Code-Signing certificates with Azure Key Vault: What you need to know post June 1st, 2023
Elevating code-signing security by simplifying CI/CD with Azure Key Vault and HSM solutions!
In these recent days, I’ve had the opportunity to explore the renewal of a code-signing certificate used to authenticate and digitally sign files containing executable code within a Continuous Integration/Continuous Deployment (CI/CD) workflow.
During the search for the most suitable certificate, I learned about a new requirement introduced by the CA/Browser Forum, mandating that all code-signing certificates are now provisioned on USB tokens or within an HSM server.
The USB token signing solution isn’t compatible with CI/CD workflows due to its event-based signing mechanism, rendering it impractical for continuous integration environments, even within secure zones. Additionally, the USB token signing solution doesn’t integrate well with cloud platforms such as Azure DevOps or GitHub Workflow.
An alternative to the USB token is represented by the option of having an on-premise or cloud-based Hardware Security Module (HSM) server at a cost incomparable to both the USB token solution and the scenario in place before June 2023.
After conducting some research and benefiting from insights shared by my friend Giuliano Latini, whom I thank, I opted for this Azure Key Vault code-signing certificate, managed by DigiCert through the SignMyCode portal.
Upon purchasing the certificate, an accreditation process ensues, guided by clear and comprehensive email notifications. Subsequently, the certificate undergoes validation. As part of this validation process, confirmation of purchasing authority is required on behalf of the organization. This necessitates providing a verified and publicly listed phone number, allowing the certification authority to engage directly with either the individual or a designated organization representative. The accreditation and validation process may span several days. Meanwhile, I recommend preparing the Azure environment to accommodate the forthcoming certificate within a Key Vault.
Preparation of the Azure environment involves:
- Selecting the appropriate Azure subscription (if multiple exist) to host the Key Vault
- Configuring the Azure Key Vault to store code-signing certificates
- Creating the Key Vault, Certificate Signing Request (CSR), and importing the code-signing certificate into Azure KeyVault HSM
Following completion of the validation process, a .pem file is issued, requiring importation into the pre-configured Azure Key Vault. This can be accomplished by following the procedure outlined in this article:
The code-signing certificate is now stored in Azure Key Vault and it can be used with various signing tools, including AzureSignTool and .NET SignTool. Integrated within a CI/CD (Continuous Integration/Continuous Deployment) process, these signing tools can be employed, for instance, in a Jenkins pipeline or within a GitHub Workflow. Below are some highly useful links to resources detailing how to retrieve secrets from Azure Key Vault and configure signing tools:
- MSIX and CI/CD Pipeline signing with Azure Key Vault
- Code Signing Using Azure Pipelines and Azure Key Vault
- Migrate to Azure role-based access control
- Grant permission to applications to access an Azure key vault using Azure RBAC
The last link is particularly useful for configuring access roles (RBAC) that need to be assigned to the previously created Azure App.
For scenarios involving large-scale signatures or on-premise (or cloud-based) Hardware Security Module (HSM) requirements, alternative solutions are available. One notable solution, in my view, is CodeSign Secure service offered by Encryption Consulting LLC. This service seamlessly integrates with Jenkins and GitHub Workflow, as evidenced by the following resources:
- CI/CD integration of code signing with Jenkins
- Code Sign Secure: Configuring build verification with GitHub Workflows
Enjoy your code-signing certificates!