EV Code Signing in Azure Pipelines

2020-10-29 Azure, Azure Key Vault, continuous integration, devops, code signing, Nexus

For basic code-signing on Azure, their secret files is very easy to use and described in many places. Unfortunately, when you want to sign with EV certificates, secret files won’t work and one must use the Azure Key Vault. This makes the process much more complicated. In this blog post, meant mainly as a memory dump to which I can return later when I forget everything, I will describe how we finally managed to do this.

Why EV-certificates?

I am working on a WebAuthN soft-authenticator (backed by smart cards). The authenticator is split into two parts — a part that does the bulk of the work and a driver part, which creates a virtual HID device to communicate with the rest of the system. On windows, the driver part is built using the virtual hid device framework. Unfortunately this framework is only supported for kernel mode drivers. To be able to install these, they must be submitted to Microsoft for signing (how to achieve this is a long, sad and frustrating story, a story for another day) and Microsoft requires the submissions to be signed by EV-certificates. So that is why we need EV-certificates.

Why Azure Key Vault?

EV-certificates come with higher security guarantees than normal certificates. First, the CA issuing them does more thorough checks to ensure that you are really who you claim to be when you ask for a certificate. Second, you don’t actually get the certificate as a simple p12 file. The requirements for EV-certificates state that they must be stored securely — in particular, you aren’t supposed actually be able to access the private key. Instead what you typically get is a secure USB token which stores the private key and you can use it to sign code, but there is no way for you to extract the key to, e.g., store it in azure secrets . And a hardware usb token is useless for azure pipelines. Luckily, there is another option for getting an EV-certificates — Azure Key Vault. Azure Key Vault can function as a sort of secure token which has all the certifications which allow it to be used for EV-certificate storage. And we can ask the CA to have our certificate delivered into AKV instead of on a hardware token. Well, not quite (at the moment anyway). What you need to do instead is to generate the certificate in AKV, generate a CSR (certificate signing request), ask the CA to sign this CSR, and then upload the signed CSR back to AKV.

Obtaining an EV-certificate stored in Azure Key Vault

This can be done from the web interface, but for automation purposes, I’ll give the instructions using the azure cli command line client for azure. First you need to create a policy file describing the certificate you want to create:

  "issuerParameters": {
    "certificateTransparency": null,
    "certificateType": "DigiCert",
    "name": "Unknown"
  "keyProperties": {
    "curve": null,
    "exportable": false,
    "keySize": 2048,
    "keyType": "RSA",
    "reuseKey": true
  "lifetimeActions": [
      "action": {
        "actionType": "emailContacts"
      "trigger": {
        "daysBeforeExpiry": 90,
        "lifetimePercentage": null
  "secretProperties": {
    "contentType": "application/x-pkcs12"
  "x509CertificateProperties": {
    "ekus": [
    "keyUsage": [
    "subject": "C=SE, L=Hägersten-Liljeholmen, O=Technology Nexus Secured Business Solutions AB, CN=Technology Nexus Secured Business Solutions AB",
    "subjectAlternativeNames": {
      "emails": [
    "validityInMonths": 24

The keyProperties key defines the parameters of your RSA keypair and how its stored. If you signed up for a HSM-backed azure key vault, you can set keytype to RSA-HSM for even more security. The lifetimeActions key instructs AKV to send you an email three months before the certificate will expire. The x509CertificateProperties contains en extended key usage oid indicating that the certificate can be used for code signing. Once you have prepared this file and stored it in, say cert-policy.json you can use the following command to generate a new certificate in azure key vault:

$ az keyvault certificate create --vault-name $KEY_VAULT_NAME -p @cer
t-policy.json --name $CERT_NAME

replacing $KEY_VAULT_NAME and $CERT_NAME as appropriate. This will create the certificate in the key vault, but the certificate will be in a disabled state. To enable the certificate, you need to generate and download a CSR, have it signed by a CA, and then upload the signed CSR back to the key vault. This is done as follows:

$ az keyvault certificate pending show --name $CERT_NAME --vault-name $KEY_VAULT_NAME | jq -r .csr | sed -e'1,1s/^/-----BEGIN CERTIFICATE REQUEST-----/g' | sed -e'$,$s/$/-----END CERTIFICATE REQUEST-----/g'

The first command in the pipeline just downloads info in JSON-format about the newly created certificate. The second element in the pipeline uses the jq tool to extract the csr key, which holds the certificate signing request, from the JSON. The last element wraps this in a -----BEGIN/END CERTIFICATE REQUEST----- block so that it is usable by, e.g., openssl.

Now you need to get your CA to sign this CSR. How that is done will depend in your CA and is not described here. For testing purposes you can use a dummy CA as described, e.g., in the pki tutorial or in the How to setup your own CA with OpenSSL gist.

Once you have your CSR signed by a CA, stored in, say, signed-csr.crt which will look something like this:

        Version: 1 (0x0)
        Serial Number: 4660 (0x1234)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=SE, ST=Some-State, L=H\xC3\x83\xC2\xA4gersten-Liljeholmen, O=Technology Nexus Secured Business Solutions AB, OU=Prague Office, CN=Technology Nexus Secured Business Solutions AB/emailAddress=jonathan.verner@nexusgroup.com
            Not Before: Oct 26 13:51:33 2020 GMT
            Not After : Oct 26 13:51:33 2021 GMT
        Subject: C=SE, L=H\xC3\xA4gersten-Liljeholmen, O=Technology Nexus Secured Business Solutions AB, CN=Technology Nexus Secured Business Solutions AB
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha256WithRSAEncryption

you need to upload it back to azure:

az keyvault certificate pending merge --name $CERT_NAME --vault-name $KEY_VAULT_NAME -f signed-csr.crt

The certificate should now be ready to be used. Now comes the fun part: actually using the certificate to sign software.

Signing with a Key Vault certificate in azure pipelines

Signing software on Windows is usually done using SignTool.exe which comes with Visual Studio (there is also an open source alternative, osslcigncode which can be used on other platforms). However, this tool only works with local certificates. Luckily, vcjones did Microsofts homework for them and created a tool called AzureSignTool to fix exactly this problem. This tool can be installed by running the following command:

dotnet tool install --global azuresigntool

Unfortunately, at the time this blog post was written, this installs a basically unusable version which has abysmal error handling — running it produces no output what-so-ever and if an error occurs, you’re not told and are on your own. So you need to build the tool from source.

Another hurdle is that the tool needs to authenticate to the Key Vault. The easiest way to do this is to create a service connection for your pipeline and use managed identity. Unfortunately, the –azure-key-vault-managed-identity command line option to AzureSignTool doesn’t seem to work and one needs to use an access token. The following yaml snippet and powershell script shows how to do this:

- task: AzureCLI@2
      displayName: Sign Artifacts
        azureSubscription: SERVICE_CONNECTION_NAME
        scriptType: ps
        scriptPath: sign.ps1

The key here is to use the AzureCLI task, which logs you in and allows you to get the access token. The work is done by the sign.ps1 script:

# Set up some env variables (certificate name, keyvault url, signed file description, timestamp server)
$DESCRIPTION="File content description"

# Get an access token (note that by running through the AzureCLI, we are logged in to azure and
# can actually get the token)
$ACCESS_TOKEN=(az account get-access-token --resource https://vault.azure.net | jq -r .accessToken)

# Do the actual signing
AzureSignTool.exe sign --verbose -kva $ACCESS_TOKEN -d "$DESCRIPTION" -kvc "$CERTIFICATE_NAME" -kvu "$KEYVAULT_URL" -fd sha256 -t "$TIMESTAMP_SERVER" file-to-sign.exe