Codesigning with the certificate in Azure Key Vault (draft)
Using AzureSignTool
AzureSignTool is a tool for signing code with a certificate stored in Azure Key Vault; the private key never leaves the vault, the signing operation is performed by Key Vault. My preferred way to install it is as a dotnet tool. If you have a newer version of .NET installed then it is just a matter of running
dotnet tool install -g azuresigntool
To actually sign a file you need:
- The address of the Key Vault
- The name of the certificate used for signing
- A way to authenticate to Azure - I will show a version using the Azure CLI, but there are several other options
Example: If you are logged into Azure with the CLI you can get an access token scoped to Key Vault the following way:
$token=$(az account get-access-token --resource=https://vault.azure.net --query accessToken --output tsv)
And do the actual signing using:
azuresigntool sign -kvu <Key vault URI> --azure-key-vault-accesstoken $token --azure-key-vault-certificate <certificate name> <file to sign>
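The same steps put together as a PowerShell script, as an added example that is not part of the original post: it checks that the token was actually obtained, adds an RFC 3161 timestamp so the signature stays valid after the certificate expires, and verifies the signed file afterwards. The vault URL, certificate name, file path and timestamp server are placeholders you replace with your own.

```powershell
# Added example (not from the original post): end-to-end signing from PowerShell.
# Assumptions: 'az login' has already been done, azuresigntool is on PATH, and the
# vault URL, certificate name, file path and timestamp server below are placeholders.
param(
    [string]$KeyVaultUrl     = "https://<your-vault>.vault.azure.net",  # placeholder
    [string]$CertificateName = "<certificate name>",                    # placeholder
    [string]$FileToSign      = ".\MyApp.exe",                           # placeholder
    [string]$TimestampUrl    = "http://timestamp.digicert.com"          # any RFC 3161 TSA
)
$ErrorActionPreference = "Stop"

# 1. Get a short-lived access token for Key Vault. Only the token is handled here;
#    the private key stays in the vault, which performs the signing operation.
$token = az account get-access-token --resource=https://vault.azure.net `
    --query accessToken --output tsv
if ($LASTEXITCODE -ne 0 -or [string]::IsNullOrWhiteSpace($token)) {
    throw "Could not obtain a Key Vault access token; run 'az login' first."
}

# 2. Sign. The timestamp options keep the signature valid after the certificate
#    expires; the digest options select SHA-256 for both file and timestamp.
azuresigntool sign `
    --azure-key-vault-url $KeyVaultUrl `
    --azure-key-vault-accesstoken $token `
    --azure-key-vault-certificate $CertificateName `
    --timestamp-rfc3161 $TimestampUrl `
    --timestamp-digest sha256 `
    --file-digest sha256 `
    $FileToSign
if ($LASTEXITCODE -ne 0) {
    throw "azuresigntool failed with exit code $LASTEXITCODE"
}

# 3. Verify the result locally instead of trusting the exit code alone.
$sig = Get-AuthenticodeSignature -FilePath $FileToSign
if ($sig.Status -ne "Valid") {
    throw "Signature check failed: $($sig.Status) - $($sig.StatusMessage)"
}
"Signed $FileToSign with $($sig.SignerCertificate.Subject)"
```

Get-AuthenticodeSignature reports Valid only if the signing certificate chains to a root trusted on the machine running the check, so an untrusted test certificate will show up here even though signing itself succeeded.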