
Signing files with Azure Sign Tool

Azure Sign Tool is an open source command-line tool that digitally signs files with code signing certificates stored in Azure Key Vault. Its usage is modelled on Microsoft's SignTool and it accepts many of the same options, but the private key never leaves the vault: each signature is produced by a Key Vault sign operation, which is what makes it usable with HSM-backed keys. The tool works with both standard and EV code signing certificates stored in Azure Key Vault.

Note: The tool is not developed by Microsoft, but by independent developer Kevin Jones.

Prerequisites

  • Azure Key Vault
  • Standard or EV code signing certificate stored in Azure Key Vault

(Please see the following guide on this subject: How to Set Up, Install, and Use an EV Code Signing Certificate (Azure) (trustzone.com))

Installing Azure Sign Tool

If you wish to build the tool from source or take a look at the source code, the GitHub repository can be found at this link: vcsjones/AzureSignTool: SignTool Library and Azure Key Vault Support (github.com)

The tool can also be installed with the dotnet command which is part of the .NET SDK.

The .NET SDK can be downloaded from this link: Download .NET (Linux, macOS, and Windows) (microsoft.com)

When the SDK has been installed the following command can be used to install the tool:

dotnet tool install --global AzureSignTool

The tool can then be used in a PowerShell prompt by using the command:

azuresigntool

Registering Azure Sign Tool as an Azure Application

Before Azure Sign Tool can connect to your Azure Key Vault it has to be registered as an application in Azure. The credentials the tool uses to authenticate then have to be generated, and the application has to be granted the correct access to the Key Vault. Note that the client secret created below, together with the vault access granted later, is enough to produce signatures in your name, so treat it with the same care as a private key.

  • Log into your Azure portal and navigate to Azure Active Directory (now called Microsoft Entra ID)
  • Click on App registrations in the action bar to the left
  • Click on New registration
  • Name the application (e.g. azuresigntool) and click Register
  • Copy the Application (client) ID, and also the Directory (tenant) ID shown next to it on the overview page; current versions of Azure Sign Tool need both
  • Select Certificates & secrets in the action bar to the left
  • Click + New client secret. Add a description and select an expiration for the secret. When the secret expires a new one has to be generated before Azure Sign Tool can sign again, so choose a short lifetime and note the date.
  • Copy the Value field of the secret to a secure location

Note: The secret value is only shown once. You will be unable to read it again after you navigate away from the page, so make sure to copy it.

Configure an Access Policy in Azure Key Vault

After the application has been registered, an access policy needs to be configured on the Azure Key Vault where the code signing certificate is stored, so that the application can read the certificate and sign with its key.

  • Navigate to the Azure Key Vault where your certificate is located.
  • Select Access policies in the action bar to the left
  • Then click + Add Access Policy
  • Set Key permissions to Get and Sign, and Certificate permissions to Get, on your new access policy. Sign is the permission that actually produces signatures (Get alone is not enough; the sign call is refused without it), and the private key is never downloaded. Leave every other permission unset so the signing identity cannot export, delete or modify anything in the vault.
  • Then click on None selected to select the correct principal
  • Search for the application created in the earlier steps. Click on the application to select it and press the Select button to confirm it
  • Remember to Save your access policy afterwards

Note: Key Vaults created with the Azure RBAC permission model have no Access policies blade. There, assign the application the Key Vault Crypto User role (covers the sign operation) together with a role that grants read access to the certificate, such as Key Vault Certificate User, scoped to the vault.
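The same access policy can be granted and checked from the command line with the Azure CLI, which is useful when the vault is prepared by a build pipeline instead of by hand. The script below is an added example written for this page; it is not part of Azure Sign Tool or of the original guide. It assumes the Azure CLI (az) is installed and logged in as a vault administrator, and the vault name and Application (client) ID are placeholders you replace with your own.

```powershell
# Added example, not from the original guide: grant Azure Sign Tool's app registration the
# minimum Key Vault access it needs from the command line, then read the policy back and
# refuse to continue if it is wider than intended.
# Assumptions: the Azure CLI (az) is installed and logged in as a vault administrator, and
# the two values below are placeholders for your own vault name and Application (client) ID.
$VaultName = 'my-codesign-vault'
$AppId     = '00000000-0000-0000-0000-000000000000'

# Access policies are bound to the service principal behind the app registration. The portal
# creates it together with the registration; create it here only if it is missing.
$SpObjectId = az ad sp show --id $AppId --query id -o tsv 2>$null
if (-not $SpObjectId) {
    $SpObjectId = az ad sp create --id $AppId --query id -o tsv
    if (-not $SpObjectId) { throw "No service principal found or created for $AppId" }
}

# Least privilege for signing: Get + Sign on keys, Get on certificates, nothing on secrets.
# Sign is what produces signatures; the private key itself is never released by the vault.
az keyvault set-policy --name $VaultName --spn $AppId `
    --key-permissions get sign `
    --certificate-permissions get | Out-Null
if ($LASTEXITCODE -ne 0) { throw "az keyvault set-policy failed for $VaultName" }

# Read the effective policy back and compare it against what was intended.
$Vault  = az keyvault show --name $VaultName -o json | ConvertFrom-Json
$Policy = $Vault.properties.accessPolicies | Where-Object { $_.objectId -eq $SpObjectId }
if (-not $Policy) { throw "No access policy for service principal $SpObjectId on $VaultName" }

$Expected = @{ keys = @('get', 'sign'); certificates = @('get'); secrets = @() }
$Problems = @()
foreach ($Kind in $Expected.Keys) {
    $Actual = @($Policy.permissions.$Kind | ForEach-Object { $_.ToLower() } | Sort-Object) -join ','
    $Wanted = @($Expected[$Kind] | Sort-Object) -join ','
    if ($Actual -ne $Wanted) { $Problems += "${Kind}: have [$Actual], want [$Wanted]" }
}
if ($Problems) {
    throw ("Access policy for $AppId is not least-privilege:`n" + ($Problems -join "`n"))
}
Write-Host "Access policy for $AppId on ${VaultName}: keys get+sign, certificates get, secrets none."
```

The read-back at the end is the part worth keeping even if you grant the policy in the portal: an access policy that has accumulated extra permissions over time (for instance Secrets: Get added "just to test") turns a signing identity into one that can read every secret in the vault.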

Signing with Azure Sign Tool

When the application has been registered and the access policy configured you can start signing your files.

To sign you will need the following information:

  • Key Vault URI (of the form https://<vault-name>.vault.azure.net)
  • Name of your code signing certificate, as it appears in the vault's Certificates list
  • Application (client) ID and Directory (tenant) ID from the Azure Application set up earlier (both are shown on the app registration's overview page)
  • Client secret, which you (hopefully) copied to a secure location

With this information you can use Azure Sign Tool on your local device to sign your files using the following command:

azuresigntool sign -kvu Key_Vault_URI -kvc Certificate_Name -kvi Application_ID -kvt Tenant_ID -kvs Client_Secret -tr http://timestamp.globalsign.com/tsa/r6advanced1 -td sha256 file_to_be_signed

Always include a timestamp (-tr) from an RFC 3161 timestamp server, normally the one run by your certificate issuer: a timestamped signature stays valid after the certificate expires, an untimestamped one does not. Avoid typing the client secret into the command line directly, since it ends up in the shell history; pass it from an environment variable or a secret store instead.
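In practice the command above is wrapped in a script that keeps the secret out of the command history and checks the result before the files are shipped. The script below is an added example written for this page, not code from Azure Sign Tool or from the original guide. It assumes the tool is installed as shown earlier, that the client secret is available in an environment variable named AZURE_SIGN_SECRET (a name chosen for this example), and the vault URI, certificate name and IDs are placeholders for your own values.

```powershell
# Added example, not from the original guide: sign one or more files with Azure Sign Tool
# and verify the signatures before the files leave the build machine.
# Assumptions: azuresigntool is on PATH; the client secret is in the environment variable
# AZURE_SIGN_SECRET (name chosen for this example); the defaults below are placeholders.
param(
    [Parameter(Mandatory)][string[]]$Path,
    [string]$KeyVaultUri     = 'https://my-codesign-vault.vault.azure.net',
    [string]$CertificateName = 'my-codesign-cert',
    [string]$ClientId        = '00000000-0000-0000-0000-000000000000',
    [string]$TenantId        = '00000000-0000-0000-0000-000000000000',
    [string]$TimestampUrl    = 'http://timestamp.globalsign.com/tsa/r6advanced1'
)

# The secret is taken from the environment rather than typed on the command line,
# so it does not land in the shell history or in a saved script.
$Secret = $env:AZURE_SIGN_SECRET
if (-not $Secret) { throw 'AZURE_SIGN_SECRET is not set; refusing to sign.' }

# Resolve every input up front so a typo fails before anything is signed.
$Files = foreach ($p in $Path) { Get-Item -LiteralPath $p -ErrorAction Stop }

# One invocation signs all files: -kvt is the Directory (tenant) ID, -td/-fd select
# SHA-256 for the timestamp and file digests, -tr requests an RFC 3161 timestamp.
& azuresigntool sign `
    -kvu $KeyVaultUri -kvc $CertificateName `
    -kvi $ClientId -kvt $TenantId -kvs $Secret `
    -tr $TimestampUrl -td sha256 -fd sha256 `
    -v $Files.FullName
if ($LASTEXITCODE -ne 0) { throw "azuresigntool exited with code $LASTEXITCODE" }

# Verify with Windows' own Authenticode check: the chain must be trusted and a timestamp
# must be present, otherwise the signature dies together with the certificate.
$Failures = @()
foreach ($f in $Files) {
    $sig = Get-AuthenticodeSignature -FilePath $f.FullName
    if ($sig.Status -ne 'Valid') {
        $Failures += "$($f.Name): status $($sig.Status) ($($sig.StatusMessage))"
    } elseif (-not $sig.TimeStamperCertificate) {
        $Failures += "$($f.Name): signed but not timestamped"
    } else {
        Write-Host ("{0}: signed by '{1}' (expires {2:yyyy-MM-dd}), timestamped by '{3}'" -f
            $f.Name, $sig.SignerCertificate.Subject, $sig.SignerCertificate.NotAfter,
            $sig.TimeStamperCertificate.Subject)
    }
}
if ($Failures) { throw ("Signature verification failed:`n" + ($Failures -join "`n")) }
```

Run it as `.\Sign-Release.ps1 -Path .\bin\app.exe, .\bin\app.dll` after setting AZURE_SIGN_SECRET in the session (or injecting it from your CI system's secret store). The secret is still visible to anyone who can enumerate process arguments on that machine while the tool runs, so the build agent itself has to be treated as part of the signing trust boundary; a compromised agent can sign whatever it likes with this identity regardless of how the secret is passed.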
