Are .pfx files valid for code signing in 2024? It appears we can no longer use a code signing certificate (that we just purchased from DigiCert) as a .pfx file since we cannot gain access to the private key.
We have several products with corresponding build pipelines that currently rely on an uploaded .pfx file with a password.
What’s the easiest way to update our processes to conform to new standards? Does Azure/ADO have built-in solutions to streamline this?
DigiCert article on this topic.
2 Answers
We were able to connect our build pipelines in ADO to DigiCert Key Locker. In our case this was the most straightforward approach.
Article about private keys / .pfx files no longer being directly accessible.
Connect Azure Devops to Key Locker
It’s recommended to sign your artifacts using an EV certificate, which you can also purchase from DigiCert.
The EV certificate should be stored in Azure Key Vault and can be accessed using a KV secret.
You can easily sign your binaries using this certificate with AzureSignTool.exe in your pipeline, full example and code: https://github.com/vcsjones/AzureSignTool
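The Key Vault approach from the answer above, written out as an Azure Pipelines job. This is an added example, not code from the question, the answers or the AzureSignTool project; the variable group name, certificate name, vault URL, service principal variables and output path are assumptions.

```yaml
# Added example: sign a build output with an EV certificate that lives in Azure Key Vault.
# The private key never leaves the vault; the pipeline only holds the service-principal
# credentials needed to ask Key Vault to sign. All names below are assumptions.
pool:
  vmImage: windows-latest      # Authenticode signing needs a Windows agent

variables:
  - group: codesign-vars       # assumed variable group (linked to Key Vault) holding
                               # KV_CLIENT_ID, KV_TENANT_ID and KV_CLIENT_SECRET as secrets

steps:
  - script: dotnet tool install --global AzureSignTool
    displayName: Install AzureSignTool

  # Secrets are passed through env: so they never appear on the command line
  # in the job log. -tr adds an RFC 3161 timestamp so the signature stays valid
  # after the certificate expires. A managed identity (-kvm) can replace the
  # client id/secret pair when the agent runs with one.
  - script: >
      AzureSignTool sign
      -kvu https://contoso-signing.vault.azure.net
      -kvc contoso-ev-codesign
      -kvi %KV_CLIENT_ID%
      -kvt %KV_TENANT_ID%
      -kvs %KV_CLIENT_SECRET%
      -tr http://timestamp.digicert.com
      -td sha256
      -fd sha256
      -v
      "$(Build.BinariesDirectory)\MyProduct.exe"
    displayName: Sign with Key Vault certificate
    env:
      KV_CLIENT_ID: $(KV_CLIENT_ID)
      KV_TENANT_ID: $(KV_TENANT_ID)
      KV_CLIENT_SECRET: $(KV_CLIENT_SECRET)

  # Fail the build if the signature did not apply or does not chain to a trusted root,
  # so an unsigned binary can never be published by mistake.
  - powershell: |
      $sig = Get-AuthenticodeSignature "$(Build.BinariesDirectory)\MyProduct.exe"
      if ($sig.Status -ne 'Valid') { throw "Signature check failed: $($sig.Status)" }
      Write-Host "Signed by $($sig.SignerCertificate.Subject)"
    displayName: Verify Authenticode signature
```

The service principal only needs the Key Vault `sign` and `get` permissions on the certificate, which keeps the pipeline from being able to export the key even if its credentials leak.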