What is the most streamlined way to implement code signing in Azure DevOps build pipelines in 2024?

amartin
March 11, 2024
248 views
0 votes
2 Answers

Are .pfx files valid for code signing in 2024? It appears we can no longer use a code signing certificate (that we just purchased from DigiCert) as a .pfx file since we cannot gain access to the private key.

We have several products with corresponding build pipelines that currently rely on an uploaded .pfx file with a password.

What’s the easiest way to update our processes to conform to new standards? Does Azure/ADO have built-in solutions to streamline this?

DigiCert article on this topic.

Answers

Chosen as BEST ANSWER
- amartin
- March 11, 2024 at 3:33 pm
- 0 votes
0
We were able to connect our build pipelines in ADO to DigiCert Key Locker. In our case this was the most straightforward approach.

Article about private keys / .pfx files no longer being directly accessible.

Connect Azure Devops to Key Locker

(Edit)

- yoavlax
- March 10, 2024 at 2:41 pm
- 0 votes
0
It’s recommended to sign your artifacts using an EV certificate, which you can also purchase from DigiCert.

The EV certificate should be stored on Azure Key Vault and can be accessed to it using KV secret.

You can easily sign your binaries using this certificate with AzureSginTool.exe in your pipeline, full example and code: https://github.com/vcsjones/AzureSignTool

Login or Signup to reply.

Please signup or login to give your own answer.

Click here to cancel reply.