Code Signing with Azure Key Vault

This tutorial will show you how to sign files from the Windows command line with a code signing certificate and private key stored in Azure Key Vault. To follow these instructions you will need:

These instructions are for use with standard (OV/IV) code signing certificates. SSL.com does not support issuance of EV code signing certificates for use with Azure Key Vault.

What is Azure Sign Tool?

Azure Sign Tool is an open-source utility that offers SignTool functionality for certificates and keys stored in Azure Key Vault. You can install Azure Sign Tool with the following command in Windows PowerShell (requires .NET SDK):

dotnet tool install --global AzureSignTool

Step 1: Register a New Azure Application

First, you’ll need to register a new Azure application so you can connect to your Key Vault for signing.

  1. Sign into the Azure portal.
  2. Navigate to Azure Active Directory. (Click More services if the Azure Active Directory icon isn’t visible.)
  3. Click App Registrations, in the left column.
  4. Click New Registration.
  5. Give your application a Name and click the Register button. Leave the other settings at their default values.
  6. Your new application has been registered. Copy and save the value shown for Application (client) ID, because you’ll be needing it later.
  7. Click Authentication.
  8. Under Advanced Settings, set Allow public client flows to Yes.
  9. Click Save.

Step 2: Create a Client Secret

Next, generate a client secret, which will serve as a credential when signing.

  1. Click Certificates & secrets in the left-hand menu.
  2. Click New client secret.
  3. Give your client secret a Description, set expiry as desired, and click the Add button.
  4. Copy the Value of your new client secret immediately and save it in a safe place. The next time the page is refreshed this value will be masked and irretrievable.

Step 3: Enable Access in Key Vault

Now, you’ll need to enable access for your application in Azure Key Vault.

  1. Navigate to the Key Vault containing the certificate you want to use for signing and click the Access policies link.
  2. Click Add Access Policy.
  3. Under Key Permissions, enable Sign.
  4. Under Certificate permissions, enable Get.
  5. Click the None selected link, under Select principal, then use the search field to locate and select the application you created in the previous section.
  6. Click the Select button.
  7. Click the Add button.
  8. Click Save.
  9. Your access policy is set, and you’re ready to start signing files.

Step 4: Sign a File

Now you’re finally ready to sign some code!

  1. You will need the following information available:
    • Your Key Vault URI (available in the Azure portal)
    • The friendly name of your certificate in Key Vault
    • The Application (client) ID value from your Azure application
    • The client secret you generated above
  2. Below is an example command in PowerShell to sign and timestamp a file with Azure Sign Tool. Replace the values in ALL CAPS with your actual information:
    azuresigntool sign -kvu KEY-VAULT-URI -kvc CERTIFICATE-NAME -kvi APPLICATION-CLIENT-ID -kvs CLIENT-SECRET -tr http://ts.ssl.com/ -td sha256 PATH-TO-EXECUTABLE
  3. If signing is successful, you should see output like the following (unsuccessful signing will produce no output):
    info: AzureSignTool.Program[0]
          => File: test.exe
          Signing file test.exe
    info: AzureSignTool.Program[0]
          => File: test.exe
          Signing completed successfully for file test.exe.
    info
    PS C:\Users\Aaron Russell\Desktop>
  4. Details about the new digital signature will be available in the file properties (Digital Signatures tab).
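As an added example (not part of the original article or of Azure Sign Tool itself), the PowerShell script below wraps the azuresigntool command from step 2 so that the client secret is read from an environment variable instead of being typed into the command line, then checks the resulting Authenticode signature and its timestamp with Get-AuthenticodeSignature. The variable name AZURE_SIGN_CLIENT_SECRET and the parameter names are assumptions; the flag names are the ones used in the command above.

```powershell
# Added example: sign one or more files with Azure Sign Tool and verify the result.
# Assumed: azuresigntool is on PATH, and the caller has set the environment
# variable AZURE_SIGN_CLIENT_SECRET to the client secret from Step 2.
param(
    [Parameter(Mandatory)] [string]   $KeyVaultUri,      # KEY-VAULT-URI
    [Parameter(Mandatory)] [string]   $CertificateName,  # CERTIFICATE-NAME
    [Parameter(Mandatory)] [string]   $ClientId,         # APPLICATION-CLIENT-ID
    [Parameter(Mandatory)] [string[]] $Path,             # PATH-TO-EXECUTABLE(s)
    [string] $TimestampUrl = 'http://ts.ssl.com/'
)

# Read the secret from the environment so it never appears in the script
# invocation or in your PowerShell history.
$secret = $env:AZURE_SIGN_CLIENT_SECRET
if ([string]::IsNullOrEmpty($secret)) {
    throw 'Set AZURE_SIGN_CLIENT_SECRET before running this script.'
}

foreach ($file in $Path) {
    if (-not (Test-Path -LiteralPath $file)) { throw "File not found: $file" }

    # Same flags as the article: -kvu vault URI, -kvc certificate name,
    # -kvi client id, -kvs client secret, -tr/-td RFC 3161 timestamp server and digest.
    & azuresigntool sign -kvu $KeyVaultUri -kvc $CertificateName `
        -kvi $ClientId -kvs $secret -tr $TimestampUrl -td sha256 $file
    if ($LASTEXITCODE -ne 0) {
        throw "azuresigntool exited with code $LASTEXITCODE for $file"
    }

    # Do not rely on the tool's log line alone: confirm that Windows sees a
    # valid signature, and that it is timestamped so it stays valid after the
    # signing certificate expires.
    $sig = Get-AuthenticodeSignature -LiteralPath $file
    if ($sig.Status -ne 'Valid') {
        throw "Signature on $file is $($sig.Status): $($sig.StatusMessage)"
    }
    if ($null -eq $sig.TimeStamperCertificate) {
        throw "Signature on $file is not timestamped"
    }
    Write-Host ("Signed {0} with {1}" -f $file, $sig.SignerCertificate.Subject)
}
```

The secret is still handed to azuresigntool via -kvs, as the tool requires, so run this from a session or CI agent where the process list is not exposed to other users.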
Note: The author of Azure Sign Tool has also provided a walkthrough for using the tool with Azure DevOps.

SSL.com’s Code Signing certificates are an economical way to protect your code from unauthorized tampering and compromise, and are available for as little as $64.50 per year.
