2020/05/how-to-use-azuresigntool-to-sign-files-with-azure-devops-using-a-certificate-in-azure-keyvault/

[SeanKilleen]

https://seankilleen.com/2020/05/how-to-use-azuresigntool-to-sign-files-with-azure-devops-using-a-certificate-in-azure-keyvault/

[SeanKilleen]

Historical Comments

2020-07-02, Disqus user Chris:

The text is a bit unclear on where I can find the signingURL, where did you find that?

2020-07-02, Me responding to Chris:

Hi Chris -- Great feedback, thanks! You're right, that's unclear. I called it the "SigningURL", but it's really the "Description URL". In this case, it didn't need to be secret; I used a web site that describes the tool, i.e https://SeanKilleen.com would be fine.

I'll see if I can get this page and screenshots updated to reflect that: #495

2020-10-29, Disqus user Eric Lafnitzegger:

I was able to perform these steps with no issues! Thanks for the guidance.
Now I am faced with performing the same actions against UWP and ClickOnce apps. I can tell msbuild not to sign either using build parameters as the build requires the file and getting EV pfx files out of key vault seems to be impossible. Is there an approach that would allow me to successfully sign a UWP or ClickOnce package AFTER build using a similar approach?
Greatly appreciate your guidance in advance.

And a follow-up:

It appears that I only need to sign the .appxbundle file in the UWP build. I will use the /p:AppxPackageSigningEnabled=false parameter in the build, then use AzureSignTool to sign the .appxbundle as I would a stand alone exe. Would this be the approach?

2020-12-17, Disqus User KK:

Hi Sean,
The steps you mentioned are for the pfx certificates. Wondering how can we achieve this for EV certificates, where private key is available on HSM?

2021-04-28, Disqus User Faith Kaplan, responding to KK's 2020-12-17 comment:

If it helps, the steps are similar. We recently implemented this in our pipelines with an EV certificate from Digicert. Couple things to note are:

• Azure Key vault needs to be Key vault Premium.
• Azuresigntool failed to sign our first certificate that used Elliptical Curve crypto. We ended up replacing it with RSA-2048, which worked.

2021-02-21, Disqus user soumya:

Hi Sean,

##[error]Cmd.exe exited with code '-2147024894'

Do you have any idea about above specified error.

• task: CmdLine@2
  inputs:
  script: AzureSignTool sign -kvu "$(SigningVaultURL)" -kvi "$(SigningClientID)" -kvs "$(SigningClientSecret)" -kvc "$(DigiCertiName)" -v > "'$(Build.ArtifactStagingDirectory)\xxx\xx.*.dll'"
  workingDirectory: '$(Build.ArtifactStagingDirectory)'

I have Specified this as my script in Azure Pipeline.

please let me know if i went wrong anywhere!

2021-06-21, Disqus user Scott Steesy:

I followed the steps here and in a very similar posting else where. Have double and triple checked everything. But I also get the error result code -2147024894 causing the build to fail. Our Azure DevOps is on-premise, so the tools was installed in a path I could find. I tried the same command line from a command prompt and saw no output. Tried it in PowerShell with same result, but in PowerShell if I show the values of $LASTEXITCODE I get the same -2147024894, and if I show $Error[0] is says:
Exception calling "CompleteInput" with "4" argument(s): "Value cannot be null.
Parameter name: key"
I've played with the command line a lot and either get the above code and message, or it shows a message telling me the command line is incorrect ... implying I have it correct but something is failing.
Does anyone have any ideas?

And then:

If I add a -vkt parameter tot he command line, even though my azure account is single tenant, then the error code returned changes to -2147024809. Nothing else I've done seems to change anything, except when obvious things, like dropping 'sign' from the parameters, in which case it the command outputs the usage/help.

Disregard that error message, I don't know where it came from ... appears the PowerShell keeps adding to the $error array. After using the '$error.Clear()' command to clear it it then stays empty for repeated runs of AzureSignTool with various parameter values. But the error code value is always returned.

And then:

Note, I'm not using build variables yet until I have it working, so all my values are right in the command. I have now tried purposely make each value wrong, one at a time, and the error code and message never changes. Which implies to me something is failing before it even attempts to contact the key vault. Yet running AzureSignTool with '-h' or 'sign -h' works to show me the appropriate help, so I know it can at least load and parse the command line.

[saarnetzer]

How one can sign compressed file (zip etc) files using azuresigntool?

[NielsUll]

A bit late to the party, but..
Do you know how to do this with Key Vault Managed HSM? We need to sign our code using an EV Certificate, and those must be stored in a Key Vault Managed HSM. I cannot get azuresigntool to work with that? I always get "Failed to retrieve certificate codesign from Azure Key Vault. Please verify the name of the certificate and the permissions to the certificate. Error message: Not Found"

[Lettumika]

Azure Active Directory is now called Microsoft Entra ID. makes it easier to find nowdays ...

[bertstomphorst]

Thank you for writing this tutorial, helped me a lot!

One thing to add: when using RBAC (Role based access control) in your Azure Key Vault, it seems to be required to add your app registration with role Key Vault Administrator to get access.
I tried several other (combined) roles, like Key Vault Certificate User, Key Vault Certificate Officer, Key Vault Reader, but they all resulted in a 'forbidden':

 Status code 403,
  {"error":
    {"code":"Forbidden","message":
       "Caller is not authorized to perform action on resource.\r\n
        If role assignments, deny assignments or role definitions were changed recently, please observe propagation time.\r\n
        Caller: name=AzureDatabricks;appid=xxxxxxxxxxxxxxxxxxxxxx;oid=xxxxxxxxxxxxxx;iss=https://sts.windows.net/xxxxxxxxxxxxxxxxxxx9945/\r\n
        Action: 'Microsoft.KeyVault/vaults/secrets/getSecret/action'\r\n
        Resource: '/subscriptions/6b60a61d-3e92-4501-8794-fd7725066113/resourcegroups/streamproject/providers/microsoft.keyvault/vaults/azkv*/secrets/clientsecret'\r\n
        Assignment: (not found)\r\n
        DecisionReason: 'DeniedWithNoValidRBAC' \r\n
        Vault: azkv*;location=eastus\r\n",
      "innererror":{"code":"ForbiddenByRbac"}
    }
  }```


Only using role `Key Vault Administrator` resulted in a working solution.

[rwb196884]

You also need to tell the pipeline to use the library like this

variables:
  - group: azuresigntool

And you cannot use the locked variables because they don't appear in the pipeline.
And all the variable values are printed in the pipeline output.
So you might as well just hard code the values into the csproj.