
Sign Azure apps with SignTool using KSP library

SignTool is a command-line tool provided by Microsoft as part of the Windows SDK (Software Development Kit). It is used to digitally sign files, including executable files, libraries (DLLs), drivers, installer packages, and other types of files on the Windows operating system.

Follow these instructions to sign Azure apps with SignTool while securely referencing your private key stored in Software Trust Manager.

Tip

SignTool does not support all characters in sign commands. Review the following:

  • Supported characters: @ % ( ) - _ = [ ] { } ;

  • Unsupported characters: ! # $ ^ & + ` '

To avoid errors, remove unsupported characters from file paths before attempting to sign.

Prerequisites

Register NavSip.dll library

To download, install, and register NavSip.dll library:

  1. Download Microsoft Dynamics NAV 2018.

  2. Unzip the downloaded file.

  3. Locate the NavSip.dll file in this path: Dynamics.110.NA.2468045.DVD\ServiceTier\System64Folder

  4. Copy the NavSip.dll file into the C:\Windows\System32 folder.

  5. Register NavSip.dll with this command:

    regsvr32.exe C:\Windows\System32\navsip.dll

Sign

You can sign a file with SignTool using either of the following:

  • A downloaded copy of the certificate

  • The certificate fingerprint

Sign with certificate

To sign, run:

signtool.exe sign /csp "DigiCert Signing Manager KSP" /kc <keypair_alias> /f <certificate_file> /tr http://timestamp.digicert.com /td SHA256 /fd SHA256 <file_to_be_signed>

Command sample:

signtool.exe sign /csp "DigiCert Signing Manager KSP" /kc key1 /f example.crt /tr http://timestamp.digicert.com /td SHA256 /fd SHA256 signthis.util.app

Sign with certificate fingerprint

Sync certificates (Windows only)

Before attempting to sign with SignTool, Mage, or NuGet using the certificate fingerprint, run this command to sync your certificates to the Windows certificate store.

To sync the default certificate associated with the specified keypair alias:

smctl windows certsync --keypair-alias=<keypair alias>

Note

For more information, refer to the Windows command manual.

To sign, run the following PowerShell commands:

# Select the synced certificate in the current user's personal store by its friendly name (the keypair alias).
# If more than one certificate matches, $cert is an array and $thumbprint holds several values; narrow the filter until exactly one matches.
$cert = Get-ChildItem Cert:\CurrentUser\My | Where-Object {$_.FriendlyName -like "<CERTIFICATE ALIAS>"}

$thumbprint = $cert.Thumbprint

# Print the thumbprint so you can pass it to /sha1 below
Write-Host $thumbprint

signtool.exe sign /sha1 <certificate thumbprint> /tr http://timestamp.digicert.com /td SHA256 /fd SHA256 <file to be signed>

Command sample:

signtool.exe sign /sha1 3550ffca3cd652dde30675ce681ea1e01073e647 /tr http://timestamp.digicert.com /td SHA256 /fd SHA256 makecat.app

Verify a signature

To verify a signed file:

signtool verify /v /pa <signed file>

Command sample:

signtool verify /v /pa ws.util.app

Note

When test signing, signature verification may report errors because the file was signed with a test CA.
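The fingerprint-based sign-and-verify flow above, collected into one script as an added example (this is not DigiCert's own code or part of the original page). It assumes smctl.exe and signtool.exe are on PATH, that the keypair alias is the friendly name of the synced certificate, and the function and variable names are hypothetical.

```powershell
# Added example, not from the DigiCert page: sync, resolve thumbprint, sign, verify.
# Assumes smctl.exe and signtool.exe are on PATH; names below are hypothetical.
function Invoke-StmSign {
    param(
        [Parameter(Mandatory)] [string] $KeypairAlias,
        [Parameter(Mandatory)] [string] $FilePath,
        [string] $TimestampUrl = 'http://timestamp.digicert.com'
    )

    # SignTool rejects these characters in paths (see the Tip above), so fail early.
    if ($FilePath -match '[!#$^&+`'']') {
        throw "Path contains characters SignTool does not support: $FilePath"
    }
    if (-not (Test-Path -LiteralPath $FilePath)) {
        throw "File not found: $FilePath"
    }

    # Sync the certificate for this keypair alias into the Windows certificate store.
    & smctl windows certsync --keypair-alias=$KeypairAlias
    if ($LASTEXITCODE -ne 0) { throw "smctl certsync failed with exit code $LASTEXITCODE" }

    # Resolve exactly one certificate by friendly name; an ambiguous match is an error
    # so that the wrong key is never used for signing.
    $certs = @(Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.FriendlyName -eq $KeypairAlias })
    if ($certs.Count -ne 1) {
        throw "Expected one certificate with friendly name '$KeypairAlias', found $($certs.Count)"
    }
    $thumbprint = $certs[0].Thumbprint

    # Sign with an RFC 3161 timestamp so the signature remains verifiable after the certificate expires.
    & signtool.exe sign /sha1 $thumbprint /tr $TimestampUrl /td SHA256 /fd SHA256 $FilePath
    if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

    # Verify against the default Authenticode policy; a non-zero exit code means the
    # chain is not trusted (expected with a test CA) or the signature is invalid.
    & signtool.exe verify /v /pa $FilePath
    if ($LASTEXITCODE -ne 0) { throw "signtool verify failed with exit code $LASTEXITCODE" }

    return $thumbprint
}

# Usage with constructed values:
# Invoke-StmSign -KeypairAlias 'key1' -FilePath 'C:\build\signthis.util.app'
```

The function returns the thumbprint that was used, so a build pipeline can record which key signed each artifact.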