Sign Azure apps with SignTool using KSP library
SignTool is a command-line tool provided by Microsoft as part of the Windows SDK (Software Development Kit). It is used to digitally sign files, including executable files, libraries (DLLs), drivers, installer packages, and other types of files on the Windows operating system.
Follow these instructions to sign Azure apps with SignTool and securely reference your private key stored in DigiCert® KeyLocker.
Tip
SignTool does not support all characters in sign commands. Review the following lists before you sign:
Supported characters:
@ % ( ) - _ = [ ] { } ;
Unsupported characters:
! # $ ^ & + ` '
To avoid errors, remove unsupported characters from file paths before attempting to sign.
Prerequisites
Windows operating system
Download and configure DigiCert® KeyLocker clients
Download a copy of your certificate or use the certificate fingerprint
Sign
You can sign a file with SignTool using either of the following:
Download a copy of certificate
Certificate fingerprint
Sign with certificate
To sign with a downloaded copy of your certificate, run the command below. The certificate file supplies the public certificate; the private key stays in KeyLocker and SignTool reaches it through the KSP using the keypair alias:
signtool.exe sign /csp "DigiCert Signing Manager KSP" /kc <keypair_alias> /f <certificate_file> /tr http://timestamp.digicert.com /td SHA256 /fd SHA256 <file_to_be_signed>
Command sample:
signtool.exe sign /csp "DigiCert Signing Manager KSP" /kc key1 /f example.crt /tr http://timestamp.digicert.com /td SHA256 /fd SHA256 signthis.util.app
Sign with certificate fingerprint
Sync certificates (Windows only)
Before signing with SignTool, Mage, or NuGet using the certificate fingerprint, run this command to sync your certificates to the Windows certificate store.
To sync the default certificate associated with the specified keypair alias:
smctl windows certsync --keypair-alias=<keypair alias>
Note
For more information, refer to the smctl windows command manual.
To sign, run the following PowerShell commands. The first line looks up the synced certificate by its friendly name, the next lines store and display its thumbprint, and the last line signs with that thumbprint:
$cert = Get-ChildItem Cert:\CurrentUser\My | Where-Object {$_.FriendlyName -like "<CERTIFICATE ALIAS>"}
$thumbprint = $cert.Thumbprint
Write-Host $thumbprint
signtool.exe sign /sha1 $thumbprint /tr http://timestamp.digicert.com /td SHA256 /fd SHA256 <file to be signed>
Command sample:
signtool.exe sign /sha1 3550ffca3cd652dde30675ce681ea1e01073e647 /tr http://timestamp.digicert.com /td SHA256 /fd SHA256 makecat.app
Verify a signature
To verify a signed file (/v prints the signer and timestamp details; /pa checks the signature against the default Authenticode verification policy rather than the Windows driver policy):
signtool verify /v /pa <signed file>
Command sample:
signtool verify /v /pa ws.util.app
Note
Signature verification may report errors during test signing because a test CA does not chain to a root that Windows trusts.
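The following PowerShell script is an added example, not DigiCert's own tooling. It ties the steps on this page together: it rejects file paths containing the characters SignTool does not support, signs with either the certificate-file method (/csp, /kc, /f) or the fingerprint method (smctl certsync followed by /sha1), then verifies with signtool verify /v /pa and cross-checks from PowerShell that the embedded signer is the certificate that was selected. It assumes smctl and signtool.exe are on PATH, that the KeyLocker clients are configured, and that the friendly name of the synced certificate contains the keypair alias (the "*<alias>*" pattern is an assumption; adjust it to match your store).

```powershell
<#
Added example (not DigiCert's own script): sign a file through DigiCert KeyLocker
with SignTool using either method on this page, then verify the result.
Assumptions: smctl and signtool.exe are on PATH, the KeyLocker clients are
configured, and the friendly name of the synced certificate contains the alias.
#>
param(
    [Parameter(Mandatory = $true)] [string] $KeypairAlias,
    [Parameter(Mandatory = $true)] [string] $FileToSign,
    # Optional downloaded copy of the certificate. When given, the /csp + /kc + /f
    # method is used; otherwise the certificate is synced and selected by thumbprint.
    [string] $CertificateFile,
    [string] $TimestampUrl = 'http://timestamp.digicert.com'
)
$ErrorActionPreference = 'Stop'

# Characters this page lists as unsupported in SignTool commands.
$unsupportedChars = [char[]] '!#$^&+`'''
function Test-SignToolPath {
    param([string] $Path)
    foreach ($c in $unsupportedChars) {
        if ($Path.IndexOf($c) -ge 0) {
            throw "Path '$Path' contains '$c', which SignTool does not support; rename or move the file first."
        }
    }
}
Test-SignToolPath -Path $FileToSign
if (-not (Test-Path -LiteralPath $FileToSign)) { throw "File not found: $FileToSign" }

if ($CertificateFile) {
    # Method 1: certificate file plus the KSP key container; the private key stays in KeyLocker.
    Test-SignToolPath -Path $CertificateFile
    $certPath = (Resolve-Path -LiteralPath $CertificateFile).Path
    $cert = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $certPath
    $signArgs = @('/csp', 'DigiCert Signing Manager KSP', '/kc', $KeypairAlias, '/f', $CertificateFile)
} else {
    # Method 2: sync the default certificate for the alias into the Windows store, then select it by thumbprint.
    & smctl windows certsync "--keypair-alias=$KeypairAlias"
    if ($LASTEXITCODE -ne 0) { throw "smctl certsync failed with exit code $LASTEXITCODE" }
    # Require exactly one match so a stale or unrelated certificate is never picked silently.
    $found = @(Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.FriendlyName -like "*$KeypairAlias*" })
    if ($found.Count -ne 1) {
        $found | Format-Table Thumbprint, FriendlyName, NotAfter -AutoSize | Out-String | Write-Host
        throw "Expected exactly one certificate matching '$KeypairAlias' in Cert:\CurrentUser\My, found $($found.Count)."
    }
    $cert = $found[0]
    $signArgs = @('/sha1', $cert.Thumbprint)
}
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate $($cert.Thumbprint) expired on $($cert.NotAfter)" }
$thumbprint = $cert.Thumbprint
Write-Host "Signing $FileToSign with $thumbprint ($($cert.Subject))"

# Sign: SHA-256 for the file digest (/fd) and for the RFC 3161 timestamp digest (/td).
& signtool.exe sign @signArgs /tr $TimestampUrl /td SHA256 /fd SHA256 $FileToSign
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# Verify against the default Authenticode policy (/pa). A test CA that does not chain to a
# trusted root fails here, as this page notes; the script treats that as a hard failure.
& signtool.exe verify /v /pa $FileToSign
if ($LASTEXITCODE -ne 0) { throw "signtool verify failed with exit code $LASTEXITCODE" }

# Cross-check from PowerShell that the embedded signer is the certificate selected above
# and that the signature carries a timestamp.
$sig = Get-AuthenticodeSignature -FilePath $FileToSign
if ($sig.Status -ne 'Valid') { throw "Get-AuthenticodeSignature reports $($sig.Status): $($sig.StatusMessage)" }
if ($sig.SignerCertificate.Thumbprint -ne $thumbprint) {
    throw "Signer thumbprint $($sig.SignerCertificate.Thumbprint) does not match expected $thumbprint"
}
if (-not $sig.TimeStamperCertificate) { throw "Signature on $FileToSign is not timestamped" }
Write-Host "OK: signed by $thumbprint, timestamped by $($sig.TimeStamperCertificate.Subject)"
```

Run it as `.\Sign-WithKeyLocker.ps1 -KeypairAlias key1 -FileToSign .\signthis.util.app` for the fingerprint method, or add `-CertificateFile .\example.crt` for the certificate-file method (script name and paths are placeholders). The script exits non-zero on any failed step, so it can gate a build pipeline, and the final thumbprint comparison catches the case where SignTool silently picked a different certificate from the store than the one you intended.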