How to sign code built using Azure Pipelines using a certificate/key in Azure Key Vault?

Question

We\'re in the process of moving from on-premise build servers to Azure Pipelines. We produce \"shrink-wrap\" desktop software so clearly we need to sign all our binaries before

Answer 1

Yes, it's able to do this in Azure DevOps Service Build pipeline.

For normal situation, we usually use SignTool.exe commands to sign files. There is also an extension Code Signing in marketplace, which could sign a single file, you could use script to run SignTool.exe commands for multiple files.

So you can export your codesigning certificate to a pfx file, which you then upload as a secure file to Azure Devops secure file storage which makes it available to your builds.

Azure DevOps could store secure files. Check this link for details: Secure files

Azure Key Vault instance is kind of more complicated. We also have an Azure Key Vault task.

Use this task in a build or release pipeline to download secrets such as authentication keys, storage account keys, data encryption keys, .PFX files, and passwords from an Azure Key Vault instance.

The task can be used to fetch the latest values of all or a subset of secrets from the vault, and set them as variables that can be used in subsequent tasks of a pipeline.

Not sure how GlobalSign will integrate code sign with your environment. Theoretically, it's able to do this. For the detail parts and implementation, you may need to discuss with their pre-sales. Hope this helps.