We've been digitally signing an ArcGIS Pro add-in using the using the ArcGISSignAddIn.exe tool (per https://github.com/Esri/arcgis-pro-sdk/wiki/ProGuide-Digitally-signed-add-ins-and-configurations#app...). To date, we've been using the tool with a .pfx certificate file.
The world has changed. Beginning on June 1 of this year, per the latest standard, private keys for code signing certificates must be stored on hardware certified as FIPS 140-2 level 2, Common Criteria EAL 4+, or equivalent. For our use case, we elected to use a cloud-based Key Storage Provider (KSP) for this (i.e., DigiCert KeyLocker).
This new approach has worked well with conventional Microsoft signtool.exe based signing, but it's unfortunately not working with ArcGISSignAddin.exe. When attempting to use the tool with the new KSP-based certificate (as available via the certificate store), an "Internal consistency check failed" error is received and the add-in is not signed.
Any suggestions? Is anyone successfully using ArcGISSignAddIn.exe with a Key Storage Provider?
