How to Code Sign Windows Files With Azure Key Vault Using Command Line


Here’s a quick guide to code signing Windows files from the command line with a code signing certificate that is stored in Azure Key Vault.

AzureSignTool is an open-source, SignTool-style command-line utility that signs Windows files with a code signing certificate held in Azure Key Vault. The private key never leaves the vault: the tool computes the file digest locally, asks Key Vault to sign that digest, and embeds the returned signature in the file. That is what makes Key Vault attractive for code signing: the build machine only ever holds a revocable credential for the vault, not the key itself.

If you want to sign Windows files from the Windows command line with a certificate and private key stored in Azure Key Vault, this article walks through the setup and the signing command.

Before you begin, make sure the following prerequisites are in place:

  • An active Azure account
  • A Key Vault
  • A code signing certificate from a known certificate authority such as DigiCert, imported into (or issued directly into) that Key Vault, so the private key lives in the vault
  • AzureSignTool installed on the computer you will sign from (it is a .NET global tool: dotnet tool install --global AzureSignTool)

Once these prerequisites are in place, follow the steps below to sign a Windows file with the code signing certificate stored in your Key Vault.

Register Your New Azure Application

Register a new application. This is the identity AzureSignTool will authenticate as, and the identity you will later grant access to the Key Vault:

  • Sign in to the Microsoft Azure portal.
  • Go to Azure Active Directory (now called Microsoft Entra ID; if you can’t find it, click More services).
  • From the left column, click App registrations.
  • Click New registration.
  • Give your application a name, then click the Register button at the bottom.
  • Once registration completes, copy the Application (client) ID and the Directory (tenant) ID from the application’s overview page; you’ll need both later on.
  • From the left sidebar, click Authentication.
  • Under Advanced settings, the Allow public client flows option can stay at its default of No. Authenticating with a client secret, as this guide does, is a confidential-client flow and does not require it; that switch is only needed for device-code or username/password flows.
  • Click Save if you changed anything.

Client Secret Creation

Now generate a client secret; this is the credential AzureSignTool presents when it signs. Follow these steps:

  • In the left-hand menu, click Certificates & secrets.
  • Click New client secret.
  • Provide a description for the client secret, set the expiry (pick the shortest lifetime your release cadence allows and schedule the rotation), and click the Add button.
  • Copy the Value of the new client secret and store it in your CI system’s secret store. It is shown only once: after you leave or refresh the page the value is masked and cannot be retrieved again.

Enable Application Access in Azure Key Vault

Next, grant the application access to the Key Vault that holds the code signing certificate. AzureSignTool needs exactly two permissions: Sign on the key (the signing operation runs inside Key Vault, so the private key is never exported) and Get on the certificate (to read the public certificate). Grant nothing more.

Go to the Key Vault that contains the code signing certificate you want to use, and click the link named Access policies.

  • At the bottom, click Add Access Policy.
  • Under Key permissions, select Sign.
  • Under Certificate permissions, select Get.
  • Under Select principal, click the link None selected, then search for the application you registered in the section above.
  • Select the application and click the Select button at the bottom.
  • Click Add.
  • Click Save.
  • The access policy is now in place and you’re ready to sign.

If the vault uses the Azure role-based access control permission model (the default for newly created vaults), there is no Access policies page. Assign the application the equivalent built-in roles scoped to the vault instead: Key Vault Crypto User for signing with the key, and a certificate-read role such as Key Vault Certificate User for reading the certificate.
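The three setup sections above (app registration, client secret, Key Vault access) done with the Azure CLI from PowerShell instead of portal clicks. This is an added example, not code from the original article or from the AzureSignTool project. It assumes the az CLI is installed and az login has been run as someone allowed to create app registrations and change the vault’s access control; the vault name, application name and the two role names used for RBAC vaults are placeholders and assumptions to check against your tenant.

```powershell
# Added example, not part of the original article: automates the app
# registration, client secret and Key Vault access steps with the Azure CLI.
# Assumptions: `az` is installed, `az login` has been run, and $VaultName and
# $AppName are placeholders to replace.
$ErrorActionPreference = 'Stop'
$VaultName = 'my-codesign-kv'   # assumption: name of the existing Key Vault
$AppName   = 'codesign-ci'      # assumption: display name for the new app registration

# 1. Register the application and give it a service principal in the tenant.
#    "Allow public client flows" is left at its default (No): client-secret
#    authentication is a confidential-client flow and does not need it.
$AppId = az ad app create --display-name $AppName --query appId -o tsv
if ($LASTEXITCODE -ne 0 -or -not $AppId) { throw 'app registration failed' }
az ad sp create --id $AppId | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'service principal creation failed' }

# 2. Create a client secret with a bounded lifetime. The value is returned
#    once; hand it to your CI secret store and never commit it.
$Cred = az ad app credential reset --id $AppId --years 1 -o json | ConvertFrom-Json
if ($LASTEXITCODE -ne 0) { throw 'credential reset failed' }
$env:AZSIGN_CLIENT_SECRET = $Cred.password   # kept out of the console and shell history

# 3. Grant only what AzureSignTool needs: Sign on the key (signing runs inside
#    the vault, so the private key is never exported) and Get on the
#    certificate (to read the public certificate). New vaults default to
#    Azure RBAC instead of access policies, so check which model this vault
#    uses and grant the equivalent either way.
$Vault = az keyvault show --name $VaultName -o json | ConvertFrom-Json
if ($LASTEXITCODE -ne 0) { throw "vault '$VaultName' not found" }
if ($Vault.properties.enableRbacAuthorization) {
    # Assumed least-privilege built-in roles: Crypto User (sign with keys),
    # Certificate User (read certificates). Verify the names in your tenant.
    foreach ($Role in 'Key Vault Crypto User', 'Key Vault Certificate User') {
        az role assignment create --assignee $AppId --role $Role --scope $Vault.id | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "role assignment '$Role' failed" }
    }
} else {
    az keyvault set-policy --name $VaultName --spn $AppId `
        --key-permissions sign --certificate-permissions get | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'set-policy failed' }
}

# 4. Values the signing command will need (the secret stays in the environment).
"Key Vault URI : $($Vault.properties.vaultUri)"
"Client ID     : $AppId"
"Tenant ID     : $($Cred.tenant)"
```

A freshly created service principal can take a few seconds to replicate; if the role assignment or set-policy step reports that the principal does not exist, wait briefly and rerun that step. Rerunning the credential reset step replaces the existing secret, which is also the procedure to use when rotating it.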

Code Sign Windows File

With the setup complete, you can sign a file. Before you run the command, have the following information ready:

  • Your Key Vault URI, shown on the Key Vault overview page in the Azure portal (of the form https://<vault-name>.vault.azure.net/)
  • The name of the certificate object in Key Vault (the name you gave it when importing it, not the Windows friendly name)
  • The Application (client) ID and the Directory (tenant) ID of the Azure application
  • The client secret you generated in the steps above

Run AzureSignTool from PowerShell or cmd to sign and timestamp the file. Below is an example command line; replace the ALL CAPS values with your actual information. Current AzureSignTool releases require the tenant ID (-kvt) when authenticating with a client ID and secret. -tr must point at an RFC 3161 timestamp server (for DigiCert certificates, http://timestamp.digicert.com); without a timestamp the signature stops validating as soon as the certificate expires. -fd sets the digest used for the file signature and -td the digest requested from the timestamp server:

azuresigntool sign -kvu KEY-VAULT-URI -kvc CERTIFICATE-NAME -kvi APPLICATION-CLIENT-ID -kvt DIRECTORY-TENANT-ID -kvs CLIENT-SECRET -fd sha256 -tr http://ts.domain.com/ -td sha256 PATH-TO-EXECUTABLE

If signing succeeds, the tool logs each file as it signs it and then a success line for it, similar to:

info: AzureSignTool.Program[0]
      ==> File: test.exe
      Signing file test.exe
info: AzureSignTool.Program[0]
      ==> File: test.exe
      Signing completed successfully for file test.exe
PS C:\Users\Code Sign\Desktop>

If signing fails, you will get output: AzureSignTool logs the error (an authentication failure, a missing Key Vault permission, an unreachable timestamp server) and exits with a non-zero exit code. In a script or CI job, check that exit code ($LASTEXITCODE in PowerShell) rather than looking for the success message.

Finally, confirm the signature from the file itself: right-click the file, open Properties, and check the Digital Signatures tab, or run Get-AuthenticodeSignature on it in PowerShell and check that the status is Valid.
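A signing wrapper around the command above, added here as an example and not from the article or the AzureSignTool project. It adds what the bare command line omits: the tenant ID that current releases require with client-secret authentication, the secret read from an environment variable instead of being typed on the command line (where it would land in shell history), an exit-code check, and an independent verification with Get-AuthenticodeSignature. The vault URI, certificate name, IDs and the AZSIGN_CLIENT_SECRET variable name are placeholders and assumptions.

```powershell
# Added example, not part of the original article. Signs one or more files
# with AzureSignTool and verifies the result. Assumptions: `azuresigntool`
# is on PATH, the client secret is supplied in the environment variable
# AZSIGN_CLIENT_SECRET, and the default parameter values are placeholders.
param(
    [Parameter(Mandatory)] [string[]] $Path,                          # files to sign, e.g. .\build\app.exe
    [string] $VaultUri  = 'https://my-codesign-kv.vault.azure.net/',  # assumption: your Key Vault URI
    [string] $CertName  = 'codesign-cert',                            # assumption: certificate name in the vault
    [string] $ClientId  = '00000000-0000-0000-0000-000000000000',     # assumption: Application (client) ID
    [string] $TenantId  = '00000000-0000-0000-0000-000000000000',     # assumption: Directory (tenant) ID
    [string] $Timestamp = 'http://timestamp.digicert.com'             # RFC 3161 timestamp server
)

$ClientSecret = $env:AZSIGN_CLIENT_SECRET
if (-not $ClientSecret) { throw 'AZSIGN_CLIENT_SECRET is not set' }

foreach ($f in $Path) {
    if (-not (Test-Path -LiteralPath $f -PathType Leaf)) { throw "file not found: $f" }
}

# -kvt is required by current AzureSignTool releases when authenticating with
# a client ID and secret. -fd is the file digest, -td the timestamp digest.
# A PowerShell array passed to a native command expands to one argument per file.
& azuresigntool sign `
    -kvu $VaultUri -kvc $CertName `
    -kvi $ClientId -kvt $TenantId -kvs $ClientSecret `
    -fd sha256 -tr $Timestamp -td sha256 `
    $Path

# The tool logs the failure and exits non-zero when signing does not succeed;
# never rely on the absence of output as a success signal.
if ($LASTEXITCODE -ne 0) { throw "azuresigntool exited with code $LASTEXITCODE" }

# Verify independently of the tool: Windows must consider the signature valid
# (chain, digest and timestamp all check out), and the signer should be the
# certificate you expect, not just any trusted one.
foreach ($f in $Path) {
    $sig = Get-AuthenticodeSignature -FilePath $f
    if ($sig.Status -ne 'Valid') { throw "$f : signature status is $($sig.Status)" }
    if (-not $sig.TimeStamperCertificate) { throw "$f : signed but not timestamped" }
    "$f : signed by $($sig.SignerCertificate.Subject), timestamped by $($sig.TimeStamperCertificate.Subject)"
}
```

Save it as a .ps1 and call it with the files to sign, for example with the secret injected by the CI system into AZSIGN_CLIENT_SECRET. The secret is still visible in the process arguments while azuresigntool runs; if that matters on a shared build agent, AzureSignTool also accepts a pre-obtained access token (-kva) or a managed identity (-kvm) instead of a client secret.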

Name of Product            Validation Needs   Issuance Time   Our Price
DigiCert OV Code Signing   Business           1-5 Days        $369.99/yr
DigiCert EV Code Signing   Business           1-5 Days        $519.99/yr

Janki Mehta

Janki Mehta is a Cyber-Security Enthusiast who constantly updates herself with new advancements in the Web/Cyber Security niche. Along with theoretical knowledge, she also implements her practical expertise in day-to-day tasks and helps others to protect themselves from threats.