Code Sign With Azure DevOps Using a Code Signing Certificate Stored Within Azure Key Vault

Code Signing with Azure DevOps

Quick Guide to Sign Your Software Using Code Signing Certificate Stored Within Azure Key Vault

Microsoft Azure DevOps helps collaborate culture and many processes that bring developers, project managers, and contributors to develop software.

Similarly, it offers Azure Code Signing as a service that enables software developers and IT Professionals to minimize the friction while code signing the software.

Hence, developers often like to use this fully managed end-to-end service Microsoft Azure DevOps for code signing their software.

Azure Key Vault DigiCert

Nonetheless, if you need to learn how to code sign with Azure DevOps using a code signing certificate stored within Azure Key Vault, then go through this guide that explains the complete process.

Quick Tutorial to Code Sign Your Software With Azure DevOps

Before you start the process, ensure you’ve:

  • An active Microsoft Azure Account
  • Azure DevOps Project
  • A Key Vault
  • A Code Signing certificate from a known certificate authority installed within your Key Vault

Let’s get into the details.

Register Your Azure Application

Before you start, you’ll need to register a new Azure application that you can connect with the Azure Key Vault for code signing.

Step 1: Sign in into your Microsoft Azure portal

Login to Microsoft Azure

Step 2: Go to the Azure Active Directory. And if you need help finding it or it isn’t visible, click on More services.

Azure Active Directory

Step 3: Click on the App Registrations from the left side column:

Step 4: Click the New Registrations

New Registration Azure Active Directory

Step 5: In the Name section, give the name of your application and click the below button called Register. Similarly, keep other settings unchanged with their default values.

Register an App in Azure

Step 6: Once the application you want to code sign is registered, copy & save the values shown for Application (client) ID, as you’ll require later on.

Application Client ID Azure

Generate a Client Secret

Now, you’ll need to generate a client secret that serves as a credential at the time of code signing. To generate a client secret, follow the below steps:

Step 1: From the left side menu, click Certificates & secrets

Step 2: Click on the New client secret

New Client Secret Azure

Step 3: Set the Description and expiry date for the client secret and click on the button Add.

Add Client Secret

Step 4: Now, copy the Value of the new client secret and save it safely. Because once the page is refreshed, this value will get masked and not be retrievable.

Copy Value AZure Certificate & Secret

Make Key Vault Accessible

Now, you’ll require to provide access to an application in Azure Key Vault:

Step 1: Go to the Key Vault containing the code signing certificate you want to use and click on the Access policies link.

Step 2: Click on the option Add Access Policy

Azure Access Policy

Step 3: Go under Key Permissions and enable Verify, Sign, Get & List.

Step 4: Further, under Secret Permissions, enable Get & List

Step 5: Under Certificate permissions, too, you’ll need to enable Get & List.

Create Access Policy Azure

Step 6: Under Select principal, click the None selected link and then search to find and select the application you built in the earlier section.

Select Application Access Policy Azure

Step 7: Once the application is located, click on the Select button from the bottom left side.

Step 8: Once you complete the steps mentioned above, your access policy will get set.

Configure Your DevOps Build

Now you’ll need to configure your build. And for that, open your project in Azure DevOps

Store Application Credentials Like Variables

You can store the application ID and client secret directly within the YAML pipeline file if you want. But it’s recommended and more secure if you store them like variables within DevOps.

For storing them as variables, follow the below steps:

Step 1: Click on the Pipelines

Step 2: Click on the Library

Step 3: Click on the option +Variable group

Step 4: Give a name to the variable group

Step 5: At the bottom, click the +Add

Azure Pipeline Variable Group

Step 6: Submit the variable name for your application ID and then paste the value. Now, click the lock to encrypt the variable once you have finished.

Azure Variable Group Name

Step 7: Once again, repeat the process and add a variable for your client’s secret.

Step 8: Click on the Save.

Step 9: Now, link the variable group within your pipeline.

Note: Replace VARIABLE-GROUP with your actual variable group name.

Replace Variable Group Name

Adding Pipeline Step for Installing Azure Sign Tool

Azure Sign Tool is one of the open-source utilities that gives you the functionality of SignTool for certificates and keys that are stored within Azure Key Vault.

- task: DotNetCoreCLI@2
    command: 'custom'
    custom: 'tool'
    arguments: 'install --global azuresigntool'
  displayName: Install AzureSignTool

Add the below step within your pipeline for installing Azure Sign Tool:

Adding Azure Sign Tool Command in Pipeline

Add a task for signing your code to the pipeline. For that, you’ll require the following:

Step 1: Key Vault URI (It’s available within Azure Portal)

Key Vault URI

Step 2: Add name of your certificate in Key Vault:

Azure Key Vault Certificate Name

Step 3: Application ID & Client Secret variable names:

Application ID Client ID

Step 4: Now add the Azure SignTool call within the pipeline. And replace the shown value within ALL-CAPS with the actual values:

Now, you should be able to see the output like below if it’s signed correctly:

info: AzureSignTool.Program[0]
      => File: D:\a\1\s\x64\Debug\Hello.exe
      Signing file D:\a\1\s\x64\Debug\Hello.exe
info: AzureSignTool.Program[0]
      => File: D:\a\1\s\x64\Debug\Hello.exe
      Signing completed successfully for file D:\a\1\s\x64\Debug\Hello.exe.

Get DigiCert EV Code Signing at Just $499.99/yr

Protect your Signed Code with Azure Key Vault and a HSM based code signing certificate from DigiCert EV Code Signing Certificate.

Janki Mehta

Janki Mehta

Janki Mehta is a Cyber-Security Enthusiast who constantly updates herself with new advancements in the Web/Cyber Security niche. Along with theoretical knowledge, she also implements her practical expertise in day-to-day tasks and helps others to protect themselves from threats.