actual variable group.)
    variables:
     - group: 'VARIABLE-GROUP'

Add Pipeline Step to Install Azure Sign Tool

Azure Sign Tool is an open-source utility that offers SignTool functionality for certificates and keys stored in Azure Key Vault. Add the following step in your pipeline to install Azure Sign Tool:

- task: DotNetCoreCLI@2
  inputs:
    command: 'custom'
    custom: 'tool'
    arguments: 'install --global azuresigntool'
  displayName: Install AzureSignTool

Add Azure Sign Tool Command to Pipeline

  1. Now you can add a task to sign your code to the pipeline. You will need the following information:
    • Your Key Vault URI (available in the Azure Portal).
    • The friendly name of your certificate in Key Vault.
    • The names of your Application ID and Client Secret variables.
  2. Add the Azure Sign Tool call to your pipeline. Replace the values shown in ALL-CAPS with your actual values:
    - task: CmdLine@2
      inputs:
        script: AzureSignTool sign -kvu "KEY-VAULT-URI" -kvi "$(APPLICATION-ID-VAR)" -kvs "$(CLIENT-SECRET-VAR)" -kvc CERTIFICATE-NAME -tr "http://ts.ssl.com" -td sha256 "FILE-TO-SIGN"
      displayName: Sign Code
  3. You should see output like this if signing is successful:
    info: AzureSignTool.Program[0]
          => File: D:\a\1\s\x64\Debug\HelloWorld.exe
          Signing file D:\a\1\s\x64\Debug\HelloWorld.exe
    info: AzureSignTool.Program[0]
          => File: D:\a\1\s\x64\Debug\HelloWorld.exe
          Signing completed successfully for file D:\a\1\s\x64\Debug\HelloWorld.exe.
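The steps above, combined into one complete azure-pipelines.yml, as an added example that is not part of the SSL.com article. It assumes a variable group named code-signing holding the variables APPLICATION-ID and CLIENT-SECRET, a placeholder Key Vault URI and certificate name, and a placeholder output path for the binary; the build step is a stand-in for whatever produces your file. Beyond the article's steps, it adds a PowerShell verification step that fails the build if the Authenticode signature does not validate, so an unsigned or badly signed binary is never published.

```yaml
# Added example, not the article's own pipeline. All names marked "placeholder"
# or "assumed" must be replaced with your real values.
trigger:
  - main

pool:
  vmImage: 'windows-latest'

variables:
  - group: 'code-signing'                    # assumed variable group name
  - name: keyVaultUri
    value: 'https://example-vault.vault.azure.net'   # placeholder
  - name: certName
    value: 'example-codesign'                        # placeholder friendly name
  - name: fileToSign
    value: '$(Build.SourcesDirectory)\bin\Release\HelloWorld.exe'  # placeholder path

steps:
  # Stand-in build step: produces the binary that will be signed.
  - task: DotNetCoreCLI@2
    inputs:
      command: 'build'
      arguments: '--configuration Release'
    displayName: Build

  # Install AzureSignTool as a global .NET tool (same step as the article).
  - task: DotNetCoreCLI@2
    inputs:
      command: 'custom'
      custom: 'tool'
      arguments: 'install --global azuresigntool'
    displayName: Install AzureSignTool

  # Sign with the Key Vault certificate; the secret values come from the
  # variable group and are masked in the build log by Azure DevOps.
  - task: CmdLine@2
    inputs:
      script: >-
        AzureSignTool sign
        -kvu "$(keyVaultUri)"
        -kvi "$(APPLICATION-ID)"
        -kvs "$(CLIENT-SECRET)"
        -kvc "$(certName)"
        -tr "http://ts.ssl.com"
        -td sha256
        "$(fileToSign)"
    displayName: Sign Code

  # Verify the result before publishing: a non-Valid status fails the job.
  - task: PowerShell@2
    inputs:
      targetType: 'inline'
      script: |
        $sig = Get-AuthenticodeSignature -FilePath "$(fileToSign)"
        if ($sig.Status -ne 'Valid') {
          Write-Error "Signature check failed: $($sig.Status) - $($sig.StatusMessage)"
          exit 1
        }
        Write-Host "Signed by:   $($sig.SignerCertificate.Subject)"
        Write-Host "Timestamped: $($sig.TimeStamperCertificate.Subject)"
    displayName: Verify Signature

  # Only a verified, signed binary reaches the artifact feed.
  - task: PublishBuildArtifacts@1
    inputs:
      pathToPublish: '$(fileToSign)'
      artifactName: 'signed'
```

The folded scalar (`>-`) keeps the sign command on one line at runtime while staying readable in the file. Recent AzureSignTool releases also accept a tenant id (`-kvt`) alongside the client id and secret; the article's command omits it, as does this example, so check `AzureSignTool sign --help` for the version the install step pulls in.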

SSL.com’s EV Code Signing certificates help protect your code from unauthorized tampering and compromise with the highest level of validation, and are available for as little as $249 per year. You can also use your EV Code Signing certificate at scale in the cloud using eSigner. With its automated option, eSigner is suitable for enterprise code signing.
