Feb 17, 2025
The following article provides step-by-step instructions for using a code signing certificate with Azure Key Vault.
The CA/Browser Forum has issued new Baseline Requirements (BR) guidelines that affect code signing certificates: the private keys of code signing certificates must be stored on a cloud HSM, a physical HSM, or a security token, and that token or HSM must be compliant with FIPS 140 Level 2 or 3.
Under these guidelines, the conventional way of signing builds with a PFX file is obsolete, and developers are running into issues signing executables. This article walks through signing Windows executables using GlobalSign's code signing certificate, Azure Key Vault and AzureSignTool.
Go to Azure Active Directory (now Microsoft Entra ID). If you can't find it, click More Services.
From the left column, click App Registrations.
Click New Registration.
Give a Name to your application, and then click on the Register button.
Once your application is registered, copy the Application (client) ID and the Tenant ID and save them somewhere, as you will need them later in the code signing process.
From the left sidebar, click Authentication.
Then, under Advanced Settings, set Allow public client flows to Yes and click the Save button.
In the left-hand menu, click Certificates & Secrets.
Click New client secret.
Provide a Description for your client secret, set expiry as per your need and then click the Add button.
Note: Copy the Value of the new client secret and save it somewhere safe. It is shown only once; afterwards it is masked for security reasons.
Now you need to grant your application access within Microsoft Azure Key Vault:
Go to the Key Vault that contains the code signing certificate you want to use for signing the Windows file, then click Access policies.
Create an access policy by clicking Create.
Add the following permissions:
Select and enable the Sign option under Key permissions.
Enable the Get option under Certificate permissions.
After adding the permissions, go to the Principal tab. Then search for and select the application you created in the section above.
Once the application is found, select it and click the Select button at the bottom.
Get an HSM-based code signing certificate from GlobalSign (Standard or EV), then follow the support article below to generate and import GlobalSign's code signing certificate into Key Vault:
info: AzureSignTool.Program[0]
==> File: test.exe
Signing file test.exe
info: AzureSignTool.Program[0]
==> File: test.exe
Signing completed successfully for file test.exe
Note: These steps are for signing an .exe file; the command line may vary for other file types, so refer to the Microsoft article.
If you get an error while downloading AzureSignTool, follow the steps below:
Error: NuGet package not found while running (dotnet tool install --global AzureSignTool)
Solution: Add the NuGet package source with the command below
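As an added example (not from this article or from GlobalSign), here is a small POSIX shell wrapper for the signing step whose output is shown above. It checks the values collected in the app registration and Key Vault sections before calling AzureSignTool, takes the client secret from an environment variable instead of a literal typed into a script, and adds an RFC 3161 timestamp so the signature stays valid after the certificate expires. The variable names and the timestamp server placeholder are assumptions; the article does not specify them.

```sh
#!/bin/sh
# Added example, not from the GlobalSign article: a wrapper for the
# AzureSignTool signing step. Assumed environment variables (names chosen
# here; set them for your own tenant and vault):
#   AZ_TENANT_ID, AZ_CLIENT_ID  Tenant ID and Application (client) ID
#   AZ_CLIENT_SECRET  client secret value, from the environment only
#   AZ_KV_URL         https://<vault-name>.vault.azure.net
#   AZ_KV_CERT        certificate name inside that vault
#   TSA_URL           RFC 3161 timestamp server (placeholder; use the
#                     endpoint your CA documents)

# Fail early on a missing or malformed setting; never prints the secret.
check_sign_config() {
    for v in AZ_TENANT_ID AZ_CLIENT_ID AZ_CLIENT_SECRET AZ_KV_URL AZ_KV_CERT TSA_URL; do
        eval "val=\${$v:-}"
        if [ -z "$val" ]; then
            echo "missing setting: $v" >&2
            return 1
        fi
    done
    case "$AZ_KV_URL" in
        https://*.vault.azure.net|https://*.vault.azure.net/) ;;
        *) echo "AZ_KV_URL must be an https Key Vault URL" >&2; return 1 ;;
    esac
    case "$TSA_URL" in
        http://*|https://*) ;;
        *) echo "TSA_URL must be an http(s) URL" >&2; return 1 ;;
    esac
}

# Sign one file. The private key never leaves the HSM-backed vault:
# AzureSignTool sends the file digest to Key Vault (Sign permission) and
# fetches the certificate (Get permission). -tr/-td add the timestamp.
sign_file() {
    file=$1
    check_sign_config || return 1
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    command -v azuresigntool >/dev/null 2>&1 ||
        { echo "azuresigntool missing: dotnet tool install --global AzureSignTool" >&2; return 1; }
    azuresigntool sign \
        -kvu "$AZ_KV_URL" -kvt "$AZ_TENANT_ID" -kvi "$AZ_CLIENT_ID" \
        -kvs "$AZ_CLIENT_SECRET" -kvc "$AZ_KV_CERT" \
        -tr "$TSA_URL" -td sha256 -fd sha256 -v "$file"
}
```

After signing, `signtool verify /pa /v test.exe` from the Windows SDK confirms the Authenticode signature and timestamp chain.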
dotnet nuget add source https://api.nuget.org/v3/index.json -n http://nuget.org
https://learn.microsoft.com/en-us/windows/msix/desktop/cicd-keyvault
https://dotnet.microsoft.com/en-us/download/dotnet/5.0