AzureSignTool
Azure Gov certificate access
Hi,
I want to do code signing for an Azure Gov App Service. I see the error below while using Azure DevOps with an Azure Gov US certificate: "Confidential Client is not supported in Cross Cloud request"
I found the link below related to the issue. https://blog.jongallant.com/2020/02/azure-identity-other-clouds/
Could you please help me to fix this issue?
Regards, Sundar
Hi,
I have tried the command below from Azure DevOps:
AzureSignTool sign -du "https://login.microsoftonline.us" -kvu "https://devopscodesigning.vault.usgovcloudapi.net" -kvi "xxxxxxxxxxxxxxxxxxxxxxxxxxx" -kvt "xxxxxxxxxxxxxxxxxxxxxxxxxx" -kvs "xxxxxxxxxxxxxxxxxxxxxxxxx" -kvc "code-ssl-new" -tr "http://ts.ssl.com" -td sha384 -v "$(Build.artifactStagingDirectory)\YamlSample.zip"
Regards, Sundar
You can work around this limitation by creating a token through an external process.
See #158
Hi Garett,
Thanks for sharing the link. I am able to use the access token and fix the issue, but I am seeing another issue: "The file cannot be signed because it is not a recognized file type for signing or it is corrupt". Please let me know of any fix for this.
Regards, Sundar
Sundar,
Are you sure the file is supported by the tool? There are some limitations over using SignTool listed in the documentation.
You can specify the authority host via an environment variable before using azuresigntool. This is how I use it in our pipelines to connect to Azure Gov.
$env:AZURE_AUTHORITY_HOST="https://login.microsoftonline.us/"
azuresigntool <your_args>
This worked for me, thanks!!
Hi everyone. I'm trying to sign .jar files in my project, but with azuresigntool it is proving impossible with the following script:
$env:AZURE_AUTHORITY_HOST="https://login.microsoftonline.com/"
AzureSignTool.exe sign -kvu "https:..." -kvt "XXX" -kvi "XXX" -kvs "XXX" -kvc "XX" -t "XXX" -v "C:\WK\Firmar\Cron.jar"
The result of the execution is:
warn: AzureSignTool.SignCommand[0] Authenticode timestamps should only be used for compatibility purposes. RFC3161 timestamps should be used.
trce: AzureSignTool.SignCommand[0] Retrieving certificate WK.
trce: AzureSignTool.SignCommand[0] Retrieved certificate WK.
trce: AzureSignTool.SignCommand[0] Creating context
info: AzureSignTool.SignCommand[0] => File: C:\WK\Firmar\Cron.jar Signing file.
trce: AzureSignTool.SignCommand[0] => File: C:\WK\Firmar\Cron.jar Getting SIP Data
trce: AzureSignTool.SignCommand[0] => File: C:\WK\Firmar\Cron.jar Calling SignerSignEx3
info: AzureSignTool.SignCommand[0] => File: C:\WK\Firmar\Cron.jar result: -2146762749
fail: AzureSignTool.SignCommand[0] => File: C:\WK\Firmar\Cron.jar The file cannot be signed because it is not a recognized file type for signing or it is corrupt.
fail: AzureSignTool.SignCommand[0] => File: C:\WK\Firmar\Cron.jar Signing failed with error 800B0003.
info: AzureSignTool.SignCommand[0] => File: C:\WK\Firmar\Cron.jar Stopping file signing.
info: AzureSignTool.SignCommand[0] Successful operations: 0
info: AzureSignTool.SignCommand[0] Failed operations: 1
It seems to me that jar extensions are not allowed, but in this case, how can I sign them? Is there any other tool, or an unknown directive for the script?
Thank you in advance.
Toni
This tool uses mssign.SignerSignEx3 behind the scenes, which means it's deeply Windows integrated. I believe it only supports signing Windows PE format files (exe, dll, … etc).
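
A pre-flight check for the "not a recognized file type" failure reported in this thread, as an added example that is not part of the thread or of AzureSignTool: it classifies a file by its leading bytes rather than its extension, so a ZIP container such as the .jar or .zip above is flagged before the signing step runs. The function names and the sample files are constructed for illustration.

```python
import struct
import tempfile
import zipfile
from pathlib import Path

# ZIP local-file-header magic, and end-of-central-directory magic (empty archive).
ZIP_MAGICS = (b"PK\x03\x04", b"PK\x05\x06")


def classify(path) -> str:
    """Return 'zip', 'pe' or 'other' based on file content, not extension."""
    with open(path, "rb") as fh:
        head = fh.read(0x40)  # size of the DOS header
        if head[:4] in ZIP_MAGICS:
            return "zip"  # .jar and .zip files are both ZIP containers
        if len(head) == 0x40 and head[:2] == b"MZ":
            # e_lfanew (little-endian u32 at 0x3C) is the offset of 'PE\0\0'.
            (e_lfanew,) = struct.unpack_from("<I", head, 0x3C)
            fh.seek(e_lfanew)
            if fh.read(4) == b"PE\x00\x00":
                return "pe"
    return "other"


def demo() -> dict:
    """Classify three constructed sample files written to a temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        jar = tmp / "Cron.jar"  # constructed: minimal JAR-like archive
        with zipfile.ZipFile(jar, "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        exe = tmp / "app.exe"  # constructed: DOS header + PE signature at 0x80
        exe.write_bytes(
            b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x80)
            + b"\0" * 0x40 + b"PE\x00\x00"
        )
        cut = tmp / "cut.exe"  # constructed: truncated file, 'MZ' only
        cut.write_bytes(b"MZ")
        return {p.name: classify(p) for p in (jar, exe, cut)}


if __name__ == "__main__":
    for name, kind in demo().items():
        print(f"{name}: {kind}")
```

In a pipeline, a result of "zip" or "other" is a signal to check the file against the tool's documented supported formats before calling the signing step.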