Code Signing using Azure Key-Vault and Azure Signtool

May 30, 2024

Introduction

The following article provides step-by-step instructions for Using Code Signing Certificate with Azure KeyVault. Note: If this is not the solution you are looking for, please search for your solution in the search bar above.

The CA and Browser Forum’s has new BR guidelines that affect code signing certificates. Private Keys and Code Signing Certificates needs to be stored on a Cloud HSM, Physical HSM, or security token. The token or HSM must be compliant with FIPS 140 Level 2 or 3.  

After these new guidelines, conventional way of signing builds using a PFX file is obsolete, and developers are facing issues related to Signing executables. This article will help you in Signing Windows Executables using GlobalSign’s Code Signing Certificate, Azure Key Vault and Azure SignTool. 

Pre-requisites: 
 
  • A Microsoft Azure account. If you do not already have an Azure account, start here
  • An Azure Key Vault. For more info, see Create a Key Vault
  • A Code Signing certificate from a Public certificate authority like GlobalSign. Click here to get GlobalSign’s CodeSigning Certificate. 
  • Download Azure Signtool to sign your Executables.

Step 1: Register Your New Azure Application
 

Register a new Azure application so you can further connect it with the Key Vault for code signing: - 
 
  • Sign in to the Microsoft Azure portal.
  • Go to the Azure Active Directory (Now Microsoft Entra ID). (If you can’t find then click More Services).
     

    01.png
     
  • From the left column, click App Registrations.
     
  • Click New Registration.
     

02.png
 

  •  Give a Name to your application, and then click on the Register button
     

03.png
 

  • Once your Application is registered, Copy and Paste the Application (client) ID and Tenant ID somewhere as you will need it later in the process of Code Signing. 

     

04.png
 

  • From the left sidebar, click Authentication
     
  • Further, from Advanced Settings, set Yes for Allow public client flows option and click on the Save button. ​​​​​
     

05.png


Step 2: Client Secret Creation 
 

Now, generate a client-secret, which will provide a credential at the time of code signing. For the same, follow the below steps: 

 

  • Click on the left-hand menu option Certificates & Secrets 
     
  • Click on the New client secret. 
     
  •  Provide a Description for your client secret, set expiry as per your need and then click the Add button. 

     

06.png
 

Note:-  Copy the Value of the new client secret and save it somewhere safely. Because it is available only once and then it is masked because of the security reasons. 

 

07.png

Step 3: Enable Application Access in Azure Key Vault 

 

Now, you need to enable the Access to your application within Microsoft Azure Key-vault:-
 
  • Go to the Key Vault that contains the code signing certificate you want to use for the code signing windows file. And then click on Access policies
     
  • Now Create Access Policies by Clicking on “Create
     

08.png
 

  •   Add the following permissions : - 
     

•Select and enable the Sign option under the Key Permissions.

• Enable the Get option under Certificate permissions.
 

09.png
 

  • After adding permissions, go to “Principal” tab. Now, search and select the application  you’ve created in the above section. 
     
  • Once the application is found, please select and click the Select button at the bottom. 
     
  • Click on the Next button.
     
  • Click on the Create button at the end of the page. 
     

10.png
 

► Now, your access policies are created and you are ready for code-signing windows files.
 

Step 4: Get & Import GlobalSign’s Codesigning Certificate in Azure Key-Vault:

 

Get a HSM based Code Signing Certificate from GlobalSign (Standard or EV) and then follow the below support article to generate & import GlobalSign’s Code Signing certificate on Key Vault. 

 

https://support.globalsign.com/digital-certificates/digital-certificate-installation/Code-Signing-certificate-setup-in-Azure-Key-vault
 

Step 5: Install Azure Signtool: 

 

To install the Azure Signtool make sure to have the latest .NET SDK installed, then open Administrator PowerShell and use the following command: 

dotnet tool install --global AzureSignTool
 

Note:- If in case you are getting the below error while downloading Azure Signtool  then follow the subsequent steps

Error - Nuget package not found while running (dotnet tool install --global AzureSignTool)

Try these below steps to install Nuget Package

dotnet nuget add source https://api.nuget.org/v3/index.json -n http://nuget.org 
 

Step 6: Now Sign your Executables:

 

Once you complete the above steps, you can sign your windows based executable files. But before you begin code signing, ensure the below information is readily available: 

 
  • Within the Azure portal, your Key Vault URI 
     

11.png
 

  •  The Friendly Name of the code signing certificate within Key Vault: 

     

12.png
 

  • The Application (client) ID & Tenant ID value from Step 1:
     

  • The client-Secret value that you generated in the Step 2: 
     

  • Using the Azure Sign tool, you’ll need to execute the following command for code signing and timestamping your Windows based executable. Replace all Quoted values in the below command with your Credentials generated in the above steps:
     

azuresigntool sign -kvu "KEY-VAULT-URI" -kvc CERTIFICATE-NAME -kvi "APPLICATION-CLIENT-ID" -kvs "CLIENT-SECRET" --azure-key-vault-tenant-id "tenant-ID" -tr http://timestamp.globalsign.com/tsa/advanced -td sha256 “PATH-TO-EXECUTABLE”
 

  • If you have followed the above steps correctly, you’ll be able to see the following output: -
     

info: AzureSignTool.Program[0] 

      ==> File: test.exe 

      Signing file test.exe 

info: AzureSignTool.Program[0] 

      ==> File: test.exe 

      Signing completed successfully for file test.exe 
 

13.png
 

Note:  These steps are for signing exe, for each code command line may vary look for Microsoft article

              If in case you are getting error while downloading Azure Signtool follow below steps:
 
Error - Nuget package not found while running (dotnet tool install --global AzureSignTool)
 

Solution - Install Nuget package with below command

dotnet nuget add source https://api.nuget.org/v3/index.json -n http://nuget.org

 

  Related articles 

https://learn.microsoft.com/en-us/windows/msix/desktop/cicd-keyvault 

https://dotnet.microsoft.com/en-us/download/dotnet/5.0  

​​​​​​https://support.globalsign.com/digital-certificates/digital-certificate-installation/Code-Signing-certificate-setup-in-Azure-Key-vault

 

Related Articles

GlobalSign System Alerts

View recent system alerts.

View Alerts

Atlas Discovery

Scan your endpoints to locate all of your Certificates.

Sign Up

SSL Configuration Test

Check your certificate installation for SSL issues and vulnerabilities.

Contact Support