Blog Support

Code Signing from Azure Key Vault with SignTool

If you have your Code Signing Certificate on Microsoft Key Vault, you can use Azure Sign Tool to sign your files, code and applications from any Windows computer with internet access. We will go through the process in this tutorial.

Video guide how to sign you executable using AzureSignTool
Play Video

Video guide how to sign you executable using AzureSignTool

This tutorial is for when you already have your Code Signing Certificate in Azure Key Vault and are ready to start signing. For a tutorial on how to generate a Code Signing Certificate and import it into Key Vault, view our other guide: Setup Verokey/DigiCert Code Signing on Microsoft Azure Key Vault

Step 1. Create Microsoft Entra ID Application in Azure

To access the Azure Key Vault Certificate from your computer or VM, we need to create a Secret Key to gain access permissions. This will be done via an Entra ID Application.

So login to your Azure dashboard and find the Microsoft Entra ID service, and click on it.

Microsoft Azure Dashboard

From the Entra ID page, click on App Registrations from the left main menu, then click the New Registration button.

New App Registration page and button

Fill out the app registration form to create your new application.

Azure form to create a new app

You will see the application page now. So let's keep this window open for later and move on to the next step.

Step 2. Download and Install AzureSignTool

Go to the AzureSignTool GitHub page and download the tool:

https://github.com/vcsjones/AzureSignTool

The page will have instructions on downloading, compiling and installing it. Or you can download a pre-compiled package from the releases page: https://github.com/vcsjones/AzureSignTool/releases

AzureSignTool on Github

Step 3. Launch Command Prompt and get command ready

With the AzureSignTool downloaded, put the .exe application somewhere easy to access, such as your desktop. And then launch the Microsoft Command Prompt application via your Microsoft start menu.

Launch Commpand Prompt
Command Prompt program running

I also recommend launching a text editor to write your command to use for signing, as it can be long and has many values we need to paste in. And when it is ready, we can copy and paste it into the command prompt to run

Microsoft Command Prompt and a text editor window open

Below is the command we are going to use with the values we need but have not yet been entered:

shell

azuresigntool.exe sign \
-kvu "VAULT-URI" \
-kvc "CERTIFICATE-NAME" \
-kvi "APPLICATION-CLIENT-ID" \
-kvs "CLIENT-SECRET" \
--azure-key-vault-tenant-id "TENANT-ID" \
-tr http://timestamp.digicert.com \
-td sha256 “PATH-TO-SIGN”

First, we will get our APPLICATION-CLIENT-ID and TENANT-ID.

So, if you go back to the application you created in Azure where from Step 1. You will see the Application (client) ID and the Directory (tenant) ID values. Copy and paste those into your command replacing the placeholders.

Now, you need to create a Client Secret for your application to paste into your command.

So, from the Application Azure portal you're still in, go to Certificates & Secrets in the left menu.

And then, click the New Client Secret button to open the side panel where you enter a name and click Add.

Azure application creating client secret

With the newly created secret, copy the value and paste it into your command, replacing the CLIENT-SECRET placeholder

When that is done, go back to Azure and go to your Key Vault, which has the Certificate you will use for signing. On the Overview page of your Key Vault, you will find the Vault URI you need to copy and paste into your command, replacing the VAULT-URI placeholder.

Copy the Azure Key Vault URI

Still in your Key Vault, go to the Certificates from the left menu. Find your certificate name to copy and paste into your command to replace the CERTIFICATE-NAME placeholder.

We need to give your application access now so it has permission to access the key vault and get the certificate to sign.

So go to the Access Control (IAM) from the left menu. Then, from the Add menu, click Add role assignment.

Key Vault access control add menu

From the new Add Role assignment page, you will need to find a role that has cryptographic operation permissions to sign and certificate permissions to get. You should only limit the permission to what it needs to complete the signing, so I recommend you read through the permissions to see if any more are actually needed.

Assign role permissions

On the Members tab, click the select members link to open the side panel. Search for the application we had previously created from Step 1 and select it. When all is done, review + assign.

Assign member to azure key vault role assignment

With the permissions assigned to the application, you are now ready to sign.

Step 4. Sign your application executable

The command is almost ready with all your values pasted in replacing the placeholders. The last one you need is the path to the executable. So replace the PATH-TO-SIGN placeholder with the exact path to what you want to sign. With the AzureSignTool.exe on my desktop and the executable I want to sign "My Executable.exe" my command looks like the following:

shell

C:\Users\paul\Desktop\AzureSignTool.exe sign \
-kvu "VAULT-URI" \
-kvc "CERTIFICATE-NAME" \
-kvi "APPLICATION-CLIENT-ID" \
-kvs "CLIENT-SECRET" \
--azure-key-vault-tenant-id "TENANT-ID" \
-tr http://timestamp.digicert.com \
-td sha256 "C:\Users\paul\Desktop\My Executable.exe"

Or as a single line:

shell

C:\Users\paul\Desktop\AzureSignTool.exe sign -kvu "VAULT-URI" -kvc "CERTIFICATE-NAME" -kvi "APPLICATION-CLIENT-ID" -kvs "CLIENT-SECRET" --azure-key-vault-tenant-id "TENANT-ID" -tr http://timestamp.digicert.com -td sha256 "C:\Users\paul\Desktop\My Executable.exe"

Because we are signing with a Verokey or DigiCert Code Signing Certificate, we are using the Digicert timestamp server.

So, with your command ready, copy and paste it into your Command Prompt and press Enter to execute it. You should see an out put similar to the following:

shell

info: AzureSignTool.SignCommand [0]
      → File: C:\Users \paul Desktop \My Executable.exe
      Signing file.
info: AzureSignTool.SignCommand[o]
      => File: C:\Users\paul\Desktop\My Executable.exe
      Signing completed successfully.
info: AzureSignTool.SignComfand[o]
      Successful operations: 1
info: AzureSignTool.SignCommand [0]
      Failed operations: 0

If you right-click the executable you signed and then go to Properties in the menu, you will see a tab: Digital Signatures; go to this tab to see if your new signature is there.

View application properties to see digital signature

Your executable/application is now signed and ready to be distributed.

Discussions and Comments

Click here to view and join in on any discussions and comments on this article.

Written by
Paul Baka


Helpful Guides

View more Guides, FAQs and information to help with your Certificate purchases.

Learning Centre

View more resources on cyber security, encryption and the internet.


Continue reading with these guides you may be interested in...