How to Sign an Azure Application with SignTool using KSP Library?

Digitally Sign Azure Applications

When developing in a cloud-native environment and delivering applications through DevOps pipelines, it is essential to produce secure software artifacts.

Code signing allows users and systems to verify that the applications they are using haven’t been altered since they were issued, that they are real, and that they can be trusted.

When you are creating Azure-based applications, you can build a secure signing process by using SignTool to sign your application and a Key Storage Provider (KSP) such as DigiCert KeyLocker to keep your signing keys stored securely and out of reach of the build environment.

This document provides you with guidance on signing your Azure application using SignTool and KSP while also keeping your private key secure from unauthorized access.

Prerequisites

To begin, make sure you have the required components below:

  • A Windows operating system
  • SignTool installed (via Windows SDK)
  • DigiCert KeyLocker client configured
  • Access to: Keypair alias and Certificate file or fingerprint
  • KSP library configured
  • Microsoft Dynamics NAV 2018 (for NavSip.dll dependency)

Configure NavSip.dll (SIP Library)

Certain file types require a Signature Interface Package (SIP) in order to be signed. To register the NavSip.dll library, follow these steps:

  • Download Microsoft Dynamics NAV 2018
  • Extract the package
  • Locate: Dynamics.110.NA.2468045.DVD\ServiceTier\System64Folder
  • Copy NavSip.dll to: C:\Windows\System32
  • Register the DLL: regsvr32.exe C:\Windows\System32\navsip.dll

Method 1: Sign Using Certificate File

This method uses your certificate file along with the KSP and keypair alias.

Command:

signtool.exe sign /csp "DigiCert Signing Manager KSP" /kc <keypair_alias> /f <certificate_file> /tr http://timestamp.digicert.com /td SHA256 /fd SHA256 <file_to_be_signed>

Example:

signtool.exe sign /csp "DigiCert Signing Manager KSP" /kc key1 /f example.crt /tr http://timestamp.digicert.com /td SHA256 /fd SHA256 app.exe

Key Parameters:

  • /csp → Specifies KSP provider
  • /kc → Keypair alias
  • /f → Certificate file
  • /tr → Timestamp server
  • /fd & /td → Hash algorithm (SHA256 recommended)

Method 2: Sign Using Certificate Fingerprint

This method uses the certificate stored in the Windows certificate store.

Step 1: Sync Certificates

smctl windows certsync --keypair-alias=<keypair_alias>

Step 2: Retrieve Certificate Thumbprint

# Find the synced certificate in the current user's personal store by its friendly name
$cert = Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.FriendlyName -like "<CERTIFICATE ALIAS>" }

# Read the SHA-1 thumbprint that SignTool's /sha1 option expects
$thumbprint = $cert.Thumbprint

Write-Host $thumbprint

Step 3: Sign Using Thumbprint

signtool.exe sign /sha1 <certificate_thumbprint> /tr http://timestamp.digicert.com /td SHA256 /fd SHA256 <file_to_be_signed>

Example:

signtool.exe sign /sha1 3550ffca3cd652dde30675ce681ea1e01073e647 /tr http://timestamp.digicert.com /td SHA256 /fd SHA256 app.exe

Verify the Signature

Verifying the signed file with the appropriate verification method confirms that signing succeeded. A signature can still fail verification, so check the verify output for errors after the file has been signed.

signtool verify /v /pa <signed_file>

Example:

signtool verify /v /pa app.exe

NOTE: If you are signing with test certificates that are only provisionally trusted, verification may report error messages.
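The thumbprint-based flow (Method 2) and the verification step above, combined into one script that refuses to continue on any failure. This is an added example, not code from the article or from DigiCert; it assumes signtool.exe and smctl are on PATH, the KeyLocker client is already configured, and the keypair alias and certificate friendly name are supplied by the caller.

```powershell
# Added example: sign a file via the KeyLocker-synced certificate, then verify it.
# Assumptions: signtool.exe and smctl on PATH; KeyLocker client configured.
param(
    [Parameter(Mandatory = $true)] [string] $FileToSign,
    [Parameter(Mandatory = $true)] [string] $KeypairAlias,   # e.g. key1 (placeholder)
    [Parameter(Mandatory = $true)] [string] $FriendlyName,   # certificate alias in the store
    [string] $TimestampUrl = 'http://timestamp.digicert.com'
)
$ErrorActionPreference = 'Stop'

# Step 1: pull the KeyLocker certificate into the CurrentUser\My store.
& smctl windows certsync --keypair-alias=$KeypairAlias
if ($LASTEXITCODE -ne 0) { throw "smctl certsync failed with exit code $LASTEXITCODE" }

# Step 2: resolve the thumbprint, refusing missing or ambiguous matches so the
# wrong certificate is never selected silently.
$certs = @(Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.FriendlyName -like $FriendlyName -and $_.HasPrivateKey })
if ($certs.Count -ne 1) {
    throw "Expected exactly one certificate matching '$FriendlyName', found $($certs.Count)"
}
$thumbprint = $certs[0].Thumbprint

# Step 3: sign with SHA-256 file and timestamp digests (RFC 3161 timestamp server).
& signtool.exe sign /sha1 $thumbprint /tr $TimestampUrl /td SHA256 /fd SHA256 $FileToSign
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# Verify against the default Authenticode policy (/pa), then confirm with
# Get-AuthenticodeSignature that the signature is valid, was made by the
# expected certificate, and carries a timestamp (without one, the signature
# stops validating once the signing certificate expires).
& signtool.exe verify /v /pa $FileToSign
if ($LASTEXITCODE -ne 0) { throw "signtool verify failed with exit code $LASTEXITCODE" }

$sig = Get-AuthenticodeSignature -FilePath $FileToSign
if ($sig.Status -ne 'Valid') { throw "Authenticode status is $($sig.Status): $($sig.StatusMessage)" }
if ($sig.SignerCertificate.Thumbprint -ne $thumbprint) { throw "Signed by an unexpected certificate" }
if (-not $sig.TimeStamperCertificate) { throw "Signature carries no timestamp" }

Write-Host "Signed and verified $FileToSign with $thumbprint (timestamped by $($sig.TimeStamperCertificate.Subject))"
```

Run it from a build step as `.\Sign-AndVerify.ps1 -FileToSign app.exe -KeypairAlias key1 -FriendlyName "<CERTIFICATE ALIAS>"`; a non-zero exit from any stage fails the pipeline rather than shipping an unsigned or mis-signed artifact.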

Conclusion

Signing Azure applications with SignTool, together with a Key Storage Provider (KSP), is the recommended approach. Using DigiCert KeyLocker helps reduce the risks associated with storing private keys locally and provides a scalable signing solution that meets enterprise-grade requirements.

Janki Mehta

Janki Mehta is a Cyber-Security Enthusiast who constantly updates herself with new advancements in the Web/Cyber Security niche. Along with theoretical knowledge, she also implements her practical expertise in day-to-day tasks and helps others to protect themselves from threats.