
Support for /dg /ds /di

Open avivanoff opened this issue 2 years ago • 6 comments

signtool.exe has a set of options for producing/signing/ingesting digests. It is imperative AzureSignTool has the same support for advanced signing workflows.

avivanoff avatar Nov 20 '23 16:11 avivanoff

producing/signing/ingesting digests

I know what these flags do, but I don't see what AzureSignTool can do with them. AzureSignTool is all about signing something with Azure Key Vault. When you use digest signing, you are taking the signing step out of the equation. What AzureSignTool would end up doing is exactly what regular signtool does.

How would these flags benefit AzureSignTool users, as opposed to continuing to use regular signtool?

vcsjones avatar Dec 13 '23 17:12 vcsjones

Please post these suggestions to https://github.com/dotnet/sign. That tool is intended to supersede AzureSignTool, NuGetKeyVaultSignTool, and several others.

clairernovotny avatar Dec 13 '23 17:12 clairernovotny

Thanks for the heads up @clairernovotny. Is there any kind of roadmap/status in terms of that migration? We have been happily using AzureSignTool for years to sign various artifacts ... the new project is very welcome if it furthers key vault for such scenarios, but I am unsure about attempting to replace it in the various pipelines just now.

sopelt avatar Jan 24 '24 20:01 sopelt

@vcsjones I don't have any particular use case for it myself, but I imagine a useful implementation of this would be to add support for /ds alone (i.e. use the key vault to actually sign a digest produced by signtool /dg, in a format compatible with signtool /di). Perhaps this might allow some advanced scenarios not currently supported, such as multi-signing? (Though there's also less point in doing that these days, at least for SHA1 compatibility purposes.)

Though having said that, once you're splitting the operations up rather than doing an all-in-one, I imagine you could use Azure CLI for the signing step, since that's essentially the same thing AzureSignTool would be doing "under the hood" anyway. AzureSignTool remains a convenient way to do all three steps in one tool.

uecasm avatar Aug 13 '24 02:08 uecasm
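As an added sketch of the split workflow uecasm describes above (not code from AzureSignTool, from the thread, or from Microsoft): PowerShell that runs signtool /dg, signs the resulting digest with az keyvault key sign, and feeds the result back with signtool /di. The vault, key and certificate names are placeholders, and it assumes the .dig file holds the base64-encoded to-be-signed hash, that /di expects the base64-encoded RSA signature in .dig.signed, and that the Key Vault key is RSA.

```powershell
# Added example: split Authenticode signing with signtool /dg + Azure Key Vault + signtool /di.
# Assumptions (not confirmed by the thread): .dig holds the base64 to-be-signed hash,
# .dig.signed must hold the base64 signature, and the key is RSA (RS256 = PKCS#1 v1.5 / SHA-256).
$ErrorActionPreference = 'Stop'

$File      = '.\app.exe'          # artifact to sign
$OutDir    = '.\digest'           # signtool writes app.exe.dig / app.exe.p7u here
$PublicCer = '.\signer.cer'       # PLACEHOLDER: public cert matching the Key Vault key
$VaultName = 'PLACEHOLDER-vault'  # PLACEHOLDER
$KeyName   = 'PLACEHOLDER-key'    # PLACEHOLDER

New-Item -ItemType Directory -Force -Path $OutDir | Out-Null
$Leaf = Split-Path -Leaf $File

# 1. Produce the to-be-signed digest and the unsigned PKCS#7 without touching a private key.
#    /fd must match the hash the key will sign (SHA-256 here).
& signtool sign /fd SHA256 /f $PublicCer /dg $OutDir $File
if ($LASTEXITCODE -ne 0) { throw "signtool /dg failed ($LASTEXITCODE)" }

$DigestB64 = (Get-Content -Raw "$OutDir\$Leaf.dig").Trim()
$HashBytes = [Convert]::FromBase64String($DigestB64)   # assumption: .dig is base64
if ($HashBytes.Length -ne 32) { throw "expected a 32-byte SHA-256 digest, got $($HashBytes.Length)" }

# 2. Sign only the digest in Key Vault; the private key never leaves the vault/HSM.
$Result = az keyvault key sign --vault-name $VaultName --name $KeyName `
            --algorithm RS256 --digest $DigestB64 --output json | ConvertFrom-Json
if (-not $Result.signature) { throw 'Key Vault returned no signature' }

# Key Vault REST payloads are base64url; normalise to standard base64 in case the CLI passes it through.
function ConvertTo-StandardBase64([string]$s) {
    $s = $s.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) { 2 { $s += '==' } 3 { $s += '=' } }
    return $s
}
$SigB64 = ConvertTo-StandardBase64 $Result.signature
Set-Content -NoNewline -Path "$OutDir\$Leaf.dig.signed" -Value $SigB64   # assumption: base64 expected

# 3. Ingest the signed digest into the PKCS#7 and attach the signature to the file.
& signtool sign /di $OutDir $File
if ($LASTEXITCODE -ne 0) { throw "signtool /di failed ($LASTEXITCODE)" }

# 4. Verify the result exactly as a consumer would, so a format mismatch is caught here, not in production.
& signtool verify /pa /v $File
```

The verify step is the check that matters: if the .dig or .dig.signed encoding assumed above is wrong, the ingested signature will not validate and the pipeline fails closed.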

@vcsjones, after spending more time on the issue I realized that it is not /dg /ds /di that we need, but /p7.

avivanoff avatar Dec 26 '24 08:12 avivanoff

Looks like it is now a duplicate of #77.

avivanoff avatar Jan 17 '25 19:01 avivanoff