Table of Contents
2
Home » Wiki » Step-by-Step Guide to Sign Visual Studio App Package with AKV (Azure Key Vault)

Step-by-Step Guide to Sign Visual Studio App Package with AKV (Azure Key Vault)

by | Code Signing

Sign Visual Studio App Package Using Azure Key Vault

Signing Application Packages with Code Signing

Signing application packages with a code signing certificate is an important security practice for any developer. To Sign Visual Studio App Package Using Azure Key Vault, Azure Key Vault provides a secure way to store and manage digital certificates and secrets. It allows users to verify that the software they are installing comes from a trusted source and has not been tampered with.

By integrating Azure Key Vault into your build pipeline, you can automate the process of signing Visual Studio application packages.

This article will walk through the steps to set up Azure Key Vault, generate or upload a code signing certificate, and configure your Azure DevOps build pipeline to sign Visual Studio packages using the certificate in Key Vault.

Key Takeaways

  • Azure Key Vault allows secure storage and management of certificates for code signing.
  • Certificates can be generated in Key Vault or uploaded for existing certificates.
  • Build pipelines in Azure DevOps can be configured to access Key Vault certificates.
  • Task groups simplify certificate acquisition and package signing in pipelines.
  • Automated package signing improves security over manual signing.

Prerequisites

  • An Azure subscription
  • An Azure DevOps organization
  • A Visual Studio solution with a project that produces a package (e.g., NuGet, VSIX, MSI, etc.)
  • Permission to create resources in Azure and set up build pipelines in Azure DevOps.

3 Easy Steps to Sign Visual Studio App Package Using Azure Key Vault

  • Create an Azure Key Vault
  • Generate or Import a Code Signing Certificate
  • Configure Build Pipeline in Azure DevOps

Step #1 Create an Azure Key Vault

First, we need to create an Azure Key Vault resource to store certificates.

  • Login to the Azure portal
  • Click Create a resource and search for Key Vault.
  • Click Create on the Key Vault resource.
  • Choose a globally unique name for the vault and fill in other required information, such as resource group, location, and pricing tier.
  • Under Access policies, click Add Access Policy – Select key, certificate, and secret management permissions – Select the Azure DevOps service principal as the authorized application.
  • Click Review + Create, then Create to deploy the vault.
The Key Vault resource will be created and ready to store certificates.

Step #2 Generate or Import a Code Signing Certificate

Now, we need to add a code signing certificate to the vault. This can be done by:

Generate Self-Signed Certificate

  • In the Azure portal, go to your Key Vault resource.
  • Click on Certificates in the left menu.
  • Click the Generate/Import button at the top.
  • Choose Generate and fill in the certificate details:
  • Name: A unique name for the certificate
  • Subject: Identity details like organization
  • Advanced policy settings as needed.
  • Click Create to generate the certificate in the vault.

Import Existing Certificate

If you already have a code signing certificate (PFX/CER file), you can import it directly into the vault.

  • In the Certificates section, click Generate/Import.
  • This time, select Import instead of Generate.
  • Upload your certificate file (PFX or CER).
  • Fill in the name and other details for the certificate.
  • Click Create to import it.

The certificate now exists in Azure Key Vault and is available to use for package signing.

Step #3 Configure Build Pipeline in Azure DevOps

With the certificate stored securely in Key Vault, we can now set up an Azure DevOps build pipeline to acquire the certificate and sign packages.

  • In your Azure DevOps project, create a new build pipeline for your solution.
  • Search for and add the Azure Key Vault task to the pipeline.
  • Set Azure subscription to connect to your subscription
  • Set Key vault to select the vault created earlier
  • For Secrets filter, enter the name of the certificate
  • Add the Signing task from the Security section.
  • Set Certificate to Azure Key Vault
  • Map the Key Vault service connection and certificate name
  • Add build steps to compile your code and produce the package.
  • In the Signing task, specify the files to sign with the certificate.

When the build runs, it fetches the certificate from Key Vault and signs the packages. Automated signing provides better security and compliance than manual signing.

Using Task Groups for Reusable Package Signing Process

For solutions with multiple pipelines building packages to sign, you can define reusable task groups so each pipeline doesn’t need duplicate tasks.

  • In the Library tab, create a new task group.
  • Add the Key Vault and Signing tasks to the task group.
  • Parameterize properties like vault/certificate details.
  • Save the task group.
  • In a build pipeline, add the task group and map the parameters.

This allows consistent signing across pipelines by calling the same task group. Parameters let you customize the vault and certificate per pipeline.

Final Words

Securely signing application packages is an important best practice for software developers. By leveraging Azure Key Vault to store certificates safely and automating package signing in Azure DevOps pipelines, you can greatly improve security with minimal overhead. Following the steps outlined in this guide, you can set up a Key Vault, generate or import the needed certificate, and configure your build pipelines to fetch the certificate and sign packages automatically.

The result is peace of mind knowing your software packages are signed with a trusted certificate to validate they have not been compromised. Automating signing versus risky manual methods improves compliance as well. With Azure’s tools for certificate management and CI/CD, implementing package signing is straightforward, even for complex solutions, ensuring integrity through the development lifecycle and distribution.

Frequently Asked Questions

How does package signing improve security?

Digital signing with a code signing certificate allows users to verify that software comes from the developer and has not been altered or corrupted. Tampering would invalidate the signature.

What types of app packages can be signed with this?

Common package types, such as MSI, NuGet, PowerShell modules, VSIX extensions, etc., can all be signed using certificates from Key Vault.

Do I need an EV code signing certificate?

No, you can use standard code signing certificates stored in Key Vault. EV Code Signing Certificates provide more identity validation, which may be needed for public software.

Can I auto-renew certificates nearing expiry?

Yes, you can set up auto-rotation in Key Vault to generate a new version of a certificate when it nears expiry. Pipelines will seamlessly pick up the latest valid certificate.

How can I verify packages are signed after the build?

You can check built packages have a trusted signature by viewing the certificate details in tools like SignTool (Windows) or codesign (macOS).

Is it secure to store code signing certificates in Key Vault?

Key Vault provides high security, including encryption, RBAC access controls, and logging/monitoring. Certificates are more secure in Key Vault than in build pipelines or source code repositories.

Priya Mervana

Priya Mervana

Verified Badge Verified Web Security Experts

Priya Mervana is working at SSLInsights.com as a web security expert with over 10 years of experience writing about encryption, SSL certificates, and online privacy. She aims to make complex security topics easily understandable for everyday internet users.

Related Articles:

What is FIPS HardwareFIPS Hardware: Everything You Need to Know About It Disable Driver Signature Enforcement in Windows 10How to Disable Driver Signature Enforcement in Windows 10 Identify Windows Defender VersionHow to Identify Windows Defender Version?