Code Signing with Azure Key Vault

This guide is applicable only to IV and OV code signing certificates that were issued before June 1, 2023. Starting June 1, 2023, SSL.com’s Organization Validation (OV) and Individual Validation (IV) Code Signing Certificates have been issued either on Federal Information Processing Standard 140-2 (FIPS 140-2) USB tokens or through our eSigner cloud code signing service. This change is in compliance with the Certificate Authority/Browser (CA/B) Forum’s new key storage requirements to increase security for code signing keys.

This tutorial will show you how to sign files from the Windows command line with a code signing certificate and private key stored in Azure Key Vault. To follow these instructions you will need:

What is Azure Sign Tool?

Azure Sign Tool is an open-source utility that offers SignTool functionality for certificates and keys stored in Azure Key Vault. You can install Azure Sign Tool with the following command in Windows PowerShell (requires .NET SDK):

dotnet tool install --global AzureSignTool


Step 1: Register a New Azure Application

First, you’ll need to register a new Azure application so you can connect to your Key Vault for signing.

  1. Sign into the Azure portal.
  2. Navigate to Azure Active Directory. (Click More services if the Azure Active Directory icon isn’t visible.)
  3. Click App Registrations, in the left column.
  4. Click New Registration.
  5. Give your application a Name and click the Register button. Leave the other settings at their default values.
  6. Your new application has been registered. Copy and save the value shown for Application (client) ID, because you’ll be needing it later.
  7. Click Authentication.
  8. Under Advanced Settings, set Allow public client flows to Yes.
  9. Click Save.

Step 2: Create a Client Secret

Next, generate a client secret, which will serve as a credential when signing.

  1. Click Certificates & secrets in the left-hand menu.
  2. Click New client secret.
  3. Give your client secret a Description, set expiry as desired, and click the Add button.
  4. Copy the Value of your new client secret immediately and save it in a safe place. The next time the page is refreshed this value will be masked and irretrievable.

Step 3: Enable Access in Key Vault

Now, you’ll need to enable access for your application in Azure Key Vault.

  1. Navigate to the Key Vault containing the certificate you want to use for signing and click the Access policies link.
  2. Click Add Access Policy.
  3. Under Key Permissions, enable Sign.
  4. Under Certificate permissions, enable Get.
  5. Click the None selected link, under Select principal, then use the search field to locate and select the application you created in the previous section.
  6. Click the Select button.
  7. Click the Add button.
  8. Click Save.
  9. Your access policy is set, and you’re ready to start signing files.
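The same least-privilege policy (key permission Sign, certificate permission Get, nothing else) can be applied and then checked from PowerShell. The script below is an added example, not part of the SSL.com article; it assumes the Az PowerShell module is installed, that Connect-AzAccount has already been run, and that the vault uses access policies rather than RBAC. The vault name and application ID are placeholders.

```powershell
# Added example (not from the SSL.com article). Grants the signing application
# exactly the two permissions described in Step 3 and verifies nothing broader
# was left in place. Placeholder values are marked.

$VaultName = 'YOUR-KEY-VAULT-NAME'      # placeholder: the vault holding the certificate
$AppId     = 'APPLICATION-CLIENT-ID'    # the Application (client) ID saved in Step 1

# Key permission "sign" and certificate permission "get" are all AzureSignTool needs.
# -ServicePrincipalName accepts the application (client) ID.
Set-AzKeyVaultAccessPolicy -VaultName $VaultName `
    -ServicePrincipalName $AppId `
    -PermissionsToKeys sign `
    -PermissionsToCertificates get

# Set-AzKeyVaultAccessPolicy only touches the permission categories you pass, so
# read the policy back and fail if an earlier, wider grant is still present.
$sp     = Get-AzADServicePrincipal -ApplicationId $AppId
$vault  = Get-AzKeyVault -VaultName $VaultName
$policy = $vault.AccessPolicies | Where-Object { $_.ObjectId -eq $sp.Id }
if (-not $policy) { throw "No access policy found for application $AppId on vault $VaultName" }

# -ne is case-insensitive in PowerShell, so "Sign"/"sign" both match.
$extraKeys  = @($policy.PermissionsToKeys)         | Where-Object { $_ -ne 'sign' }
$extraCerts = @($policy.PermissionsToCertificates) | Where-Object { $_ -ne 'get' }
if ($extraKeys -or $extraCerts -or $policy.PermissionsToSecrets) {
    throw ("Access policy for $AppId is broader than sign/get: " +
           "keys=$($policy.PermissionsToKeys -join ',') " +
           "certs=$($policy.PermissionsToCertificates -join ',') " +
           "secrets=$($policy.PermissionsToSecrets -join ',')")
}
"Access policy for $AppId is limited to key:sign and certificate:get."
```

The read-back check matters because the signing key never leaves the vault: an application that can only call Sign cannot export or delete the key, whereas an older policy that also granted Get on keys or any secret permission would widen what a leaked client secret could do.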

Step 4: Sign a File

Now you’re finally ready to sign some code!

  1. You will need the following information available:
    • Your Key Vault URI (available in the Azure portal)
    • The friendly name of your certificate in Key Vault
    • The Application (client) ID value from your Azure application
    • The client secret you generated above
  2. Below is an example command in PowerShell to sign and timestamp a file with Azure Sign Tool. Replace the values in ALL CAPS with your actual information:
    azuresigntool sign -kvu KEY-VAULT-URI -kvc CERTIFICATE-NAME -kvi APPLICATION-CLIENT-ID -kvs CLIENT-SECRET -tr http://ts.ssl.com/ -td sha256 PATH-TO-EXECUTABLE
    Note: By default, SSL.com supports timestamps from ECDSA keys.

    If you encounter this error: The timestamp certificate does not meet a minimum public key length requirement, you should contact your software vendor to permit timestamps from ECDSA keys.

    If there is no way for your software vendor to allow for the normal endpoint to be used, you can use this legacy endpoint http://ts.ssl.com/legacy to get a timestamp from an RSA Timestamping Unit.
  3. If signing is successful, you should see output like the following (unsuccessful signing will produce no output):
    info: AzureSignTool.Program[0]
          => File: test.exe
          Signing file test.exe
    info: AzureSignTool.Program[0]
          => File: test.exe
          Signing completed successfully for file test.exe.
    info
    PS C:\Users\Aaron Russell\Desktop>
  4. Details about the new digital signature will be available in the file properties.
Note: The author of Azure Sign Tool has also provided a walkthrough for using the tool with Azure DevOps.
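Typing the client secret into the command above leaves it in the PowerShell history. The wrapper script below is an added example, not from the SSL.com article or the AzureSignTool project: it reads the secret from an environment variable (the name AZURE_SIGN_SECRET is this script's own assumption), runs the same azuresigntool command with the same flags, and then uses Get-AuthenticodeSignature to confirm that Windows accepts the resulting signature and that a timestamp countersignature is present. The vault URI, certificate name and client ID defaults are placeholders.

```powershell
# Added example (not from the SSL.com article or the AzureSignTool project).
# Usage:  $env:AZURE_SIGN_SECRET = '<client secret from Step 2>'
#         .\Sign-WithKeyVault.ps1 -Path .\test.exe
param(
    [Parameter(Mandatory)] [string] $Path,
    [string] $KeyVaultUri = 'https://YOUR-VAULT.vault.azure.net/',   # placeholder
    [string] $CertName    = 'CERTIFICATE-NAME',                       # placeholder
    [string] $ClientId    = 'APPLICATION-CLIENT-ID',                  # placeholder
    [string] $Timestamp   = 'http://ts.ssl.com/'                      # endpoint from the article
)

# The client secret comes from the environment (variable name is an assumption of
# this script), so it is never typed into the console or stored in the script.
$secret = $env:AZURE_SIGN_SECRET
if (-not $secret) { throw 'Set AZURE_SIGN_SECRET (the Step 2 client secret) before running.' }
if (-not (Test-Path -LiteralPath $Path)) { throw "File not found: $Path" }

# Same flags as the article's command: -kvu vault URI, -kvc certificate name,
# -kvi client ID, -kvs client secret, -tr timestamp URL, -td timestamp digest.
& azuresigntool sign -kvu $KeyVaultUri -kvc $CertName -kvi $ClientId -kvs $secret `
    -tr $Timestamp -td sha256 $Path
if ($LASTEXITCODE -ne 0) { throw "azuresigntool exited with code $LASTEXITCODE" }

# Independent check with Windows' own verifier: the Authenticode signature must
# chain to a trusted root and carry a timestamp, otherwise fail the build.
$sig = Get-AuthenticodeSignature -LiteralPath $Path
if ($sig.Status -ne 'Valid') {
    throw "Signature status is $($sig.Status): $($sig.StatusMessage)"
}
if (-not $sig.TimeStamperCertificate) {
    throw 'File is signed but has no timestamp countersignature; it would stop validating when the certificate expires.'
}

# Summary a CI log can record alongside the artifact.
[pscustomobject]@{
    File        = (Resolve-Path -LiteralPath $Path).Path
    Signer      = $sig.SignerCertificate.Subject
    Thumbprint  = $sig.SignerCertificate.Thumbprint
    Timestamper = $sig.TimeStamperCertificate.Subject
}
```

The secret is still passed to azuresigntool as a process argument, so this only keeps it out of the console history and the script file; on a shared build agent, set the variable from a pipeline secret store rather than a persistent profile. The post-signing check is what catches a run where the tool reported success but the timestamp request failed or the certificate chain is not trusted on the verifying machine.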

SSL.com’s EV Code Signing certificates help protect your code from unauthorized tampering and compromise with the highest level of validation, and are available for as little as $249 per year. You can also use your EV Code Signing certificate at scale in the cloud using eSigner. With its automated option, eSigner is suitable for enterprise code signing.
