An extension around SignTool to call into Azure Key Vault for the signing

This tool is an extension around SignTool to call into Azure Key Vault for the signing.

Set up

You will need several things to develop/debug this.

  1. You need an Azure Key Vault and a client id/secret for a credential that can access it. Directions to set that up are here, along with a link to a GUI tool for Key Vault that makes it easy to upload a code signing certificate.

  2. You’ll need to set KeyVaultSigner as the startup project and use the following command line arguments (certain parameters are sensitive, so don’t check them in; they belong in the .user file, which is ignored by source control):

    sign "C:\dev\signtest\signed\winqual.exe" "C:\Program Files (x86)\Windows Kits\10\bin\10.0.15063.0\x64\SignTool.exe" "sign /tr /fd sha256 /td sha256" -kvu https://<keyVaultname> -kvc <key vault certificate name> -kvi <client id> -kvs <client secret>

    • Make sure you update the winqual.exe parameter. Choose some unsigned dll that you’ll have signed.
  3. Install the child process debugging tool (needed to follow the flow):

The KeyVaultSigner project is the startup project, because it can start the required mixed-mode debugging (native + managed).
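The command line above carries the Key Vault client secret inline, which is exactly the value that must stay out of source control. As an added example (not part of this project's code), the helper below assembles the KeyVaultSigner argument list in the order shown above, reads the client secret from an environment variable instead of a checked-in file, rejects a non-https vault URL, and produces a redacted copy safe for build logs. The environment variable name KV_CLIENT_SECRET and the helper names are assumptions.

```python
import os
from urllib.parse import urlparse

SECRET_FLAG = "-kvs"  # flag whose value must never be logged or committed


def build_keyvaultsigner_args(target, signtool_path, signtool_opts, vault_url,
                              cert_name, client_id, env=None,
                              secret_var="KV_CLIENT_SECRET"):
    """Return the argv for KeyVaultSigner in the order used in the README:
    sign <target> <signtool.exe> "<signtool args>" -kvu -kvc -kvi -kvs.
    The client secret is taken from the environment (assumed variable name)
    so it never has to live in a launch profile or .user file."""
    env = os.environ if env is None else env
    secret = env.get(secret_var)
    if not secret:
        raise ValueError(f"client secret missing: set {secret_var}")
    parsed = urlparse(vault_url)
    if parsed.scheme != "https" or not parsed.netloc:
        raise ValueError("Key Vault URL must be https://<keyVaultname>...")
    return ["sign", target, signtool_path, signtool_opts,
            "-kvu", vault_url, "-kvc", cert_name,
            "-kvi", client_id, SECRET_FLAG, secret]


def redact_args(args):
    """Copy of argv with the value following -kvs replaced, for logging."""
    out = list(args)
    for i in range(len(out) - 1):
        if out[i] == SECRET_FLAG:
            out[i + 1] = "<redacted>"
    return out


if __name__ == "__main__":
    # Constructed sample values; the secret comes from the environment.
    argv = build_keyvaultsigner_args(
        r"C:\dev\signtest\signed\winqual.exe",
        r"C:\Program Files (x86)\Windows Kits\10\bin\10.0.15063.0\x64\SignTool.exe",
        "sign /tr /fd sha256 /td sha256",
        "https://example-vault.vault.azure.net", "codesign-cert", "client-id-placeholder")
    print(redact_args(argv))
```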