Introduction
Ensuring the security and authenticity of your windows applications is vital in today’s digital landscape. Code signing your executables with a trusted certificate helps prevent unauthorized modifications and builds trust with users. Microsoft Azure Key Vault offers a robust and secure way to manage cryptographic keys and certificates, making it an ideal solution for signing app files. This guide explores how to leverage AzureSign Tool to sign your Windows-based applications with Azure Key Vault.
Prerequisites
Before proceeding, ensure you have the following:
- AzureSignTool: Download and install AzureSignTool.
- Access to Microsoft Azure Portal.
- A registered application in Microsoft Entra ID (Azure Active Directory).
- A Key Vault containing the code signing certificate.
- Proper access permissions to the Key Vault.
💡 Having these in place will make the signing process smooth and secure!
Step 1: Register an Application in Microsoft Entra ID
- Sign in to the Azure Portal
- Navigate to Azure Active Directory → Microsoft Entra ID
- Click New Registration and enter your application details
- Save the Application (client) ID & Tenant ID for later use
- Under Authentication, enable Allow public client flows and click Save
📌 This step ensures your application can authenticate with Azure services.
Step 2: Configure Certificates & Secrets
- Navigate to Certificates & Secrets
- Click New Client Secret
- Provide a description and set an expiration period
- Click Add and securely store the generated client secret
💡 This acts as your authentication key when signing applications. Store it securely!
Client secret creation in Key Vault
Step 3: Configure Access Policies in Azure Key Vault
- Navigate to the Key Vault containing the code signing certificate
- Click on Access policies and add the necessary permissions:
● Key Permissions: Sign
● Secret Permissions: Get
● Certificate Permissions: Get - Under the Principal tab, search and select the application created in the previous step
- Click Select and then Create to save the access policies.
📌 These permissions allow your application to sign executable files securely
Access Policies configuration in Azure Key Vault
Step 4: Gather Required Information
Before proceeding with signing, ensure you have:
- Key Vault URI (from Azure portal)
- Friendly Name of the code signing certificate in the Key Vault
- Application (client) ID & Tenant ID
- Client Secret (generated in Step 2)
💡 With this information in hand, you’re ready to sign your application securely!
Key Vault settings with required details
Step 5: Sign the Application Using AzureSign Tool:
- Open Command Prompt as Administrator
- Navigate to the directory where AzureSignTool is installed
- Run the following command, replacing placeholders with your values:
azuresigntool sign -kvu “KEY-VAULT-URI” -kvc CERTIFICATE-NAME -kvi “APPLICATION-CLIENT-ID” -kvs “CLIENT-SECRET” –azure-key-vault-tenant-id “tenant-ID” -tr http://timestamp.globalsign.com/tsa/advanced -td sha256 “PATH-TO-EXECUTABLE” - Verify the signing process by checking the Digital Signatures tab in the file properties of the
signed executable.
📌 Once signed, your application is protected and ready for secure deployment.
Conclusion:
Using Azure Key Vault for code signing enhances security, prevents unauthorized modifications, and builds trust with your users. By following this simple guide, you can streamline your application signing process while maintaining security best practices.
💡 Secure your application today and ensure your users always get an authentic experience
💬 Contact our experts today to ensure your applications are protected and compliant.
📌 Stay secure. Stay trusted. Sign your applications the right way!
