Reputation: 161
Since June 1, 2023, there are new requirements for code signing certificates that require HSM-stored keys. For automation purposes, I am trying to use an Azure KeyVault stored certificate rather than the USB hardware token. This means that .pfx files of code signing certificates are no longer available for local installation of the certificate.
Because of this, I am looking for a way to use the Azure KeyVault stored certificate for code signing an .app file. The best option that I've been able to find so far is AzureSignTool as a replacement for the classic Microsoft SignTool.
I've managed to get the certificate ordered and installed in the Azure KeyVault and can use AzureSignTool to successfully sign standard Windows executable files (.exe, .dll, .msi).
However, AzureSignTool cannot sign .app files because it's not a supported format. Is there any workaround out there to either use the old SignTool + Azure KeyVault hosted cert or some other tool to use a cloud hosted (preferably Azure KeyVault) code signing certificate for signing .app files?
AzureSignTool works correctly when signing an .exe, but when trying a .app file, it returns the following error.
The file cannot be signed because it is not a recognized file type for signing or it is corrupt. Signing failed with error 800B0003.
I've also tried using AzuKI to sign with the Microsoft SignTool connected to Azure KeyVault, but I get another error even with an .exe file.
SignTool Error: SignedCode::Sign returned error: 0x80070057 The parameter is incorrect.
Upvotes: 1
Views: 1031
Reputation: 1
You first need to register NavSip.dll from the BC container on your local machine. You should use the "Install-NAVSipCryptoProviderFromBcContainer" command from BCContainerHelper and then try to sign the .app file.
Upvotes: 0
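The procedure from the answer above carried through end to end, as an added example that is not from either poster. It assumes BcContainerHelper is installed on the host, a BC container named `bcserver` is running, `azuresigntool` is on PATH, the service-principal secret is supplied through an `AZURE_CLIENT_SECRET` environment variable, and the Key Vault URL, certificate name, tenant/client IDs, timestamp server and .app path are placeholders to replace with your own. The verification step with `Get-AuthenticodeSignature` is an assumption about what works once the SIP is registered, not something the answer states.

```powershell
# Added example, not code from the question or answer. Container name, Key Vault
# values, timestamp server and file path below are placeholders/assumptions.

# 1. Register the NavSip.dll SIP provider from the BC container on this host.
#    Without a SIP for .app, the Windows signing stack reports the file as
#    "not a recognized file type" (error 800B0003), which is what the question hit.
Install-NAVSipCryptoProviderFromBcContainer -containerName 'bcserver'

# 2. Sign the .app with the Key Vault certificate via AzureSignTool.
#    The private key never leaves Key Vault; only the signing request is sent.
$vaultUrl = 'https://<your-vault>.vault.azure.net'   # placeholder
$certName = '<code-signing-cert-name>'                 # placeholder
$tenantId = '<tenant-id>'                              # placeholder
$clientId = '<client-id>'                              # placeholder
$tsaUrl   = 'http://timestamp.digicert.com'            # any RFC 3161 TSA you trust
$appFile  = 'C:\build\Publisher_App_1.0.0.0.app'       # placeholder

if (-not $env:AZURE_CLIENT_SECRET) {
    throw 'Set AZURE_CLIENT_SECRET for the app registration before running.'
}

azuresigntool sign `
    --azure-key-vault-url          $vaultUrl `
    --azure-key-vault-certificate  $certName `
    --azure-key-vault-tenant-id    $tenantId `
    --azure-key-vault-client-id    $clientId `
    --azure-key-vault-client-secret $env:AZURE_CLIENT_SECRET `
    --file-digest                  sha256 `
    --timestamp-rfc3161            $tsaUrl `
    --timestamp-digest             sha256 `
    --verbose `
    $appFile

if ($LASTEXITCODE -ne 0) {
    throw "AzureSignTool failed with exit code $LASTEXITCODE"
}

# 3. Verify the result on the same host (the SIP from step 1 must be registered
#    wherever verification runs, otherwise the file is again "unrecognized").
$sig = Get-AuthenticodeSignature -FilePath $appFile
if ($sig.Status -ne 'Valid') {
    throw "Signature check failed: $($sig.Status) - $($sig.StatusMessage)"
}
"Signed OK by $($sig.SignerCertificate.Subject)"
```

The SIP registration is per machine, so build agents that sign or verify .app files each need step 1 once; the timestamp keeps the signature valid after the certificate itself expires, which matters for a cloud-held key that will be rotated.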