Announcing the free PowerON Azure Key Vault Azure DevOps Pipeline Extension!
Starting on the 1st of June 2023 it will no longer be possible to request a code signing certificate from a publicly trusted certificate authority without the use of a Hardware Security Module (HSM).
This means that it will no longer be possible to get a code signing certificate in the standard .pfx format as the private key will always have to be stored on a secure HSM.
While this is good for security and the overall industry, it can cause significant disruption to existing build and release processes within an organisation. For more information, DigiCert did a great webinar on the changes: Navigating the New OV Code Signing Requirements – YouTube.
At PowerON we use Azure DevOps Hosted Agents for most of our build and release requirements. This works well as it requires no managed infrastructure, has full RBAC support and is cost effective. Historically we’ve used the Secure File capabilities within Azure DevOps to enable us to sign code with an uploaded code signing certificate.
With the inability to upload the private key coming up we evaluated our options. The most obvious solution was to use Azure Key Vault as we are already an Azure customer. This only has one drawback – it’s not simple to sign code from Azure Key Vaults natively within Azure DevOps.
After further investigation we came across the excellent AzureSignTool from Kevin Jones. While this works great, it requires adding install steps to the pipeline as well as managing the Azure subscription context and service principal access keys manually in a script. Compared to other tasks in our pipelines this was clunky and custom, which further added to the change overheads.
To improve this for ourselves and the rest of the industry we created a free Azure DevOps pipeline extension named Azure Key Vault Code Sign. This uses AzureSignTool but hides the complexity of setup and integrates with the existing Azure DevOps service connection functionality – making code signing a breeze! Instead of using a script task, a typical usage may be something like:
```yaml
- task: PowerONPlatforms.akvcodesign.akvcodesign.AKV-Code-Sign@0
  displayName: 'Sign MyApp.exe'
  inputs:
    azureSubscription: 'MySubscription (817C7175-BD04-4ACD-9426-AD7FFB3D846A)'
    keyVaultURL: 'https://myvault.vault.azure.net/'
    certificateName: CodeSigning2022
    filePath: 'MyProject\bin\$(configuration)\MyApp.exe'
```
This brings code signing back into the standard Azure DevOps conventions, and enables easy migration from existing code signing tasks that may already be in place.
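As an added illustration (not part of the original post or the extension's repository), here is a fuller pipeline that builds, signs with the task shown above, and then fails the build unless the binary carries a valid Authenticode signature from the expected certificate. The build step, the `expectedThumbprint` variable and the `pwsh` verification step are this example's own assumptions; the signing task and its inputs are as the announcement shows them.

```yaml
# Added example: sign with the AKV-Code-Sign task, then verify the result.
trigger:
- main

pool:
  vmImage: 'windows-latest'

variables:
  configuration: 'Release'
  # Constructed placeholder: replace with the SHA-1 thumbprint of CodeSigning2022.
  expectedThumbprint: '0000000000000000000000000000000000000000'

steps:
- task: DotNetCoreCLI@2
  displayName: 'Build MyApp'
  inputs:
    command: build
    projects: 'MyProject/MyProject.csproj'
    arguments: '--configuration $(configuration)'

# Task identifier and inputs as shown in the announcement.
- task: PowerONPlatforms.akvcodesign.akvcodesign.AKV-Code-Sign@0
  displayName: 'Sign MyApp.exe'
  inputs:
    azureSubscription: 'MySubscription (817C7175-BD04-4ACD-9426-AD7FFB3D846A)'
    keyVaultURL: 'https://myvault.vault.azure.net/'
    certificateName: CodeSigning2022
    filePath: 'MyProject\bin\$(configuration)\MyApp.exe'

# Verification step (assumed, not provided by the extension): fail the build if the
# signature is missing or invalid, or if a different certificate signed the file.
# This catches a silently skipped signing step or the wrong Key Vault certificate.
- pwsh: |
    $exe = 'MyProject\bin\$(configuration)\MyApp.exe'
    $sig = Get-AuthenticodeSignature -FilePath $exe
    if ($sig.Status -ne 'Valid') {
      throw "Signature status is $($sig.Status): $($sig.StatusMessage)"
    }
    if ($sig.SignerCertificate.Thumbprint -ne '$(expectedThumbprint)') {
      throw "Signed by unexpected certificate $($sig.SignerCertificate.Thumbprint)"
    }
    Write-Host "Signed by $($sig.SignerCertificate.Subject)"
  displayName: 'Verify Authenticode signature'
```

Pinning the thumbprint means a certificate renewal in Key Vault must be accompanied by an update to the pipeline variable, which is a deliberate check rather than an inconvenience.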
To further support trust and learning we are also open sourcing the code behind the extension, PowerON-UK/AKV-Code-Sign: Azure Key Vault Code Signing DevOps Pipeline Extension (github.com), which we hope will enable customers to have confidence that the extension is doing what we claim.
We hope you find this useful. Please let us know if you have any issues or feedback on the GitHub issues page.
As this is a non-commercial product for us, please be aware that support will be limited and provided without SLA.