Digitally signing add-ins with a tool other than ArcGISSignAddIn.exe

Thursday
ljlopez
New Contributor III

As part of the 3.3 release, the wiki page ProGuide Digitally signed add ins and configurations was updated to indicate the following:

As of June 1, 2023, industry standards changed to require private keys for standard code signing certificates to be stored on Hardware Security Modules (HSMs) or cloud HSMs certified as FIPS 140 Level 2, Common Criteria EAL 4+, or equivalent.

There may be cases where both the certificate and private key are stored in an HSM or cloud HSM, and the certificate cannot be imported into the local Windows Certificate Store.

Is ArcGISSignAddIn.exe the only tool capable of digitally signing add-ins? Could other tools (such as Azure Sign Tool) be used instead with similar results? I'm exploring the scenario of having the certificate stored in Azure Key Vault instead of Windows Certificate Store, and digitally signing add-ins using Azure Sign Tool instead of ArcGISSignAddIn.exe.

Thanks!

0 Kudos
1 Solution

Accepted Solutions
UmaHarano
Esri Regular Contributor

Hi @ljlopez 

A couple of things regarding your question:

Windows SDK's SignTool.exe does not support signing esriAddInX files. This is the reason the Pro team created the ArcGISSignAddIn.exe. 

Regarding Azure Key Vault - As per my understanding, your private key is stored in the vault. The private key needs to be imported into your Windows Store (Refer to Azure Key Vault documentation for this step).

Once the certificate is available in your Windows Store, you can use ArcGISSignAddIn.exe to sign the add-in.

Thank you!

Uma

2 Replies
ljlopez
New Contributor III

Thank you, @UmaHarano!

0 Kudos