As part of the 3.3 release, the wiki page ProGuide Digitally signed add ins and configurations was updated to indicate the following:
As of June 1, 2023, industry standards changed to require private keys for standard code signing certificates to be stored on Hardware Security Modules (HSMs) or cloud HSMs certified as FIPS 140 Level 2, Common Criteria EAL 4+, or equivalent.
There may be cases where both the certificate and private key are stored in an HSM or cloud HSM, and the certificate cannot be imported into the local Windows Certificate Store.
Is ArcGISSignAddIn.exe the only tool capable of digitally signing add-ins? Could other tools (such as Azure Sign Tool) be used instead with similar results? I'm exploring the scenario of having the certificate stored in Azure Key Vault instead of Windows Certificate Store, and digitally signing add-ins using Azure Sign Tool instead of ArcGISSignAddIn.exe.
Thanks!
Hi @ljlopez
A couple of things regarding your question:
Windows SDK's SignTool.exe does not support signing esriAddInX files. This is the reason the Pro team created the ArcGISSignAddIn.exe.
Regarding Azure Key Vault - As per my understanding, your private key is stored in the vault. The private key needs to be imported into your Windows Store (Refer to Azure Key Vault documentation for this step).
Once the certificate is available in your Windows Store, you can use ArcGISSignAddIn.exe to sign the add-in.
Thank you!
Uma
Thank you, @UmaHarano!
Can we confirm that this is still possible and best practice? I am in the same situation but I do not believe pulling a private key from my HSM is possible or best practice for that matter. @UmaHarano Any thoughts on this?
My next plan of action is to potentially ask DigiCert for another physical copy of our private key to use your tool, but I would prefer to use the built-in HSM as intended by Azure.