SSL.com

Code Signing with Azure Key Vault

This guide is applicable only to IV and OV code signing certificates that were issued before June 1, 2023. Starting June 1, 2023, SSL.com’s Organization Validation (OV) and Individual Validation (IV) Code Signing Certificates have been issued either on Federal Information Processing Standard 140-2 (FIPS 140-2) USB tokens or through our eSigner cloud code signing service. This change is in compliance with the Certificate Authority/Browser (CA/B) Forum’s new key storage requirements to increase security for code signing keys.

This tutorial will show you how to sign files from the Windows command line with a code signing certificate and private key stored in Azure Key Vault. To follow these instructions you will need:

What is Azure Sign Tool?

Azure Sign Tool is an open-source utility that offers SignTool functionality for certificates and keys stored in Azure Key Vault. You can install Azure Sign Tool with the following command in Windows PowerShell (requires .NET SDK):

dotnet tool install --global AzureSignTool

[/su_note]

Step 1: Register a New Azure Application

First, you’ll need to register a new Azure application so you can connect to your Key Vault for signing.

  1. Sign into the Azure portal.
    Sign into Azure
  2. Navigate to Azure Active Directory. (Click More services if the Azure Active Directory icon isn’t visible.)
  3. Click App Registrations, in the left column.
  4. Click New Registration.
  5. Give your application a Name and click the Register button. Leave the other settings at their default values.
  6. Your new application has been registered. Copy and save the value shown for Application (client) ID, because you’ll be needing it later.
  7. Click Authentication.
  8. Under Advanced Settings, set Allow public client flows to Yes.
  9. Click Save.

Step 2: Create a Client Secret

Next, generate a client secret, which will serve as a credential when signing.

  1. Click Certificates & secrets in the left-hand menu.
  2. Click New client secret.
  3. Give your client secret a Description, set expiry as desired, and click the Add button.
  4. Copy the Value of your new client secret immediately and save it in a safe place. The next time the page is refreshed this value will be masked and irretrievable.

Step 3: Enable Access in Key Vault

Now, you’ll need to enable access for your application in Azure Key Vault.

  1. Navigate to the Key Vault containing the certificate you want to use for signing and click the Access policies link.
  2. Click Add Access Policy.
  3. Under Key Permissions, enable Sign.
  4. Under Certificate permissions, enable Get.
  5. Click the None selected link, under Select principal, then use the search field to locate and select the application you created in the previous section.
  6. Click the Select button.
  7. Click the Add button.
  8. Click Save.
  9. Your access policy is set, and you’re ready to start signing files.

Step 4: Sign a File

Now you’re finally ready to sign some code!

  1. You will need the following information available:
    • Your Key Vault URI (available in the Azure portal):
    • The friendly name of your certificate in Key Vault:
    • The Application (client) ID value from your Azure application:
    • The client secret you generated above:
  2. Below is an example command in PowerShell to sign and timestamp a file with Azure Sign Tool. Replace the values in ALL CAPS with your actual information:
    azuresigntool sign -kvu KEY-VAULT-URI -kvc CERTIFICATE-NAME -kvi APPLICATION-CLIENT-ID -kvs CLIENT-SECRET -tr http://ts.ssl.com/ -td sha256 PATH-TO-EXECUTABLE
    Note: By default, SSL.com supports timestamps from ECDSA keys.

    If you encounter this error: The timestamp certificate does not meet a minimum public key length requirement, you should contact your software vendor to permit timestamps from ECDSA keys.

    If there is no way for your software vendor to allow for the normal endpoint to be used, you can use this legacy endpoint http://ts.ssl.com/legacy to get a timestamp from an RSA Timestamping Unit.
  3. If signing is successful, you should see output like the following (unsuccessful signing will produce no output):
    info: AzureSignTool.Program[0]
          => File: test.exe
          Signing file test.exe
    info: AzureSignTool.Program[0]
          => File: test.exe
          Signing completed successfully for file test.exe.
    info
    PS C:\Users\Aaron Russell\Desktop>
  4. Details about the new digital signature will be available in the file properties:
Note: The author of Azure Sign Tool has also provided a walkthrough for using the tool with Azure DevOps.

SSL.com’s EV Code Signing certificates help protect your code from unauthorized tampering and compromise with the highest level of validation, and are available for as little as $249 per year. You can also use your EV Code Signing certificate at scale in the cloud using eSigner. With its automated option, eSigner is suitable for enterprise code signing.

ORDER NOW

Exit mobile version